<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=7847562&amp;fmt=gif">
Back to News & Insights

 

For decades, the security model for operational technology was built on separation. OT ran the plant, the grid, the tunnel, the pump station, the railway asset or the industrial process. IT ran the business. The two worlds had different priorities, different vendors, different cultures and different risk models. That separation is now largely a legacy assumption.

The idea that OT can remain isolated from IT is no longer a strategy, it is nostalgia. Critical infrastructure operators still need segmentation, controlled pathways and strict operational safeguards, but the old model of “keep OT apart and therefore keep OT safe” no longer matches operational reality.

OT and IT are already converging. The business case is too strong. The regulatory pressure is too high. The operational dependency is too visible. The attack surface is already shared. The only serious question left is this: will organisations govern the convergence, or will they discover it during an incident?

Why separation became the default

OT environments were built for availability, safety and process integrity. Many systems were designed to run for decades. Downtime was unacceptable. Change windows were limited. Patching was risky. Vendor support was specialised. In many environments, even a minor software change could require testing, certification and operational sign-off.

IT evolved differently. IT systems were built around data, users, applications, networks and business processes. Change was continuous. Security models developed around identity, endpoints, cloud, logging, patching, access control and policy enforcement.

For a long time, keeping these worlds apart made sense. OT did not need the internet. Engineers could access systems locally. Physical keys, local credentials and vendor laptops were managed through operational procedures. Risk was contained through distance, obscurity and process discipline.

That model worked in a world where assets were local, maintenance was local and operational data stayed inside the plant, but that world is gone.

The operational reasons OT is connecting to IT

OT is not connecting to IT because security teams want it. OT is connecting because the business now depends on it. Critical infrastructure operators need remote diagnostics, predictive maintenance, centralised asset management, contractor access, compliance reporting, incident response, data analytics, digital twins, mobile field operations and automated work orders. None of that works at scale when OT is treated as a sealed-off island.

The pressure is especially visible in distributed infrastructure: energy substations, telecom sites, water assets, rail cabinets, tunnels, bridges, pumping stations, traffic systems, data centres and industrial field locations. These environments often contain thousands of physical assets spread across large geographies. Manual access processes do not scale. Paper-based authorisation does not scale. Static keys do not scale. Local-only administration does not scale.

The operational model has changed from “protect a site” to “govern a distributed ecosystem.”

That ecosystem includes employees, contractors, vendors, managed service providers, emergency responders, engineers, IAM platforms, ticketing systems, OT management systems, electronic locking systems, mobile devices and cloud-based analytics. Pretending this can remain outside IT governance is a governance failure.

The security reason separation is failing

The strongest argument for OT and IT separation has always been security. Ironically, that is now one of the strongest arguments for controlled integration.

Attackers do not respect organisational charts. They move through identities, suppliers, remote access paths, unmanaged endpoints, shared credentials, VPNs, forgotten service accounts and poorly governed exceptions. They do not care whether a system is labelled IT, OT, facilities, security, engineering or asset management.

In many incidents, the attack does not start inside the OT controller. It starts with identity compromise, phishing, stolen credentials, supplier access, remote maintenance tools or weak governance around who is allowed to access what. OT security cannot be solved only inside OT. It needs identity governance, lifecycle management, least privilege, approval workflows, logging, evidence, revocation and continuous assurance. These are IT governance capabilities.

The OT environment may still require special controls, but the governance layer cannot remain disconnected.

Air gaps are no longer a control strategy

Air gaps still exist in specific high-security environments, but as a general model they are increasingly unreliable. Many supposed air-gapped environments have hidden connections: vendor laptops, USB transfers, engineering workstations, temporary modems, remote support links, cloud dashboards, shared credentials or maintenance jump hosts.

An undocumented connection is worse than a documented one. A documented connection can be governed, monitored and controlled. An undocumented connection becomes an unmanaged risk. This is where many organisations get it wrong. They confuse network separation with operational control. Segmentation is essential, but segmentation without identity, process and auditability is incomplete.

The modern objective is not blind connectivity, it's governed connectivity.

Regulation is forcing the issue

NIS2, CER and national critical infrastructure legislation are pushing operators toward demonstrable resilience, not theoretical separation. Regulators increasingly expect organisations to understand their critical assets, manage suppliers, control access, prove incident readiness and demonstrate that cyber and physical resilience are governed together.

That matters because OT is where cyber risk becomes physical risk. A compromised enterprise account may become an unauthorised field visit. A weak supplier process may become access to a substation. A lost key may become a safety incident. A delayed revocation may become an operational exposure.

The compliance question is no longer: “Is OT separate from IT?” The real compliance questions are:

  • Who has access?

  • Who approved it?

  • Was the access still justified?

  • Was it revoked on time?

  • Can we prove it?

  • Does the access match the role, the task, the location and the risk?

  • Can we detect misuse?

  • Can we respond without stopping the operation?

These questions cannot be answered by OT isolation alone.

The cultural barrier is real

The hardest part of IT-OT convergence is not technology. It is ownership. OT teams often distrust IT because IT change can threaten availability. IT teams often misunderstand OT because they underestimate safety, uptime and legacy constraints. Security teams often push controls that work well in enterprise IT but create operational risk in industrial environments. That tension is real. It should not be dismissed.

The answer is not to let IT take over OT. The answer is also not to let OT remain outside enterprise governance. That has already failed in many organisations. The answer is a joint operating model.

OT must retain authority over safety, process integrity and operational continuity. IT and security must provide governance capabilities that OT can use without breaking operations. Identity, access, logging, policy enforcement and compliance evidence must be adapted to OT realities, not copy-pasted from office IT.

What controlled convergence looks like

A mature IT-OT model does not mean putting every OT asset directly on the corporate network. Controlled convergence means:

  • Identity becomes the control plane.

  • Access is based on role, task, location, time and operational need.

  • Remote access is brokered, logged and limited.

  • Physical access and logical access are governed together.

  • Contractor access expires automatically.

  • Emergency access is possible, but visible and auditable.

  • OT systems remain segmented, but not ungoverned.

  • Exceptions are tracked, approved and reviewed.

  • Critical actions require stronger assurance.

  • Evidence is generated by design, not reconstructed after the fact.

This is not an IT takeover. It is governance catching up with operational reality.

Physical access is the missing link

Many organisations focus on network access but forget physical access. That is a strategic blind spot. In critical infrastructure, physical access is often the final control point. A person at the cabinet, door, rack, transformer house, valve station or control room can create real operational impact. Yet physical keys and electronic key systems are often managed outside enterprise identity governance. That gap creates risk:

  • An employee leaves, but the physical access profile is not revoked immediately.

  • A contractor changes project, but still holds site access.

  • A lost key is reported late.

  • An emergency exception is granted but never reviewed.

  • A supplier account is disabled in IAM, but the field access remains active.

This is exactly where IT and OT governance must converge. Physical access should not be treated as a facilities process. It is part of the cyber-physical control environment.

The new architecture: segmented OT, governed access

The future model is not flat integration. It is not open connectivity. It is not “connect everything to the cloud and hope for the best.” The future model is segmented OT with governed access.

That means OT networks remain protected through zones, conduits, firewalls, jump hosts, monitoring and operational approval. At the same time, access decisions are connected to enterprise identity governance, HR status, contractor lifecycle, work orders, ticketing, risk level and compliance requirements.

In that model, IT does not control the process. OT does not escape governance. Both operate in one accountable framework. That is the model critical infrastructure needs.

The board-level implication

For boards and executive teams, the message is: IT-OT convergence is not a technical trend. It is an enterprise risk & compliance issue.

If OT depends on suppliers, cloud analytics, remote support, electronic locks, mobile field operations or identity-driven workflows, then OT is already part of the digital enterprise. The governance model must reflect that. The board should ask five direct questions:

  1. Do we know which IT identities can influence OT operations?

  2. Do we know which people have physical access to critical OT assets?

  3. Can we revoke logical and physical access immediately when a person or contractor changes role?

  4. Can we prove access decisions during an audit or incident investigation?

  5. Do OT, IT, security and facilities operate from one governance model, or from separate spreadsheets?

If the answer is unclear, the organisation has a governance gap.

Conclusion: separation is not the strategy. Control is.

OT cannot stay separated from IT because the business, the threat landscape and the regulatory environment have already moved on. The goal is not to connect OT blindly. The goal is to govern the connections that already exist and the connections that operations increasingly require. Critical infrastructure does not need less integration. It needs better-controlled integration.

That means identity-driven access. Segmented architecture. Strong supplier governance. Physical and logical access alignment. Continuous evidence. Fast revocation. Operationally safe enforcement. The old world was built on separation. The new world must be built on control.