
IT/OT convergence demands a new security mindset for critical infrastructure

(Department of Energy)

By Jerome Farquharson

Protecting critical infrastructure has never been more urgent as IT and operational technology (OT) systems continue to converge, creating a vastly expanded attack surface. In the past year alone, several high-impact ransomware incidents across energy, manufacturing and food processing have demonstrated how quickly operational disruptions can cascade into physical consequences, in some cases halting production for days and creating multimillion-dollar losses within hours.

This escalation reflects a broader trend: adversaries no longer need sophisticated capabilities to achieve disruptive effects. As Idaho National Laboratory’s Cyber-Informed Engineering (CIE) initiative emphasizes, the traditional approach of retrofitting security onto existing systems is insufficient against adversaries who understand that OT environments prioritize availability over confidentiality, and who target the gaps that priority leaves in defensive strategies.

Visibility gaps and legacy constraints put OT at risk

The technical reality of IT/OT convergence presents challenges that traditional security models were never built to address. Legacy OT protocols such as Modbus, DNP3 and IEC 61850 were designed for isolated, air-gapped networks with an implicit trust model: in their base specifications, any host that can reach a controller over the network can read from it and write to it, with no authentication of the sender. Secure extensions exist for some of these protocols, but older equipment often does not support them. When these systems interface with modern IT infrastructure, they inherit the exposure of the connected network without gaining corresponding security capabilities. This mismatch creates blind spots that attackers increasingly exploit.

In many recent incident response engagements across the industry, the OT vulnerabilities that mattered were located deep within internal networks, not at the perimeter, which highlights that traditional firewall-centric strategies overlook where adversaries now move. CISA’s guidance on OT asset inventory underscores this challenge, noting that organizations cannot protect what they cannot see. Yet many facilities operate with incomplete visibility into their converged environments.
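The two points above, that a legacy protocol such as Modbus/TCP accepts state-changing commands from any host that can reach the controller, and that defenders need visibility inside the network rather than only at the perimeter, can be made concrete with a small monitor. The following is an added example written for this page, not code from the article, CISA or any vendor. It builds and parses Modbus/TCP frames (MBAP header plus PDU, per the public Modbus specification) and flags write function codes that arrive from hosts outside an allowlist of engineering workstations. The IP addresses, the allowlist and the captured records are constructed sample data, and the allowlist-based policy is an assumption about how a site would define "authorized writer".

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus function codes that change controller state. Reads are left alone;
# a write from an unexpected host is the event worth alerting on.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

# Function codes whose PDU begins with a 16-bit starting address.
ADDRESSED_CODES = {1, 2, 3, 4, 5, 6, 15, 16, 22, 23}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]  # starting address for the common read/write codes
    payload: bytes


def build_write_single_register(tid: int, unit_id: int, address: int, value: int) -> bytes:
    """Build a Modbus/TCP 'Write Single Register' ADU (function 0x06).

    MBAP header: transaction id, protocol id (always 0), remaining byte
    count, unit id. Note that nothing in the frame identifies or
    authenticates the sender; the controller trusts whoever delivers it."""
    pdu = struct.pack(">BHH", 0x06, address, value)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def build_read_holding_registers(tid: int, unit_id: int, address: int, count: int) -> bytes:
    """Build a 'Read Holding Registers' ADU (function 0x03)."""
    pdu = struct.pack(">BHH", 0x03, address, count)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse an ADU; raise ValueError on frames that do not fit the format."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    data = frame[8:]
    address = None
    if fc in ADDRESSED_CODES and len(data) >= 2:
        address = struct.unpack(">H", data[:2])[0]
    return ModbusRequest(tid, uid, fc, address, data)


def audit_writes(records, authorized_writers):
    """records: iterable of (src_ip, dst_ip, frame). Returns a list of
    (src, dst, reason) alerts for write requests from hosts outside the
    allowlist and for frames that do not parse at all."""
    alerts = []
    for src, dst, frame in records:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append((src, dst, f"malformed Modbus/TCP frame: {exc}"))
            continue
        if req.function_code in WRITE_FUNCTION_CODES and src not in authorized_writers:
            name = WRITE_FUNCTION_CODES[req.function_code]
            alerts.append((src, dst, f"unauthorized {name} to unit {req.unit_id} "
                                     f"at address {req.address}"))
    return alerts


def sample_alerts():
    """Constructed traffic: one engineering workstation (allowed to write),
    one corporate host that both reads and writes, and one garbage frame."""
    plc = "10.1.30.10"                  # assumed PLC address
    authorized = {"10.1.20.5"}          # assumed engineering workstation
    records = [
        ("10.1.20.5", plc, build_write_single_register(1, 1, 0x0010, 0x0001)),
        ("10.0.3.77", plc, build_write_single_register(2, 1, 0x0010, 0x0000)),
        ("10.0.3.77", plc, build_read_holding_registers(3, 1, 0x0000, 8)),
        ("10.0.3.77", plc, b"\x00\x04\x00\x00"),
    ]
    return audit_writes(records, authorized)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(*alert)
```

Running the sample reports two alerts: the write from the corporate host and the malformed frame. The read from the same host is silent, which is deliberate; on a plant network a read from a corporate address is worth logging, but the write is the one that changes a setpoint. The policy here is an allowlist of source addresses because that is what a passive monitor can observe; it does not make the controller authenticate anyone, which the base protocol cannot do.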

This lack of internal visibility also contributes to not prioritizing the greatest risks. In several real-world manufacturing and utilities investigations, organizations discovered that their highest risk vulnerabilities were not tied to perimeter exposure but to decades-old controllers, legacy engineering workstations or forgotten vendor-access pathways. Without unified IT/OT visibility, defenders often focus on the wrong problems, giving adversaries time to discover and weaponize overlooked weak points.

Network segmentation, long considered a cornerstone of OT security, proves insufficient on its own against modern threats. Several recent industrial incidents revealed legacy vendor connections, undocumented remote-access methods and open maintenance tunnels that remained active long after deployment, sometimes discovered only after attackers had used them. CISA’s industrial control systems guidance recommends implementing secure remote-access protocols, but the technical debt of legacy systems often makes this impractical without significant operational disruption.

Human factors and organizational silos undermine security

The human element remains one of the most persistent and overlooked drivers of OT risk. Converged environments now demand IT-grade discipline in systems that were never designed for it. In many industrial environments, the most consequential weaknesses are not advanced exploits but basic oversights: misconfigured firewalls controlling access to engineering workstations, default or hardcoded credentials left unchanged on legacy controllers, exposed HMIs or device interfaces reachable from corporate networks, and remote-access portals deployed for convenience rather than hardened for security. These are the conditions that allow low-sophistication attackers to gain a foothold and move laterally with little resistance.

Organizational silos amplify these risks. IT teams often assume OT assets follow the same patching, credential or configuration standards as traditional enterprise systems, while OT teams may be unaware of how exposed their interfaces become once connected, even indirectly, to broader networks. Routine tasks like updating firmware, securing vendor accounts or disabling unused services can fall through the cracks simply because no single team is accountable for the full life cycle of a converged asset. The result is an accumulation of small misalignments that, collectively, create material attack paths.

These issues also extend into increasingly complex supply chains. Third-party vendors frequently install equipment with default network settings or remote maintenance capabilities that remain enabled for years without review. Because OT environments operate on decades-long life cycles, organizations may inherit insecure configurations that predate modern security expectations and may not discover them until after an incident. Without governance structures that bridge IT and OT responsibilities, organizations remain vulnerable to the same preventable missteps that adversaries continue to exploit.

Building true operational resilience

The human and organizational dimensions of IT/OT security remain among the hardest barriers to effective defense. The cultural divide between IT and OT teams, where IT prioritizes data protection and OT emphasizes safety and uptime, creates operational friction that adversaries exploit. Harvard Business Review (HBR) has also noted that organizational silos often prevent the cross-functional collaboration needed to secure converged environments, a sentiment echoed by Boston Consulting Group (BCG), which advocates for integrating IT/OT security strategies to align with business objectives.

Governance structures must ensure that IT and OT teams operate from a shared understanding of risk. Most critically, organizations must develop security cultures that span from boardrooms to control rooms, with every stakeholder understanding their role in protecting critical infrastructure. The proliferation of OT-aware adversaries makes this transformation not just advisable but essential for survival in an increasingly connected and hostile digital landscape.

Moving forward requires fundamental changes in how organizations approach IT/OT security. Technical solutions must account for the unique constraints of industrial environments, including 24/7 availability requirements, safety-critical processes and decades-old equipment that cannot be easily patched or replaced. Security architecture must provide unified visibility across IT and OT infrastructure while respecting operational boundaries. 

The convergence of IT and OT systems has created a complex and challenging cybersecurity landscape for critical infrastructure. Ultimately, building greater resilience will depend on the ability to integrate people, processes and technology across both domains to achieve true operational readiness.
