For decades, OT (Operational Technology, the systems that run power grids, water treatment plants and industrial facilities) were isolated by design. The air gap was the security model. A system that wasn’t connected to anything couldn’t be reached by anyone. It was simple, it was effective, and for a long time it was enough.
Then came the business case for connectivity. Remote monitoring, real-time data, centralised management across multiple sites; all valid reasons, all real benefits. And all of them required opening up systems that were never designed with external access in mind.
The same thing happened in AV. When we moved from dedicated hardware to IP-based infrastructure, the network became the backbone. Suddenly a display system, a control system, a camera; all of it sat on the same network as everything else. We learned quickly that being on the network meant being reachable. And reachable meant vulnerable.
OT is going through that same transition now. Except the stakes are higher. A compromised conference room display is an embarrassment. A compromised SCADA system controlling a water treatment facility is something else entirely.
There is a search engine called Shodan. It indexes internet-connected devices; not websites, but hardware. Industrial controllers, building systems, sensors. In January 2024 it found close to 110,000 OT and ICS (Industrial Control System) devices sitting directly on the internet, reachable by anyone who knows where to look. Among the most common protocols: Modbus, a standard from the 1970s with no built-in authentication or encryption. And KNX, which most of us in AV know from smart buildings and lighting control. A secure version of KNX exists, with proper encryption, standardised and available. The devices on Shodan are not running it. That is rarely a deliberate choice; it is usually the result of nobody asking for it.
This is the context in which NIS2 arrived. Not a bureaucratic exercise, a response to a reality that anyone with a Shodan account can verify in five minutes. Eighteen critical sectors are now bound by its requirements. For many OT operators, it is the first time security has been a legal obligation rather than a recommendation.
A useful starting point: do you know how many of your systems are reachable from outside your network? Not just the ones you put there intentionally. All of them. And how many of your systems are already connected outward, quietly, to infrastructure you do not own? And what happens if that infrastructure is compromised?
The question is not whether to act. It is how to stay connected without leaving the door open. In AV, we have been here for over 20 years and we are still figuring it out. And OT is here with us, in the same situation.
Hur hanterar din organisation gränsen mellan AV, IT och OT? Hör gärna av dig.
This is the third article in a series about what happens when AV, IT and OT converge.
The first one, Has AV Left the Building?, is here: Has AV Left the Building?
The second one, The Operator Deserves Better, is here: The operator is the easiest one to forget, yet the most important factor in the equation.