ISA Interchange

IT/OT Convergence at the ISA OT Cybersecurity Summit

Written by Scott Reynolds | Jul 9, 2025 11:00:00 AM

At the ISA OT Cybersecurity Summit, I moderated a panel on the cybersecurity risks around IT/OT convergence. First, I want to thank Dr. Ric Derbyshire, principal security researcher, Orange Cyberdefense; Jos Wetzels, founding partner, Midnight Blue; and Dr. Marina Krotofil, cybersecurity engineer, mk|security for creating a very lively discussion around this. It was the most fun I've had moderating a panel.

From that panel, I took away a few different definitions of what IT/OT convergence means, and there are different implications to the security and functionality of the control systems from each one.

Scott Reynolds, 2025 ISA president, moderates the panel discussion titled "IT/OT Convergence: Paving the Way for Industrial Automation" at the 2025 ISA OT Cybersecurity Summit.

IT Systems Used on OT Networks

This is one definition that was brought up, but I think we've been doing this longer than the term "OT" even existed.  We have been leveraging Ethernet and Windows Operating Systems for decades now. Why did we decide to start using Ethernet, a protocol that is intentionally designed around unpredictable collisions and communications errors?

We somewhat know the answer: It's cheaper, faster and good enough for what most systems are doing. Also, commercial off-the-shelf (COTS) solutions are easier to obtain for more companies. To respond to this migration to IT systems, and still work on the time dependencies of some applications, protocols were created to address systems such as servo motors.

Security risks from this definition: 

  • This is where the IT security risks all bleed into the OT network. If there's an IT risk, there is mostly likely also an OT Risk.
  • The most common threat to OT networks is ransomware coming from a vendor or the IT network; this enables that ability.
  • IT thinks they understand the IT systems on the OT network and treat them like IT systems, AKA the "I'm from IT and I'm here to help" problem.

Risk reduction from this definition:

  • Security professionals understands and can better secure COTS solutions.
  • COTS are more widely used and tested more for vulnerabilities.

IT Taking Over OT Networks

So this came from all three panelists, and I totally feel like I was being attacked as a person who works in the IT department. With that said, there are valid points here. IT takes over the OT networks and treats it like IT systems with patching and network communications.

Security risks from this definition:

  • IT breaks stuff: IT starts patching things that cannot be patched or need to have production downtime to patch them. They flood the network with backup traffic, causing an outage. They back up databases improperly.
  • IT makes things less secure: Windows domain forest either having one across IT and OT, or having trust between them. We generally want to start in the world of security by not trusting the IT network and assuming it's comprised. How do we continue to be comfortable operating while IT is having an incident?

Risk reduction from this definition:

  • IT can help discover misconfigured or misconceptions about how IT systems work (HA vs. backups).
  • IT can help discover insecure shadow IT solutions (sneaking in remote access directly to the process control network).

Being Intentional on IT/OT Connections

This is where I think ISA-95 is a good example. How do we get the data between our control system and our ERP system? What parts of the MES system do IT own and are on an IT network, and what parts of MES do the engineers own and are on the OT network? We need clearly defined roles for each team and owners for each part of the system.

Security risks from this definition:

  • Sometimes a black box is created on either side: IT doesn't know what's behind the firewall on the OT network, and OT doesn't know what the firewall's even doing. This creates a lack of awareness of how to properly secure the entire system.
  • The risk reductions from the "IT taking over OT networks" definition are missing.

Risk reduction from this definition:

  • Clearly defined roles and owners to respond to security risks.
  • Everyone stays in their own lane and doesn't create more problems by focusing on the wrong priorities for each network.

Now My Sales Pitch: IT/OT Collaboration

From above, you can see that there are clear issues with IT taking over the OT network. There are also opportunities to learn and leverage the skillset the IT team has and apply some of it to the OT network. Both IT and OT professionals have a lot to learn from each other. Yes, we have examples of IT not prioritizing safety and availability on the controls system. We also have examples of the control systems team trying to recover a Windows 2000 machine on a new desktop, or not having immutable backups of windows systems.

Security risks from this definition:

  • Collaboration can sometime slow things down, but you are also more likely to move further in the right direction.

Risk reduction from this definition:

  • I consider this the best of both worlds. IT and OT are working tother to find the best opportunities and then implementing them with both the IT and OT perspectives in mind.

To wrap this up, let's remember that everyone in the business should have the same goals in mind, and should align on those and work together to accomplish them. This can be to grow, be more efficient, increase agility and/or reduce risks. An organization where the departments are aligned on what success looks like will make this concept of IT/OT collaboration possible, and hopefully, collaboration drives IT/OT working together to drive change and be an enabler of business priorities.

Further Reading
View full post