Trout Glossary
Tags: OT/IT convergence, IT/OT integration, Industrial cybersecurity

OT/IT Convergence

OT/IT convergence is the integration of operational-technology networks with enterprise IT: shared authentication, shared historians, shared remote access, shared cloud analytics. The motivation is operational: predictive maintenance, real-time telemetry, MES integration, remote expert support. The consequence is that a foothold on the IT side now has at least one reachable path into OT.

The attack paths that convergence creates

Six attack paths show up repeatedly in post-incident reviews of converged environments:

1. Active Directory pivot from IT to OT. Engineering workstations authenticate against corporate AD. A credential-theft compromise on the IT side (phishing, Kerberoasting, DCSync) yields valid credentials that reach OT resources. Maersk's NotPetya outage (2017) is the canonical example: the worm harvested credentials from memory and spread through the domain, and recovery meant rebuilding AD across the company.

2. Historian as a traversal point. Historians sit at Purdue Level 3 and push data up to IT analytics at Level 4, so the boundary must permit that path. They run on standard Windows servers with SQL Server or time-series backends. An IT-side compromise reaches the historian through the same path that was opened for its data egress, then pivots back down to Level 2 or 1 with the historian's collection credentials, which reach every OPC server and controller the historian polls.

3. Ransomware traversing via file shares. A file server shared between IT and OT, often hosting G-code, production orders, or machine configurations, is an encryption target that halts OT even when OT assets are untouched. Norsk Hydro (LockerGoga, 2019) followed this pattern: plants fell back to manual operation while IT was rebuilt.

4. Remote-access VPN as a credential single point of failure. A contractor VPN for remote maintenance often grants the same network-level reach as a local operator, and the credential is the only control in the path. A phished contractor credential becomes a remote PLC session. Colonial Pipeline (2021) began with a compromised password for a legacy VPN account that had no MFA; the operator shut the pipeline down itself as a precaution, not because the attackers had reached it.

5. IIoT gateway lateral movement. IIoT devices installed for predictive maintenance often bridge cellular or Wi-Fi links to OT networks without going through the iDMZ, and they take configuration and firmware from the vendor's cloud. A compromise of the IIoT vendor's cloud platform can therefore propagate to every deployed gateway that trusts it.

6. Engineering laptop as a dual-homed bridge. A single workstation on both the corporate network and the plant network provides a routable path whenever it is online. Most plants have several.

Concrete example: IT ransomware reaches OT historian

A defense manufacturer's IT network is hit with ransomware delivered via a phishing email to the HR department. The ransomware spreads through AD and encrypts file shares. One of those file shares is mounted by the MES system at Purdue Level 3. When MES attempts to write the next shift's production schedule, the write fails. OT operators at Level 2 lose access to the work queue. The plant stops, not because OT was compromised, but because OT depends on an IT service that was.

This is the convergence incident shape: the attack never touches a PLC, but production stops anyway.

What reduces convergence risk

Three structural controls consistently reduce blast radius:

  • Identity isolation between IT and OT. A separate identity provider for OT access, with no trust relationship to the corporate domain, so that a compromise of corporate AD does not automatically grant OT access.
  • Identity-bound network enforcement. Rules bind to authenticated user and device identities rather than to addresses, so an IT host cannot reach an OT asset by default, whatever IP it holds.
  • Stateful observation at the convergence points. Historians, file shares, and remote-access gateways get session-level audit at the boundary. Because the record is kept outside the endpoints, anomalous patterns remain detectable even when the endpoints on either side are compromised.
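As an added illustration of the second and third controls (not Trout's own code, and not the Access Gate product), the following Python makes identity-bound policy decisions and then audits a session log at the convergence points. The identity provider names, groups, hosts, policy rules, service-account bindings and the session records are all constructed for the example; the detection thresholds are assumptions.

```python
"""Identity-bound policy decisions and session-level audit at IT/OT convergence points.

Added illustration for this glossary entry; it is not Trout Access Gate code.
Purdue levels follow the page: 4 = enterprise IT, 3.5 = iDMZ, 3 = site operations
(historian, MES), 2 = supervisory (HMI, engineering workstations), 1 = control (PLC).
Identities, groups, hosts, the policy and the session log are all constructed.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str          # "<idp>\\<account>" as asserted by the IdP that authenticated it
    src_host: str
    src_level: float   # Purdue level of the source host
    dst_host: str
    dst_level: float   # Purdue level of the destination asset
    protocol: str


def idp_of(user: str) -> str:
    """The identity provider that issued the identity ('corp-ad' or 'ot-idp')."""
    return user.split("\\", 1)[0]


# Constructed directory: identity -> groups (in practice supplied by the IdP).
GROUPS = {
    "ot-idp\\eng.alice": {"ot-engineers"},
    "ot-idp\\svc-historian": {"historian-collector"},
    "ot-idp\\vendor.dave": {"remote-maintenance"},
    "corp-ad\\analytics.bob": {"it-analytics"},
    "corp-ad\\hr.carol": {"hr"},
}

# Hypothetical policy: (idp, group, allowed protocols, deepest Purdue level reachable).
# Every rule keys on an identity; none keys on a source address.
RULES = [
    ("ot-idp", "ot-engineers", {"s7comm", "modbus", "rdp"}, 1),
    ("ot-idp", "historian-collector", {"opcua"}, 2),
    ("ot-idp", "remote-maintenance", {"rdp"}, 2),
    ("corp-ad", "it-analytics", {"sql"}, 3),
]

# Service accounts are bound to the one host that legitimately uses them (assumption).
SERVICE_ACCOUNT_HOME = {"ot-idp\\svc-historian": "hist01"}


def authorize(s: Session) -> tuple[bool, str]:
    """Default-deny, identity-bound decision for one session. Returns (allowed, reason)."""
    # Identity isolation: a corporate AD identity never reaches below Level 3.
    if idp_of(s.user) == "corp-ad" and s.dst_level < 3:
        return False, "corp-ad identity below Level 3"
    for idp, group, protocols, floor in RULES:
        if (idp == idp_of(s.user) and group in GROUPS.get(s.user, set())
                and s.protocol in protocols and s.dst_level >= floor):
            return True, f"rule {group}/{s.protocol}"
    return False, "no matching rule"


def audit(sessions: list[Session], fanout_threshold: int = 3) -> list[tuple[str, str, str, str]]:
    """Session-level audit at the boundary. Returns (finding, user, src_host, dst_host) tuples.

    Catches what the policy decision alone cannot: a valid credential used from the wrong
    place, a session that skips the Level 3 choke point, and one identity fanning out
    across OT hosts the way ransomware does.
    """
    findings = []
    ot_targets: dict[str, set[str]] = defaultdict(set)
    for s in sessions:
        allowed, why = authorize(s)
        if not allowed:
            findings.append((f"denied: {why}", s.user, s.src_host, s.dst_host))
        home = SERVICE_ACCOUNT_HOME.get(s.user)
        if home and s.src_host != home:
            findings.append(("service account off its home host", s.user, s.src_host, s.dst_host))
        if s.src_level - s.dst_level >= 2:
            findings.append(("level skip (iDMZ bypass)", s.user, s.src_host, s.dst_host))
        if s.dst_level <= 3:
            ot_targets[s.user].add(s.dst_host)
    for user, hosts in ot_targets.items():
        if len(hosts) >= fanout_threshold:
            findings.append((f"fan-out to {len(hosts)} OT hosts", user, "*", ",".join(sorted(hosts))))
    return findings


# Constructed session log covering normal traffic and four of the attack paths above.
SAMPLE_LOG = [
    Session("ot-idp\\eng.alice", "ews02", 2, "plc-line3", 1, "s7comm"),         # normal
    Session("ot-idp\\svc-historian", "hist01", 3, "scada01", 2, "opcua"),      # normal
    Session("corp-ad\\analytics.bob", "bi-srv07", 4, "hist01", 3, "sql"),      # normal
    Session("corp-ad\\hr.carol", "hr-lt11", 4, "ews02", 2, "rdp"),             # path 1: phished AD identity
    Session("ot-idp\\svc-historian", "bi-srv07", 4, "scada01", 2, "opcua"),    # path 2: historian credential replayed from IT
    Session("corp-ad\\hr.carol", "hr-lt11", 4, "mes01", 3, "smb"),             # path 3: ransomware fan-out over SMB
    Session("corp-ad\\hr.carol", "hr-lt11", 4, "hist01", 3, "smb"),
    Session("corp-ad\\hr.carol", "hr-lt11", 4, "fileshare-ot", 3, "smb"),
    Session("ot-idp\\vendor.dave", "vpn-pool", 3.5, "plc-line3", 1, "modbus"),  # path 4: contractor account opening a PLC protocol
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Note that the replayed historian credential (path 2) passes the policy check: the credential is valid and the rule matches. Only the session-level audit of where the credential was used from, and of the Level 4 to Level 2 jump, catches it. That is the argument for keeping observation at the boundary alongside enforcement: enforcement decides, observation catches what enforcement cannot.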

Compliance context

NIS2 Article 21 lists the cybersecurity risk-management measures essential and important entities must implement, including access-control policies and asset management; segmenting and controlling the IT/OT boundary is the standard way to satisfy them in a converged environment. IEC 62443 zones-and-conduits explicitly addresses the convergence boundary (the Level 3.5 iDMZ in Purdue terms). CMMC Level 2 inherits NIST SP 800-171 Rev 2 control 3.13.1, which requires monitoring and control of communications at external boundaries and key internal boundaries; the IT/OT boundary is the canonical internal example.

Access Gate connection

Access Gate enforces identity-bound boundaries across the IT/OT convergence points — historian, file shares, remote access, engineering workstations — so that a compromise on the IT side does not produce a reachable path into OT. See CMMC Compliance with Trout Access Gates.