Why companies must solve the IT/OT challenge

What cyber can learn from the auto industry

COMMENTARY: SANS Research recently found that the responsibilities of information technology (IT) and operational technology (OT) teams have converged: IT roles now include responsibilities previously handled by ICS/OT teams, but traditional IT security practices can disrupt engineering practices in OT environments and result in real safety consequences.

These challenges show why organizations need to change existing cybersecurity practices and adopt practices and technologies designed for today’s critical infrastructure environments.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

The 2025 SANS ICS/OT Cybersecurity Budget Report showed that 58% of organizations experienced at least one security incident involving ICS/OT systems. It's time for organizations to address IT/OT challenges and find ways to improve cyber protection together.

Why applying IT security controls directly doesn’t work

Applying IT security tools and practices directly to OT environments can result in unacceptable operational instability. There are a few reasons for this. One is that many ICS/OT systems run outdated or proprietary operating systems, such as Windows XP or embedded platforms, which creates serious cybersecurity risks. Updating these systems isn’t easy, both because of cost concerns and because of the difficulty of meeting compatibility requirements for specialized industrial hardware and software.

Proprietary systems sometimes also lack vendor support, making patching efforts far more difficult. In addition, many of these systems weren’t designed for today’s interconnected IT/OT environments, so they are more susceptible to ransomware, malware, and lateral movement. Most don’t include antivirus support or have the ability to monitor for anomalous activity, making it harder to identify or block malicious activity. Compounding the problem, many organizations only patch or upgrade systems during annual maintenance windows, leaving them exposed to vulnerabilities months after disclosure.

Unfortunately, replacing legacy systems often isn’t practical. As long as these systems are still producing well and uptime is high, there’s no incentive to change these older yet functional pieces of equipment. Organizations can begin reducing existing security risks in a few ways, such as:

  • Scan all USBs, laptops or other storage media and systems before they enter a production area.
  • Use data diodes as unidirectional gateways that prevent inbound attacks.
  • When developing patching policies for planned maintenance windows, prioritize cybersecurity considerations as highly as safety requirements.
  • Implement network segmentation to safeguard the most critical assets.
  • Apply strong access controls.
  • Adopt passive centralized monitoring tools to analyze network traffic.

Teams find it difficult to bridge the gaps

OT and IT teams have different cultures and are driven by inherently different priorities. OT teams prioritize human safety and operational continuity, while IT teams concentrate on protecting the integrity and confidentiality of data and digital systems. A good example: an OT team rejecting an IT-recommended firewall update because they’re worried that the update will impact a Supervisory Control and Data Acquisition (SCADA) system, resulting in degraded performance or unexpected behaviors that put critical processes at risk.

A skills gap amplifies such challenges. Many OT engineers have no cybersecurity training, and most IT teams don’t understand industrial protocols, such as Modbus or Distributed Network Protocol version 3 (DNP3). Cross-training programs, where IT staff members observe OT operations to understand safety and continuity concerns, are often the best way for organizations to address these cultural and skills gaps and build cross-team understanding. This benefits the organization, and it’s a great career development plan for employees.

Beyond bridging these gaps, organizations must work to integrate their processes, workflows, and governance frameworks. Unified frameworks, such as NIST SP 800-82 Rev. 3 and SANS’ Five ICS Cybersecurity Critical Controls, can help teams bridge many technical gaps. A few ways to close them include:

  • Develop shared policies with cross-functional teams.
  • Coordinate risk management and incident response procedures.
  • Adopt uniform security protocols for both IT and OT environments.

Taking these steps can help IT and OT team members minimize inefficiencies and strengthen the organization’s overall cyber resilience.

How to build collaborative teams

Making IT/OT work together effectively requires an approach where engineering teams lead OT-based decisions, and IT offers security expertise in support of those decisions. For example, during a ransomware attack at a manufacturing plant, OT engineers could isolate affected machines while IT traces the entry point.

Cross-functional teams need to adopt proactive strategies. That means conducting tabletop exercises that simulate attacks on OT systems, deploying non-disruptive asset discovery tools to conduct risk assessments, and aligning with relevant regulations. Two of the most important regulations are North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), a set of mandatory cybersecurity standards designed to secure the assets required for operating North America’s Bulk Electric System (BES), and ISA/IEC 62443, a globally recognized series of standards developed to address cybersecurity for industrial automation and control systems (IACS). These frameworks help establish common goals and create a shared language and shared security concepts for IT and OT teams.

While these transitions are often rocky, IT/OT convergence isn’t doomed to fail. Organizations that address IT and OT concerns and bridge gaps can secure critical infrastructure while still maintaining operational safety. It may even create opportunities to improve operational efficiency, find cost savings, and update security protocols in OT environments. In an era of evolving threats and technologies, this convergence may present an opportunity to secure critical infrastructure more effectively.

Matt Wiseman, director of product marketing, OPSWAT
