Securing control room technology in the IT-OT convergence

By Timo Kosig, Product Security Officer at Barco Control Rooms

In critical infrastructure, control rooms stand at a unique crossroads. They represent the intersection where traditional Operational Technology (OT) meets modern Information Technology (IT); two worlds with fundamentally different approaches to security, innovation, and change. As Product Security Officer for Barco Control Rooms, I witness firsthand the challenges and opportunities this convergence creates, particularly when it comes to securing solutions like Barco CTRL in increasingly complex environments.

One of the most fascinating aspects of working in control room security is navigating the cultural divide between IT and OT environments. IT departments are typically progressive, embracing new technologies and rapid deployment cycles. They're accustomed to frequent updates, cloud solutions, and agile development practices. OT environments, however, operate on entirely different principles.

Our customers in the control room space are inherently conservative – and for good reason. When you're responsible for managing power grids, transportation networks, or security systems that protect lives and critical infrastructure, stability trumps innovation every time. The "if it ain't broke, don't fix it" mentality represents prudence born from the reality that downtime can have catastrophic consequences.

This conservatism creates a unique challenge when implementing modern security practices. Making these systems fully secure in today's threat landscape requires significant effort, patience, and a deep understanding of operational priorities. Simply deploying the latest security technology is not enough. The real challenge is to do this in a way that respects the operational imperatives of critical infrastructure.

What differentiates Barco's approach to product security is our commitment to dedicated personnel at every level. In the Control Rooms division, we don't treat security as an afterthought or a compliance checkbox. We have product security engineers, product security architects, and security champions embedded in every development team. This emphasizes Barco’s philosophy that security must be woven into the fabric of everything we create.

As part of the second line of defense in Barco's three-tier security model, my role has evolved significantly over the years. Initially, I was deeply embedded in the technical details of our products. Today, my focus has broadened to encompass strategic oversight across New Product Introduction (NPI) tracks, coordinating penetration testing, and ensuring that security considerations align with broader company strategy.

More than a destination, security is an ongoing journey that requires constant attention and coordination. Every week, I lead meetings with our security champions, ensuring that security considerations are actively discussed and implemented across all development teams. These are operational sessions where we evaluate vulnerabilities, define remediation approaches, and ensure that fixes align with both immediate needs and long-term security roadmaps.

This rhythm extends beyond internal coordination. I'm regularly involved in discussions with partners and customers, addressing complex security questions that go beyond standard sales and presales conversations. These interactions provide invaluable insights into real-world security challenges and help shape our product development priorities.

The regulatory environment for critical infrastructure is becoming increasingly complex, and upcoming legislation will significantly impact how we approach product security. The EU Cyber Resilience Act, coming into effect in December 2027, will fundamentally change requirements for software-enabled products. Similarly, NIS2 affects Barco as an organization, creating new compliance obligations that must be integrated into our operational framework. 

Working with our product management teams, I help navigate these regulatory requirements while ensuring they translate into practical security enhancements rather than mere compliance exercises. This involves contributing to product security roadmaps, supporting certification processes, and ensuring that regulatory compliance enhances rather than hinders our security posture.

Perhaps the most critical aspect of control room security is recognizing that behind every technical solution are human operators making split-second decisions that can impact thousands of lives. Security measures that impede operational efficiency or create user friction can actually decrease overall security by encouraging workarounds or shortcuts.

This is why our approach to penetration testing and vulnerability assessment goes beyond technical validation. We evaluate not just whether systems can be compromised, but how security measures impact operational workflows. The goal is to create solutions that are both secure and operationally excellent, systems that operators can trust and use effectively under pressure.

As we continue to develop and enhance Barco CTRL and other control room solutions, our security philosophy remains constant: security should enable operations, not constrain them. This means building robust, Zero Trust architectures that operate transparently in the background, providing protection without creating operational friction.

And Barco CTRL is not the only product that gets the royal treatment when it comes to cybersecurity. Our displays and image processors are carefully designed to fit into secure systems as well, making sure the complete chain is resilient. 

The convergence of IT and OT worlds isn't slowing down. If anything, it's accelerating. Our role is to ensure that as control rooms become more connected and technologically sophisticated, they also become more secure. This requires not just technical expertise, but cultural sensitivity to the unique needs and constraints of critical infrastructure operators.

More than protecting data or preventing breaches, security in control rooms is about safeguarding the systems that keep our lights on, our transportation networks running, and our communities safe. That's a responsibility I don't take lightly, and it drives every decision we make in securing the future of critical operations.