The Gap Is Real and It Is Getting Wider
The industrial cybersecurity sector has a workforce problem that no amount of salary inflation will quickly solve. The issue is not a shortage of cybersecurity professionals in general. It is a shortage of professionals who hold a specific combination of capabilities: deep understanding of industrial control systems and operational technology, combined with substantive cybersecurity knowledge and skills.
These two knowledge domains have historically developed in entirely separate professional communities. Control system engineers learn PLC programming, process instrumentation, DCS configuration, and industrial network architecture. Cybersecurity professionals learn network security, vulnerability analysis, incident response, and threat intelligence. The Venn diagram of professionals with genuine competency in both remains small.
Meanwhile, demand has accelerated dramatically. NERC CIP compliance obligations, the proliferation of ICS-targeted threat actors, insurance underwriting requirements, and board-level scrutiny of OT risk have pushed organizations to build dedicated OT security programs that did not exist five years ago. Every one of those programs needs people who do not yet exist at scale.
Why Traditional Hiring Does Not Solve This
The instinct of most organizations facing a skills gap is to hire their way out of it. For OT security, this approach has structural limits.
Posting a job description for an "OT Security Engineer" draws from a very small pool of candidates who are genuinely qualified — and those candidates are receiving multiple competing offers. Total compensation expectations for experienced OT security professionals in energy, oil and gas, and critical infrastructure sectors reflect this scarcity. Many smaller industrial operators simply cannot compete on salary with the oil majors, utilities, and government contractors that are also hiring from the same thin pool.
Beyond compensation, there is a cultural dimension. Experienced OT security professionals have strong preferences about work environment: many prefer facility-based roles where they can develop genuine process knowledge, and are skeptical of organizations where OT security is functionally subordinated to an IT security team with no operational technology understanding.
Organizations that have built the strongest OT security programs did not primarily hire their way to capability. They built it.
Path 1: Cross-Training IT Security Professionals for OT
The most common and scalable approach is developing OT security competency from an existing IT security talent base. This requires deliberate investment in OT-specific knowledge, not just the assumption that cybersecurity skills transfer automatically.
What transfers well:
- Network traffic analysis and anomaly detection skills translate effectively. A security analyst who can read packet captures and identify anomalous behavior in TCP/IP traffic can learn to apply the same skills to Modbus, DNP3, and EtherNet/IP.
- Vulnerability assessment methodology transfers, though the tooling and constraints differ significantly.
- Incident response process and documentation skills apply broadly, though OT-specific containment considerations must be learned.
- Governance, risk, and compliance knowledge is highly transferable, especially for frameworks like IEC 62443 and NERC CIP.
What requires deliberate learning:
- Industrial process knowledge: understanding what a DCS controls, what a safety interlock does, why a PLC cannot simply be rebooted, requires immersion in the operational environment.
- OT network architecture: historians, engineering workstations, field buses, protocol gateways, and their operational roles are not intuitive to IT security professionals without structured exposure.
- Safety system awareness: the Safety Instrumented System concept — and why a security action that seems reasonable from an IT perspective could be catastrophically dangerous in a SIS context — must be explicitly taught.
- Vendor ecosystem: Siemens, Rockwell, Honeywell, Emerson, Yokogawa, ABB — the major OT vendors, their product lines, and their security features and limitations are a body of knowledge that requires study.
How to accelerate OT cross-training:
- Embed IT security staff in operations teams for rotation periods. Two to four weeks working alongside a control system engineer, observing what they do and why, builds process intuition that no amount of classroom training replaces.
- Provide structured access to OT training labs where staff can interact with PLCs, HMIs, and industrial network equipment safely.
- Assign specific vendor product training from Siemens, Rockwell, or other relevant vendors. Vendor training is often more practically relevant than generic courses.
- Pair IT security staff with experienced OT engineers as mentors, with explicit goals for OT knowledge development.
Path 2: Developing OT Engineers into Security Practitioners
The complementary approach is investing in the cybersecurity development of existing control system engineers. This path produces professionals with deep process knowledge who add security capability — often the most valuable combination for operational environments.
Control system engineers already understand what they are protecting. They know what a logic change to a specific PLC actually means for the process. They know which communications are normal, which devices should never initiate connections, and which process values should never change outside normal operating ranges. That contextual knowledge is the hardest dimension of OT security to acquire, and these professionals already have it.
The cybersecurity foundation for OT engineers:
- Network fundamentals: TCP/IP, protocols, traffic analysis. Many OT engineers have deep knowledge of industrial protocols but limited exposure to IP networking concepts.
- Threat landscape: who is targeting OT environments, how, and why. OT engineers benefit enormously from understanding the adversary perspective.
- Vulnerability concepts: what CVEs are, how to evaluate vendor advisories, what exploitability means in context.
- Security monitoring: how OT monitoring platforms work, what alerts mean, and how to investigate anomalies.
- IEC 62443: the standard framework, its zone and conduit model, and its security level concepts — providing a structured language for security conversations.
Practical mechanisms:
- Sponsor OT engineers for structured OT security training programs. ISA, SANS, and vendor-specific programs provide relevant curricula.
- Include OT engineers in cybersecurity incident exercises. Walking through tabletop scenarios builds security intuition while leveraging their process expertise.
- Create a formal OT Security Engineer role that combines operational technology ownership with security responsibilities, with a compensation structure that reflects the hybrid value.
Certification Pathways
Professional certifications provide structured learning pathways and credentialing that helps both individuals and employers evaluate OT security competency.
Global Industrial Cyber Security Professional (GICSP): Administered by GIAC, the GICSP is the most widely recognized OT-specific security certification. It covers ICS architecture, OT-specific vulnerabilities, security assessment, and incident response for industrial environments. It is appropriate for professionals coming from either an IT security or OT engineering background.
ISA/IEC 62443 Certifications: The International Society of Automation offers a structured certification program aligned with the IEC 62443 standard. The ISA99/IEC 62443 Cybersecurity Certificate Program includes role-specific certificates for practitioners, specialists, and experts. For organizations building IEC 62443-compliant security programs, these certifications provide directly applicable knowledge.
CSSA (Certified SCADA Security Architect): An advanced certification focused on SCADA security architecture and design. More appropriate for senior security architects with existing OT experience than for those beginning the OT security learning path.
SANS ICS courses (ICS410, ICS515, ICS612): SANS offers some of the most practically focused OT security training available. ICS410 provides the broadest foundation; ICS515 focuses on threat intelligence and adversary analysis for ICS; ICS612 covers advanced OT incident response. These are not certification programs in the traditional sense but are widely respected as indicators of practical training.
Partnering with Specialist Consultancies
For most organizations, building entirely internal OT security capability takes years. In the interim — and sometimes as a long-term structural choice — partnering with specialist OT security consultancies provides access to expertise that would be impractical to develop and retain in-house.
This is particularly relevant for:
- Periodic assessment work (risk assessments, penetration testing, gap analyses) that requires deep specialization but not continuous engagement
- Program development where external expertise accelerates the design and implementation of the security program
- Incident response where specialized OT forensic and response capability is needed but not justified as a full-time internal role
- Managed security services for smaller organizations where a dedicated OT SOC is not economically viable
When selecting an OT security consultancy, evaluate actual ICS expertise rather than accepting IT security firms who have added "OT" to their marketing materials. Ask specifically about the team's operational technology background, the ICS protocols they work with, the OT monitoring platforms they are experienced with, and the industrial sectors they have served. The gap between genuine OT security expertise and IT security with an OT label is significant.
Building the University Pipeline
The long-term solution to the OT security skills gap runs through universities and vocational training programs. Progressive industrial operators are beginning to invest in building the pipeline:
- Sponsoring industrial cybersecurity coursework at engineering universities
- Participating in internship programs that give engineering students exposure to OT security work
- Engaging with ISA student chapters and ICS security competitions
- Funding or co-developing curriculum at technical colleges serving industrial regions
These investments take years to produce returns, but organizations that make them now will have preferential access to the next generation of OT security professionals as programs mature.
The Organizational Design Question
Beyond individual hiring and development, effective OT security programs require organizational designs that position OT security professionals correctly. Two common failure modes:
Burying OT security inside IT security: OT security professionals reporting into an IT security organization with no operational technology representation in leadership tends to produce programs optimized for IT metrics and tools that do not work in OT environments. The IT security team often lacks the authority to coordinate with operations, and the OT security professionals are isolated from the process knowledge they need.
Siloing OT security inside operations: OT security professionals reporting entirely within the operations organization without connection to enterprise security tends to produce programs that understand the process well but lack cybersecurity rigor and are disconnected from threat intelligence, incident response infrastructure, and corporate security governance.
The organizational models that work best create explicit coordination structures between operations and security — whether that is a dedicated OT security function with reporting lines to both, a matrix model, or a hybrid team with clear responsibilities and escalation paths.
The skills gap will not close quickly. The organizations that invest deliberately in building OT security capability today — through cross-training, internal development, strategic certifications, and smart external partnerships — will be significantly better positioned than those waiting for the market to produce the talent they need.
Beacon Security supports OT security workforce development through training programs, mentorship structures, and embedded consulting that builds internal capability over time. Contact us to discuss how we can accelerate your team's OT security competency.
