By Stu Long, Chief Technology Officer, Orro
Last month, I had the opportunity to present at Info-Tech Live in Brisbane — a well-attended event bringing together CIOs, CTOs, and senior technology leaders from across Australia and the region. The breakout session I led was focused on IT/OT convergence, and the room was full. That itself tells you something about where this topic sits on the agenda right now.
The conversation we had was substantive enough that I want to share the substance of it here — because the decisions being made (or deferred) around IT/OT convergence will define the operational and security posture of Australian organisations for the next decade.
The architecture most organisations inherited isn’t the architecture they need
The dominant reality I encounter in conversations with technology leaders across energy, mining, manufacturing, utilities, and logistics is what I’d call accidental architecture. Systems that were never designed to talk to each other have been connected incrementally, usually driven by business requirements — production optimisation, remote monitoring, cloud-based analytics — without a security-first design philosophy underpinning those decisions.
The result is a landscape that looks, from the outside, like convergence, but operates, from the inside, like a flat, poorly segmented network where IT and OT systems share space without meaningful boundaries between them. The operational technology layer — the PLCs, SCADA systems, historians, and industrial controllers that keep physical processes running — sits in the same network environment as enterprise applications, email, and internet-facing services.
This matters because the threat model for OT environments is fundamentally different from the IT threat model most security architectures were designed to address. In OT, the primary risk isn’t data exfiltration. It’s operational disruption. A compromised industrial controller doesn’t leak information — it stops a production line, shuts down a water treatment process, or disables a power distribution system.
The architecture decisions organisations made during the first wave of digital transformation — connecting what needed to be connected without rethinking the underlying network design — are now the exposure that keeps security teams up at night.
Convergence is accelerating, and so is the risk
The integration of IT and OT environments is not slowing down. The economics of digital transformation — better data, faster decisions, more efficient operations — make connectivity between the enterprise and the plant floor commercially necessary. The question is not whether to converge, but how to do it without inheriting the security liabilities that come with doing it poorly.
The scale of that risk is significant and well-documented. Dual IT/OT convergence attacks — where adversaries breach the corporate IT environment and use that access to reach OT systems — cost organisations an average of USD $4.56 million per incident, according to Claroty’s Global State of CPS Security 2024 report.
Evidence Snapshot
USD $4.56 million — Average cost of dual IT/OT attacks, where adversaries use IT network access to reach and disrupt OT systems. (Claroty, 2024)
87% — Increase in ransomware attacks targeting industrial organisations in 2024. (Dragos, 2025)
The architecture shift: from parallel silos to unified design
What does better IT/OT convergence architecture actually look like? The session I ran in Brisbane walked through this in some detail, because it’s the structural response that generates the most practical interest.
The architecture that replaces the Purdue Model is a unified, zone-based design: a Unified Namespace (UNS) at the data layer, supported by meaningful network segmentation that separates IT and OT domains while enabling controlled, auditable data flows between them. The MQTT broker at the centre of the UNS acts as the single source of truth for operational data — decoupling producers (PLCs, sensors, historians) from consumers (ERP systems, analytics platforms, AI engines) without requiring direct connectivity between them.
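One way to make those broker-mediated flows controlled and auditable is a default-deny topic policy, shown here as an added example that is not from the original session or from Orro. The client IDs, topic hierarchy and policy are constructed for illustration: producers may only publish into their own subtree, consumers may only subscribe, and a subscription is refused if it is broader than what the policy grants.

```python
# Added example: default-deny topic authorisation for a UNS broker.
# Client IDs, topics and POLICY are constructed for illustration.

def covers(allowed: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `allowed`.

    `requested` is a concrete topic (publish) or a topic filter (subscribe).
    MQTT wildcards: '+' is exactly one level; '#' is all remaining levels,
    including the parent level itself.
    """
    a, r = allowed.split("/"), requested.split("/")
    # A leading wildcard never matches '$'-prefixed topics such as $SYS.
    if r[0].startswith("$") and a[0] in ("+", "#"):
        return False
    for i, level in enumerate(a):
        if level == "#":
            return True          # everything from here down is granted
        if i >= len(r):
            return False         # requested stops above the granted level
        if r[i] == "#":
            return False         # requested filter is broader than the grant
        if level != "+" and level != r[i]:
            return False         # literal mismatch (or '+' asked, literal granted)
    return len(a) == len(r)

# OT producer: publish-only, confined to its own line. IT consumer: read-only.
POLICY = {
    "plc-brisbane-line1": {"pub": ["acme/brisbane/packaging/line1/#"], "sub": []},
    "erp-connector":      {"pub": [], "sub": ["acme/+/+/+/production/#"]},
}

AUDIT = []  # every decision is recorded, allowed or not

def authorise(client_id: str, action: str, topic: str) -> bool:
    """Default deny: unknown clients and unlisted actions get nothing."""
    if action == "pub" and ("+" in topic or "#" in topic):
        allowed = False          # a publish must name one concrete topic
    else:
        rules = POLICY.get(client_id, {}).get(action, [])
        allowed = any(covers(rule, topic) for rule in rules)
    AUDIT.append((client_id, action, topic, allowed))
    return allowed

if __name__ == "__main__":
    authorise("plc-brisbane-line1", "pub", "acme/brisbane/packaging/line1/filler/temp")
    authorise("erp-connector", "sub", "#")
    for entry in AUDIT:
        print(entry)
```

The subset check matters because a consumer that is granted one subtree can otherwise ask for `#` and receive every topic on the broker.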
Security convergence is now a board-level obligation
Australia’s Security of Critical Infrastructure Act — and its 2024 amendments — has moved the obligations of critical infrastructure operators from voluntary guidance to legislated requirement. The Critical Infrastructure Risk Management Program (CIRMP) is now mandated across 11 sectors.
What this means in practice is that technology leaders can no longer treat IT/OT convergence as a purely technical programme. These decisions are now board-level artefacts. Directors have a fiduciary duty to manage cyber risk across both environments with the same rigour they apply to financial risk.
Making convergence deliver: from connectivity to intelligence
The commercial case for IT/OT convergence has always been about data. Raw telemetry from industrial systems is often unlabelled and inconsistent. Enriched, contextualised data is what enables the sensor-to-balance-sheet data flows that the convergence business case promises.
When the architecture is right — segmented, visible, and semantically coherent — the payoff is genuine. AI-driven anomaly detection and predictive maintenance models become actionable. Operations teams can detect deviations from normal behaviour before they become failures.
Orro delivers end-to-end IT/OT convergence services across assessment and roadmap, network modernisation, protocol integration, data platforms, AIOps, and managed security — helping Australian organisations bridge the gap between industrial operations and enterprise IT.
To discuss your environment, contact our team at orro.group/contact.