Cybersecurity in Industry: Security of OT and Cyber-Physical Systems
Q&A with Professor Paolo Trucco

The module Cybersecurity in Industry – Security of OT and Cyber-Physical Systems explores how cybersecurity and industrial safety performance are deeply connected. In this Q&A, Professor Paolo Trucco explains why protecting safety-critical and mission-critical systems is essential as automation and digitalisation transform modern industry.

Q1. Can you give us an overview of the module?

The focus is on cybersecurity in connection with industrial safety performance. While the course applies to all industrial processes, it particularly addresses safety-critical and mission-critical systems where cybersecurity can significantly influence expected safety outcomes.

These systems often involve hazardous energy, chemicals, industrial infrastructure or essential services—where failures can impact employees, citizens, the environment and society. Traditionally designed with multiple layers of defence, these defences are increasingly automated and connected.

In cyber-physical systems, remote control and digital automation mean that cyber threats targeting sensors, communication lines or control software can directly affect safety and incident response capabilities.

This connection between cybersecurity and industrial safety is therefore crucial, not only in safety-critical industries but also in mission-critical systems such as Energy, Transport, Telecommunications, or Healthcare—where cyberattacks can have major societal and economic impacts.

Q2. Why is the convergence of IT and OT so important, and what challenges does it introduce?

Cybersecurity and safety objectives must be aligned when designing and operating industrial systems. In IT, the primary security concern is confidentiality, while in OT environments the priorities are availability and integrity—because interruptions can cause instability or unsafe conditions.

The evolution of systems also differs. IT systems can be patched or updated frequently, but OT systems operate on long life cycles—sometimes more than 40 years. You cannot stop a refinery or a power plant every day to upgrade hardware.

There are cultural differences too. Cybersecurity is well established in IT, but still emerging among industrial safety engineers and risk managers. Yet the two domains are deeply interdependent, and cannot be managed separately.

Alignment of cybersecurity and safety performance must span the entire lifecycle—from design to construction, operation and decommissioning.

Q3. What real-world systems or sectors will students explore?

The module focuses mainly on safety-critical and mission-critical systems. While relevant for all manufacturing sectors, it is especially important in:

• Process industries
• Energy systems
• Transport infrastructure
• Healthcare
• Finance and essential services

Students will analyse real cases, conduct risk assessments, and engage with industry testimonials—for example from large gas network companies or major European banks—bringing real-life challenges directly into the classroom.

Q4. What can students expect from the interactive elements like flipped classrooms and hacking labs?

One experiential tool is an online business game focused on business continuity planning. Students will conduct business impact analyses and design continuity plans for a cyberattack affecting a manufacturing company and essential service providers such as logistics and energy.

Through the flipped classroom approach, students receive materials in advance and engage in a guided, discussion-based classroom session. Professor Trucco facilitates the dialogue, helping students connect theoretical foundations with practical scenarios.

Q5. What can students learn from analysing cases like Stuxnet and Triton?

Learning from past cyber incidents is essential. The Triton malware is particularly significant as the first attack designed to compromise an industrial safety control system. Unlike espionage-focused malware, Triton aimed to create unsafe conditions that could lead to accidents.

By manipulating sensor data or triggering false alarms, attackers could force dangerous operations or unnecessary emergency actions. Triton demonstrates how cyber threats can translate directly into physical consequences.

Q6. How does the module prepare students to identify, model and mitigate risks in cyber-physical environments?

Students learn to perform complete risk analyses—from threat and hazard identification through to evaluation and mitigation planning. They learn tools and methods that integrate cybersecurity and safety requirements, applying them first to simple examples and later to realistic industrial systems.

Q7. Why is it important for cybersecurity experts to understand regulations like the NIS 2 Directive and the Cyber Resilience Act?

Regulations directly shape system design, operation and governance. Cyber-physical risk management involves many actors—regulators, technology providers, integrators and operators. Professionals must understand how regulatory layers interact with technical and organisational layers.

As regulations evolve, inconsistencies may emerge—and these can themselves become risk factors. Understanding the regulatory landscape is therefore essential for safe and secure system management.

Q8. What unique skills or perspectives will students gain?

Students develop a strong systemic mindset—understanding interactions between physical, cyber and organisational layers. They explore cybersecurity issues in safety-critical domains such as:

• Energy
• Transport
• Water systems
• Finance
• Healthcare
• Telecommunications
• Space systems

They also learn how to select and apply the right risk analysis tools, including through interactive assignments, business games, and a major final project.

Final projects may include assessing adoption of technologies such as quantum cryptography or remote surgical robotics, or analysing a real accident using the methods learned.

Ultimately, students gain the conceptual foundation to frame complex cyber-physical problems—because in this field, good problem framing is as important as problem solving.