Bridging the IT-OT security gap with easy to deploy measures
Prayukth KV
23. Oktober 2025
Bridging the IT-OT security gap with easy to deploy measures
As a Chief Information Security Officer (CISO), I am sure you have mastered the art of defending the enterprise across levels. You protect data, manage cloud risk, ensure compliance and secure endpoints. Segmenting networks and ensuring the application of security measures specifically for OT networks and systems presents another set of challenges altogether.
For a CISO, convergence of OT and IT opens a Pandora's box of high-stakes risks. An attack on the IT network might lead to a data breach or loss of data. But an attack on the OT network could lead to a factory shutdown, loss of market share, an environmental disaster, massive regulatory fines or even loss of life.
The stakes are different from a governance, business impact and operational priority perspective. The technology is different and so should your approach be. Your security playbook must be different. This is your roadmap to bridging the gap.
Read all about the Asahi Brewery cyberattack here.
The IT vs. OT security gap: Why does it matter?
You can't protect what you don't see or understand. The core challenge for CISOs is that IT and OT systems are built on and operate with fundamentally different philosophies. Further, aspects like visibility of assets is something that is taken for granted on the IT side but on the OT network, the level of OT visibility may not be up to the mark. How do you then bring your OT security to the level of security your IT networks currently operate with?
It is essential to remember that applying IT security logic to an OT environment is not just ineffective; it is downright dangerous.
Let me break this down further for you
Factor | Information Technology (IT) | Operational Technology (OT) |
Primary goal | Confidentiality & Integrity (The "CIA" Triad) | Availability and safety (The "ASA" Triad) |
Top priority | Protect data | Keep the physical process running safely, compliance (for critical infrastructure operators) |
Downtime | Acceptable for patching and maintenance (e.g., "Patch Tuesday") | Unacceptable. Can cost millions per hour and create safety risks. |
System lifecycle | 3-5 years. Regular updates and replacements. | 15-25+ years. "If it ain't broke, don't fix it" mentality. |
Environment | Climate-controlled data centers | Harsh, rugged industrial floors (heat, dust, vibration) |
Protocols | Standardized (e.g., TCP/IP, HTTPS) | Often proprietary and unencrypted (e.g., Modbus, Profinet) |
Impact of attack | Data loss, financial theft, reputational damage | Physical disruption, equipment damage, regulatory fines, environmental spills, human injury, or death. |
Asset visibility | High | Average to low |
This gap matters because your greatest IT security strength can be your worst OT weakness.
The pitfalls: Why "copy-pasting" IT security doesn’t work on OT
Trying to force their IT security controls onto the OT network is a recipe for failure. This strategy almost always backfires chiefly due to the reasons mentioned in the earlier part of this post.
Vulnerability scanning disrupts things: An active port scan from your favorite IT vulnerability scanner can overwhelm the fragile, low-bandwidth processor of a 20-year-old Programmable Logic Controller (PLC) in a jiffy, causing it to crash and shut down a production line.
Patching chaos: You can't just reboot a power grid turbine or a pharmaceutical batch reactor to apply a patch. OT patch management must be meticulously planned during scheduled maintenance windows, which might only happen once or twice a year. Further, the patch has to be tested before deployment.
Antivirus cripples performance: Traditional endpoint antivirus running on a Human-Machine Interface (HMI) that controls a high-speed process can consume plenty of critical CPU cycles, introduce latency, and even disrupt real-time operations.
Zero Trust? While a vital concept, implementing Zero Trust in an environment packed with legacy devices that don't support modern authentication is a massive challenge. You simply cannot put a multi-factor authentication prompt on a sensor.
Superimposing IT security on OT just disrupts things as I mentioned before.
Your roadmap: Where to commence the OT Security Journey
For many CISOs, an OT environment is often a black box. Your journey must begin with the most basic of all OT security requirements that is visibility. You simply cannot secure what you can't see.
Where to start?
Build bridges and not walls (People and governance)
Your first step isn't technical. It's cultural. The plant managers and control engineers in the OT world have been running these systems for decades. They speak a different language (PLCs, not APIs) and have different priorities (uptime, not patches).
Partner with the Plant Manager: Go to the plant floor. Wear the hard hat. Ask them: "What keeps you up at night?" and "What would be the worst-case scenario here?"
Form a Cross-Functional Team: Create an IT-OT security governance committee. Include the CISO (you), the Head of Engineering or Operations, plant managers, and IT network leads.
Establish a Shared Goal: Your goal isn't just "security." It's "safe and reliable operations." Frame every decision around this shared objective.
Create a "Crown Jewel" asset inventory
You just cannot start with a vulnerability scan. You must start with a passive asset inventory. Use a network detection and remediation and monitoring tool designed for OT networks that listens to traffic without actively polling devices such as Shieldworkz.
Your goal is to answer:
What devices are on my network? (PLCs, HMIs, VFDs, sensors)
Who are they talking to? (What's normal behavior?)
What protocols are they using?
What are their vulnerabilities? (This is done by matching device/firmware versions to a vulnerability database, not by active scanning).
Identify your "crown jewels" for the most critical processes. A breach of which system would cause a safety incident or a total shutdown? Focus your efforts there first.
Conduct a consequence-based Risk Assessment
Forget the IT-centric "High/Medium/Low" risk matrix based on CVSS scores. In OT, risk is not just about vulnerability; it's about consequence.
A low-level vulnerability on a non-critical IT server is a minor issue. That same vulnerability on the PLC controlling a boiler's pressure? That's a critical, life-threatening risk.
Ask these questions for your critical assets:
What is the worst-case physical outcome? (e.g., explosion, toxic release, assembly line halt)
What is the operational impact? (e.g., 1 hour of downtime vs. 3 days)
What is the financial impact of that downtime?
This new risk model will immediately show you where to prioritize your limited budget and resources.
Using the IEC 62443 standard as a North Star
You don't need to reinvent the wheel. The IEC 62443 series is the global gold standard for Industrial Automation and Control Systems (IACS) security.
Think of it as the "NIST CSF for OT." It's a comprehensive, risk-based framework for asset owners, system integrators, and product suppliers. For a CISO, it provides a clear language and structure for your program.
Key concepts from IEC 62443 to adopt immediately:
Zones and Conduits: This is the heart of the standard. Don't try to secure a flat, open OT network. Logically group your assets into Zones based on their function and criticality (e.g., "Boiler Control Zone," "Packaging Line Zone"). All communication between these zones must pass through a defined Conduit (like a firewall) where you can enforce security policies.
Security Levels (SLs): IEC 62443 defines four Security Levels (SL 1-4) based on the attacker's skill and motivation. Instead of asking "Is this secure?", you can ask, "What is the target Security Level (SL-T) for this zone?" This helps you apply appropriate controls, not all controls.
Using this framework aligns your efforts with global best practices and gives you a defensible standard to build against.
Building a separate OT security policy
Your existing IT security policy is not fit for purpose in the OT environment. You must develop a dedicated OT Security Policy built in partnership with your engineering and operations teams.
This policy should be clear, concise, and focused on operational realities.
IT Policy Example | OT Policy Equivalent |
"All systems must be patched within 30 days of vulnerability disclosure." | "Patches for OT systems will be tested in a non-production environment and applied by authorized engineering staff during the next scheduled plant maintenance window." |
"All user accounts require password rotation every 90 days." | "System-level accounts on critical HMIs will use long, complex passphrases. Remote access is prohibited by default and only enabled for specific vendors for a limited time via a secure, monitored gateway." |
"Removable media (USB) is disabled on all endpoints." | "Only company-approved, verified, and scanned USB devices may be used by authorized personnel. A dedicated 'USB scanning station' will be available at the plant entry." |
Your policy should explicitly cover:
Remote Access: Who, how, when, and why. This is a top attack vector.
Network Segmentation: Mandate the "Zones and Conduits" model.
Change Management: How are PLC logic, HMI screens, and firewall rules changed, and who must approve it?
Incident Response: An OT-specific plan. (See below)
How to track your OT security progress (Just the metrics that matter)
Your board understands money and risk, not packet captures. You need to translate your OT security progress into business-relevant metrics.
Move beyond basic IT metrics and adopt a balanced scorecard.
Operational metrics (For the team)
Asset Inventory Coverage: percentage of OT assets identified and classified.
Network Visibility: percentage of network segments monitored for anomalous behavior.
Mean Time to Detect (MTTD): How fast do you detect a malicious command or unauthorized remote connection? This is more important than MTTR.
Patch/vulnerability status: Not "number of unpatched systems," but rather "the percentage of critical vulnerabilities with a compensating control in place" (like network segmentation or virtual patching).
Strategic metrics (For the Board)
Risk reduction: Show the "before" and "after" risk score for your crown jewel processes based on your consequence-driven assessment.
Security Level (SL) attainment: Show progress: "Last year, 10 percent of our critical zones met their Security Level Target as per IEC 62443. This year, we are at 40 percent."
Incident response readiness: percentage of plants that have completed an OT-specific tabletop exercise in the last 12 months.
Quantified Risk Exposure: Use models (like FAIR) to attach a dollar amount to OT risk. "By implementing network segmentation, we have reduced our potential loss (or even risk) exposure from a plant-wide shutdown by $XX million."
CISO's OT security checklist: A year long plan
I have put together a checklist that will help you run your OT security program smoothly? Feel free to add additional points.
Phase 1: Assess and govern (Months 1-3)
[ ] Build the Team: Establish the IT-OT security governance committee.
[ ] Do a site visit: Visit the plant floor. Listen to the engineers.
[ ] Deploy a Passive Asset Inventory Tool: Start getting visibility.
[ ] Identify 3-5 "Crown Jewel" Processes: Find what matters most.
[ ] Conduct a High-Level Risk Assessment: Focus on worst-case consequences.
Phase 2: Secure and segment (Months 4-9)
[ ] Draft v1.0 of the OT Security Policy: Co-author it with Operations.
[ ] Design Your "zone and conduit" Architecture: Start with your crown jewels.
[ ] Implement your first conduit (if not already done): Install a firewall to protect your most critical zone.
[ ] Establish Secure Remote Access: Get rid of all rogue modems and unsecured VPNs. Create one secure, monitored gateway.
[ ] Develop an OT Incident Response Plan: Define who does what when a PLC is compromised.
Phase 3: Monitor & Mature (Months 10-12)
[ ] Deploy Network Monitoring: Start actively monitoring for anomalous traffic and threats.
[ ] Run Your First OT Tabletop Exercise: Simulate a realistic attack (such as ransomware on an HMI).
[ ] Build Your Metrics Dashboard: Start tracking your progress (Asset coverage, Risk Reduction).
[ ] Train your teams: Conduct basic security awareness training tailored for plant-floor staff.
Talk to our OT security program expert
Learn more about securing your crown jewels with Shieldworkz’ NDR solution.
Read for an IEC 62443-based risk assessment? Talk to us now.
Learn all about the Europe airports cyberattack. Here
