, ,

Industrial cyber resilience needs more than a memorandum

Siemens and NCC Group are combining industrial and security expertise.

Industrial cyber resilience needs more than a memorandum
Summary
  • Siemens and NCC Group have agreed to collaborate on UK industrial and critical-infrastructure cybersecurity.
  • Their combined offer could connect automation knowledge with security assessment and incident response.
  • Delivery will need named services, customers, clear responsibility, and measurable outcomes.

Siemens and NCC Group have agreed to combine industrial automation expertise with cybersecurity services for UK critical infrastructure, although the memorandum must develop into defined offers and customer deployments before it represents a measurable increase in resilience.

Siemens and NCC Group will focus on operational technology used across industry, energy, defence, and other physical infrastructure as corporate systems become more closely connected with industrial controls.

Siemens brings knowledge of automation equipment, control systems, and industrial environments, while NCC Group provides security assessment, consulting, incident response, and resilience services. The companies have signed a memorandum of understanding rather than announced a customer contract, deployment, or product.

Their joint update describes an end-to-end approach but does not set out commercial packages, delivery teams, contractual accountability, implementation dates, or performance measures.

Factory systems cannot be treated like office IT

Operational technology controls physical processes across power generation, manufacturing lines, buildings, water treatment, transport, and industrial safety. A security intervention that would be routine on an office network may be unacceptable when a reboot stops production, interrupts an essential service, or changes the behaviour of physical equipment.

Many industrial estates also contain machinery designed to run for decades. Systems can use unsupported software, proprietary protocols, specialist maintenance arrangements, and limited monitoring, while replacing every vulnerable component at once is rarely financially or operationally realistic.

Security programmes consequently have to combine technical risk with process safety, maintenance schedules, production economics, and regulatory duties. Asset discovery, network segmentation, controlled remote access, supplier oversight, incident exercises, and compensating measures may offer more practical protection than a generic patching target applied across every device.

The Siemens and NCC Group combination has a credible rationale because one company understands the equipment while the other specialises in adversarial testing and response. Working together could narrow the gap between security advice and the engineering constraints that determine whether a recommendation can be implemented safely.

Joint delivery can blur accountability

Partnerships also create ambiguity when roles have not been defined. Asset owners need to know who assesses the risk, who designs the remediation, who supports the equipment, who responds during an incident, and how disagreements between safety, production, and security teams will be resolved.

Commercial incentives require scrutiny as well. An equipment supplier may favour upgrades or replacement, while a security consultancy may recommend more monitoring and advisory work. Customers need independent governance capable of separating necessary protection from measures driven mainly by the partners’ existing portfolios.

Supply relationships will be central because industrial organisations rely on integrators, maintenance contractors, equipment vendors, software suppliers, and remote support. A well-managed factory or utility can still be exposed through a contractor’s credentials, an unmanaged connection, or a vulnerable component embedded within a larger machine.

The UK’s developing cyber-resilience regime is increasing pressure on operators and suppliers to demonstrate how they manage those dependencies. Companies outside the direct scope of critical-infrastructure rules may still face stronger contractual requirements from customers covering assurance, access, incident reporting, and recovery.

The partnership can become useful if it produces repeatable assessments, practical remediation programmes, exercises involving both IT and operational teams, and evidence that risk has been reduced without compromising availability. Published case studies and independently measurable outcomes will carry more weight than another general warning about industrial threats.

Skills development could provide an additional contribution because the UK has too few people who understand both cybersecurity and industrial control. Joint laboratories, apprenticeships, and realistic exercises would strengthen capability beyond the immediate consulting engagement.

The memorandum establishes a plausible combination of expertise, but resilience begins when an operator can identify a protected asset, a tested recovery process, and a failure mode that can be managed more safely than before.