For many organizations, it has been best practice to keep things separate. Factory equipment, power grids, water treatment facilities, medical systems and other critical infrastructure have long been walled off from IT systems. Because these environments handle critical operational tasks, they’ve remained isolated and air-gapped from enterprise software and outside networks.
But as organizations look for ways to dial up efficiency and cut costs, operational technology (OT) is getting a makeover. Connected sensors, AI and cloud-based analytics are rapidly moving onto the plant floor. As a result, what was once a highly secure, one-way data flow has become a dynamic, bidirectional exchange.
This shift introduces remarkable gains, but it also amplifies cyber-risk.
“OT wasn’t built with security in mind. Often, it was designed to be a trusted enclave,” said Paddy Harrington, senior analyst at Forrester Research. Many industrial systems still run on outdated OSes, proprietary protocols and flat networks that are difficult to segment and patch. Taking a controller offline can halt production or interrupt critical systems.
“We have witnessed a dramatic growth in connectivity with no corresponding increase in security maturity,” said Pia Capra, director of OT cybersecurity for Booz Allen’s industrial enterprise. “It took decades for organizations to cautiously connect OT systems to enterprise IT. Now, in just the past couple of years, many have leapfrogged straight into cloud-connected and AI-enabled environments.”
The takeaway? CIOs, CISOs and others managing cybersecurity must toss the standard playbook when it comes to asset visibility, network segmentation, vendor trust and incident response. Even a relatively small gap or breakdown can result in downtime, damaged equipment and — in a worst-case scenario — physical harm.
Connections bring risks for OT systems
Historically, securing industrial systems meant locking the door and throwing away the key. The technology inside — programmable logic controllers (PLCs), sensors, actuators and software — ran on proprietary protocols that were walled off from IT systems. This framework, based on the Purdue Model, established a hierarchy of zones with controllers that typically did not interact with outside networks.
Ethernet and IP-based protocols have steadily crept onto plant floors. This has introduced novel risks for OT systems, including widely used supervisory control and data acquisition (SCADA) systems. In 2010, the Stuxnet worm infiltrated a Siemens PLC that Iran was using to enrich uranium. The malware destroyed about 1,000 centrifuges. In May 2021, Colonial Pipeline proactively shut down because of ransomware that hit the firm’s IT systems. The event triggered fuel shortages and panic buying across the eastern U.S.
Today, the attack surface is expanding due to ubiquitous sensors, cameras, connected devices and AI-enabled tools. “IoT devices are destroying the air gap faster than any other thing we have seen,” said Sean Tufts, field CTO at security firm Claroty. Decades-old OT systems magnify the problem; they were never designed for the internet and AI. “What seems like a harmless sensor can open a backdoor into the environment,” he said.
In fact, a 2025 Forrester study commissioned by Schneider Electric found that 91% of the 262 global critical infrastructure organizations surveyed have experienced at least one OT breach or failure over the past 18 months. The study also found that 51% still rely on traditional IT practices to secure OT environments, and only 40% have 24/7 monitoring in place.
AI raises the risks
Introducing AI to OT systems is particularly risky. Unlike static sensors that collect data and route it to the cloud, AI constantly interacts with the cloud — while still relying on a 1990s OT infrastructure. This environment renders firewalls and traditional security largely ineffective. Agentic AI extends the risks by stringing together actions that stretch across IT and OT.
“Agents with unfettered access can take down your entire network in a blink,” Harrington said.
Technology is not the only challenge, however; there are also governance concerns. Historically, it has been the job of engineers to oversee SCADA systems and other controls. The problem? These teams typically lack specific knowledge about IT security and modern threats. For many organizations, this leads to a governance gap: OT experts do not understand the risks their environments create, while IT teams overlook the fact that cybersecurity rooted in IT is fundamentally different from cybersecurity rooted in OT.
Yet another challenge is managing the complexity of mixed OT-IT environments and the exposure that extended supply chains introduce. It is increasingly common for contractors and third parties to have access to systems, to improve visibility and efficiency. But the resulting remote maintenance, shared credentials, unmanaged devices and shadow IT further increase the risk footprint.
Says Tufts: “Third-party risk is a new perimeter.”
How the CIO and COO affect OT
CIOs will play an important role in dismantling the wall between OT and IT, but they need to move strategically. “The discussion needs to shift from CIOs taking control of OT to creating shared accountability without disrupting operations,” Capra said. This “shifts the conversation away from a turf war and toward alignment with business priorities.”
What often flies under the radar of both IT and OT experts is that both groups are in pursuit of the same outcomes, but for different reasons, Capra said. While a CIO might be focused on “understanding threats and reducing cyber-risk,” a COO is often buried in “troubleshooting, change management and enabling more advanced capabilities like smart manufacturing,” she added.
This leads to subtle differences in the way teams typically respond to threats and security incidents, Capra said. In IT, the first step is often to isolate or shut down a system, while in OT, pulling the plug can create unsafe conditions and damage equipment. “In some cases, the right decision is to let a process continue or run to a safe stopping point, if there is no risk to safety or further spread of the malware,” she said.
Without clear communication, OT and IT teams may clash over opposing response tactics. This makes cross-functional collaboration paramount. Doing this effectively requires identifying key operational priorities — and building in the right metrics. For OT teams, this often includes uptime, safety and reliability. For IT, important factors include protecting assets, critical tools and overall visibility. “Governance cannot be imposed in a way that risks disrupting production,” Capra said.
Gaining visibility into OT systems
The question is not whether OT and IT will become inextricably linked. It is how to move forward and unlock the benefits of an integrated OT-IT environment.
According to Tufts, the overarching goal is to build broad and deep visibility into an OT-IT framework through asset discovery, communication mapping and passive monitoring. AI used effectively can also assist in threat analysis, anomaly detection, data routing, predictive maintenance and smoother operations and security workflows.
CIOs must recognize, however, that it’s not a good idea to update aging OT systems overnight. Some carry upward of 25 years of technical debt. Instead of rushing into end-to-end action, a practical approach centers on first identifying the changes that reduce risk the fastest and make the biggest impact. Then organizations can move on to other systems, tools and workflows, Tufts said. This often translates to just-in-time access, stronger identity controls, the ability to view vendor sessions and tighter controls over contractors and their devices.
There’s no quick fix, but when organizations get things right, there is a real upside: faster threat detection, more resilient operations and a foundation for IoT and AI that enhances business performance while reducing risk.
Concluded Harrington: “All the rules change completely in today’s environment.”
