When IT/OT convergence went somewhat mainstream in the 2010s, the driving force behind the movement was a need to pull data from the IIoT sensors and industrial control systems (ICS) acting as the brains of factories, utilities, water plants, and other sectors deemed critical infrastructure. We wanted to know how efficient our industrial processes were and where we could improve. This meant putting a NIC on everything and feeding hungry analytics systems with all this new information for processing.
We did so, also absorbing a good amount of newfound risk.
Convergence meant that IT and OT were to be integrated and event, process, and device data could be used to adjust operations, make factories run smoother, and improve the bottom line. But the concepts of IT cybersecurity and the protection of OT and cyber-physical systems were soon at loggerheads. There were differing priorities butting heads here, with confidentiality, integrity, and availability guiding IT security, and safety and reliability at the forefront of OT and CPS protection.
Experienced IT security teams see a vulnerability and instinctively want to patch it. OT teams of asset operators and engineers could live with the exposure and risk of an unpatched vulnerability if it meant not jeopardizing the reliability and availability of a process.
In 2025, convergence is a fact of life. Many security operations centers (SOCs) oversee these vastly different and complex environments, and I have to believe that convergence, while time-consuming and difficult, has improved critical infrastructure cybersecurity and our national security as a result.
For more than a decade, adversaries have increasingly targeted OT and cyber-physical systems within critical infrastructure sectors. Advanced attackers, many of whom are state-sponsored, have successfully impacted power generation and delivery in Ukraine, set off global malware infections by hitting supply chain providers such as SolarWinds and M.E.Doc (NotPetya), and have embedded offensive cyberweapons on U.S.-based CI to be activated in the event of kinetic conflict (Volt Typhoon). Hundreds of hospitals have been disrupted by ransomware, putting patients at risk in the process. And fuel delivery on the East Coast of the U.S. was severely disrupted during the Colonial Pipeline ransomware attack.
Enterprises heavily invested in OT or cyber-physical systems that have already implemented converged IT/OT environments understand the cybersecurity benefits—and challenges—brought by convergence initiatives. Let’s look at a few:
Integrated SOCs have a host of tools consuming data from OT assets and control systems. SOAR, SIEM, EDR, and other centralized management systems are vital in the defense of cyber-physical systems on a number of fronts. Not only can these platforms monitor for malicious activity, network anomalies, and other indicators of compromise, but administrators can uniformly apply security policies from them to ensure a consistent level of protection.
Bolstered by established threat intelligence feeds already familiar to the SOC, OT environments are no longer operating in an air-gapped vacuum with regard to threats. Converged environments apply enhanced monitoring, logging, and detection capabilities to OT, and provided a relatively complete OT asset inventory is in place, process-heavy organizations can fend off debilitating attacks that impact reliability and safety.
Software and firmware vulnerabilities, insecure remote connectivity to OT, the reliance on legacy equipment and protocols, shoddy access controls, and less-than-adequate configuration management leave OT and cyber-physical systems exposed to a number of threats. Managing these exposures centrally using vulnerability scanning, role-based access controls, and other available tools in converged environments ensures a smoother path toward resilient systems that can withstand incidents and maintain necessary availability, reliability, and safety standards.
Converged environments can really shine with regard to incident response. Playbooks familiar to IT can be extended to OT; these playbooks define roles and responsibilities, as well as escalation procedures as incidents are discovered and unfold. Playbooks are a vital strategy and should be mapped out to cover both IT and OT, and ensure that public safety, operator safety, and process reliability are accounted for with regard to cyber-physical systems. It’s here where the above benefits converge. For example, visibility enables so much of the monitoring that informs response activities. Monitoring and logging are crucial during an incident and afterward, during forensic investigations. Playbooks should also lay out containment strategies where key network assets are isolated or unplugged from the network. And of course, all of this should be tested regularly with all stakeholders involved.
OT continues to run largely on legacy equipment, software, and firmware that are often no longer supported by their respective vendors with security or feature updates. Connecting these systems compounds the risk for enterprises, given that much of OT was designed to be in place for decades and was certainly not built with connectivity or cybersecurity in mind.
Convergence has absolutely increased the attack surface available to threat actors, and added to the complexity of OT and its different standards, frameworks, and proprietary protocols and technologies that don’t readily align with IT and can easily be misconfigured.
Organizations, however, are being forced to embrace convergence. Competitively, it makes sense, as enterprises must keep up with the advanced analytics and other benefits companies are reaping from converged environments.
I urge enterprises, however, to embrace the challenge and never waste an opportunity to improve. Look at convergence as an opportunity to bring cybersecurity best practices such as multifactor authentication, encryption, and role-based access controls to OT and cyber-physical systems. Apply monitoring and threat detection to these connected physical processes, and concentrate on mitigating newfound risks across the CI sectors. Convergence is a challenge, but it also opens many doors once closed to OT around risk management.
U.S. Navy Adm. (Ret.) Michael Rogers served as the 17th Director of the National Security Agency and the 2nd Commander of U.S. Cyber Command. Adm. Rogers presided over the activation of the Pentagon's Cyber Mission Forces and the elevation of U.S. Cyber Command to unified combatant command status. He is currently the chairman of Claroty’s Board of Advisors.