Skip to main content

IT security and resilience for critical infrastructures

Strategic consulting on zero-trust architectures, regulatory compliance (NIS2/DORA) and incident response.

From consulting practice

Why consulting clients approach me

A brief overview of the most common engagement types. Concrete contents remain confidential – described is only the activity.

Start an enquiry
01

Architecture reviews for Active Directory

Assessment of hardening, replication and privileged access – often ahead of audits, KRITIS reviews or a planned vendor change.

02

Support for hardening programmes

Roadmaps, prioritisation and ongoing reviews for NIS2, DORA, KRITIS-V2 and zero trust implementations.

03

CISO sparring on current threat landscapes

Discussion and evaluation of current threats – edge hardware risks, ransomware strategies, AI-assisted defence.

04

Forensic support and lessons learned

Architecture analysis after security incidents, deriving lessons learned and building a hardened follow-up architecture.

05

OT and ICS security for industrial infrastructures

IT-OT segmentation per Purdue model and IEC 62443, Active Directory in production networks, asset registers, microsegmentation and secure integration of control systems.

Threat landscape 2025

Cyber resilience becomes an insurance requirement

€202.4 bn

Annual cyber damage for the German economy

Bitkom Wirtschaftsschutz 2025
> 33 %

Share of companies hit by ransomware in twelve months

Bitkom 2025
15 %

Share of affected companies that paid ransom

Bitkom 2025

What this means for companies

The threat landscape forces a resilience strategy beyond classical backup concepts. Cyber insurers now require proof of non-manipulable backup states as a condition for coverage. Storage-level immutability becomes mandatory and replaces application-side solutions.

Deep dive in the article: SBOM: from regulatory constraint to cornerstone of software security

My consulting approach

In security and critical-infrastructure projects I cover three topics individually: resilience strategy instead of pure recovery planning, storage-level immutability instead of scattered point measures, and an architecture that holds up to regulators, insurers and auditors. Every organisation receives its own maturity assessment based on the existing infrastructure.

OT and industrial security

Securing operational technology and production networks

IT and OT systems are merging. In 2024 nearly 70 percent of industrial companies recorded an attack on their OT systems, a quarter had to halt operations. Control systems built for decades of service meet a threat landscape that did not exist when they were designed.

I advise on the questions that decide the security of these environments: IT-OT segmentation along the Purdue model and IEC 62443, the role of Active Directory in production networks, complete asset registers, microsegmentation down to device level and the secure integration of serial-to-IP converters and edge bridges.

Level 5 · Enterprise IT
Level 4 · Site business and logistics
Industrial DMZ · controlled boundary
Level 3 · Operations management (MES)
Level 2 · Supervisory control (SCADA)
Level 1 · Control (PLC, RTU)
Level 0 · Field devices, sensors
IT-OT segmentation along the Purdue model
ComputerWeekly·May 21, 2026

Why OT endpoints are becoming a security risk

Resilience at the storage level

Ransomware also targets the backup

Modern ransomware campaigns hit production systems and backups alike, often compromising the backup first. Protection at the network edge and in backup software no longer suffices. The defence moves to where the data lives.

I advise on immutability at the API level via Object Lock in compliance mode, end-to-end encryption, versioning and recovery. Even a compromised backup admin cannot lift the lock. Cyber insurers increasingly require this configuration as a precondition for the policy.

Storage protected against ransomware through Object Lock, encryption, access control, recovery and immutability
Object Lock, encryption, access control, recovery and immutability keep ransomware away from the last line of defence.
Object storage as a single platform for backup, archive, cyber resilience and AI workloads across on-premise and cloud
One platform connects backup, archive, cyber resilience and AI workloads, secured, immutable, scalable and consistent.

Zero-trust architectures

Design and implementation of current security architectures following the "Never trust, always verify" principle.

  • Identity-based microsegmentation
  • Continuous authentication & authorization
  • Endpoint security & device posture

NIS2 & DORA

Development of compliance roadmaps to meet the new EU directives for cybersecurity and digital operational resilience.

KRITIS hardening

Specialised security concepts for operators of critical infrastructure (energy, healthcare, financial sector).

Incident response

Structured post-incident analysis, forensic support and safe recovery planning after cyberattacks.

Digital sovereignty

Architecture consulting to preserve data sovereignty and independence in cloud and hybrid environments.

Classic perimeter

Internal network
UserResource

Once inside the network, you are trusted. After a breach, an attacker moves freely.

Trust by location

Zero Trust

UserResource

Every access is verified, regardless of location. Identity, device and context decide each connection.

Verification on every access
LinkedIn Learning

Security trainings

Build internal know-how. My training courses prepare your IT team to detect and counter current threats.

View security trainings

Praxisnahe Techniken zur Analyse von Netzwerkverkehr und Identifikation von Sicherheitslücken.

Härtung und Absicherung Ihres Windows Server 2022 Systems gegen aktuelle Cyberbedrohungen.

Experience & references

  • Security assessments for KRITIS operators, including energy providers, banks and Katharinenhospital Stuttgart
  • Post-incident analysis and forensic support after complex cyberattacks, including in corporate environments
  • Strategic consulting for state ministries and authorities at ministerial level

„After our last audit it was clear that we needed to significantly catch up on hardening our Active Directory infrastructure. With Thomas Joos we made measurable progress in a KRITIS-compliant manner. Above all, the methodical approach and the documentation level convinced our compliance team."

CISO · Energy provider, Southern Germany

Articles

  • Regular articles in security-insider.de, Heise, iX, c't
  • Security whitepapers for Microsoft and HPE
  • Analyses on Cyber Resilience Act & EU AI Act

„Your articles are among the most-read on the entire site. First of all, I would like to praise you for your Patch-Tuesday reports. The 39 articles I have published from you this year have together generated an enormous number of page impressions. That is an outstanding result, for which I give you great praise and thanks."

Peter Schmitz · Editor-in-Chief, Security-Insider

„Peter Schmitz, Editor-in-Chief at Security-Insider, likes the texts – no changes needed. Thanks for handling it so quickly."

PR agency · Assignment published at Security-Insider
„I read the Security-Insider news regularly. The Patch-Tuesday summary is informative, alarming and reassuring at the same time. The information is correct and important, and the summary is simply brilliant."
Security Research · Deutsche Telekom
Expertise in practice

In-depth technical articles

For every focus area I provide in-depth expertise instead of buzzwords. The articles show what I work on in projects and which requirements enterprises must clarify now.

My latest articles on IT security

Security-Insider

OPNsense Multi-WAN mit Failover und Policy Routing einrichten

Mehrere Internetanschlüsse erhöhen die Ausfallsicherheit einer Firewall deutlich. OPNsense bündelt dafür mehrere WAN-Schnittstellen in Gateway-Gruppen und steuert den Datenverkehr über Policy Routing. Die vollständige Konfiguration gelingt in fünf aufeinand…

Read article

Gogs-Lücke gibt jedem Konto RCE-Rechte auf dem Server

Eine kritische Lücke in der selbst gehosteten Git-Plattform Gogs gibt jedem angemeldeten Konto Rechte zur Remote Code Execution auf dem Server. Ein öffentlich verfügbares Metasploit-Modul automatisiert den Angriff in Se­kun­den. Ver­si­on 0.14.3 behebt die …

Read article

Datenleck-Opfer warten bis zu 45 Tage auf Benachrichtigung

Trotz Datenschutzregeln vergeht zwischen der Kenntnis eines Datendieb­stahls und der Benachrichtigung der betroffenen Personen immer mehr Zeit. Jüngste Vorfälle zeigen Verzögerungen von über sechs Wochen, obwohl die gestohlenen Daten längst öffentlich kursi…

Read article

Technical publications

I have written texts and analyses on NIS2, CRA, KRITIS, digital forensics and cybersecurity. See my publications.

View all