Did your consultant approach only at high level? How about my control system?
Does a Vulnerability Scanning tool that the consultant run really reveal something? Wonder how they did?
Why can't they explain it at a control system context? Why is always so generic?
Experience in IT consulting is one thing, but understanding what is important in control system would take years of working with it
The AD server within your control system network vs your OPC server, which will earn more priority?
Koennen could provide you an inside view in to you control system, understand and mapping your work flow along the process flow with your control component, assess and prioritize them accordingly in our assessment report.
When deliver the report Koennen then could explain the assessment result to your control system flavor and bridge to the IT system for more practical and achievable security improvement.