Earlier this year I had the opportunity to meet with a company managing an operational technology (OT) environment governed by Food and Drug Administration (FDA) regulations. The environment included end-of-life (EOL) devices that urgently needed replacement. However, the challenge was that the software running on these devices would not function on modern operating systems.
Approaching this initially from an IT perspective, I asked myself whether it was possible to digitise the device and move it onto VMware, thereby implementing segmentation and redundancy. It was at this moment that we learned a critical distinction between Information Technology (IT) and OT governance. From an IT perspective, the solution appeared to be a logical way to remediate an IT cyber concern. However, the FDA’s strict guidelines for approval and validation posed a significant challenge. Even a relatively simple security enhancement could disrupt production for an undefined period because of the extensive approval process required.
This interaction highlighted the challenges of securing OT environments. What’s more, it emphasised the need to understand the broader implications of proposed solutions.
Another example of this dynamic in action was the Colonial Pipeline ransomware attack. The breach began in cyberspace, but its impact was soon felt in operational technology. A compromised Virtual Private Network (VPN) password—without multifactor authentication—allowed attackers to infiltrate Colonial’s IT network. In response, operators proactively shut down OT systems to prevent contagion, halting fuel distribution across the southeastern United States.
This isn’t an isolated case. Cybercriminals are exploiting the widening gap between IT and OT security strategies. In 2021, Gartner predicted that, as early as this year, attackers would have tools at their disposal sophisticated enough to kill people. What’s more, swathes of the private sector appear blind to this risk: industrial environments that once relied on air-gapping for security are now routinely connected to IT networks, cloud services, and remote management platforms.
Attackers have already combined IT and OT in their strategies. Now organisations must do the same. It’s time to merge these two paradigms into a single security discipline—one that treats the entire organisation, from cloud to factory floor, as a unified attack surface.
Regulatory complexities in IT-OT integration
In industries governed by stringent regulations such as manufacturing and healthcare, the IT-OT convergence presents additional challenges. For example, changes to computing environments in production lines, as mentioned above, often trigger reassessments by regulatory bodies like the FDA.
FDA Quality System Regulation (QSR) – 21 CFR Part 820 requires manufacturers to validate software and systems in production while ensuring that modifications do not compromise product quality. Altering OT systems without appropriate validation can lead to production halts until compliance is demonstrated. The double edge of this oversight is that companies are tied to their existing environments, because changes, even those made for security’s sake, are hindered. Non-compliance can have the same effect as a cyber incident: shutdowns that can extend for months.
For IT and OT leaders in highly regulated industries, these requirements illustrate the importance of seamless integration between cybersecurity, operational risk, and compliance management. IT managers need to recognise that availability and physical safety are as critical as data protection, and they need to adapt their risk assessments to account for operational risk, not just data loss. Meanwhile, OT leaders need to accept that a cybersecurity incident can be as disruptive to an organisation or supply chain as an equipment failure. As such, it’s becoming increasingly important to build cybersecurity into operations rather than treating it as an outgrowth of a post-failure response.
Fixing the IT-OT talent gap
Bridging the divide between IT and OT priorities should also involve addressing a yawning skills shortage. IT and OT teams must undergo structured cross-training to develop a shared understanding of security risks and operational priorities. IT professionals should learn Industrial Control Systems (ICS) security principles, physical process constraints, and the risks of unplanned downtime, while OT teams should receive cybersecurity fundamentals, modern authentication training, and exposure to real-world attack scenarios.
IT security experts should also be paired with experienced industrial engineers, allowing both groups to learn from each other’s perspectives. IT professionals would gain operational context, while OT engineers build practical cybersecurity expertise—bridging a cultural and technical divide that has traditionally kept these teams separate.
Organisations should additionally collaborate with universities to shape next-generation security training programs that reflect the realities of IT-OT integration. For its part, Honeywell has partnered with institutions to develop ICS-specific cybersecurity curricula, ensuring that new graduates enter the workforce with expertise in both disciplines.
Emerging trends are making IT-OT integration even more urgent
The Colonial Pipeline attack demonstrated how attackers can exploit gaps between IT and OT. But that event was just the beginning. The next generation of cyber threats is accelerating the risks that made such attacks possible—expanding attack surfaces, automating threat execution, and increasing regulatory pressure on organisations that have yet to fully merge IT and OT security strategies.
In the near future, AI-driven attackers could analyse ICS environments faster than humans, identifying zero-day vulnerabilities and process automation weaknesses with machine-speed precision. This means what once took attackers months to achieve could happen in days or even hours. The long-standing lack of cybersecurity expertise in OT teams makes them particularly vulnerable to AI-enhanced reconnaissance and automated exploits.
As such, a zero-trust approach to cybersecurity is no longer optional. While many IT environments have been moving toward Zero Trust Architecture (ZTA) for years, most OT networks still operate on implicit trust models. That means attackers don’t even need advanced exploits—stolen or weak credentials alone can give them access to critical industrial systems. In the Colonial Pipeline attack, all it took was one compromised VPN credential without MFA to force an entire OT shutdown. With OT systems still lagging in authentication controls, these types of breaches will become even easier for attackers.
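To make the contrast between implicit trust and zero trust concrete, here is an added example (written for this page, not code from Colonial Pipeline, Myriad360 or any vendor). It evaluates the same IT-to-OT access request under two policies: a perimeter model that trusts anyone who has reached the VPN or corporate zone, and a zero-trust model that verifies MFA, device posture and the zone pairing on every request. It also scans a few constructed VPN gateway log lines and flags successful logins completed without MFA, which is the kind of detection that would have surfaced a password-only VPN session. The zone names, the log format and the `AccessRequest` fields are assumptions made for the example.

```python
"""Zero-trust versus implicit-trust policy evaluation for IT-to-OT access.

Added example for this article; all zone names, field names and log
lines are constructed for illustration and are not from any real product.
"""
import re
from dataclasses import dataclass, field

# Assumed zone names: OT zones that must never be reachable on network
# location alone.
OT_ZONES = {"plant-floor", "ics-dmz"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_zone: str      # e.g. "vpn", "corporate", "ics-dmz"
    target_zone: str
    auth_method: str      # e.g. "password", "password+mfa", "cert+mfa"
    device_managed: bool  # device enrolled in endpoint management
    device_patched: bool  # device passes posture check


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def evaluate_implicit_trust(req: AccessRequest) -> Decision:
    """Legacy flat-network model: a caller that has made it past the
    perimeter (VPN or corporate LAN) is trusted to reach anything."""
    if req.source_zone in {"vpn", "corporate", *OT_ZONES}:
        return Decision(True, ["caller is inside the perimeter"])
    return Decision(False, ["caller is outside the perimeter"])


def evaluate_zero_trust(req: AccessRequest) -> Decision:
    """Explicit verification: every request is checked for strong
    authentication, device posture and an allowed zone pairing."""
    reasons: list[str] = []
    if req.target_zone in OT_ZONES:
        if "mfa" not in req.auth_method:
            reasons.append("MFA required for OT access")
        if not req.device_managed:
            reasons.append("unmanaged device")
        if not req.device_patched:
            reasons.append("device posture: missing patches")
        # Remote sessions terminate at the ICS DMZ, never directly on the floor.
        if req.source_zone == "vpn" and req.target_zone == "plant-floor":
            reasons.append("VPN sessions may only reach ics-dmz, not plant-floor")
    elif req.auth_method == "password":
        reasons.append("password-only authentication not accepted")
    return Decision(not reasons, reasons or ["all checks passed"])


# Constructed VPN gateway log lines (assumed key=value format).
VPN_LOG = """\
2024-05-01T02:13:07Z vpn-gw login user=jdoe result=success mfa=none src=203.0.113.5
2024-05-01T02:14:30Z vpn-gw login user=asmith result=success mfa=totp src=198.51.100.9
2024-05-01T02:15:02Z vpn-gw login user=jdoe result=failure mfa=none src=203.0.113.5
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login user=(?P<user>\S+) result=(?P<result>\S+) "
    r"mfa=(?P<mfa>\S+) src=(?P<src>\S+)$"
)


def find_mfa_less_logins(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, source) for every successful VPN login
    that completed without a second factor."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["result"] == "success" and m["mfa"] == "none":
            hits.append((m["ts"], m["user"], m["src"]))
    return hits


if __name__ == "__main__":
    # A password-only VPN session trying to reach the plant floor.
    req = AccessRequest("jdoe", "vpn", "plant-floor", "password", False, False)
    print("implicit trust:", evaluate_implicit_trust(req))
    print("zero trust:    ", evaluate_zero_trust(req))
    print("MFA-less logins:", find_mfa_less_logins(VPN_LOG))
```

Run as a script, the same request is allowed by the perimeter model and denied by the zero-trust model with four separate reasons, and the log scan returns only the one successful login that had no second factor. In a real deployment the policy inputs would come from the identity provider and endpoint management system rather than from fields on a dataclass, but the decision structure is the same: no single fact, least of all network location, is sufficient on its own.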
New and evolving compliance mandates, such as ISA/IEC 62443 and NIST SP 800-82, are forcing organisations to prove they have a security strategy that spans both IT and OT environments. This means organisations can no longer treat IT-OT integration as an aspirational goal—it is a compliance requirement with financial and legal consequences for failing to act.
These developments don’t just make IT-OT integration more urgent—they expose how outdated security models are actively making industrial environments more vulnerable every day. The attacks that once required nation-state-level resources and patience are now accessible to criminal groups armed with AI-driven tools, weak authentication exploits, and regulatory loopholes that allow security blind spots to persist.
If the threats of yesterday—like Colonial Pipeline—were possible because of fragmented IT-OT security, then the threats of tomorrow will be unavoidable for any organisation that has not already merged its security strategies.
Heather Case-Hall is a senior security solutions architect at Myriad360.