Thu, Jul 31

Welcome Your New Expert Interview Series: Pascal Ackerman

As the energy sector continues to embrace digital transformation, the convergence of IT and OT environments has created new cybersecurity challenges—and few are more equipped to tackle them than the latest addition to the Energy Central Network of Experts, Pascal Ackerman. With a unique background that bridges controls engineering and cybersecurity, Pascal brings a rare blend of hands-on operational insight and advanced security expertise. Now serving as a Senior Consultant, Industrial Cybersecurity with 1898 & Co., he works across industries, helping critical infrastructure clients build resilient cybersecurity architectures tailored to the distinct demands of industrial systems. From incident response to network segmentation, Pascal is on the front lines of protecting the operational backbone of the modern energy grid.

In this interview, Pascal shares his insights on what utilities and industrial operators get wrong about OT cybersecurity, why legacy systems remain the “soft underbelly” of critical networks, and how tools like AI can be both an asset and a risk. Whether you’re a grid operator, utility cybersecurity leader, or digital transformation champion, Pascal’s perspective is a timely and valuable resource in a rapidly evolving threat landscape.

Matt Chester: Welcome to Energy Central as one of our Featured Experts! I’d love to give you a chance to have the community get to know you, so please start by introducing yourself, sharing your role in the power sector, and maybe what your key areas of interest and expertise are?

Pascal Ackerman: As a Senior Threat Detection and Response Engineer with 1898 & Co., I get the opportunity to work with a wide range of environments. My current role focuses on helping our clients develop and implement cybersecurity architectures that allow them to define, monitor, and strengthen their security posture. That means I get to work across industries—from manufacturing to the energy sector.

My background actually started in manufacturing. I began my career as a controls engineer, designing large-scale production facilities. Over time, Ethernet and networking technologies became more prevalent in these systems, and that sparked my interest in the networking side, which eventually led me to cybersecurity.

In a nutshell, I started as an OEM vendor and systems integrator, then moved through some of the larger manufacturing companies in the U.S. Over time, my focus shifted more toward cybersecurity than controls engineering, and that path led me to where I am today.

MC: Industrial cybersecurity is uniquely challenging compared to traditional IT — in your experience, what are the top misconceptions that utility and industrial operators still have about securing their OT environments?

PA: I think the biggest mistake is treating IT and OT as if they’re the same—and I say that loosely, because in some ways they are starting to overlap. In OT environments, we’re now using servers to record data and Windows-based workstations as HMIs (human-machine interfaces), so IT elements have definitely become integrated into OT systems. But that integration doesn’t mean we can manage or secure them the same way we do in traditional IT environments.

In IT, if you lose a database or a web server, it's certainly a problem you want to fix—but it’s rarely life-threatening. In contrast, in OT environments, if you lose control of a piece of equipment, the entire process can spiral out of control. That can pose a serious safety risk to people who are physically close to that machinery. So, the consequences are very different.

At the same time, since IT and OT have converged in many ways, it’s also a mistake to ignore the presence of IT systems in OT environments. That’s poor security hygiene. You need to acknowledge those systems, but manage them with an OT mindset—where availability and safety are the top priorities.

MC: You’ve led pentesting and incident response efforts globally — what is the most common weak link you see when responding to incidents in OT networks?

PA: The most common weak link I see is the initial attack vector. In OT environments, we often rely on outdated or obsolete equipment—not necessarily by choice, but because that’s the reality. A lot of the equipment in use today was purchased 10, 20, even 30 years ago, and since it still works, it remains operational. Unfortunately, all that legacy equipment creates what I call the "soft underbelly" of the OT space.

The main line of defense in these environments tends to be perimeter security. But once an adversary breaches that perimeter and gains access to the internal OT network, it's essentially game over. At that point, it’s no longer your network. There’s often no authentication on the PLCs, no verification steps—so the attacker can do whatever they want.

Perimeter defense and network segmentation are still some of the most effective ways to protect an industrial environment, but this is also where I often see major gaps. Many organizations still have one large, flat network—everything sitting on a single VLAN. Sometimes, legacy OT equipment is even connected to the internet directly, or segmentation exists but isn’t properly configured. It just takes one missed connection, and suddenly, that OT equipment shows up on tools like Shodan, which makes it an easy target.

Another common attack vector is the enterprise network. Employees still have access to email and the internet, and it only takes one phishing email with a malicious attachment to introduce malware. From there, an attacker can gain a foothold on the enterprise side and then pivot into the industrial network.

MC: What are some of the biggest concerns clients have when working with you through a live event or after a cyberattack has occurred?

PA: Rightfully so, most clients are primarily concerned about how our response efforts might impact production. Even when they’re dealing with an active cybersecurity incident, that doesn’t automatically mean we can just shut systems down. Many of these environments are incredibly sensitive—some take nearly a week to get fully up and running and fine-tuned. If anything disrupts that process, it could lead to significant downtime. That might mean cleaning up equipment, rethreading machines, rebalancing chemical or thermal conditions—getting everything back into an operational state can be a massive undertaking.

So in those situations, it’s critical that we understand and appreciate the nuances of the industrial process. We have to be strategic about where and how we intervene. For example, maybe a database is infected and ideally should be taken offline—but if the process depends on that data within the next half hour, taking it down could stop the whole operation. You need to work closely with the client to determine which parts of the system can safely be isolated or cleaned up, and do that in a controlled, deliberate way.

This really reflects the nature of most manufacturers and asset owners. Their core focus is on production—they’re good at operating a process, producing a product, or delivering a service. Cybersecurity, historically, hasn’t been a built-in part of that equation, so when an incident happens, it introduces entirely new and unfamiliar risks for them to manage.

MC: What advice would you give to a utility or industrial operator to best prepare for an inevitable incident — in terms of people, processes, and technology?

PA: The first piece of advice I always give is: know what you have in your environment. That’s the foundation of everything. Start with building and maintaining a complete, accurate asset inventory. Without that, you’re essentially flying blind.

Ideally, if you have the budget, invest in an industrial-specific asset management or detection tool—things like IDS (Intrusion Detection Systems), EDS (Event Detection Systems), or IPS (Intrusion Prevention Systems) tailored for OT environments. There are great tools out there—like those from Nozomi, Dragos, and Claroty—that not only help identify what's in your network, but also show you where the vulnerabilities and misconfigurations are.

One of the biggest challenges I see is that when people first run these tools, they uncover thousands of issues—and the question becomes: where do we even start? That’s where these platforms and supporting frameworks are helpful. They don’t just highlight the problems; they help prioritize them, showing you which ones pose the most immediate risk and should be addressed first. That kind of guidance is crucial when you’re trying to prepare for, or recover from, an incident.

MC: How do you see the role of AI and machine learning in supporting OT/ICS cybersecurity, both for defenders and for attackers?

PA: AI is absolutely a real factor in OT and ICS cybersecurity today—and it’s very much a double-edged sword. On one hand, AI and machine learning can significantly improve cybersecurity efforts by helping defenders make sense of massive amounts of data. But on the other hand, adversaries can also leverage AI to create more targeted, effective, and automated attacks.

From the defender’s side, I see AI playing a big role in analyzing large data sets—whether that's process variables, event logs, or network traffic. AI can sift through months or even years of data to identify patterns that humans might miss, such as subtle anomalies in how a process is running or signs that something in the network has been quietly exfiltrating data over time.

That said, I don’t see AI being ready—or trustworthy enough yet—to make autonomous decisions in OT environments. For example, I wouldn't be comfortable with AI deciding on its own to alter a process variable or shut down a TCP session just because it detected something unusual. We’re not at the point where AI should be given that level of control in critical infrastructure, and hopefully we won’t be for a while.

MC: What are you excited about when it comes to becoming a part of the Energy Central Community? What value do you hope to bring to your peers and what are you hoping you’ll get out from it personally?

PA: As with most of the things I share publicly, my goal is really just to give back to the community. About 10 or 15 years ago, when I first started digging deeper into cybersecurity, I was searching for resources and guidance—but there weren’t many people out there sharing their knowledge. That’s changed over time, but I really relied on those early voices in the field, and now I want to be one of those voices for others.

Joining the Energy Central Community is a great way for me to do that. I see it as a powerful platform to help amplify those messages, reach a broader audience, and connect with peers who are facing the same challenges. I’m looking forward to contributing my experience, boosting collaboration, and deepening my own involvement in the energy sector. It’s all about growing the network and raising awareness around the importance of OT cybersecurity.

________________________________________

Thanks to Pascal for joining me for this interview and providing a wealth of insights and expertise to the Energy Central Community. You can trust that Pascal will be available for you to reach out and connect and ask questions as an Energy Central member, so be sure to make him feel welcome when you see him across the platform.