OT and IT convergence: what the industrial CIO needs to prepare for
Sensors, MES, ERP, and remote support are merging into a single risk perimeter - and most industrial IT directors are not ready for that yet.
Industrial companies have long lived in two parallel worlds. Operational technology - controllers, sensors, SCADA systems, shop-floor equipment - existed separately from corporate IT infrastructure. The separation was almost physical: different networks, different people, different priorities.
That separation is disappearing now. Not because someone made a decision to merge them, but because pressure is arriving from several directions at once.
Where the convergence pressure comes from
Several forces are pushing OT and IT toward each other.
Business wants production data in real time - in ERP, in reports, on executive dashboards. That means integrating MES with corporate systems, which means a channel between the shop-floor network and the corporate one.
Equipment manufacturers are moving to remote diagnostics and support. This is convenient: the vendor's engineer sees a problem before it becomes a stoppage. But it also means there is now an external channel into your equipment.
The cost of industrial computers has fallen and their networking capabilities have grown. Controllers that used to be isolated devices now have Ethernet ports and run standard operating systems.
All of this happens gradually, often without any explicit decision at the CIO level. At some point the company finds it has ended up with a single converged network that nobody designed.
What "a single risk perimeter" means
In a separated architecture, a compromised corporate laptop does not shut down the production line. In a converged one, it might.
This is not a hypothetical scenario. Attacks on industrial systems had already happened by 2012 - Stuxnet, discovered in 2010, being the most widely known public example. That attack reached its target over portable media rather than a network link, but the point was demonstrated: industrial controllers can be compromised, and the attack vector can be one nobody planned for. After Stuxnet, ICS segmentation became non-optional.
For most manufacturing companies the realistic risks are more mundane. They include:
- corporate malware accidentally reaching the shop-floor network through an integration channel;
- a compromised VPN account belonging to a vendor with access to equipment;
- outdated software on industrial workstations that nobody has updated in years;
- no monitoring at the boundary between the two environments.
None of these threats is new. What is new is that they have become relevant to companies that previously considered themselves outside that category.
Why the CIO often does not see the full picture
Industrial equipment has traditionally been the responsibility of production or engineering departments. The CIO sees the corporate network but not the shop-floor network. They know there is a SCADA system somewhere but do not know what it connects to or how isolated it actually is.
This is not anyone's fault - it is how the organisational model developed. But in today's conditions it creates a blind spot exactly where the two perimeters meet.
The first step is an inventory of what actually exists. Not just corporate assets, but what is in the factory, what connects to what, and what external channels are in place.
How to start the internal conversation
The topic sits at a point where different parties have different interests. Production does not want IT "touching" shop-floor systems. IT does not want to be responsible for something it does not understand. Vendors want to keep their support channels open.
It is better to start the conversation without the word "security", which tends to make people defensive. Start with questions instead:
- If something on the shop floor stops tomorrow because of a network problem, who finds out first and who investigates?
- Who currently knows what external connections to production systems exist?
- Do we have an asset list for the OT network, and who owns it?
These questions are uncontroversial. But the answers quickly reveal where the real gaps are.
A minimal practical checklist
If an industrial company's CIO wants to start working on this without committing to a large project:
- Map how shop-floor networks are physically connected to corporate ones.
- Find out what external channels exist (vendors, remote support) and who manages them.
- Identify who is responsible for industrial workstations and controllers in terms of updates and configurations.
- Agree on some form of joint monitoring at the boundary between the two environments - even a minimal one.
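The checklist's last two items (know which channels cross the boundary and who owns them, then watch that boundary) can be turned into something concrete with very little tooling. The script below is an added example, not code from the article or any product: it keeps the agreed conduits as a small list with a named owner, reads flow records from the boundary firewall (the `key=value` line format, the address ranges, the conduit endpoints and the maintenance window are all assumptions made for this example), and flags anything that crosses into or out of the OT zone without an owner. It goes one step beyond the text by also flagging an agreed vendor channel used outside its maintenance window, since the article lists a compromised vendor VPN account as one of the realistic risks.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Zone definitions. These address ranges are placeholders chosen for this example.
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")       # shop-floor network
CORP_ZONE = ipaddress.ip_network("10.10.0.0/16")     # corporate network
VENDOR_VPN = ipaddress.ip_network("172.16.5.0/24")   # vendor remote-support address pool


@dataclass
class Conduit:
    """One agreed channel across the OT/IT boundary, with a named owner."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int
    proto: str
    owner: str
    window: Optional[tuple[int, int]] = None  # (start_hour, end_hour) local time; may wrap midnight

    def matches(self, src, dst, dport, proto) -> bool:
        return src in self.src and dst in self.dst and dport == self.dport and proto == self.proto

    def in_window(self, ts: datetime) -> bool:
        if self.window is None:
            return True
        start, end = self.window
        h = ts.hour
        return start <= h < end if start < end else (h >= start or h < end)


# The conduit list is the written-down output of the checklist: every channel
# across the boundary, who owns it, and when a vendor may use it. Hypothetical entries.
CONDUITS = [
    Conduit(ipaddress.ip_network("10.20.1.10/32"), ipaddress.ip_network("10.10.3.20/32"),
            1433, "tcp", owner="MES team (historian -> ERP)"),
    Conduit(VENDOR_VPN, ipaddress.ip_network("10.20.7.5/32"),
            3389, "tcp", owner="Production / packaging-line vendor", window=(22, 6)),
]


def zone_of(addr) -> str:
    if addr in OT_ZONE:
        return "ot"
    if addr in CORP_ZONE:
        return "corp"
    if addr in VENDOR_VPN:
        return "vendor"
    return "other"


def parse_line(line: str) -> dict:
    """Parse one 'key=value' flow record from the boundary firewall (format assumed)."""
    fields = dict(part.split("=", 1) for part in line.split())
    return {
        "ts": datetime.fromisoformat(fields["ts"]),
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "proto": fields["proto"].lower(),
        "dport": int(fields["dport"]),
    }


def classify(flow: dict) -> tuple[str, str]:
    """Return (verdict, detail) for one flow.

    'internal': does not cross the OT boundary, ignored.
    'allowed': matches an agreed conduit inside its window.
    'outside_window': agreed conduit used at the wrong time.
    'unknown_crossing': enters or leaves OT with no owner on record.
    """
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if "ot" not in (src_zone, dst_zone) or src_zone == dst_zone:
        return "internal", f"{src_zone}->{dst_zone}"
    for c in CONDUITS:
        if c.matches(flow["src"], flow["dst"], flow["dport"], flow["proto"]):
            return ("allowed" if c.in_window(flow["ts"]) else "outside_window"), c.owner
    return "unknown_crossing", f"{src_zone}->{dst_zone} {flow['proto']}/{flow['dport']}"


def review(lines) -> list[tuple[str, str, str]]:
    """Classify every record; return (verdict, detail, line) for each flow that crosses the boundary."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        verdict, detail = classify(parse_line(line))
        if verdict != "internal":
            findings.append((verdict, detail, line))
    return findings


# Constructed sample log for this example; not real traffic.
SAMPLE_LOG = """
ts=2024-03-04T02:15:00 src=10.20.1.10 dst=10.10.3.20 proto=tcp dport=1433
ts=2024-03-04T02:16:10 src=172.16.5.14 dst=10.20.7.5 proto=tcp dport=3389
ts=2024-03-04T10:42:31 src=172.16.5.14 dst=10.20.7.5 proto=tcp dport=3389
ts=2024-03-04T10:43:02 src=10.10.5.44 dst=10.20.7.5 proto=tcp dport=502
ts=2024-03-04T10:43:05 src=10.10.5.44 dst=10.10.8.9 proto=tcp dport=445
"""

if __name__ == "__main__":
    for verdict, detail, line in review(SAMPLE_LOG.splitlines()):
        print(f"{verdict:16} {detail:40} {line}")
```

On the sample, the MES-to-ERP flow and the night-time vendor session are reported as allowed with their owners, the same vendor session at 10:42 is flagged as outside its window, a corporate workstation reaching a shop-floor HMI on Modbus (tcp/502) is flagged as an unknown crossing, and corporate-to-corporate traffic is ignored. The value is not in the script but in the conduit list: producing it forces production, IT and the vendor to agree on what is supposed to cross the boundary, which is exactly the conversation the checklist is trying to start.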
None of this requires a large budget. It requires a conversation between people who until now have worked in separate worlds.