Common Language: How IT and OT Teams Can Align
Learn how IT and OT teams can bridge language gaps through standards, network segmentation, cross-training, and joint governance to enhance industrial security and efficiency.
Introduction: The Silos That We Built
Industrial and critical environments have long been marked by pronounced divisions between Information Technology (IT) and Operational Technology (OT) teams. While IT is tasked with managing data, business systems, and cybersecurity, OT has historically stewarded the machinery, control systems, and processes that make physical production possible. But as automation grows and industrial systems become networked—often directly connected to the corporate enterprise and even the Internet—these silos threaten not only efficiency but also security and reliability.
Historical Perspective: Origins of the Great Divide
IT and OT architectures evolved under distinctly different priorities. IT, grounded in standards such as TCP/IP and OSI models, focused on interoperability, centralization, and security. OT, meanwhile, was shaped by protocols designed for determinism, low latency, and physical-world reliability: think Modbus (1979), PROFIBUS (1989), and DNP3 (1990s). Until recently, isolation (the so-called "air gap") was considered sufficient OT security.
The last two decades, however, have seen rapid convergence. OT systems adopted Ethernet-based communications, while digitization and Industry 4.0 initiatives forced connectivity with enterprise IT. This convergence brought crucial advantages, but also exposed previously isolated control networks to new cyber risks and increased the complexity of troubleshooting, change control, and incident response.
Different Languages, Different Concerns
Alignment is difficult because the two disciplines not only use different technical vocabularies but also frame problems differently:
IT's Priorities: Confidentiality, integrity, availability, usually weighted in that order (the classic CIA triad). Focused on data protection, compliance, uptime, and rapid patching and upgrades.
OT's Priorities: Safety first, then reliability, deterministic process control, and very high availability; integrity of the process follows, and confidentiality comes last. Patching and change are treated as risks to continuity, to be scheduled into planned outages rather than pushed on a monthly cycle.
For example, the notion of "availability" means different things. For IT, downtime of minutes or hours may be tolerable; for OT, milliseconds can matter, and outages can cost millions or even endanger lives.
Toward a Common Language: Technical and Organizational Strategies
1. Shared Reference Models and Standards
Adopting industry frameworks such as ISA/IEC 62443 can bridge the gap. Its vocabulary of "zones" (groups of assets that share security requirements) and "conduits" (the controlled communication paths between zones) maps directly onto what IT already calls segmentation and firewall policy, while remaining meaningful to OT engineers who think in terms of process areas and cells. The Purdue Model, developed in the early 1990s, remains an effective visual tool for separating enterprise, DMZ, and control layers in a plant or facility.
Purdue Enterprise Reference Architecture (PERA): Defines Levels 0-5, from field devices (Level 0) through basic and supervisory control (Levels 1-2) and site operations (Level 3) up to enterprise business systems and corporate IT (Levels 4-5). The industrial DMZ commonly labelled "Level 3.5" was a later addition popularised by ISA-99/IEC 62443 rather than part of the original PERA. The levels give both teams a shared picture on which to draw trust boundaries and agree on the controls at each one.
IEC 62443: Reframes security in lifecycle and risk-based terms: asset inventory, a target security level (SL) per zone, security baselining, requirements for product suppliers and integrators, and incident response that incorporates both worlds.
2. Network Segmentation: More Than Just Firewalls
True IT/OT alignment is impossible without robust segmentation. VLANs, firewalls, and DMZs provide the starting point, but microsegmentation (down to the device or function level) is becoming best practice. Technologies such as software-defined networking (SDN) and zero-trust architectures can enforce granular policy, but only when both teams coordinate on access needs and traffic flows. In control networks, deploy new policy in monitor-only mode first and enforce it only after OT has validated the learned flows: a dropped packet between a PLC and its HMI is an outage, not a log entry.
Concrete Steps:
A complete asset and protocol inventory is non-negotiable. Both sides must share knowledge of every communicating endpoint and service; passive collection (span ports, network taps) is preferred on the control side because active scanning can upset older devices.
Implement network maps that are jointly maintained and accessible to both IT and OT, with every host assigned to a Purdue level or 62443 zone so that a new flow can be judged against the agreed conduits.
Control networks should never have uncontrolled direct paths to the public Internet or the enterprise network. Sessions between enterprise and control levels should terminate in the industrial DMZ (a historian replica, a patch repository, or a jump host) rather than pass straight through.
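The jointly maintained map and inventory are only useful if someone checks observed traffic against the agreed conduits. The following is an added example, not code from the original article or from Trout: a small Python policy check that assigns constructed hosts to Purdue levels and flags flows that cross the control/enterprise boundary without terminating in the DMZ, that carry an industrial protocol outside the control zone, that reach the Internet from the control network, or that involve an endpoint missing from the inventory. Host names, levels, the port-to-protocol table, and the flow records are all assumptions made up for the example.

```python
"""Zone/conduit policy check over a constructed asset inventory and flow list.

Added example for illustration (not the article's or Trout's code). Each host is
assigned a Purdue level; each observed flow is tested against a small conduit
policy derived from the segmentation steps above:
  * enterprise (Levels 4-5) and control (Levels 0-3) hosts never talk directly;
    such conduits must terminate in the industrial DMZ (Level 3.5);
  * industrial protocols (Modbus/TCP, DNP3, S7comm) stay inside Levels 0-3;
  * nothing in Levels 0-3 reaches the Internet (modelled as pseudo-level 6);
  * an endpoint absent from the inventory is itself a finding.
All names, levels and flows below are constructed for the example.
"""
from dataclasses import dataclass

INTERNET = 6.0   # pseudo-level for external addresses
DMZ = 3.5        # industrial DMZ between control and enterprise
# Well-known TCP ports of common industrial protocols (assumed mapping).
INDUSTRIAL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 102: "S7comm"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def control(level: float) -> bool:
    """Levels 0-3: field devices, basic/supervisory control, site operations."""
    return level <= 3.0


def enterprise(level: float) -> bool:
    """Levels 4-5: business systems and corporate IT (but not the Internet)."""
    return 4.0 <= level < INTERNET


def check_flow(assets: dict[str, float], flow: Flow) -> list[str]:
    """Return the policy violations for one flow (an empty list means allowed)."""
    tag = f"{flow.src}->{flow.dst}:{flow.port}"
    try:
        s, d = assets[flow.src], assets[flow.dst]
    except KeyError as missing:
        # Unknown endpoint: the jointly maintained inventory is incomplete.
        return [f"{tag}: unknown asset {missing.args[0]}"]
    problems = []
    if (control(s) and enterprise(d)) or (enterprise(s) and control(d)):
        problems.append(f"{tag}: crosses control/enterprise boundary without the DMZ")
    if (d == INTERNET and control(s)) or (s == INTERNET and control(d)):
        problems.append(f"{tag}: direct Internet path into/out of the control network")
    if flow.port in INDUSTRIAL_PORTS and not (control(s) and control(d)):
        problems.append(f"{tag}: {INDUSTRIAL_PORTS[flow.port]} outside the control zone")
    return problems


def check_flows(assets: dict[str, float], flows: list[Flow]) -> dict[Flow, list[str]]:
    """Map each offending flow to its list of violations; clean flows are omitted."""
    return {f: v for f in flows if (v := check_flow(assets, f))}


# Constructed inventory: host -> Purdue level.
ASSETS = {
    "plc-01": 1.0,       # Level 1: basic control
    "hmi-01": 2.0,       # Level 2: supervisory control
    "hist-01": 3.0,      # Level 3: site historian
    "dmz-jump": DMZ,     # Level 3.5: industrial DMZ jump/replication host
    "erp-app": 4.0,      # Level 4: enterprise business system
    "file-srv": 5.0,     # Level 5: corporate file server
    "internet": INTERNET,
}

# Constructed flow records, as a passive sensor might report them.
FLOWS = [
    Flow("hmi-01", "plc-01", 502),       # Modbus inside the control zone: allowed
    Flow("hist-01", "dmz-jump", 1433),   # historian replication into the DMZ: allowed
    Flow("dmz-jump", "erp-app", 443),    # DMZ to enterprise: allowed
    Flow("file-srv", "hmi-01", 445),     # SMB straight into Level 2: violation
    Flow("erp-app", "plc-01", 502),      # Modbus from enterprise: two violations
    Flow("plc-01", "internet", 443),     # PLC reaching the Internet: violation
    Flow("eng-ws", "plc-01", 102),       # source not in inventory: violation
]

if __name__ == "__main__":
    for flow, violations in check_flows(ASSETS, FLOWS).items():
        for v in violations:
            print(v)
```

The policy deliberately treats an unknown endpoint as a violation rather than skipping it, because on a real control network the host nobody can account for is usually the most interesting finding. Extend INDUSTRIAL_PORTS and the level assignments from the jointly maintained map rather than hard-coding them once both teams agree on the conduits.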
3. Incident Response: Joint Playbooks
An incident in modern industrial networks rarely remains contained in either the IT or OT domain. Ransomware, for instance, can spread from a corporate file server to the Windows hosts that run HMIs, historians, and engineering workstations, halting production even when the PLCs themselves are untouched; with engineering credentials or an exposed maintenance path, the controllers are within reach as well.
Develop response plans that address not only endpoints but also process impact analysis, restoration of trusted operations, and communication with regulators or industrial safety authorities.
Tabletop exercises must include both IT and OT stakeholders—running threat scenarios that “cross the fence.”
4. Walls Come Down with Cross-Training and Embedding
Embedding IT staff in manufacturing environments, and vice versa, encourages a common technical vocabulary. When OT personnel learn about Active Directory or PKI, and IT learns about HMIs, SCADA, or fieldbus protocols, both develop an appreciation for each other's constraints and challenges.
Best Practices:
Regular, formal cross-training sessions. Use deep dives, not superficial overviews.
Establish "translators"—personnel conversant in both domains, ideally with hybrid roles.
5. Governance and Leadership Commitment
Ultimately, alignment requires a single cross-functional governance structure. Creating a joint IT/OT security review board, or at least task forces for key initiatives, ensures all voices are heard and no technical corner is overlooked. The CISO role has evolved to cover not only digital assets but also plant floor safety and resilience—this is now an imperative, not an option.
Conclusion: No Silver Bullet, But Progress is Non-Negotiable
IT/OT convergence is here to stay, driven by digital transformation, remote operations, and the realities of modern adversaries. The lessons of the last decade—from Stuxnet (2010) to the waves of ransomware targeting industrial firms—underscore that technical and cultural bridges between IT and OT are no longer optional.
Attaining a common language is less about deploying a new technology stack and more about persistent, structured collaboration. Cross-education, standardized frameworks, and formalized policy sharing are foundational. Above all, leadership must recognize that these worlds are not merging—they are entwined, and only their deliberate alignment will support the cyber-physical resilience demanded by today’s critical infrastructure.
References and Further Reading
ISA/IEC 62443 Industrial Automation and Control Systems Security
Purdue Enterprise Reference Architecture (PERA)
NIST SP 800-82, Guide to Operational Technology (OT) Security (Rev. 3; earlier revisions were titled Guide to Industrial Control Systems (ICS) Security)
CISA Cross-Sector Cybersecurity Performance Goals
Sandia National Laboratories: IT/OT Convergence: Bridging the Divide