Gary Miles is one of Fortinet's UK & Ireland Operational Technology (OT) experts. He is a Chartered Cybersecurity Professional for Governance and Risk Management, and possesses ISA/IEC 62443 Expert, GICSP and NIST practitioner qualifications. Prior to Fortinet, Gary spent three years in a range of OT cybersecurity consultancy roles. This included leading and implementing cybersecurity management systems for OT operators across a broad range of sectors, alongside extensive risk assessment and auditing roles for both IT and OT owners and operators across approximately 40-50 different organisations.
Cybersecurity for OT – Introduction
This short OT Cybersecurity blog piece is designed to draw attention to some of the key areas that organisations struggle with during audits, which often limit the success of a comprehensive cybersecurity strategy. This blog highlights the importance of strong cybersecurity foundations, often overlooked in organisational strategies.
Strong Foundations: Where to Start – Scope
For IT/OT security leaders, asset owners and OT engineers, the first thing you must do is understand the scope for the audit. Simply put, you cannot audit (and effectively protect) what you do not understand.
Despite its apparent simplicity, scope definition is frequently unclear, leading to gaps in security coverage; organisations often struggle with aligning different stakeholder perspectives on critical business functions and do not spend enough time understanding and documenting this important process. This initial scoping problem is an issue I saw commonly whilst auditing a wide array of OT and IT environments across the UK and beyond.
The UK’s Cyber Assessment Framework (CAF) (Figure 1 below) requires organisations to document and agree upon their system scope with regulatory authorities. However, scope-related challenges arise when scoping documentation lacks thorough review, changes to the system occur, or even when areas of lesser maturity are excluded.
Figure 1: The NCSC’s CAF
There are many tools and methods that can assist businesses with understanding what the scope of the essential function should be, including methods such as conducting a Business Impact Analysis exercise, conducting Process Control Mapping, and high-level and detailed risk assessments. These processes link directly into the Govern and Identify elements of the NIST CSF V2.0, as well as all objectives throughout the CAF, alongside identifying the System Under Consideration (SUC) within the ISA/IEC 62443 series of standards.
Strong Foundations: Effective Governance
People remain an organisation's strongest and weakest link. Consider recent cybersecurity incidents, often caused through methods such as social engineering, insecure network configuration controls or insecure / unauthorised device or network changes. Although different attack methods in their own right, people remain at the heart of the business and for each attack type, the human element will always be present. A strong organisation from a cybersecurity perspective will often have the right people, with the right knowledge and experience, in the right place, at the right time.
But it's not all about people; effective governance should recognise that cybersecurity solutions require a holistic approach where people, process, and technological solutions are effectively integrated. When it comes to each of these elements, there is no one-size-fits-all solution; each organisation should recognise this and ensure they do what's right for them, based on the threat landscape, the risk, and importantly business and security objectives. As many are aware, finding the right people (and the right budgets for the right people), particularly in the OT space, is a challenge in itself.
Security Solutions
From an auditing perspective, Objective B within the CAF (protecting against cyber attack) contains the highest number of Principles, Contributing Outcomes (COs) and associated Indicators of Good Practice (IGPs), and for good reason. This is not because it's the most important Objective; they're all equally important, but because protecting a network requires extensive efforts and solutions, which all need to be evaluated. As the CAF is outcomes based, there is no single blueprint for securing a system; systems, threats, risks and the associated consequences vary from business to business and site to site.
What was clear to me as an auditor was organisational reliance on a very broad range of technological solutions, which would often lack effective integration and operational understanding (in other words, having too many different security solutions). More solutions don’t always mean better security. In the same way that an accurate scope and the right people are important, appropriate and mutually supportive technological solutions help with effective security, risk management and the compliance journey. Fortinet’s broad, integrated and automated Security Fabric platform, powered by FortiOS, is a great example of how this can be done well.
Summary
My favourite saying in the cybersecurity space is that "you can be compliant and not secure but being secure usually results in being compliant". I couldn't agree with this statement more. Effective security starts with having strong foundational cybersecurity activities as we’ve discussed here, including ensuring effective governance is in place and understanding what you have and what you need to protect. There are many other activities and actions that need to occur, but my experience is that a wide range of organisations do not understand what they have, and they don't have the right governance structures in place to manage risk. This can negatively affect or lead to a false sense of security in the organisation's ability to secure their environment and meet compliance requirements.
Fortinet's unified OT Security Platform provides a comprehensive suite of solutions all operating under a single management plane and operating system, providing a single pane of glass security view, effectively enabling businesses to manage and reduce risk and achieve their compliance requirements.
techUK’s Operational Technology Security Impact Days 2025 #techUKOTSecurity
techUK’s Cyber Programme is delighted to be holding our second securing Operational Technology (OT) security impact days to showcase how cyber companies are helping organisations to secure their OT and navigate the convergence of IT/OT systems.
techUK brings together key players across the cyber security sector to promote leading-edge UK capabilities, build networks and grow the sector. techUK members have the opportunity to network, share ideas and collaborate, enabling the industry as a whole to address common challenges and opportunities together. Visit the programme page here.
Government publishes Cyber Governance Code of Practice
Following the 2024 Call for Views on the Cyber Governance Code of Practice, the Department for Science, Innovation and Technology (DSIT) has published practical guidance to help boards and directors govern their organisations’ cyber security risks more effectively.
Call for submissions: Get involved in techUK’s Operational Technology Security Campaign Week 2025
techUK’s Cyber Resilience Programme is delighted to be holding the second Operational Technology (OT) Security Campaign Week (16-20 June) to showcase how cyber members are helping organisations to secure their OT and navigate the convergence of IT/OT systems.
Government Call for Views on Cyber Security of Enterprise Connected Devices
The Department for Science, Innovation and Technology has published a call for views on the security of enterprise connected devices, also known as Internet of Things (IoT) devices, which are used by businesses and organisations across the UK.
Our members develop strong networks, build meaningful partnerships and grow their businesses as we all work together to create a thriving environment where industry, government and stakeholders come together to realise the positive outcomes tech can deliver.
Jill leads the techUK Cyber Resilience programme, having originally joined techUK in October 2020 as a Programme Manager for the Cyber and Central Government programmes. She is responsible for managing techUK's work across the cyber security ecosystem, bringing industry together with key stakeholders across the public and private sectors. Jill also provides the industry secretariat for the Cyber Growth Partnership, the industry and government conduit for supporting the growth of the sector. A key focus of her work is to strengthen the public–private partnership across cyber to support further development of UK cyber security and resilience policy.
Before joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.
Annie is the Programme Manager for Cyber Resilience at techUK. She first joined as the Programme Manager for Cyber Security and Central Government in September 2023.
In her role, Annie supports the Cyber Security SME Forum, engaging regularly with key government and industry stakeholders to advance the growth and development of SMEs in the cyber sector. Annie also coordinates events, engages with policy makers and represents techUK at a number of cyber security events.
Before joining techUK, Annie was an Account Manager at a specialist healthcare agency, where she provided public affairs support to a wide range of medical technology clients. She also gained experience as an intern in both an MP’s constituency office and with the Association of Independent Professionals and the Self-Employed. Annie holds a degree in International Relations from Nottingham Trent University.
Programme Team Assistant for Public Sector Markets, techUK
Fran serves as the Programme Team Assistant within techUK’s Public Sector Market Programmes, where she is responsible for delivering comprehensive team support, managing administrative functions, and fostering strong relationships with members.
Prior to joining techUK in May 2025, Fran built a meaningful career in the charitable and local government sectors. She worked extensively with both victims and perpetrators of crime, and notably led the coordination of Domestic Homicide Reviews across Surrey—an initiative aimed at identifying lessons and preventing future incidents of domestic abuse.
Outside of work, Fran is an avid traveller and a proud cat mum who enjoys unwinding with her feline companions.
Olivia Staples joined techUK in May 2025 as a Junior Programme Manager in the Cyber Resilience team.
She supports the programs mission to promote cyber resilience by engaging key commercial and government stakeholders to shape the cyber resilience policy towards increased security and industry growth. Olivia assists in member engagement, event facilitation and communications support.
Before joining techUK, Olivia gained experience in research, advocacy, and strategic communications across several international organisations. At the Munich Security Conference, she supported stakeholder engagement and contributed to strategic communications. She also worked closely with local and national government stakeholders in Spain and Italy, where she was involved in policy monitoring and advocacy for both public and private sector clients.
Olivia holds an MSc in Political Science (Comparative Politics and Conflict Studies) from the London School of Economics (LSE) and a BA in Spanish and Latin American Studies from University College London (UCL).
Outside of tech, Olivia enjoys volunteering with local charities and learning Norwegian.
Programme Marketing Assistant for Public Sector Markets, techUK
Tracy supports the marketing of several areas at techUK, including Cyber Exchange, Central Government, Cyber Resilience, Defence, Education, Health and Social Care, Justice and Emergency Services, Local Public Services, Nations and Regions and National Security.
Tracy joined techUK in March 2022, having worked in the education sector for 19 years, covering administration, research project support, IT support and event/training support. My most outstanding achievement has been running three very successful international conferences and over 300 training courses booked all over the globe!
Tracy has a great interest in tech. Gaming and computing have been a big part of her life, and now electric cars are an exciting look at the future. She has warmed to Alexa, even though it can sometimes be sassy!
