For many organizations, it has been best practice to keep things separate. Factory equipment, power grids, water treatment facilities, medical systems and other critical infrastructure have long been walled off from IT systems. Because these environments handle critical operational tasks, they’ve remained isolated and air-gapped from enterprise software and outside networks.
But as organizations look for ways to dial up efficiency and cut costs, operational technology (OT) is getting a makeover. Connected sensors, AI and cloud-based analytics are rapidly moving onto the plant floor. As a result, what was once a highly secure, one-way data flow has become a dynamic, bidirectional exchange.
This shift introduces remarkable gains, but it also amplifies cyber-risk.
“OT wasn’t built with security in mind. Usually, it was designed to be a trusted enclave,” said Paddy Harrington, senior analyst at Forrester Research. Many industrial systems still run on outdated OSes, proprietary protocols and flat networks that are difficult to segment and patch. Taking a controller offline can halt production or interrupt critical systems.
“We have witnessed a dramatic expansion in connectivity without a corresponding increase in security maturity,” said Pia Capra, director of OT cybersecurity for Booz Allen’s industrial enterprise. “It took decades for organizations to cautiously connect OT systems to enterprise IT. Now, in just the past few years, many have leapfrogged straight into cloud-connected and AI-enabled environments.”
The takeaway? CIOs, CISOs and others managing cybersecurity must toss the traditional playbook when it comes to asset visibility, network segmentation, vendor trust and incident response. Even a relatively small gap or breakdown can result in downtime, damaged equipment and — in a worst-case scenario — physical harm.
Connections bring risks for OT systems
Historically, securing industrial systems meant locking the door and throwing away the key. The technology inside — programmable logic controllers (PLCs), sensors, actuators and software — ran on proprietary protocols that were walled off from IT systems. This framework, based on the Purdue Model, established a hierarchy of zones with controllers that typically didn't interact with external networks.
Ethernet and IP-based protocols have steadily crept onto plant floors. This has introduced novel risks for OT systems, including widely used supervisory control and data acquisition (SCADA) systems. In 2010, the Stuxnet worm infiltrated a Siemens PLC that Iran was using to enrich uranium. The malware destroyed about 1,000 centrifuges. In May 2021, Colonial Pipeline proactively shut down due to ransomware that hit the firm’s IT systems. The event triggered fuel shortages and panic buying across the eastern U.S.
Today, the attack surface is expanding due to ubiquitous sensors, cameras, connected devices and AI-enabled tools. “IoT devices are destroying the air gap faster than any other thing we've seen,” said Sean Tufts, field CTO at security firm Claroty. Decades-old OT systems amplify the problem; they were never designed for the internet and AI. “What looks like a harmless sensor can open a backdoor into the environment,” he said.
In fact, a 2025 Forrester study commissioned by Schneider Electric found that 91% of the 262 global critical infrastructure organizations surveyed have experienced at least one OT breach or failure over the past 18 months. The study also found that 51% still rely on traditional IT practices to secure OT environments, and only 40% have 24/7 monitoring in place.
AI raises the risks
Introducing AI to OT systems is particularly risky. Unlike static sensors that collect data and route it to the cloud, AI constantly interacts with the cloud — while still relying on a 1990s OT infrastructure. This environment renders firewalls and conventional security largely ineffective. Agentic AI extends the risks by stringing together actions that stretch across IT and OT.
“Agents with unfettered access can take down the entire network in a blink,” Harrington said.
Technology isn't the only challenge, however; there are also governance issues. Historically, it has been the job of engineers to oversee SCADA systems and other controls. The problem? These teams typically lack specific knowledge about IT security and modern threats. For many organizations, this leads to a governance gap: OT specialists don't understand the risks their environments create, while IT teams overlook the fact that cybersecurity rooted in IT is fundamentally different from cybersecurity rooted in OT.
Still another challenge is managing the complexity of mixed OT-IT environments and the exposure that extended supply chains introduce. It's increasingly common for contractors and third parties to have access to systems, to improve visibility and efficiency. But the resulting remote maintenance, shared credentials, unmanaged devices, and shadow IT further increase the risk footprint.
Says Tufts: “Third-party risk is a new perimeter.”
How the CIO and COO affect OT
CIOs will play an important role in dismantling the wall between OT and IT, but they need to move strategically. “The discussion needs to shift from CIOs taking control of OT to creating shared accountability without disrupting operations,” Capra said. This “shifts the conversation away from a turf battle and toward alignment with business priorities.”
What often flies under the radar of both IT and OT specialists is that both groups are in pursuit of the same outcomes, but for different reasons, Capra said. While a CIO might be focused on “understanding threats and reducing cyber-risk,” a COO is often buried in “troubleshooting, change management and enabling more advanced capabilities like smart manufacturing,” she added.
This leads to subtle differences in the way teams typically respond to threats and security incidents, Capra said. In IT, the first step is often to isolate or shut down a system, whereas in OT, pulling the plug can create unsafe conditions and damage equipment. “In some cases, the right decision is to let a process continue or run to a safe stopping point, if there is no risk to safety or further spread of the malware,” she said.
Without clear communication, OT and IT teams may clash over opposing response tactics. This makes cross-functional collaboration paramount. Doing this effectively requires identifying key operational priorities — and building in the right metrics. For OT teams, this often includes uptime, safety and reliability. For IT, important factors include protecting assets, critical tools and overall visibility. “Governance cannot be imposed in a way that risks disrupting production,” Capra said.
Gaining visibility into OT systems
The question isn't whether OT and IT will become inextricably connected. It's how to move forward and unlock the benefits of an integrated OT-IT environment.
According to Tufts, the overarching goal is to build broad and deep visibility into an OT-IT framework through asset discovery, communication mapping and passive monitoring. AI used effectively can also aid in threat analysis, anomaly detection, data routing, predictive maintenance and smoother operations and security workflows.
CIOs must recognize, however, that it's not a good idea to update aging OT systems overnight. Some carry upward of 25 years of technical debt. Instead of rushing into end-to-end action, a practical approach centers on first identifying the changes that reduce risk the fastest and make the biggest impact. Then organizations can move on to other systems, tools and workflows, Tufts said. This often translates to just-in-time access, stronger identity controls, the ability to view vendor sessions and tighter controls over contractors and their devices.
There’s no quick fix, but when organizations get things right, there is a real upside: faster threat detection, more resilient operations and a foundation for IoT and AI that enhances business performance while reducing risk.
Concluded Harrington: “All the rules change completely in today’s environment.”
