
Chemical Engineering


Cybersecurity Implications of IT and OT Convergence

| By Art Ehuan, Duke University, and Gurdeep Kaur, DigitalX Force

As the “Industry 4.0” revolution progresses, the convergence of IT systems with OT systems presents significant security risks. Presented here are strategies to bridge the divide between the two areas and secure plant operations.

The convergence of information technology (IT) and operational technology (OT) is a seismic shift that has been transforming industries and society worldwide. While it promises unprecedented efficiencies, enhanced capabilities and cost savings, it also presents significant cybersecurity challenges for governments and corporations. IT-OT convergence blurs the boundaries between systems designed for completely different purposes and uses. IT systems traditionally focus on data processing, storage, communication and so on [1]. OT systems are responsible for monitoring and controlling the industrial processes that society needs to function. Examples include production of clean drinking water, gasoline and other vehicle fuels, electricity for homes/businesses, drugs, health safety products and many others [2]. This convergence brings a new dimension to cybersecurity risks, impacting critical infrastructure that is a cornerstone of what society needs to function (Figure 1).

FIGURE 1. Amid an evolving landscape of threats, the convergence of IT and OT systems gives rise to a host of new cybersecurity challenges

A leading cybersecurity company, Palo Alto Networks (PAN; Santa Clara, Calif.; www.paloaltonetworks.com), in their 2024 State of OT Security report [3], states that “7 out of 10 industrial OT attacks originate in Informational Technology (IT) environments, signaling an urgent need for OT and IT departments and technologies to start working more closely together.”

Critical infrastructure has been identified by the U.S. Cybersecurity and Infrastructure Security Agency (CISA; Washington, D.C.; www.cisa.gov) as comprising sixteen sectors. These sectors are (1) Chemical (Figure 2); (2) Communications; (3) Commercial Facilities; (4) Critical Manufacturing; (5) Dams; (6) Defense Industrial Base; (7) Energy; (8) Emergency Services; (9) Financial Services; (10) Food and Agriculture; (11) Government Services and Facilities; (12) Healthcare and Public Health; (13) Information Technology; (14) Nuclear Reactors, Materials & Waste; (15) Transportation Systems; (16) Water and Wastewater Systems [4]. Cyberthreats and attacks against these sectors continue to have a significant impact on people, businesses and society in general.

FIGURE 2. Chemical facilities are among the CISA-designated critical infrastructure sites that have been targeted by cyber threat actors [6]

This article explores the cybersecurity implications of IT-OT convergence, the challenges organizations face, and the strategies that can be developed and implemented to secure this evolving landscape. The recently departed director of CISA, Jen Easterly, told Wired magazine that “Everybody should assume that our adversaries, in particular China, are attempting to go after our critical infrastructure. The private sector, they are on the front lines of this fight, because they own and operate the vast majority of our critical infrastructure. It’s why companies need to put collaboration over self-preservation”[5].

IT-OT convergence benefits

The fusion of IT and OT systems is driven by the Fourth Industrial Revolution (“Industry 4.0”), characterized by innovations like the internet of things (IoT), artificial intelligence (AI), and big-data analytics [7]. IT-OT integration enables organizations to gain real-time insights into operations, improve decision-making and optimize performance.

In the manufacturing sector, sensors in OT systems collect data on machine performance, which are then analyzed by IT systems to predict maintenance needs and minimize downtime. In the energy sector, smart grids leverage IT-OT integration to optimize energy distribution and manage renewable energy sources efficiently. In the chemical sector, IT-OT convergence can provide real-time data on equipment conditions, empowering companies to proactively identify and mitigate potential safety hazards.

These advancements, if correctly implemented, enhance productivity and also reduce costs and environmental impacts for organizations. For these reasons and more, IT-OT convergence can be a business enabler that will provide for more efficient business operations.

Unfortunately, as IT and OT networks become more interconnected, the cyber threat landscape will continue to grow in complexity, and every new connection between the two domains adds to the organization’s risk exposure. Despite this, there are actions that organizations can take to reduce the threat, through a combination of people, processes and technology.

Proliferating attack surface

Historically, OT systems were isolated from IT networks, relying on a concept known as “air-gap” for security. Air-gap refers to the physical isolation of systems and was commonly used to protect sensitive OT systems from the less sensitive IT infrastructure. Because an air-gapped OT environment has no network connection to the IT environment, threats that enter through IT have no direct path into it [8]. IT-OT convergence dismantles this isolation, exposing OT systems to the vulnerabilities inherent in IT networks. As a result, the attack surface available to cyber threat actors targeting OT systems has increased significantly.

Even an air-gapped environment does not mean that an OT network is completely protected from threat actors. The Stuxnet malware, discovered in 2010, is a well-known example of how air-gapped networks can be compromised. In that attack, malware was used to damage the Islamic Republic of Iran’s uranium enrichment program by causing uranium centrifuges to destroy themselves. Stuxnet was originally introduced into the air-gapped OT environment via a USB drive that carried the malicious code. Once installed, it replicated itself across Windows hosts until it reached the engineering software used to program the programmable logic controllers (PLCs) that managed the centrifuges. The malware then altered the centrifuges’ rotational speeds, without the knowledge of the plant operators and while reporting normal values to them, until the centrifuges failed [9].

PAN, in their 2024 State of OT report, surveyed close to 2,000 respondents across the globe and noted that “more than 76% of respondents stated that their organizations had experienced a cyberattack in their OT environment”[10].

Factors that can contribute to the expanding attack surface for possible cybersecurity attacks on OT networks include, but are not limited to, the following:

Legacy systems. Many OT systems are decades old and were not designed with cybersecurity requirements in mind. In some cases, the company that built the OT system no longer exists, so no updates or technical support are available. In addition, legacy systems and the industrial protocols they speak often lack encryption, authentication and other basic security features, so any host that can reach a controller on the network can typically read from and write to it.

IoT (internet of things) proliferation. The widespread adoption of IoT devices introduces numerous endpoints that can be exploited by attackers. IoT devices, by their very nature, are designed to be connected to the Internet. Many IoT devices have weak or non-existent security protocols. These devices provide threat actors with additional items that can be compromised if not managed and configured for security.

Remote access. IT-OT integration often requires remote access for monitoring and management, which can become a gateway for cyberattacks if not properly secured. Remote access is consistently reported as one of the top initial-access methods used by threat actors. A leading cybersecurity firm, Crowdstrike (Austin, Texas; www.crowdstrike.com), stated in its 2024 Threat Hunting Report that adversary use of remote monitoring and management (RMM) tools increased 70% between its July 2022–June 2023 and July 2023–June 2024 observation periods [11]. Because RMM tools are legitimate, signed software, their abuse blends in with normal administration; the practical control is to approve a single remote-access path into the OT environment and alert on any other RMM tool seen running there.

Third-party supply chain risks. Threat actors can attempt to compromise IT/OT environments by implanting malware in hardware components or by introducing malicious code into software updates. Vendors and contractors with access to IT and OT systems can also introduce vulnerabilities, intentionally or unintentionally. The compromise of the SolarWinds Orion application, in which a nation-state threat actor gained access to the vendor’s environment in 2019 and remained hidden for many months before the intrusion was disclosed in December 2020, shows how skillful such actors can be. The threat actor used this time to modify the Orion software, introducing a backdoor into a legitimate software update that could be exploited at a time chosen by the attacker [12].

In April 2021, the DarkSide threat actor group targeted Brenntag, a German chemical distribution company, with a ransomware attack that impacted Brenntag’s North America division. Brenntag reportedly paid $4.4 million in Bitcoin to the attacker [13] (Figure 3).

FIGURE 3. The chemical distribution company Brenntag was targeted by a ransomware attack in 2021

IT-OT cybersecurity challenges

The challenges of maintaining security over integrated IT-OT systems are described below.

Lack of effective governance and oversight. A gap in understanding the capabilities of, and the risk from, IT and, even more importantly, OT makes it difficult for leaders such as the board of directors and “C-suite” executives (CEO, COO, CRO and so on) to provide governance and oversight of these technologies. The evolving nature of the technology challenges leaders’ ability to address risk if they lack an appropriate understanding of its security implications.

Differing priorities and cultures. IT systems prioritize data confidentiality, integrity and availability, often referred to as the CIA triad [14]. OT systems, on the other hand, put safety, reliability and uptime first. These differing priorities can and often do lead to conflicting approaches to cybersecurity. For example, patching a vulnerability in an OT system might require downtime, which may be unacceptable outside a planned maintenance window in environments like power plants or hospitals.

Lack of network visibility. The integration of IT and OT networks presents cybersecurity challenges due to a lack of visibility across the entire system (Figure 4). Security teams often struggle to identify all devices, connections and potential vulnerabilities, complicating the effort to monitor and secure the network effectively. Vulnerability scanning is a basic security practice that is commonly carried out in the IT environment to identify vulnerabilities that a threat actor could exploit, but security teams are often unable to run active scans in the OT environment because probing fragile controllers can crash them or disrupt the process. Passive monitoring of network traffic, which builds an asset inventory from what the devices already send, is the usual substitute.

FIGURE 4. Lack of network visibility is a significant challenge for plants with large IT-OT networks

Sophisticated cyber threats. Cyberattacks targeting IT-OT environments are becoming increasingly sophisticated. State-sponsored groups and cybercriminals have developed advanced techniques to exploit vulnerabilities in critical infrastructure. Ransomware attacks on industrial control systems (ICS), for instance, can disrupt production and cause significant financial losses. CISA, the U.S. Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) reported in September 2024 that Russian General Staff Main Intelligence Directorate (GRU) threat actors are actively targeting U.S. and global critical infrastructure [15].

Compliance and regulatory environment. The regulatory landscape for IT and OT cybersecurity is complex, and varies across industries and regions. Organizations must navigate an array of voluntary standards and regulatory frameworks — such as the U.S. National Institute of Standards and Technology (NIST; Gaithersburg, Md.; www.nist.gov) Cybersecurity Framework and its Guide to Operational Technology Security (NIST SP 800-82), the International Electrotechnical Commission (IEC; Geneva, Switzerland; www.iec.ch) ISA/IEC 62443 series of standards, the CISA Chemical Facility Anti-Terrorism Standards (CFATS) and their Risk-Based Performance Standards (RBPS) [16] and others — to ensure compliance. CISA’s statutory authority for CFATS lapsed in July 2023 when Congress did not extend it, so CISA currently cannot enforce the program. Uncertainty over which standard to follow can hinder the development and implementation of effective security strategies. While some of these standards are voluntary for the corporate sector, government regulators expect organizations to adopt and implement them.

Shortage of IT-OT workforce expertise. The convergence of IT and OT requires a unique blend of skills from both domains. However, there is a shortage of professionals with expertise in securing IT-OT environments. This talent gap exacerbates the challenges of protecting converged systems. Currently, there is only one U.S. university that provides an undergraduate degree in industrial security [17]. A different university recently introduced an Industrial Security for Leaders certificate that will provide executives with the information they need to provide informed risk-management decisions in OT [18]. More must be done in collaboration with governments to train and educate operators of IT-OT environments and the leaders of these organizations.

Impacts of reported breaches

Recent high-profile cyber incidents illustrate the consequences of IT-OT convergence vulnerabilities, as described in the following examples:

1. Muleshoe water facility attack (2024). Attackers were able to gain unauthorized access to industrial equipment, leading to the overflow of a tank and forcing the facility to switch to manual operations to prevent any further impact [19].

2. Clorox ransomware attack (2023). Clorox experienced a massive cyberattack in August 2023 that disrupted its operations and supply chain. The threat actors gained access to the company’s network via a social engineering attack that targeted a third-party IT help-desk vendor [20].

3. Colonial Pipeline ransomware attack (2021). A ransomware attack on the IT systems of Colonial Pipeline, a major U.S. fuel pipeline operator, forced the company to shut down OT operations as a precaution. This led to fuel shortages across the East Coast and highlighted the cascading effects of IT-OT cyberattacks on critical infrastructure [21].

4. Triton malware attack (2017). Triton, also known as TRISIS, targeted the Schneider Electric Triconex controllers of a Middle East-based petrochemical plant’s safety instrumented system (SIS), the layer of protection that shuts a process down before it reaches a dangerous state. By compromising that part of the OT environment, attackers could have caused physical damage or even loss of life [22].

5. Ukraine power grid attack (2015). In the first publicly reported successful cyberattack on a power grid, Russian nation-state threat actors gained access to the supervisory control and data acquisition (SCADA) systems of regional electricity distribution companies in Ukraine and cut power to roughly 230,000 customers [23].

Securing IT-OT environments

The following strategies represent best practices for securing IT and OT environments.

Strong governance and oversight. An organization’s board of directors and leadership team should have a clear comprehension of cybersecurity risk in both IT and OT environments. Governance and oversight are paramount in establishing the vision and direction the organization will follow in securing its IT and OT infrastructure. Equally important, leaders need to recognize the differences between these disparate yet convergent technologies so that they can be effective in their mission.

Adopt a “zero-trust” architecture. Zero trust is a cybersecurity approach that assumes no user, device or network is inherently trustworthy. Implementing Zero Trust principles in IT-OT environments involves the following [24]:

Network segmentation. Separating IT and OT networks to limit the impact of breaches, typically with an industrial DMZ between the enterprise network and the control network so that no traffic passes directly from one to the other. Critical OT systems must not be directly connected to the Internet.

Identity and access management (IAM). Enforcing strict authentication and authorization for all users and devices.

Continuous monitoring. Using tools like Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) to detect and respond to threats in real time.
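The visibility problem described earlier (active scanning is often too risky in OT) and the continuous-monitoring principle above can be combined: traffic copied from a switch mirror port is parsed passively, which both inventories the controllers and detects state-changing commands from hosts that should never issue them. The following is an added example written for this article, not code from the authors or from any vendor. It parses Modbus/TCP, the most common unauthenticated industrial protocol, using the published MBAP header layout; the IP addresses, the allowlist of engineering workstations and the captured frames are all constructed for the demonstration.

```python
"""Passive Modbus/TCP monitoring for an IT-OT network.

Added example for this article, not code from the authors or from any vendor.
It parses Modbus/TCP request frames seen on a mirror port, builds an asset
inventory without sending a single probe to the controllers, and raises an
alert when a host outside an assumed allowlist of engineering workstations
issues a function code that writes to a PLC. All addresses and frames below
are constructed for the demonstration.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MODBUS_PORT = 502

# Modbus function codes that change controller state (coils/registers).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}

# Assumed policy (hypothetical address): only these hosts may write to PLCs.
ENGINEERING_WORKSTATIONS = {"10.20.1.10"}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    pdu_data: bytes


def parse_request(src: str, dst: str, data: bytes) -> Optional[ModbusRequest]:
    """Parse the MBAP header (7 bytes) plus the function code.

    MBAP layout: transaction id (2), protocol id (2, always 0), length (2,
    counts the unit id plus the PDU), unit id (1). Returns None for frames
    that are not well-formed Modbus/TCP so that unrelated traffic on the
    mirror port is ignored rather than mis-inventoried.
    """
    if len(data) < 8:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", data[:7])
    if proto != 0 or length != len(data) - 6:
        return None
    return ModbusRequest(src, dst, tid, unit, data[7], data[8:])


def build_request(tid: int, unit: int, function: int, body: bytes) -> bytes:
    """Encode a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = bytes([function]) + body
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def analyze(flows: List[Tuple[str, str, int, bytes]]):
    """Return (inventory, alerts) for (src, dst, dst_port, payload) tuples."""
    inventory: Dict[str, dict] = {}
    alerts: List[dict] = []
    for src, dst, dport, payload in flows:
        if dport != MODBUS_PORT:
            continue
        req = parse_request(src, dst, payload)
        if req is None:
            continue
        entry = inventory.setdefault(dst, {"units": set(), "functions": set(), "clients": set()})
        entry["units"].add(req.unit_id)
        entry["functions"].add(req.function)
        entry["clients"].add(src)
        if req.function in WRITE_FUNCTIONS and src not in ENGINEERING_WORKSTATIONS:
            alerts.append({
                "src": src,
                "dst": dst,
                "unit_id": req.unit_id,
                "function": WRITE_FUNCTIONS[req.function],
                "reason": "write request from host outside the engineering allowlist",
            })
    return inventory, alerts


# Constructed sample traffic: an HMI polling a PLC, an engineering workstation
# making an authorized change, a corporate IT host attempting a write, and a
# non-Modbus frame that happens to hit port 502.
PLC = "10.20.5.7"
SAMPLE_FLOWS = [
    ("10.20.1.20", PLC, MODBUS_PORT, build_request(1, 1, 0x03, struct.pack("!HH", 0, 10))),     # read holding registers
    ("10.20.1.10", PLC, MODBUS_PORT, build_request(2, 1, 0x06, struct.pack("!HH", 40, 1500))),  # authorized setpoint write
    ("10.1.50.33", PLC, MODBUS_PORT, build_request(3, 1, 0x10, struct.pack("!HHBH", 40, 1, 2, 9000))),  # unauthorized write
    ("10.1.50.33", PLC, MODBUS_PORT, b"GET / HTTP/1.1\r\n"),                                    # not Modbus: ignored
]


def run_demo():
    return analyze(SAMPLE_FLOWS)


if __name__ == "__main__":
    inventory, alerts = run_demo()
    for plc, info in inventory.items():
        print(f"{plc}: units={sorted(info['units'])} clients={sorted(info['clients'])}")
    for alert in alerts:
        print("ALERT", alert)
```

In production the flow tuples would come from a capture library on a SPAN port rather than from the constructed list; the point of the design is that nothing here ever transmits to a controller, and that the allowlist check is on the *function code* rather than on the connection, so an HMI that is allowed to poll a PLC still raises an alert the moment it starts writing.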

Comprehensive risk assessments. Organizations should perform regular risk assessments to identify vulnerabilities in their IT-OT environments. These assessments should include the following elements:

Legacy systems. It should be anticipated that in any environment — both IT and OT — there will be legacy systems that are no longer supported by the manufacturer. These unsupported legacy systems provide a risk exposure that should be understood and mitigated.

Entry points. IoT devices [25] such as smart meters and medical devices (for example, heart monitors), as well as third-party connections, should be inventoried, securely configured and monitored.

Incident response plan. It is commonly understood by security professionals that regardless of the robustness of a cybersecurity program, a dedicated threat actor with sufficient resources will eventually access the protected environment. An incident response plan that is continually updated and tested through tabletop exercises (TTX) leaves the organization best equipped to respond to and mitigate the impact of the inevitable breach. Incident response plans should be tailored to the unique requirements of IT-OT environments. These plans must address the following:

• Coordination between IT and OT teams within an organization

• Restoration of both IT and OT systems following an attack

• Communication with stakeholders, including regulatory authorities and the public

Workforce development. Bridging the talent gap requires investment in training programs and certifications focused on IT-OT cybersecurity. Cross-training IT and OT professionals can help build a workforce capable of addressing the challenges of convergence.

Leverage industry standards and frameworks. Organizations should adopt established cybersecurity standards and frameworks to guide their security strategies. IEC 62443, for example, provides specific guidance for securing industrial automation and control systems [26].
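IEC 62443 expresses segmentation in terms of zones (groups of assets with common security requirements) and conduits (the permitted communication paths between zones), and the network-segmentation principle above is the same idea in practice. The following is an added example written for this article, not the authors’ code and not anything the standard prescribes: it checks an exported firewall ruleset against a zone plan modelled on the Purdue levels (enterprise, industrial DMZ, control) and reports every allow rule that opens a conduit the architecture does not permit. The address ranges, zone names and rules are constructed for the demonstration.

```python
"""Audit a firewall ruleset against an IEC 62443-style zone-and-conduit policy.

Added example for this article; not the authors' code, and IEC 62443 does not
prescribe any tooling. Zones follow the Purdue model: enterprise (IT), an
industrial DMZ, and the control network. The only permitted conduits are
enterprise<->DMZ and DMZ<->control, so an allow rule that crosses directly
from the enterprise network or the Internet into the control zone is a
finding. Address ranges and rules are constructed for the demonstration.
"""
import ipaddress
from typing import Dict, List

# Hypothetical zone plan (RFC 1918 ranges chosen arbitrarily).
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "enterprise": [ipaddress.ip_network("10.1.0.0/16")],
    "dmz": [ipaddress.ip_network("10.20.3.0/24")],
    "control": [ipaddress.ip_network("10.20.5.0/24"), ipaddress.ip_network("10.20.1.0/24")],
}
UNTRUSTED = "untrusted"  # anything not inside a defined zone, including 0.0.0.0/0

# Conduits the architecture permits, as (source zone, destination zone).
ALLOWED_CONDUITS = {
    ("enterprise", "dmz"),
    ("dmz", "enterprise"),
    ("dmz", "control"),
    ("control", "dmz"),
    ("control", "control"),
}


def zone_of(cidr: str) -> str:
    """Map a CIDR to the zone that fully contains it.

    A range that spans several zones, or lies outside all of them, is
    classified as untrusted; that is the conservative result for an audit.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    for name, ranges in ZONES.items():
        if any(net.subnet_of(r) for r in ranges):
            return name
    return UNTRUSTED


def audit(rules: List[dict]) -> List[dict]:
    """Return one finding per allow rule that violates the conduit policy.

    Each rule is {"id", "action", "src", "dst", "proto", "port"}; "any" for
    src/dst means 0.0.0.0/0 and "any" for port means all ports.
    """
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src_zone = zone_of("0.0.0.0/0" if rule["src"] == "any" else rule["src"])
        dst_zone = zone_of("0.0.0.0/0" if rule["dst"] == "any" else rule["dst"])
        if (src_zone, dst_zone) not in ALLOWED_CONDUITS:
            findings.append({"rule": rule["id"], "severity": "high",
                             "issue": f"conduit {src_zone}->{dst_zone} is not permitted"})
        elif dst_zone == "control" and rule["port"] == "any":
            findings.append({"rule": rule["id"], "severity": "medium",
                             "issue": "conduit into control zone is not restricted to a protocol/port"})
    return findings


# Constructed ruleset: R1 exposes a PLC network to any source, R2 bypasses the
# DMZ from the enterprise network, R3 is a legitimate conduit left wide open,
# R4 and R5 follow the intended conduits, R6 is the final deny.
SAMPLE_RULES = [
    {"id": "R1", "action": "allow", "src": "any",           "dst": "10.20.5.0/24", "proto": "tcp", "port": 502},
    {"id": "R2", "action": "allow", "src": "10.1.50.0/24",  "dst": "10.20.5.0/24", "proto": "tcp", "port": 502},
    {"id": "R3", "action": "allow", "src": "10.20.3.10/32", "dst": "10.20.5.0/24", "proto": "any", "port": "any"},
    {"id": "R4", "action": "allow", "src": "10.20.3.10/32", "dst": "10.20.5.0/24", "proto": "tcp", "port": 502},
    {"id": "R5", "action": "allow", "src": "10.1.0.0/16",   "dst": "10.20.3.0/24", "proto": "tcp", "port": 443},
    {"id": "R6", "action": "deny",  "src": "any",           "dst": "any",          "proto": "any", "port": "any"},
]


def run_demo() -> List[dict]:
    return audit(SAMPLE_RULES)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"[{finding['severity']}] {finding['rule']}: {finding['issue']}")
```

The conduit matrix is deliberately an allowlist: a new zone pair is a violation until someone adds it, which is the same posture the zero-trust discussion above asks for at the user and device level. Running the check against each exported ruleset change turns “critical OT systems must not be directly connected to the Internet” from a policy statement into something the change process actually verifies.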

Cyberthreat information sharing. Collaboration is critical in the fight against cyberthreats. Organizations should participate in information-sharing initiatives, such as Information Sharing and Analysis Centers (ISACs), to stay informed about emerging threats and best practices [27]. The American Chemistry Council (ACC; Washington, D.C.; www.americanchemistry.com) provides ISAC service for the chemical manufacturing sector through its Chemical Information Technology Center (ChemITC) [28]. CISA has dedicated threat intelligence and threat hunting resources, as well as incident response, and other resources available to organizations with industrial control systems [29].

Resilience and business continuity. The ability to recover and restore operations after a breach is a critical requirement for all organizations. Developing, implementing and practicing resiliency and business-continuity plans will make the difference between success and failure.

Emerging technologies

A number of emerging technologies are poised to have a large effect on IT-OT security. A few of these technologies are mentioned here.

Artificial intelligence and machine learning. AI and machine learning can enhance cybersecurity by detecting anomalies and predicting potential threats (Figure 5). These technologies can analyze vast amounts of data from IT and OT systems to identify patterns indicative of cyberattacks. While AI has tremendous capabilities, the technology is still new and will take time to mature and adapt effectively in an OT environment.

FIGURE 5. Artificial intelligence technologies could have a profound effect on IT-OT security by helping to detect anomalies and predict threats

Blockchain for secure transactions. Blockchain technology can improve the security of IT-OT environments by providing tamper-evident records of transactions and communications. This can be particularly useful in supply-chain management and in ensuring data integrity. As with AI, adoption will take time as organizations identify use cases that are practical to implement.

Digital twins. Digital twins — defined as virtual replicas of physical assets or systems — can be used to simulate and test the impact of cybersecurity measures on OT systems without risking actual operations. It is, and continues to be, difficult to properly assess an OT environment for vulnerabilities that a threat actor could leverage to cause harm, because the testing itself can disrupt the process. Digital twins offer the organization an environment where security assessments can take place to determine vulnerabilities and evaluate risk mitigations.

Concluding remarks

The convergence of IT and OT is a double-edged sword. While it offers transformative benefits, it also exposes organizations to significant cybersecurity risks. Protecting these interconnected systems requires a holistic approach that bridges the gap between IT and OT priorities, technologies and cultures. Cyberattacks against critical infrastructure will continue to evolve in their pervasiveness and sophistication. The examples here are indicators of what organizations should bear in mind as they build resilience in their infrastructure.

Organizations must invest in advanced security technologies, workforce development and collaborative initiatives to navigate this complex landscape. By adopting proactive cybersecurity strategies and leveraging industry standards, they can harness the potential of IT-OT convergence while safeguarding their operations, customers and communities. As industries continue to evolve, cybersecurity must remain a cornerstone of IT-OT integration efforts. The stakes are high, but so are the rewards for those who get it right.

Edited by Scott Jenkins


References

1. Computer Security Resource Center, Glossary, NIST, csrc.nist.gov/glossary, term definition.

2. Computer Security Resource Center, Glossary, NIST, csrc.nist.gov/glossary, term definition.

3. Palo Alto Networks, State of OT Security 2024, report, www.paloaltonetworks.com/resources/research, 2024.

4. Cybersecurity and Infrastructure Agency (CISA), Critical Infrastructure Security and Resilience, Guidance, www.cisa.gov/topics, accessed January 2025.

5. Newman, L. H., Under Trump, US Cyberdefense Loses Its Head, Wired magazine, Jan. 23, 2025.

6. Greig, J., CISA confirms hackers may have accessed data from chemical facilities, The Record, from Recorded Future News, June 24, 2024.

7. McGinnis, D., What is the 4th industrial revolution, Salesforce blog, July 5, 2023.

8. Computer Security Resource Center, Glossary, NIST, csrc.nist.gov/glossary, term definition.

9. Kushner, D., The Real Story of Stuxnet, IEEE Spectrum, February 2013, www.ieee.org

10. Palo Alto Networks, State of OT Security 2024, report, www.paloaltonetworks.com/resources/research, 2024.

11. Crowdstrike Inc., Threat Hunting Report, 2024, www.crowdstrike.com, 2024.

12. U.S. Government Accountability Office (GAO), Solarwinds Cyberattack demands significant federal and private-sector response, Blog post, April 22, 2021, www.gao.gov/blog.

13. Bleeping Computer LLC, News, Chemical distributor pays $4.4 million to DarkSide ransomware, www.bleepingcomputer.com, 2021.

14. Fisher, W. and others, Data Confidentiality, National Institute of Standards and Technology, Special Publication 1800-28, February 2024.

15. CISA, Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure, Cybersecurity Advisory Notice, Sept. 5, 2024. www.cisa.gov.

16. CISA, Risk-Based Performance Standards Guidance, CFATS, May 2009, www.cisa.gov/sites/default/files/publications/cfats-rbps-guidance_508.pdf

17. Idaho State University, Industrial Cybersecurity Engineering Technology Program, www.isu.edu/industrialcybersecurity/

18. Duke University, Industrial Security Certificate Program, cisoeducation.duke.edu/industrial-security-program/

19. Matishak, M., DHS asked to consider potentially devastating impact of hacks on rural water systems, The Record from Recorded Future News, April 25, 2024.

20. Gallagher, G. and others, Clorox audit flagged systemic flaws in cybersecurity at manufacturing plants, March 26, 2023.

21. Homeland Security Digital Library (HSDL), Timeline, 2021 Colonial Pipeline Ransomware Attack, www.hsdl.org.

22. U.S. Federal Bureau of Investigation (FBI) Cyber Division, Private Industry Notification, March 24, 2022, www.ic3.gov.

23. Zetter, K., Inside the Cunning Hack on Ukraine’s Power Grid, Wired magazine, March 3, 2016.

24. Rose, S. and others, Zero Trust Architecture, NIST Special Publication 800-207, August 2020.

25. IBM, What is the Internet of Things, web post, May 12, 2023, www.ibm.com/think/.

26. International Electrotechnical Commission (IEC) Standard 62443, www.iec.ch.

27. National Council on ISACs, www.nationalisacs.org.

28. American Chemistry Council, Chemical Information Technology Center (ChemITC), www.americanchemistry.com.

29. CISA, Cyber Threat Information Sharing, www.cisa.gov.

Authors

Art Ehuan is the executive director and adjunct professor of the Duke University Master of Engineering in Cybersecurity program and the Duke Chief Information Security Officer (CISO) Executive Certificate program (3459 Fitzpatrick Center, Durham, NC 27708; Email: [email protected]; Phone: 571-331-7763). Ehuan was previously a vice president of Palo Alto Networks, Unit 42 Security Consulting practice. He joined PAN after running the Global Cyber Risk Services practice at the global professional services firm Alvarez & Marsal. Ehuan was previously a CISO for a Fortune 200 financial/insurance services firm and has served as an interim CISO for several organizations. Ehuan served as a lecturer for the U.S. State Department’s Anti-Terrorism Assistance Cyber Training Program and has worked as a Supervisory Special Agent with the FBI and a Special Agent for the U.S. Air Force Office of Special Investigations. He has been retained as an expert on several prominent data breaches.


Gurdeep Kaur is the global industry lead and CXO advisor at DigitalXForce (578 Kimball Ave., Southlake, TX 76092; Email: [email protected]). Previously, she served as CISO at PSEG, where she led cybersecurity risk management and compliance across IT and OT environments. Before that, she held leadership roles at Horizon BCBSNJ and AIG, with a focus on cybersecurity compliance and security architecture, including spearheading the development of a comprehensive security framework. Kaur serves on the Technology and Data Governance Committee for the Board of Hackensack Meridian Health and is the Energy Sector Chief for the InfraGard NJ Chapter. She previously served as co-founder and president of the ISC2 New Jersey Chapter, co-chair of the ISC2 North American Advisory Council, and a member of the Cloud Security Alliance (CSA) Global Enterprise Advisory Board. She holds a bachelor’s degree in electrical engineering from Delhi College of Engineering (India), along with multiple security certifications, including CISSP-ISSAP and NIST Cybersecurity Practitioner.