Why IT/OT Convergence Fails Without Governance

Effective IT/OT convergence depends on strong governance; establish unified policies, asset management, and change controls to ensure cybersecurity, safety, and operational success.


Introduction

CISA, NIST, and the ISA/IEC 62443 standards have long articulated the growing necessity of tighter integration across IT (Information Technology) and OT (Operational Technology) domains. This convergence is central to modernizing industrial and critical infrastructure, improving operational efficiency, and, critically, enhancing the security posture of organizations. Yet, for many CISOs, IT Directors, Network Engineers, and Operators, the promise of IT/OT convergence can turn into disillusionment and risk if core elements of governance are overlooked.


Historical Context: The Genesis of IT/OT Silos

To understand the challenges of convergence, it is important to reflect on the separate histories of IT and OT.


  • IT Systems: Traditionally, IT environments were designed for confidentiality and integrity, emphasizing data security, access control, and interconnectedness over large, distributed networks built on the OSI model. The rapid adoption of TCP/IP, Ethernet, and later, identity-centric models paralleled the spread of enterprise resource planning (ERP) and business systems.

  • OT Systems: Conversely, OT environments (PLCs, DCS, SCADA) originated with isolated, deterministic, and sometimes proprietary protocols (Modbus, Profibus, DNP3). Until very recently, these systems were air-gapped for reliability and physical safety reasons, with communications protocols and physical network topologies purpose-built for real-time process control—not resilience against internet-borne threats.

The result is two fundamentally different ecosystems: IT emphasizing data and users, OT emphasizing process and uptime.


Drivers of IT/OT Convergence—and Its Failure Modes

The rationale for convergence is clear: digital transformation, rising efficiency demands, predictive maintenance via data analytics, and the need to protect both IT and OT assets from evolving cyber threats. However, the lack of governance turns convergence from a force multiplier into a liability.


Common Failure Modes

  1. Ambiguous Ownership and Processes: Without clear governance, who owns cybersecurity policy in converged networks? Who is responsible for patching a Windows-based HMI controlling a critical process?

  2. Conflict of Priorities: IT teams may prioritize rapid patching and authentication upgrades. OT operations may refuse downtime at any cost, prioritizing safety and continuous operation. Without governance, clashes result, and both sides become risk-averse or even combative.

  3. Inconsistent Visibility and Control: IT often lacks visibility into legacy OT devices and their network traffic. OT teams may possess deep asset knowledge but little understanding of cyber risk. Governance mechanisms are essential to establish shared visibility and controls.

  4. Vulnerable Network Architectures: Unstructured convergence leads to flat networks, poorly segmented zones, and undocumented pathways between IT and OT. The result: ransomware propagation, lateral movement, and compliance failures.

Networks, Boundaries, and the Architecture of Convergence

Legacy Architectures

Historically, the Purdue Enterprise Reference Architecture (PERA) provided the de facto model for industrial networks: Level 4 (IT), Levels 3–1 (OT), and Level 0 (process/field devices) with DMZs acting as boundaries. However, the rise of IIoT (Industrial IoT) and cloud platforms has complicated this model, introducing new interfaces and endpoints that must be governed.


Modern Segmentation Approaches

  • Zone and Conduit (62443): The ISA/IEC 62443 standard formalized the granularity needed for risk-based segmentation—dividing assets into zones (based on criticality and function) and controlling inter-zone traffic via conduits (firewalls, proxies, data diodes).

  • Zero Trust for OT: Modern architectures borrow from Zero Trust principles: continuous verification (micro-segmentation, deep attestation), least-privilege access, and pervasive monitoring—not just perimeter defense.

Crucially, technical controls mean little without governance: asset inventory, change management, access review, and incident response responsibilities must all be well-defined and enforced.
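The zone-and-conduit model above is easy to state and hard to keep honest without an enforced inventory. The following script is an added illustration, not code from the article or from any vendor it mentions: it assigns assets to zones from a constructed inventory, defines the permitted conduits between zones, and audits constructed flow records against them. Anything that crosses a zone boundary without a matching conduit, or that involves an asset missing from the inventory, comes back as a finding for the governance process to review. All addresses, hostnames, zone names and the historian port 5450 are invented for the example; only 502 (Modbus/TCP) and 44818 (EtherNet/IP) are the protocols' real registered ports.

```python
"""Zone-and-conduit audit over constructed flow records (illustrative, not from the article).

Assets are mapped to ISA/IEC 62443-style zones via an inventory; conduits list
which (source zone, destination zone) pairs may talk and on which protocol/port.
Flows that match no conduit, or that touch an asset absent from the inventory,
are reported as findings. Intra-zone traffic is left to the zone's own controls.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed asset inventory: IP -> (hostname, zone). All values are made up.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "10.10.1.20": ("erp-app01", "enterprise"),    # Purdue Level 4 (IT)
    "10.20.1.5":  ("historian-dmz", "idmz"),      # industrial DMZ
    "10.30.1.10": ("scada-srv01", "control"),     # Levels 3/2
    "10.30.1.50": ("hmi-line1", "control"),
    "10.40.1.7":  ("plc-line1", "cell-line1"),    # Level 1
}

# Conduits: (source zone, destination zone) -> permitted (proto, dst_port) pairs.
CONDUITS: Dict[Tuple[str, str], Set[Tuple[str, int]]] = {
    ("enterprise", "idmz"): {("tcp", 443)},                     # ERP reads the historian over HTTPS
    ("control", "idmz"): {("tcp", 5450)},                       # historian replication (constructed port)
    ("control", "cell-line1"): {("tcp", 502), ("tcp", 44818)},  # Modbus/TCP, EtherNet/IP
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Finding:
    flow: Flow
    reason: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line: '<src> <dst> <proto> <dst_port>'."""
    src, dst, proto, port = line.split()
    return Flow(src, dst, proto.lower(), int(port))


def evaluate(flow: Flow, inventory: Dict[str, Tuple[str, str]],
             conduits: Dict[Tuple[str, str], Set[Tuple[str, int]]]) -> Optional[Finding]:
    """Return a Finding if the flow violates the zone/conduit policy, else None."""
    src = inventory.get(flow.src)
    dst = inventory.get(flow.dst)
    if src is None or dst is None:
        # An unknown endpoint is itself a governance failure: the inventory is incomplete.
        missing = flow.src if src is None else flow.dst
        return Finding(flow, f"unknown asset {missing}: not in inventory")
    src_zone, dst_zone = src[1], dst[1]
    if src_zone == dst_zone:
        return None  # intra-zone traffic is governed inside the zone
    key = (src_zone, dst_zone)
    if key not in conduits:
        return Finding(flow, f"no conduit defined from {src_zone} to {dst_zone}")
    if (flow.proto, flow.dst_port) not in conduits[key]:
        return Finding(flow, f"conduit {src_zone}->{dst_zone} exists but "
                             f"{flow.proto}/{flow.dst_port} is not permitted")
    return None


def audit(flows: Iterable[Flow], inventory=INVENTORY, conduits=CONDUITS) -> List[Finding]:
    """Evaluate every flow and keep only the violations, in input order."""
    results = (evaluate(f, inventory, conduits) for f in flows)
    return [r for r in results if r is not None]


# Constructed flow records: two permitted flows, then three that should be flagged.
SAMPLE_FLOWS = """\
10.10.1.20 10.20.1.5 tcp 443
10.30.1.10 10.40.1.7 tcp 502
10.10.1.20 10.40.1.7 tcp 502
10.30.1.50 10.20.1.5 tcp 3389
10.50.9.9 10.40.1.7 tcp 502
""".splitlines()

if __name__ == "__main__":
    for finding in audit(parse_flow(line) for line in SAMPLE_FLOWS):
        fl = finding.flow
        print(f"{fl.src} -> {fl.dst} {fl.proto}/{fl.dst_port}: {finding.reason}")
```

Run as a script, it reports three findings from the sample: an IT host reaching a PLC with no conduit defined, an HMI using a port the control-to-DMZ conduit does not permit, and a flow from an address the inventory has never seen. The first two are the "undocumented pathways" the article warns about; the third is the asset-management gap. Feeding real flow exports through the same check, with the inventory and conduit table owned by the joint governance board rather than by either team alone, turns the segmentation policy into something that can be measured.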


Security, Connectivity, and the Governance Gap

Role of Collaborative Governance

Successful convergence hinges on establishing shared governance spanning both IT and OT domains. Key elements include:


  • Joint Policy Frameworks: Unified policies that consider uptime, safety, and cybersecurity—recognized as equivalent criteria, informed by cross-disciplinary teams and maintained via regular board-level oversight.

  • Asset and Risk Management: Centralized, regularly updated inventories and risk registers. OT assets must be tracked with the same rigor as IT endpoints, and risk tolerance must be set at the organization—not department—level.

  • Change and Incident Management: Predefined, tested processes for network changes, including emergency response plans that don’t compromise safety, together with joint DR/BC (Disaster Recovery/Business Continuity) exercises that cover both IT and OT scenarios.

  • Identity and Access: Role-based access control that aligns with both operational needs and security imperatives. Credentials for critical OT systems should not be a security afterthought or bypassed for convenience. MFA and auditing should be adapted for OT realities.

Case Study: Where Governance Succeeds

Consider a global energy company with a mature IT/OT governance structure. Governance boards include both CIO/CTO leaders and operations managers; network changes (for example, adding remote monitoring for turbines) require documented business justification and cross-team review. Policy is enforceable—remote access to OT networks is limited by technical controls (jump hosts, VPN with posture checks), but also by policy, with reporting lines if deviations occur. Shared incident response protocols ensure that both IT and OT assets are included in threat hunts and post-incident reviews.


Contrast this with organizations that bolt on IIoT gateways or permit “temporary” remote vendor access without risk appraisal, documentation, or approval. The former builds resilience and trust; the latter risks safety incidents and regulatory penalties.


Conclusion

While technology advances rapidly, organizational behavior is slower to adapt. IT/OT convergence is not a technical switch, but a transformation of responsibility, accountability, and visibility. Network architecture decisions, secure remote connectivity, and segmentation all flow from governance—without it, convergence is brittle and dangerous. As industrial and critical infrastructure leaders, it is imperative to prioritize governance as the keystone for any IT/OT project.


Recommendations and Next Steps

  • Establish a joint IT/OT security governance board, with C-level sponsorship.

  • Adopt standards (ISA/IEC 62443, NIST SP 800-82) and map them to specific governance processes.

  • Mandate continuous asset discovery and risk assessment across IT and OT domains.

  • Define access, change, and incident management processes with clear lines of authority.

  • Invest in tabletop exercises simulating IT/OT incident scenarios, reviewing both technical controls and governance procedures.

With robust governance as the backbone, IT/OT convergence can realize its promised efficiencies—without introducing unmanageable risk.

