- By Renee Bassett
- October 08, 2025
- ISA
- News
Summary
ISA President Scott Reynolds moderated a panel on the cybersecurity risks related to the convergence of enterprise-level IT systems and industrial OT systems.

At the ISA OT Cybersecurity Summit, 2025 ISA President Scott Reynolds moderated a panel on the cybersecurity risks related to the convergence of enterprise-level information technology (IT) systems and industrial operational technology (OT) systems. Reynolds is the senior security and network engineering manager at Johns Manville and has more than 19 years of industrial engineering and cybersecurity experience.
Panelists included Dr. Ric Derbyshire, principal security researcher at Orange Cyberdefense; Jos Wetzels, founding partner at Midnight Blue; and Dr. Marina Krotofil, cybersecurity engineer with mk|security. They created a very lively discussion and helped Reynolds discover a few different definitions of what IT/OT convergence means and the different implications for the security and functionality of control systems.
“IT systems used on OT networks” was one definition of IT/OT convergence mentioned, “but I think we've been doing this longer than the term ‘OT’ even existed,” Reynolds said. “We have been leveraging Ethernet and Windows Operating Systems for decades now.”
Reynolds asked, “Why did we decide to start using Ethernet, a protocol that is intentionally designed around unpredictable collisions and communications errors?” Because it's cheaper, faster and good enough for what most systems are doing, panelists said. Also, commercial off-the-shelf (COTS) solutions are easier to obtain for more companies.
“To respond to this migration to IT systems, and still work on the time dependencies of some applications, protocols were created to address systems such as servo motors,” Reynolds added. But there are security risks associated with this definition:
- This is where the IT security risks all bleed into the OT network. If there's an IT risk, there is most likely also an OT risk.
- The most common threat to OT networks is ransomware coming from a vendor or the IT network, and IT systems on the OT network give it that path in.
- IT thinks it understands the IT systems on the OT network and treats them like IT systems, a.k.a. the “I'm from IT and I'm here to help” problem.
The risk reduction from this definition, the panel agreed, comes from the fact that security professionals understand and can better secure COTS solutions. COTS also are more widely used and are tested more for vulnerabilities.
Definition #2: IT taking over OT networks
Reynolds said, “This [definition] came from all three panelists, and I totally feel like I was being attacked as a person who works in the IT department. With that said, there are valid points here. IT takes over the OT networks and treats them like IT systems with patching and network communications.” The security risks from this definition:
- IT breaks stuff. IT starts patching things that cannot be patched or need to have production downtime to patch them. They flood the network with backup traffic, causing an outage. They back up databases improperly.
- IT makes things less secure. Windows domain problems arise from either having one domain across IT and OT or having trust between them. “We generally want to start in the world of security by not trusting the IT network and assuming it's compromised. How do we continue to be comfortable operating while IT is having an incident?” Reynolds said.
The risk reduction from this definition comes from the fact that IT can help discover misconfigurations or misconceptions about how IT systems work (HA vs. backups). IT also can help discover insecure shadow IT solutions (sneaking in remote access directly to the process control network, for example).
Definition #3: Being intentional with IT/OT connections
Being intentional with IT/OT connections “is where I think ISA-95 is a good example,” said Reynolds. “How do we get the data between our control system and our ERP system? What parts of the MES system does IT own and are on an IT network, and what parts of MES do the engineers own and are on the OT network? We need clearly defined roles for each team and owners for each part of the system,” he added.
The security risks from this definition include the fact that sometimes a black box is created on either side: IT doesn't know what's behind the firewall on the OT network, and OT doesn't know what the firewall's even doing. This creates a lack of awareness of how to properly secure the entire system.
Risk reduction from this definition involves clearly defined roles and owners to respond to security risks. Everyone stays in their own lane and doesn't create more problems by focusing on the wrong priorities for each network.
Panelists admitted that there are clear issues with IT taking over the OT network, and there are also opportunities to learn and leverage the skillset of the IT team. “Both IT and OT professionals have a lot to learn from each other. Yes, we have examples of IT not prioritizing safety and availability on the controls system. We also have examples of the control systems team trying to recover a Windows 2000 machine on a new desktop, or not having immutable backups of Windows systems,” Reynolds said.
Collaboration can sometimes slow things down, but you are also more likely to move further in the right direction, said Reynolds. “The best of both worlds is when IT and OT are working together to find the best opportunities and then implementing them with both the IT and OT perspectives in mind,” he said.
This news story also appears in Automation.com Monthly's 2nd Annual Cybersecurity Trends report (October 2025).
About The Author
Renee Bassett is chief editor for Automation.com Monthly digital magazine and other International Society of Automation publications, including Automation.com. Bassett is an experienced writer, editor and project manager for industrial automation, engineering, information technology and infrastructure publications. She has a bachelor's degree in journalism from Indiana University, Bloomington, and is based in Nashville.