Getting a career in OT cyber
The people who can bring Operational Technology engineering and security thinking together are about to be in very high demand
9/02/2026 Podcast
Back to Insights
Subscribe now:
Apple
Spotify
Pocket Casts
Overcast
Operational Technology cyber security used to feel like a niche corner of the industry. In 2026, it’s turning into a proper career lane with clear demand signals, mainly because regulation is forcing manufacturers and operators to get serious. In a recent conversation on You Gotta Hack That, cybersecurity engineer Anjan walked through his route into OT cyber, what the job actually looks like day-to-day, and why the next couple of years will shape a lot of careers.
Start where the feedback loop is fastest
Anjan didn’t start in OT. He started with the classic hacker learning loop: vulnerability disclosure programmes and bug bounties. Find a weakness, write it up properly, get validation, repeat. That cycle teaches you the fundamentals faster than a lot of “read-only” learning because you are forced to think like a tester and communicate like a professional. In his case it led to Hall of Fame entries, vouchers, and a growing catalogue of real-world findings across dozens of organisations.
If you’re trying to break into cyber, this is still one of the cleanest paths because it proves capability without requiring a hiring manager to take a leap of faith. The key is learning the difference between “I can break it” and “I can explain how to fix it”.
The OT transition happened during his masters, specifically through an IoT-focused module and a dissertation on an autonomous car project. In IT, you are often attacking software services and identity boundaries. In OT and cyber physical systems, the software is connected to real-world consequence, and constraints are everywhere.
Regulations are changing OT cyber jobs
On the manufacturing side, Anjan’s world is full of product ranges and deadlines. He called out the “elephants in the room”, legislation and requirements like the Cyber Resilience Act, and the Radio Equipment Directive. He felt positive that the world has moved from accepting that the regulations exist to now working out the “how” for achieving them.
A recurring theme was the lack of harmonised standards and the ambiguity in proving to leadership teams that a particular approach is the right approach. You can point at regulations and standards, but someone still needs to make judgement calls and be able to defend them.
Compliance is not security, and OT makes that painfully obvious
Anjan was brutally honest about security being treated as “just another” compliance exercise. The problem is that OT environments punish that mindset because the gap between “compliant” and “resilient” can be enormous.
In OT, implementation constraints are as non-negotiable as the laws of physics. Even within something as specific as actuators, the security profile tends to be implementation-specific. Some products can support controls like firewalls, some cannot. In any case, you still need protective controls that deliver an acceptable risk posture.
Transcript
Felix (00:00.846)
Hello, I’m Felix and welcome to You Gotta Hack That. This is the podcast all about the security behind the Internet of Things and operational technology. In this episode, I’m joined by Anjan, a cybersecurity engineer. He gets to do lots of fun stuff around operational technology for one of the manufacturers here in the UK, both at the technical end of things and the compliance end of things. This should be an interesting conversation. Anjan, tell me more about you.
Anjan
My interest lies towards the hacking side of things, but at the moment we’ve got more than 1,000 product ranges and cybersecurity regulations are really ramping up. We’ve got the big elephants in the room, which include the Cyber Resilience Act, the Machinery Regulation, the Radio Equipment Directive, we’ve got very, very hard deadlines, which is December 2027. Just making sure that we are aligned with what we are doing and securing the world.
Felix
Interesting. I have lots of conversations with people who are going, yeah, we’re kind of doing all of this regulatory stuff and kind of hoping to make things better in the future, but actually it’s not progressing very quickly. It sounds like if you guys are actually taking it head first, then that’s impressive, I guess. More than five days in advance of it being finished.
Anjan
Right. Yeah, I think you’re right. I’ve heard a lot of experts talking about upcoming regulations and then there’s a lot of uncertainty. People are not sure what’s going on, how to do it, what the requirements are, just juggling here and there what needs to be done. There are no harmonised standards. There is no exact sentence which says, you know, this is what you need to do. So it’s a difficult journey, but we all have to meet it. We don’t have any choice. It’s very strict requirements and we all knew that it was going to come up sometime. So here we are.
Felix (01:52.706)
Yeah. Are you finding that process easy to deal with at the moment? Is there any gotchas that you weren’t expecting in any of this new legislation?
Anjan
Very good question. It’s more about proving it to a senior leadership team. The reason why I say that is because it’s hard to justify what you are doing at the moment because you haven’t got full, proven guidelines that need to be followed. So you have just got standards and you’ve just got regulations and then you need to decide what you need to do. If I say that this is the pathway on which I have to walk, my leadership team will ask me why I want to walk on that path. So it’s a bit hard to justify. It’s a bit subjective. I feel like in whole cybersecurity it’s a bit subjective. You’ve got different routes which are trying to meet up at the same point, but you’ve got to choose very wisely what is for you.
Felix
I found over the years that most of the kind of senior leadership people are more than up for having these sorts of conversations. But because it’s a bit of a nebulous topic until the bad stuff happens, people kind of don’t really know what to make of it. And if they’re also quite a senior person in a company, they don’t have that much time to spend on learning the subject to then be able to make those informed decisions. It’s a really difficult challenge to be in.
Anjan (03:27.214)
I mean, your audience, whoever is working as a manager or someone might hate me for saying this, but I think security is treated as a compliance exercise, not as a to do exercise. So people are like, okay, we pass this audit and we are secure. No, you’re not secure. You just did a compliance exercise. That doesn’t mean you’re cyber secure.
Felix
Yeah, I think a lot of people that are listening, and lots of people I’ve met, will shudder because it shouldn’t be. No one wants it to be. But everybody knows that a lot of places just do it as the tick, move on quick. And that’s just how life is in many ways. There’s a lot to do in the world. But equally, it’s not what we want, is it? No. So how did you get into your career? Why did you choose this as your-
Anjan
Ooh, wow, okay, very interesting question. When I started this journey, I was seeing a lot of emails and posts on LinkedIn and then on my Reddit account and everywhere. People were just saying that, you know, we have found this vulnerability on this particular website through vulnerability disclosure programmes, bug bounty programmes, and we have earned this much money and then it’s just going well. It’s just freelancing, people are following. And I was like, okay. I want to learn this, I want to know more about it. So I tried following a lot of people and then found that there are good guidelines, steps that can be followed. So that’s how I started my journey in cybersecurity. I did my bachelor’s in computer science and I wasn’t sure what security is all about. It’s a long time ago when I started it all, but I found a lot of websites having a vulnerability disclosure programme and I was very keen to participate in it.
Anjan (05:13.038)
Got my name on a Hall of Fame. Got some Amazon gift card vouchers, swag from a lot of companies. That’s how I started. If I tell you the numbers, I think I’ve got 100 plus vulnerabilities on 50 plus companies. And I was like, okay. This is what I want to do and I’m really at the good side of computer science, I would say.
Felix
That’s a really cool way to get started in this. Do you have any favourite vulnerabilities that you discovered when you were at those really early stages?
Anjan
I think the most common one was HTML injection. It’s basically you just try various input fields to enter HTML code and then see whether you can enter some malicious code. So that was my personal favourite one because it was very easy. You just need to have the same malicious command and then keep on entering it at a lot of places on the website. A bit easier and very, very fancy.
Felix (06:28.846)
Yeah, I think that’s a cracking way of getting into the industry. So you clearly did a fair amount of what I would class as web application penetration testing type activities earlier on. I think you’ve transitioned somehow from IT to OT. What was that like?
Anjan
Yeah, so this transition happened during my masters. During my masters we had a course specifically for Internet of Things. Through that I came to know that we have got a lot of connected products and people are actually exploring this field. And I got a chance to work on my dissertation with one of my favourite professors on an autonomous car. So we got a chance to work on it. We tried looking for how we can connect my IT experience to this OT world, new ways of attacking things. So there were a couple of new methodologies people were looking into and then we tried exploring those. During that time, I also got a chance to work with a small company, a start-up company in Birmingham. So we worked together and then we collaborated and tried to hack that autonomous car. So it intrigued me to understand how the IT world is connected with the OT world and how I can mix up my experience of penetration testing to this OT world.
Felix
Okay. That sounds like a really good transition, and working with autonomous vehicles is going to be interesting is an understatement really in many ways because they are such complex beasts of a machine. If you’re really simplistic about it, there’s hundreds of computers running any normal non-autonomous car, let alone an autonomous one. So it’s interesting.
Anjan (08:22.422)
Absolutely. Without going into a lot of detail, I was able to take over the account of one of the cars. So it was really interesting. And then you just got a chance to see what’s going on inside the application and how that application is connected to a real-world car, and how you can hack that. So very interesting bit.
Felix
Very cool. You’ve talked a little bit about your OT current role, but you’ve talked about the compliance side of things. How does the technical side of things balance with that? It’s not a task that lots of people would envy in terms of trying to be both of those different disciplines. Lots of people think of them completely separate, but how is that working for you?
Anjan
I think I’m not a coding person. During my bachelor’s, I realised, okay, I don’t want to do this. I don’t like coding. I don’t know why, but I feel like we have got a lot of experience and skill set already in the world that knows coding way better. You cannot come up with something new, that’s what I feel. Maybe there is another way to look at it, but I feel like if you want to do something new or unique, you have to take a step forward than looking at the coding side of things. So my technical background is not very, very strong, I’ll say. I like following things. I know of coding standards. I know how to code, but it feels like we have got artificial intelligence. We have got lots of tools to write code for us. So this time and this generation asks us to take a step ahead and think of more possible ways to code smartly and look for better solutions. That’s what I feel.
Felix (10:07.446)
I’m as guilty as the next person for having imposter syndrome and that kind of stuff every now and then. But it sounds like you are downplaying your coding skills and your technical background because, I mean, just simply having that number of reported vulnerabilities means you must have more technical skills than you’re giving yourself credit for. But that aside, I can also totally respect the fact that some people just don’t want to do that life. Really, really early on in my coding career, I found myself dreaming in code and it wasn’t so much dreaming about code, it was dreaming as if I was the execution, the runtime of the code that I’d written. It was really peculiar. And so if you’re doing that much of it, sometimes you just get into a bit of a strange place and that’s fine for a bit. But not for everybody.
Anjan
Yeah, yeah, that’s what I feel. I mean, I know a lot of engineers, they are very happy doing coding and that’s good for them. But I feel like if you want to do something unique and stand out in thousands of engineers in that crowd and you just want to do something new, you have to look at different bits and then try and join that big jigsaw puzzle with coding standards, coding skills, but something new, maybe artificial intelligence or whatever, maybe cybersecurity in general, but yeah, you need to do that. That’s what I feel.
Felix
So I would guess things like ladder logic and other kind of slightly archaic feeling technologies, which is generally speaking still around in the operational technology space, that’s definitely not appealing. The way you’re talking is like, well, let’s try and do something new, forward facing and so on. So yeah, fair enough.
Felix (11:46.976)
In 2026, the You Gotta Hack That team has two training courses. On March the 2nd, we start this year’s PCB and Electronics Reverse Engineering course. We get hands-on with an embedded device and expose all of its hardware secrets, covering topics like defeating defensive PCB design, chip-to-chip communications, chip-off attacks, and the reverse engineering process. On June the 8th, we launch the Unusual Radio Frequency Penetration Testing course. We dig into practical RF skills so that you can take a target signal and perform attacks against it in a safe and useful way. Both courses are a week long. They are a deep dive, they’re nerdy, and we provide everything you need other than your enthusiasm. As the Unusual RF Penetration Testing course is brand new, you can be one of our beta testers and get £1,000 off. There’s more information available on our website at yougottahackthat.com/courses, and we recommend booking straight away as we have to limit the spaces to ensure the best learning experience. But for now, let’s get back to today’s topic. What sort of operational technology kit do you tend to deal with? Is it just one product? Is it a couple? Is it different sorts of things?
Anjan (12:55.282)
My experience is basically on actuator sites. So the actuator is controlling the flow of water, power, chemicals, and all the liquid state, whatever you see. So just think about big industries controlling the flow of water or power. That’s basically done by the actuator. That’s what we manufacture. My security knowledge is more focused towards that area. And we’ve got a good range of products in there. And they are now digitally connected. Of course, it’s a very high-end product and we have to look at the security to make sure that whatever we are serving to our customers is secure enough and no one can hack that.
Felix
Do you find that different types of actuators have different security profiles? Is it implementation specific or is it actuator specific or a bit of both?
Anjan
I think it’s more about implementation specific. So actuator in general won’t change, but implementation of security will change. So in some sort of actuators, on some sort of product, you can have firewalls, for example, but in some of the products, you just cannot implement a firewall. You need to have some sort of other security controls. So I think it’s the same for actuators. You’ve got different strategies of implementation, but the process security remains the same, high level.
Felix (14:28.824)
People would suggest that maybe actuators in themselves might have different security profiles depending on what they are actuating. But maybe that’s also not the case because how complex can they be and when is it a good idea to not have authentication or what have you. Don’t get me started on operational technology and authentication. I would love to hear your favourite moments from the security point of view of some of the work you’ve done or some of the stuff you’ve observed over your career so far. Like how good have you seen things get and how bad have you seen things get?
Anjan
Starting with good, I mean, I have seen security considered at an early stage, which is a really good thing. I still remember the time when I joined my company, I’ve got people talking about security, what we have to do for this, what we have to do next. So people are actually concerned. People know that we need to consider security at early stage, by design. So that is a really good thing. I feel like it’s really important to have in your organisation that you need to have security by design instead of implementing security, especially at the end or somewhere in the corner. That’s not how it works. It’s good to have a risk-based approach. And I think that’s what we are following as well. I’m following it. I’m not sure about others. Whenever you are looking at security, it’s important to have a risk-based approach. So you can see what assets you have and then prioritise where security is required and how much security is required. And I have seen this growing throughout my entire security journey, that people are actually thinking about a risk-based approach rather than locking themselves into the room and then just screaming security, security. That doesn’t work. I guess you need to have a proper strategy and start with risk-based approach rather than just implementing security everywhere. Doesn’t help every time.
Felix (16:31.874)
The whole black magic approach doesn’t actually work, you know, there’s no amount of cauldrons and spells that you can do that make anything better really, is there? We met at a conference a couple of years ago and I’ve not had loads of contact with you since but in that two year-ish period of time, how much has changed do you think in the OT world?
Anjan (16:58.318)
I think if I remember correctly, by that time we didn’t have any security regulations. So I still remember that conference was, for me, more focused on what are people doing actually in terms of security. And now the question has changed from what to how, which is a big transition change in two years of time. People know what needs to be done, but people don’t know how it needs to be done. That’s an important bit. People have started realising that security is a journey. It’s not a state. Security must be continuous. You cannot just have security at some point in time.
Felix
It’s a cheesy statement, but it’s absolutely true, isn’t it? It’s not a final thing. It’s not like an objective. It’s not the pinnacle of Everest or something. You can’t just get there and be done. Exactly. It’s a continuous thing.
Anjan
Yeah, so these are the things I felt like in two years have changed a lot.
Felix
Is there anything that’s disappointed you or is not good, you know, things that have got worse?
Anjan (18:07.512)
Security has been treated as a compliance exercise, which I don’t like really, being a cybersecurity engineer. People have this thing in mind that we won’t be able to sell our products after 2027 because of the Cyber Resilience Act or upcoming cybersecurity regulations. But for that, it has become a checkbox tick exercise, which I am not liking so far. I’m a bit disappointed. Though I can still understand which part they are coming from in terms of business, but it needs to be treated a bit better. It deserves better, I guess.
Felix
It’s interesting because I get to straddle both the OT world and the IoT world. And the IoT world is in a, I guess, not too dissimilar a state in that there’s starting to be some strong regulation and laws that actually make it mandatory to do certain things. And some of those same conversations about being able to sell products overseas or simply not selling them in the UK or whatever, they are still happening. But what I’ve also spotted is that there’s a slight shift in narrative from the more established companies. They’re the kind of the ones that you want to buy things from because they are talking about it in terms of longevity and they’re not talking about the classic armadillo model and just kind of hope that the insides are okay. They’re talking about it from a defence in depth. They’re talking about software bill of materials. They’re talking about vulnerability disclosure. There’s all sorts of other bits that are going to this and it’s kind of maturing. And that feels really weird to me because I’ve been in IT security and OT and so on for so long. When I first started out in my career, what I saw was the Wild West. What we’ve now got is kind of an IoT world, an OT world to a similar sort of extent, that is still a bit Wild West as far as the tech is concerned. But we’ve suddenly got these really mature concepts coming in at the same time. It’s sort of a bit disconnected somehow.
Anjan (20:12.11)
Yeah, yeah, I think you’re right. You’re right. You and I have noted this bit. People are now thinking more about how we can sell this functionality as a requirement and make sure that we check the box from that list of requirements and then we sell it, just in terms of business. But that’s just one part of it. It doesn’t help you to reach where you want to reach.
Felix
That’s true. Increasingly now when we’re doing operational technology or IoT penetration tests of any description, what we’re finding is customers are swapping. They’re going away from the we’re not telling anybody about this, we’re going to keep this quiet and keep it secret, to no, we’re going to tell everybody about this because yes, it’s not perfect, but nothing is, and we can say we’ve done it, nobody else has. It’s suddenly become like a thing in this space. It’s a little bit like it happened, I don’t know, a decade or more ago in standard IT. I remember thinking at the time, why are we hiding this? And now we’re having the same experience again, but in this space and embedded systems deserve it, it’s all the same, right? But it’s hard.
Anjan
It’s hard. Yeah, it’s hard.
Felix (21:23.564)
What’s next for your immediate objectives with work? What are the things that are coming up that you’re needing to deal with? Apart from the end of 2027 regulations stuff, what’s happening now?
Anjan
For myself, I see myself more towards managing security projects. So I’ll say I really want to experience how to manage projects in terms of security, how you can have security knowledge, and then how you can have product knowledge, and then how you can combine both. So I just want to explore it. I don’t know how exactly it will go, or maybe it’s just not for me, but I just want to. My child inside me says, you know, you should do it sometime. I don’t know if people know about it or not, but we’ve got a globally recognised international standard 62443 for the OT world. So I’ve already done two of the courses for it, basically risk assessment specialist and then fundamental specialist.
Felix
Yeah, yeah, that sounds good.
Anjan (22:34.284)
So I’m looking forward this year to get an expert badge on my shoulder for 62443 experts. That’s what I’m aiming for. Hopefully by mid of this year, I’ll be able to get that badge.
Felix
Excellent, good luck and congratulations on your progress so far. That’s really cool. Thank you. I’ve had to deal with quite a lot of 62443 subjects. We had a couple episodes not that long ago about it as well. And yeah, it’s a big old topic. It almost feels like four exams isn’t really enough to cover it. But equally, how do you do it any differently? It’s interesting. I guess, Anjan, this is your opportunity to bring up, is there anything you want to share with the world?
Anjan
People who haven’t started looking at security, they should really consider it in terms of what they want to do. If your organisation doesn’t have any security engineers, it’s a good time to hire them. It’s a good time to think about it. It’s a good time to start working, do your risk assessment, come up with what are the assets in your company which are of higher impact and you have to bring them down. You need to have a proper risk assessment. So do that, do some paperwork, do implementation work, hire engineers, hire security engineers. As I said, it’s not a state, it’s a continuous journey. So if you haven’t started the journey, it’s a good time to start and give it a go.
Felix (24:10.414)
It sounds like great advice to me. I’m very much enjoying that. I think that sounds like a good way of starting things. And yeah, and once you’ve started this process, kind of, it either works and it becomes a mandatory part of just how your business operates or you don’t and stuff happens, presumably bad stuff. So yes, thank you very much Anjan for coming to join us today.
Anjan
Thank you for having me.
Felix
Very welcome. I think we’ve had a very good conversation about what does this actually look like from a career perspective, if nothing else. That’s been one of my highlights, is going through that transition and explaining it to people as it can feel like a mystical thing that is impossible to get into. Well, actually, it’s not quite that bad, is it?
Anjan
Yeah, you’re right.
Felix
Thank you everyone for listening today. I hope you have enjoyed the show. Your reviews are really important to us, so if you haven’t already, please do give us a five-star rating and recommend us to all of your friends. Obviously, I want you to subscribe too to get all of the next episodes. If you have any questions about the cybersecurity of any embedded system, why don’t you get in touch? You never know. We could answer it for everyone to hear. You can e-mail us and you can get us on helpme@yg.ht.
Felix (25:28.36)
You can find us on X and Bluesky, or by searching for us on LinkedIn with YouGottaHackThat