The Convergence Risk: OT/IT Security Visibility Gap


By Stu Long, CTO, Orro

Key Points

  • OT/IT convergence delivers genuine operational value, but connecting previously isolated operational systems to broader networks creates a category of security risk that most organisations cannot currently see.
  • Operational technology environments have fundamental characteristics (legacy operating systems that cannot be patched, devices with no authentication capability, proprietary protocols that IT tools cannot inspect) that make them vulnerable in ways IT security architecture was not designed to address.
  • The visibility gap is the specific and urgent problem: most organisations with converged environments have reasonable IT security visibility and very little OT security visibility, leaving a significant portion of their attack surface unmonitored.
  • Australian critical infrastructure sectors have been explicitly identified as targets for state-sponsored and criminal threat actors who specifically seek to exploit the OT/IT boundary.
  • Continuous Threat Exposure Management applied only to IT environments provides a partial picture of risk in any organisation that has connected operational systems to broader networks: partial pictures lead to misallocated security investment.

The conversation usually starts with a legitimate business problem. Production data that lives on the plant floor needs to reach the enterprise systems that analyse it. Remote monitoring promises to reduce unplanned downtime. Predictive maintenance algorithms need sensor feeds from equipment that was never designed to provide them. And so the connection gets made: a gateway between the operational network and the corporate network, or directly to a cloud platform, or through a remote access solution that lets maintenance engineers log in from anywhere. The operational case is sound. The efficiency gains are real. What changes in that moment (from a security standpoint) is rarely part of the same conversation.

I have been in enough of these environments to know that the convergence decision is almost never made recklessly. It is made by people who understand their operations deeply, who have thought carefully about the production benefits, and who have implemented what they believe to be adequate controls. The problem is not intent. The problem is that the security architecture most organisations have invested in was designed for IT environments — and OT environments operate by fundamentally different rules.

What OT/IT convergence has actually changed

Operational technology, meaning the industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, programmable logic controllers (PLCs), and distributed control systems that run physical processes, was designed from the ground up for availability and safety, not security. For most of its history, it operated on isolated networks running proprietary protocols, separated from corporate IT by design. That separation was not a security strategy exactly, but it functioned as one. Attackers who wanted to reach OT systems had to be physically present.

The Industrial Internet of Things (IIoT) changed that architecture systematically and, in most cases, irreversibly. The business case for connecting operational data to enterprise analytics, cloud platforms, and remote access solutions was compelling enough that organisations across mining, utilities, manufacturing, healthcare, and critical infrastructure made the connection. Many made it gradually, adding integrations and remote access points over years, without a single moment at which someone assessed the aggregate change to the attack surface.

The security architecture they already had — endpoint detection, security information and event management (SIEM) platforms, vulnerability scanners, log aggregation — stayed largely unchanged. It was built for the IT environment. The OT environment was implicitly assumed to be separate. That assumption is no longer valid for most asset-intensive organisations operating today.

Why OT environments are different — and why that matters for security

The single most important thing for technology and operations leaders to understand about OT security is this: you cannot simply extend IT security practices into OT environments and expect them to work. The constraints are categorically different.

Take patching. In an IT environment, patching a vulnerable system is operationally disruptive but manageable. In many OT environments, patching requires taking the system offline: which may mean stopping a production line, shutting down a water treatment process, or halting a mining operation. The cost of downtime in a continuous production environment often far exceeds the cost of leaving a known vulnerability unpatched. These are not decisions made out of negligence. They are rational operational trade-offs made by people who understand the consequences of unplanned downtime far better than most security practitioners do.

The authentication problem is equally specific. Many OT devices (particularly older PLCs and sensors deployed a decade or more ago) have no authentication capability at all. They were not designed to be challenged by a network they were never expected to be connected to. When those devices are placed behind a corporate network that connects to the internet, their lack of authentication becomes an attacker’s direct path in.

Add to this the proprietary industrial protocols (Modbus, DNP3, PROFINET, EtherNet/IP) that most IT security tools cannot inspect or interpret, and the operational availability requirements that make the standard IT security playbook (detect, isolate, remediate) functionally unacceptable in environments where isolation means stopping production or, in extreme cases, creating physical safety risks. The OT environment is not a variant of the IT environment. It is a different operating context with different risk tolerances, different failure modes, and different consequences.

The visibility gap: what you cannot see in your converged environment

The visibility gap is the specific problem that makes OT/IT convergence a security emergency rather than simply a security challenge. Put plainly: it is the portion of your converged attack surface that your security team cannot see, because the tools and processes they use were designed for IT environments, and OT assets do not behave like IT assets.

In practice, this looks like:

  • OT assets that do not appear in IT asset inventories, because they were never registered in the same management systems and do not respond to the discovery methods IT scanners use.
  • OT network traffic that is not captured by IT monitoring tools, because the protocols are proprietary and the monitoring agents that work in IT environments cannot be deployed on OT devices without risk of disrupting the processes they control.
  • OT vulnerabilities that are not surfaced by IT vulnerability scanners, because the scanners were not designed to understand the risk context of a SCADA system or a PLC.

The result is a significant and growing portion of the attack surface that is effectively dark to the security team, while being actively mapped and explored by threat actors who understand exactly where that darkness lies.

The attack patterns that exploit this gap are well-established. Lateral movement from the IT network into the OT network through integration points and remote access solutions that were configured for operational convenience, not security isolation. Living-off-the-land techniques (using legitimate tools already present in the OT environment) that leave minimal traces in IT-focused monitoring. Exploitation of the remote access solutions used by maintenance engineers and third-party vendors, which often receive less security scrutiny than primary network access paths.

The 2021 Oldsmar, Florida water treatment incident is the canonical example: an attacker gained access to the facility’s OT systems through a remote desktop connection, and the attempt to alter sodium hydroxide levels was only caught because an operator happened to be watching the screen. The detection mechanism was a human being, not a security system. Australian critical infrastructure operators are not immune to this pattern, and the ASD/ACSC’s most recent Annual Cyber Threat Report makes clear that both state-sponsored and criminal actors are actively targeting the OT/IT boundary in Australian sectors including energy, water, and resources.

What closing the visibility gap actually requires

Closing the OT visibility gap is not a single project. It is a programme, and it starts at the beginning: asset discovery. The principle is not complicated: you cannot protect what you cannot see. But in OT environments, asset discovery is genuinely difficult. OT devices often cannot tolerate the active scanning techniques that IT asset discovery relies on. Passive monitoring (observing network traffic to identify devices and map communication patterns) is typically the safer and more effective approach in OT contexts, but it requires tools and expertise that are different from the IT scanning toolsets most organisations already have.

Asset discovery gives you inventory. The next step is OT-specific vulnerability assessment: understanding which of your discovered assets carry known vulnerabilities, which of those vulnerabilities are actually exploitable in your specific environment, and which pose the highest operational risk given your production context. This is where the operational constraints become central to the analysis. The patch-and-close model that works in IT environments is not available in most OT contexts. The response programme in OT is primarily about prioritisation and compensating controls: network segmentation, monitoring for anomalous behaviour, and access restrictions that reduce the blast radius of an eventual compromise.

The culmination of this programme is integrated monitoring: security visibility that covers both the IT and OT environments simultaneously, so the security team can see lateral movement attempts before they succeed, detect anomalous communication patterns in the OT network before they reach critical systems, and respond to OT incidents with the same speed and coordination they bring to IT incidents. Orro’s OT/IT security capability, including coverage of OT environments through the National Cyber Defence Centre and OT-specific asset visibility through our Claroty partnership, is built on exactly this programme model. For organisations looking to understand their current OT threat exposure, Orro’s threat hunting capability provides active threat detection across both environments.
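The passive discovery step described above, and the anomalous-communication check that integrated monitoring is meant to deliver, can be sketched in code. This is an added example, not Orro's or Claroty's tooling: it works from constructed Modbus/TCP flow records, assumes a hypothetical OT address range of 10.20.0.0/16, and treats write function codes arriving from outside that range as findings.

```python
import struct
from collections import defaultdict

# Modbus/TCP function codes that change PLC state (write coils/registers, mask write, read/write multiple).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
# Assumption for this example: the OT segment is 10.20.0.0/16; any other source is treated as IT-side.
OT_PREFIXES = ("10.20.",)

def mbap(tid, unit, fc, data):
    """Build a Modbus/TCP request: MBAP header (transaction id, protocol id 0, length, unit id) + PDU."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_modbus(payload):
    """Return (unit_id, function_code) for a well-formed Modbus/TCP frame, else None."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # protocol id is always 0; length covers unit id + PDU
        return None
    return unit, payload[7]

def build_inventory(flows, ot_prefixes=OT_PREFIXES):
    """Derive an asset inventory and peer map purely from observed flows; nothing is ever sent to a device."""
    assets = defaultdict(lambda: {"roles": set(), "functions": set(), "peers": set()})
    findings = []
    for src, dst, port, payload in flows:
        parsed = parse_modbus(payload) if port == 502 else None
        if parsed is None:
            continue  # not Modbus: skip rather than guess; parsers for other protocols would sit beside this one
        unit, fc = parsed
        assets[src]["roles"].add("modbus_client")
        assets[dst]["roles"].add(f"modbus_server unit={unit}")
        assets[src]["functions"].add(fc)
        assets[src]["peers"].add(dst)
        assets[dst]["peers"].add(src)
        if fc in WRITE_FUNCTIONS and not src.startswith(ot_prefixes):
            findings.append(f"write fc={fc} to {dst} unit={unit} from non-OT host {src}")
    return dict(assets), findings

# Constructed sample traffic as (src, dst, dst_port, tcp_payload); not captured from any real site.
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.20.0.50", 502, mbap(1, 1, 3, b"\x00\x00\x00\x0a")),               # HMI polls PLC A
    ("10.20.0.5", "10.20.0.51", 502, mbap(2, 1, 3, b"\x00\x00\x00\x0a")),               # HMI polls PLC B
    ("10.20.0.5", "10.20.0.50", 502, mbap(3, 1, 16, b"\x00\x10\x00\x01\x02\x00\x05")),  # setpoint write
    ("10.20.0.9", "10.20.0.50", 502, b"GET / HTTP/1.1\r\n\r\n"),                         # not Modbus
    ("192.168.1.77", "10.20.0.50", 502, mbap(4, 1, 6, b"\x00\x10\x00\x01")),            # write from IT side
]
```

Running `build_inventory(SAMPLE_FLOWS)` yields an inventory of four Modbus speakers with their peers and function codes, plus one finding for the write originating on the IT side; the HTTP flow on port 502 is dropped by the header check rather than misclassified.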

The organisations that entered this financial year with connected OT environments and no OT security visibility are carrying a risk they cannot quantify. They know their IT attack surface. They do not know their OT attack surface. They have security tools that give them confidence in one half of their environment and silence on the other. FY27 is the year to close that gap, starting with asset discovery, extending to exposure assessment, and building toward the integrated visibility that makes the converged environment genuinely defensible. The gap does not close by itself. It grows.

Expose the blind spots in your industrial environment

You cannot manage exposure you cannot see. For organisations operating converged OT/IT environments, Orro’s Security Maturity Assessment includes OT environment visibility as a core assessment dimension, giving you an independent view of where the gaps are before they become incidents.

