“Safety and security are two sides of the same coin”

Ray Robinson

Director of Operational Technology, NCC Group

Ray has over 30 years’ experience in the Software and Cyber Security industry advising clients on implementing effective strategies in Agile and waterfall project delivery streams, including security and penetration testing.   More recently, he’s become and OT specialist working in the Energy, Regulation, Public, Engineering and Finance sector across a 20 year span. In his role at NCC Group, Ray is advising numerous UK Government departments and industrial sector clients on their digital transformation, ICS/OT, cloud, and Cyber Security programmes. 

Securing OT to protect people, productivity and profits

For industrial sectors and public utilities, the primary means of generating revenue is their Operating Technology (OT) and their priority is to secure the safety and continuity of output.

Why do businesses that rely on OT to achieve their goals invest more in IT security controls than in protecting their operational assets? A McKinsey report found 96% of business leaders admit they need to invest in OT cyber security. Our recent OT webinar series found just 26% of attendees have a combined safety and security team.

The OT Security Investment Paradox

This paradox leaves industrial organizations extremely vulnerable. When an operational system or machine goes down it can lead to financial losses exceeding $5 million.

There are serious physical safety risks too—a malfunction at the direction of a threat actor could create a life-threatening situation. The attack on the German Steelworks blast furnace could have easily caused the system to overheat and explode. Attacks on water infrastructure could have devastating effects, contaminating the water supply for untold numbers of innocent victims. Officials at American Water (which serves 14 million people in the U.S.) admit they are “unable to predict the full impact” of the recent breach of their internal networks.

So why is there a lack of investment in OT cyber security?

• Most just don’t think of OT infrastructure as an attack surface. Industrial teams often turn to OEMs when machinery goes down, assuming it’s a technical malfunction (“turn it off and on again?”).
• Security hasn’t kept pace with the Industrial Internet of Things (IIoT) integration. Operators have embraced the benefits of IIoT, but they haven’t recognized the expansion of the attack surface it brings.
• Most don’t consider OT cyber security in their downtime cost calculations.
• The OT environment is complex and variable. IT cyber security is relatively standardized—there are universal solutions for securing routers, software, etc. But almost every factory and facility have different OT devices and set-ups. Therefore, protecting your bespoke facilities will require a tailored, measured approach.   
• Until recently, there haven’t been penalties for OT security failures. On the IT side, the SEC, PCI, GDPR, and HIPAA requirements set standards for resilience, response and penalties for security breaches. However, similar mandates have only recently been applied to industry and critical infrastructure through NIS and NIS 2.

In the UK, 606,000 workers per year are injured in the workplace on average, with 124 fatalities per year. While individuals bear most of the brunt, these safety incidents can cost employers £3.9BN. Executives have been personally prosecuted for gross negligence manslaughter in the event of workplace fatalities in which they’ve been found to commit a gross breach of duty.

The risks have never been higher. Here’s how to mitigate them.

Between geopolitical issues, global conflicts, not to mention China’s persistent threat, and hacktivists targeting OT systems, organizations must prioritize OT security to prevent financial loss—or worse, loss of life.

Here’s how to convince decision-makers to invest in OT cyber:

1. Focus on risk calculations. Link OT cyber risk directly to the risk of downtime and the calculated potential losses.
2. Safety should always be the #1 priority for every organization. Be clear about the potential cost involved—human, reputational and financial.
3. Manage change effectively. OT and IT must work together with new technology introductions, processes or adjustments.
4. Train people to always be mindful of the security context.
5. Bring OT, IT and safety to the table. Bring teams together and encourage shadowing or internship style arrangements to encourage collaboration.  
6. Implement the SANS 5 Critical Controls.

Protect your people, profits and productivity

Securing OT infrastructure can feel daunting, especially when you’re starting from scratch. It feels urgent but almost unachievable at the same time.

Cyber Resilience Programme activities

techUK brings together key players across the cyber security sector to promote leading-edge UK capabilities, build networks and grow the sector. techUK members have the opportunity to network, share ideas and collaborate, enabling the industry as a whole to address common challenges and opportunities together. Visit the programme page here.

Government publishes Cyber Governance Code of Practice

Following the 2024 Call for Views on the Cyber Governance Code of Practice, the Department for Science, Innovation and Technology (DSIT) has published practical guidance to help boards and directors govern their organisations’ cyber security risks more effectively.

Read the full insight here

Call for submissions: Get involved in techUK’s Operational Technology Security Campaign Week 2025

techUK’s Cyber Resilience Programme is delighted to be holding the second Operational Technology (OT) Security Campaign Week (16-20 June) to showcase how cyber members are helping organisations to secure their OT and navigate the convergence of IT/OT systems.

Find out how to get involved

Government Call for Views on Cyber Security of Enterprise Connected Devices

The Department for Science, Innovation and Technology has published a call for views on the security of enterprise connected devices, also known as Internet of Things (IoT) devices, which are used by businesses and organisations across the UK.

Find out more

 

Upcoming events

19 June 2025

Industry Roundtable - The National Cyber Strategy refresh and Cyber Growth Plan

London and Online Roundtable

23 June 2025

Responding to Ransomware Threats to the UK's Operational Technology Systems

Webinar

25 June 2025

techUK/DSIT Software Security and Cyber Governance Virtual Workshop

Workshop

Latest news and insights 

18 Jun 2025

OT Cybersecurity – Back to Basics

18 Jun 2025

“Safety and security are two sides of the same coin”

18 Jun 2025

Building and Maintaining Operational Technology Resilience: A Critical Imperative

Learn more and get involved

 

Cyber Resilience updates

Sign-up to get the latest updates and opportunities from our Cyber Resilience programme.

 

 

Here are the five reasons you should join the Cyber Resilience programme.

Learn about the value members get from our work

Download

Join techUK groups

techUK members can get involved in our work by joining our groups, and stay up to date with the latest meetings and opportunities in the programme.

Learn more

 

Become a techUK member

Our members develop strong networks, build meaningful partnerships and grow their businesses as we all work together to create a thriving environment where industry, government and stakeholders come together to realise the positive outcomes tech can deliver.

Learn more

 Meet the team 

Jill Broom

Head of Cyber Resilience, techUK

Jill leads the techUK Cyber Resilience programme, having originally joined techUK in October 2020 as a Programme Manager for the Cyber and Central Government programmes. She is responsible for managing techUK's work across the cyber security ecosystem, bringing industry together with key stakeholders across the public and private sectors. Jill also provides the industry secretariat for the Cyber Growth Partnership, the industry and government conduit for supporting the growth of the sector. A key focus of her work is to strengthen the public–private partnership across cyber to support further development of UK cyber security and resilience policy.

Before joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.

Email:

[email protected]

Website:

www.techuk.org/

LinkedIn:

https://www.linkedin.com/in/jill-broom-19aa824

Read lessmore

Annie Collings

Programme Manager, Cyber Resilience, techUK

Annie is the Programme Manager for Cyber Resilience at techUK. She first joined as the Programme Manager for Cyber Security and Central Government in September 2023. 

In her role, Annie supports the Cyber Security SME Forum, engaging regularly with key government and industry stakeholders to advance the growth and development of SMEs in the cyber sector. Annie also coordinates events, engages with policy makers and represents techUK at a number of cyber security events.

Before joining techUK, Annie was an Account Manager at a specialist healthcare agency, where she provided public affairs support to a wide range of medical technology clients. She also gained experience as an intern in both an MP’s constituency office and with the Association of Independent Professionals and the Self-Employed. Annie holds a degree in International Relations from Nottingham Trent University.

Email:

[email protected]

Twitter:

anniecollings24

LinkedIn:

https://www.linkedin.com/in/annie-collings-270150158/

Read lessmore

Francesca Richiusa

Programme Team Assistant for Public Sector Markets, techUK

Fran serves as the Programme Team Assistant within techUK’s Public Sector Market Programmes, where she is responsible for delivering comprehensive team support, managing administrative functions, and fostering strong relationships with members.

Prior to joining techUK in May 2025, Fran built a meaningful career in the charitable and local government sectors. She worked extensively with both victims and perpetrators of crime, and notably led the coordination of Domestic Homicide Reviews across Surrey—an initiative aimed at identifying lessons and preventing future incidents of domestic abuse.

Outside of work, Fran is an avid traveller and a proud cat mum who enjoys unwinding with her feline companions.

 

Email:

[email protected]

Website:

www.techuk.org/

LinkedIn:

https://www.linkedin.com/in/francesca-richiusa/

Read lessmore

Olivia Staples

Junior Programme Manager - Cyber Resilience, techUK

Olivia Staples joined techUK in May 2025 as a Junior Programme Manager in the Cyber Resilience team.

She supports the programs mission to promote cyber resilience by engaging key commercial and government stakeholders to shape the cyber resilience policy towards increased security and industry growth. Olivia assists in member engagement, event facilitation and communications support.

Before joining techUK, Olivia gained experience in research, advocacy, and strategic communications across several international organisations. At the Munich Security Conference, she supported stakeholder engagement and contributed to strategic communications. She also worked closely with local and national government stakeholders in Spain and Italy, where she was involved in policy monitoring and advocacy for both public and private sector clients.

Olivia holds an MSc in Political Science (Comparative Politics and Conflict Studies) from the London School of Economics (LSE) and a BA in Spanish and Latin American Studies from University College London (UCL).

Outside of tech, Olivia enjoys volunteering with local charities and learning Norwegian.

Email:

[email protected]

Website:

www.techuk.org/

LinkedIn:

https://www.linkedin.com/in/olivia-staples-85119117a/

Read lessmore

Tracy Modha

Programme Marketing Assistant for Public Sector Markets, techUK

Tracy supports the marketing of several areas at techUK, including Cyber Exchange, Central Government, Cyber Resilience, Defence, Education, Health and Social Care, Justice and Emergency Services, Local Public Services, Nations and Regions and National Security.

Tracy joined techUK in March 2022, having worked in the education sector for 19 years, covering administration, research project support, IT support and event/training support. My most outstanding achievement has been running three very successful international conferences and over 300 training courses booked all over the globe!

Tracy has a great interest in tech. Gaming and computing have been a big part of her life, and now electric cars are an exciting look at the future. She has warmed to Alexa, even though it can sometimes be sassy!

Email:

[email protected]

Phone:

02073312000

Website:

www.techuk.org

LinkedIn:

https://www.linkedin.com/in/tracymodha83

Read lessmore

 

Authors

Ray Robinson

Director of Operational Technology, NCC Group

Ray has over 30 years’ experience in the Software and Cyber Security industry advising clients on implementing effective strategies in Agile and waterfall project delivery streams, including security and penetration testing.   More recently, he’s become and OT specialist working in the Energy, Regulation, Public, Engineering and Finance sector across a 20 year span. In his role at NCC Group, Ray is advising numerous UK Government departments and industrial sector clients on their digital transformation, ICS/OT, cloud, and Cyber Security programmes.