A new security environment — and what CESA means
For many years my work has been machine safety in the real world: inspections, acceptance support, retrofits, and documentation that holds up when it matters. For a long time, the split was clear: Safety was the “machine world”, Security was “IT”.
Since NIS2 (Directive (EU) 2022/2555), that split doesn’t hold in practice anymore. Operators are increasingly expected to address cyber risks in a structured way and to be able to show evidence of it. And the pressure is rising further through the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) and the EU Machinery Regulation (Regulation (EU) 2023/1230).
That’s why I completed the CESA certification:
CESA stands for Certified Expert for Security in Automation — industrial/OT security specifically for machines and automation (not office IT). It focuses on the reality of controls, networks, remote access and the operational side of security.
Why I decided to invest the effort
Security is not “a bit of IT”. It is broader and more complex than classical machine safety, because it includes attackers, access paths, networks, supply chains, processes and people — not just technical design and validation. Safety deals with random failures and foreseeable misuse; security adds an adversary who actively looks for the weakest path in.
The learning effort was significant. But it was also unavoidable.
Remote access, contractors, vendors and connected controls are normal today. That makes OT security part of safe operation. If you build, retrofit or operate machines, you can’t realistically ignore it anymore.
Why I consider this combination valuable
I have been CMSE since 2015 (Certified Machinery Safety Expert) with two re-certifications. That means I come from hands-on safety work — not from slide decks.
With CESA, I add the second half: OT security for automation. The topics that keep coming up on site: remote access, vendor connections, segmentation, operating rules, and evidence.
The key point is this: the EU Machinery Regulation pulls security into the safety world. In the CESA training material this is framed as “protection against corruption / anti-tampering” — cybersecurity with a clear focus on functional safety.
And it gets very concrete: it’s about software and data that can influence the safety of a machine. That interface is exactly where operators lose time and money today: acceptance becomes painful, audits become uncomfortable — and in the worst case, production stops.
What operators get in practical terms
In daily work I often see this gap: many organisations have someone who can do safety, or someone who can do security. What’s missing is someone who can connect both — without creating a new project mess.
With CMSE + CESA, I can deliver exactly that:
- Safety done properly: risk assessment, PL/SIL determination (ISO 13849 / IEC 62061), validation, acceptance readiness
- Security that works in operations: measures that fit real OT constraints (not a pure IT wish list)
- and, most importantly, clear rules where it hurts most:
  - remote access governed (who, when, how — approvals and traceability)
  - contractor/vendor access controlled
  - segmentation so an incident doesn’t take down everything
  - evidence you can actually show in audits and acceptance reviews
How I do it in projects
I keep it pragmatic. Most projects start with an OT Security Quick Check:
- baseline: what is connected, who has access, where are IT/OT touchpoints?
- top risks and quick wins
- a prioritised action list with clear next steps
If more is needed, we build an Evidence Pack: a zones/communication model (zones and conduits in the sense of IEC 62443), remote access rules, minimum operating processes (change/config, patch/vulnerability handling, incident basics) — plus documentation that is not only “nice”, but usable day to day.
And if a retrofit or an acceptance is already planned, that’s ideal: we add security exactly where it matters — at the safety-relevant interfaces.
My CESA certificate

Conclusion
Since NIS2, operators can’t treat OT security as optional. With CRA and the EU Machinery Regulation, this will not get easier. For me, it was the logical step to set up my work so it matches that reality.
CMSE + CESA is a very practical combination: do machine safety properly and address OT security risks where they matter most — with results and evidence that hold up in acceptance and audits.