The convergence of information technology and operational technology environments is no longer a future possibility - it is the current reality for most industrial organisations. Data flows from operational systems to enterprise analytics platforms. IT security teams are asked to extend their programs to cover OT assets. Vendors connect remotely to support industrial equipment. Yet despite this convergence being underway for years, many organisations still struggle with the cultural, organisational, and technical challenges it presents. The consequences of getting IT/OT convergence wrong can be severe: security incidents that impact physical operations, operational disruptions caused by well-intentioned IT security actions, or simply persistent friction that prevents both teams from doing their jobs effectively. Getting it right requires more than technology integration - it demands careful attention to culture, governance, and the fundamental differences between IT and OT operating environments.
Understanding the Cultural Divide
The cultural gap between IT and OT organisations runs deeper than most executives realise. IT teams operate in environments where systems are regularly patched and rebooted, where availability targets of 99.9% are considered excellent, and where security incidents primarily mean data breaches. OT teams operate systems that may run continuously for years without maintenance windows, where unexpected restarts can damage physical equipment or endanger personnel, and where security incidents can mean explosions, environmental releases, or loss of essential services to communities. These different operating contexts create different professional cultures. OT engineers prioritise safety and reliability above all else - they have been trained that availability matters because lives and equipment depend on it. IT professionals, while certainly caring about availability, operate in a context where confidentiality and integrity often take precedence. Neither perspective is wrong; they reflect the genuine priorities of their respective domains. Successful convergence requires acknowledging these cultural differences rather than dismissing them. IT security professionals who approach OT environments with the assumption that standard IT practices simply need enforcement will encounter resistance - and that resistance often reflects legitimate operational concerns that deserve consideration.
Establishing Governance Frameworks
Clear governance is essential for managing converged IT/OT environments. Ambiguity about responsibility creates friction and gaps. A well-designed governance framework addresses several key questions: Who owns risk decisions for systems that span IT and OT? How are changes to OT networks approved, and who needs to be consulted? What authority does the IT security team have over OT systems, and what constraints apply? RACI matrices (Responsible, Accountable, Consulted, Informed) provide a useful tool for clarifying these relationships. For OT security specifically, governance should typically position operational teams as accountable for their systems, with IT security providing expertise, tools, and oversight. This preserves the operational knowledge necessary for safe system management while bringing security capability that OT teams may lack. Joint governance bodies - security steering committees that include both IT and OT leadership - help ensure that security initiatives consider operational impacts and that operational changes consider security implications. Regular meetings between IT security and OT operations teams build relationships that make incident response and project delivery smoother. The governance framework should also address vendor management, as many OT security decisions involve third parties who maintain and support operational systems.
Technology Integration Patterns
Technology integration between IT and OT environments should follow patterns that respect the constraints of each domain. The Level 3.5 DMZ architecture discussed earlier provides a technical foundation, but implementation details matter significantly. Security tools designed for IT environments may not work well in OT contexts. Vulnerability scanners can crash industrial devices. Endpoint detection agents may interfere with real-time control processes. Patching cycles that work for business applications are incompatible with systems that cannot be taken offline. This does not mean OT environments cannot be secured - it means security controls must be adapted. Passive network monitoring provides visibility without injecting traffic into sensitive networks. Compensating controls like network segmentation reduce risk when patching is delayed. Application whitelisting prevents unauthorised software execution even when signatures cannot be updated frequently. Integration should also consider data flows. Operational data needed for enterprise analytics should be replicated to systems outside the OT network rather than giving enterprise applications direct access to operational historians. Security logs from OT environments should be forwarded to enterprise SIEM platforms for correlation and analysis, but the SIEM should not be able to initiate connections back into OT networks.
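An added example, not part of the original article: a check over flow records for the data-flow rule above, flagging any connection that an enterprise host (the SIEM included) initiates into the OT range. The address ranges, asset labels and record format are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption): one OT range, one enterprise range.
ZONES = {
    "ot": ipaddress.ip_network("10.10.0.0/16"),
    "enterprise": ipaddress.ip_network("10.30.0.0/16"),
}
# Constructed asset labels, used only to make findings readable.
ASSETS = {"10.30.5.20": "siem", "10.10.8.15": "historian"}

# Constructed flow records: "initiator responder dst_port", one per line.
SAMPLE_FLOWS = """\
10.10.8.40 10.30.5.20 6514
10.10.8.15 10.30.7.9 443
10.30.5.20 10.10.8.40 22
10.30.9.77 10.10.8.15 1433
10.30.9.77 10.30.7.9 443
"""

def zone_of(addr):
    """Return the name of the zone containing addr, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def audit_flows(text):
    """Return one finding per connection initiated from enterprise into OT."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed records
        src, dst, port = parts
        # Direction matters: OT pushing logs or data out is expected,
        # an enterprise host (SIEM included) reaching in is not.
        if zone_of(src) == "enterprise" and zone_of(dst) == "ot":
            findings.append({
                "line": lineno,
                "initiator": ASSETS.get(src, src),
                "responder": ASSETS.get(dst, dst),
                "port": int(port),
            })
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

The same check applies to firewall session logs or passive-monitoring output once they are reduced to initiator, responder and port.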
Change Management and Safety
Change management in converged environments must accommodate both IT change processes and OT safety requirements. Standard IT change advisory board processes may not include the engineering review necessary to ensure changes do not impact safety systems or production processes. Conversely, OT change processes may not adequately consider security implications of proposed changes. A unified change management approach for converged environments typically includes security review of changes affecting OT systems, engineering review of security changes that could impact operations, and clear escalation paths when security and operational requirements conflict. The principle of 'safety takes precedence' should be explicit - if a security change could create a safety hazard, the security change needs to be reconsidered rather than the safety concern overridden. Emergency change procedures deserve particular attention. Security incidents may require rapid response actions, but those actions must still consider operational impacts. The middle of responding to a ransomware attack is not the time to discover that isolating a network segment will shut down a water treatment plant. Pre-planned response procedures that have been validated with operational teams ensure that incident response can be both fast and safe.
Building Combined Capability
Long-term success in converged environments requires building security capability that spans both IT and OT domains. This can be achieved through various organisational models: dedicated OT security roles within the IT security team, embedded security resources within OT organisations, or centralised teams with deep expertise in both domains. Whatever the organisational structure, certain capabilities are essential. Someone needs to understand both industrial control systems and security - either OT engineers who develop security skills or security professionals who develop OT knowledge. Cross-training programs, professional development, and hiring strategies should all support building this combined capability. Vendor relationships also need coordination. OT systems often depend on vendor support for maintenance and security updates. IT security teams may not have visibility into these relationships or the contracts that govern them. Consolidating vendor management and ensuring security requirements are included in contracts improves the organisation's ability to manage supply chain risk across both IT and OT environments.
Conclusion
IT/OT convergence is challenging not because the technology is inherently difficult, but because it requires bringing together two professional cultures with different priorities, different constraints, and different operating contexts. Success requires investment in relationships and governance as much as technology. Organisations that take the time to understand operational constraints, establish clear governance frameworks, and build combined capability will achieve convergence that improves security without compromising operational reliability. Those that try to force IT practices onto OT environments without adaptation will face ongoing resistance and, potentially, serious incidents.