OT Security Consultant: why industrial organisations need both a specialist and a project manager

Hiring an OT Security Consultant is one of the highest-leverage decisions an industrial organisation can make today. NIS2 is in force, IEC 62443 audits are no longer hypothetical, and the gap between a generic IT-security advisor and someone who actually understands a Siemens S7-1500 is wider than most boards realise.
But here is the uncomfortable second half of the story: an OT Security Consultant alone rarely delivers a successful programme. The deep specialist needs a counterpart who runs the implementation as a project: a security project manager who keeps multiple vendors, production schedules and compliance deadlines aligned. This article explains why you need both, and how the combination wins.
What does an OT Security Consultant actually do?
An OT Security Consultant is the domain specialist for cybersecurity in industrial environments. Unlike a classic IT-security consultant — who lives in identity, endpoint, cloud and Microsoft 365 — the OT specialist lives between the engineering office and the plant floor.
Concretely, a senior industrial cybersecurity expert covers:
- Reading P&IDs and network drawings, not just Visio
- Designing IEC 62443 zones and conduits on real plant topologies
- Hardening engineering workstations without breaking the engineering toolchain
- Negotiating change windows with production planners
- Reviewing PLC project backups, recipe management and remote-access policies
- Translating cybersecurity controls into HSE-compatible procedures
The difference from a generic IT-security profile becomes obvious the moment someone proposes to "just install EDR everywhere". An ICS security specialist knows which OEM support contracts will be voided, which controllers will lock up, and which workarounds are accepted by the vendor.
Top 5 reasons you need an OT Security Consultant
1. Legacy SCADA and PLC knowledge
Plants run on equipment that is 10 to 25 years old. Knowing the limitations of Step 7, RSLogix 5/500/5000, FactoryTalk, WinCC and Citect is hands-on craft, not something you read up on during a weekend.
2. Vendor relationships with Siemens, Rockwell, Schneider
Each OEM publishes its own hardening guide, patch cadence and supported security tooling. A good IEC 62443 consultant has the direct contacts to escalate when a hardening measure conflicts with vendor support.
3. Genuine IEC 62443 expertise
Not a one-day awareness course — a consultant who has actually mapped Foundational Requirements to firewall rules, written zone & conduit documents that survived an audit, and built a Cybersecurity Management System (CSMS) that production accepted.
4. Production-stop risk management
Every control change must be assessed against OEE impact. An experienced specialist knows when to insist on a maintenance window and when a hot change is genuinely safe.
5. NIS2 compliance for essential entities
In Belgium the CCB (Centre for Cybersecurity Belgium) enforces NIS2 with real fines and personal liability for directors. The OT specialist translates the legal text into measurable controls on the plant floor, and into the evidence an auditor expects.
Looking for an OT Security Consultant for your IEC 62443 programme?
RGI bv delivers the domain expertise — IEC 62443 implementations, IACS assessments, vendor coordination — for industrial SMEs in Flanders.
Talk to RGI →
Why one specialist is not enough
Here is where many programmes silently fail. The OT consultant produces excellent assessments, a zone & conduit design, and a roadmap. Six months later, half of the recommendations are still in a SharePoint folder. The cause is not technical — it is execution.
A real IEC 62443 implementation touches:
- Production planning (change windows, line shutdowns)
- Engineering (PLC programs, network rewiring, integrator coordination)
- IT and security operations (firewalls, SIEM, identity)
- HSE (interlocks, ATEX, SIL ratings)
- Procurement (vendor contracts, support agreements)
- Legal and compliance (NIS2 reporting, ISO 27001 alignment)
- The CISO and the board (risk appetite, budget, reporting cadence)
That is at least seven distinct stakeholder groups. Asking a deep technical specialist to also chair every steering committee, chase every action item and update the board pack is asking them to do their second job badly while distracting them from their first job.
Why you also need a security Project Manager
A seasoned OT security project manager brings what the specialist cannot scale:
- Stakeholder management across production, IT and management. Translating production constraints into IT planning and IT planning into board-level reporting.
- Change-window planning. Sequencing firewall rollouts, PLC firmware upgrades and SCADA replacements around quarterly shutdowns instead of fighting them.
- Multi-vendor coordination. Keeping the integrator, the OEM, the network supplier and the in-house engineering team on one timeline.
- Scope discipline under operational pressure. When the plant is behind on output, the discipline to push back on "let's also add this" matters more than any technical depth.
- NIS2 deadlines. Owning the regulator-facing milestones, not just the technical deliverables.
The project manager is not a replacement for the specialist — they are the multiplier that turns the specialist's advice into delivered, audited, sustained controls.
The winning combination
The pattern we see deliver consistent results in Belgian industry is straightforward:
- An OT Security Consultant (RGI bv) as the technical authority — designs the zones, validates the controls, talks the OEM language, signs off the IEC 62443 evidence.
- An experienced security Project Manager (FreelancePM) as the delivery owner — runs the steering committee, owns the plan, manages change windows, secures the NIS2 reporting line, keeps scope honest.
Together they cover the two failure modes that kill OT security programmes: lack of depth, and lack of follow-through. Separately, each runs into the limit of the other.
Need an experienced security project manager too?
Beyond OT expertise, you need someone to drive the implementation end-to-end. Plan a no-obligation call with FreelancePM.
Schedule a call with FreelancePM →
FreelancePM partners with RGI bv on IEC 62443 and NIS2 programmes for industrial organisations across Belgium.