Mattias Pilroth
Principal OT Security Architect
Security failures in industrial environments carry physical consequences, not merely informational ones. Architecture that cannot survive production reality does not reduce risk. It creates the illusion of it.
I design OT security architecture for high-consequence industrial environments. My work focuses on trust boundaries, identity structures, and network segmentation patterns that remain durable under operational pressure, long system lifecycles, and distributed organizational accountability.
Context
My background runs from field automation engineering and EPCM project delivery in oil and gas and petrochemicals, through six years of operational responsibility at a SEVESO-classified PVC production facility. I currently drive enterprise OT security architecture across 14 chemical manufacturing sites in 8 European countries.
I arrived at security architecture through operations. That origin shapes how I evaluate what holds under operational pressure and what does not.
Analysis
Structural analysis of how OT security architecture behaves under operational reality, why the industry’s dominant investment logic is miscalibrated against the conditions that produce actual disruption, and what a consequence-driven alternative requires.
The Structural Resilience Series
Long-lifecycle industrial environments produce specific structural conditions (constrained change authority, validated system models, operational decay) that determine whether security measures hold under production reality. These papers examine those conditions, the failure modes they produce, and why the industry’s dominant approach to OT security investment is miscalibrated against both.
OT environments look frozen from the outside. From inside the fence, the behavior follows directly from how these systems were funded, validated, and operated. Understanding why requires mapping the constraints, because security strategies that ignore them will be overridden by them.
OT systems do not hold their commissioning state. They drift silently, without producing signals that demand correction. The ownership gaps, decayed recovery paths, and eroded diagnosability that accumulate over a system's operational life are not visible until a disruption arrives that the environment can no longer absorb. Security controls placed on that foundation inherit it.
OT security programs are calibrated to demonstrate coverage rather than to address the conditions under which these environments actually fail. The frameworks driving program design were built for environments with different failure cost structures, different change tolerances, and different threat populations. The assume-everywhere posture those frameworks impose has no stopping point derived from consequence and cannot distinguish between the threat populations producing disruption and those that are not. Investment is directed toward depth against adversaries that are not materializing while boundary failures and operational decay accumulate unaddressed.