OT and IT Security - Together or Separate?
IT vs OT differences - priorities, technologies, lifecycle - and how to build collaboration between security teams.
Józef Sulwiński 
In many industrial organizations, IT and OT departments operate as separate worlds. Historically, OT personnel viewed the IT layer as a necessary evil - some literally locked control cabinets to keep IT staff out. Not without reason: installing an operating system update could disrupt production process monitoring, taking down a SCADA system, for example.
But the world has changed. OT systems increasingly connect to corporate networks. Incidents such as the Colonial Pipeline attack or NotPetya demonstrate that treating IT and OT security as separate concerns creates gaps that attackers are eager to exploit.
This article discusses the key differences between these two worlds and explains why collaboration is essential.
TIP
In 2025, 52% of organizations placed OT security under the CISO - compared to 16% in 2022. The trend is clear: responsibility for OT security is shifting from maintenance departments to integrated cybersecurity teams. At the same time, only 35% of organizations report a mature, fully integrated IT-OT security operations model.
Differences Between IT and OT Environments
1. Working Conditions
IT servers operate in climate-controlled data centers with dedicated power supplies. The OT environment is an entirely different reality:
- Field cabinets on production floors with high levels of dust and humidity
- Disinfection procedures using foam or hot water that affect enclosures
- Protection rating requirements (e.g., IP55 for control cabinets)
- Special requirements for devices inside cabinets (vibration, temperature, and EMC resistance)
- Restrictions on the amount of energy supplied to explosion-hazard zones
2. Technologies Used
| Aspect | IT | OT |
|---|---|---|
| Software | Off-the-shelf products (SAP, Office 365) adapted to the organization | Systems programmed for a specific process |
| Protocols | Standard (TCP/IP, HTTP, SMTP) | Vendor-specific (Modbus, Profinet, EtherNet/IP) |
| Vendors | Choice among multiple vendors | Single vendor preference (shared development platform) |
| Programming language | Python, Java, C# | IEC 61131-3 languages (LD, ST, FBD) |
| Lifecycle | 3-5 years | 15-25 years |
| Patching | Regular maintenance windows | Rare, requires planned downtime |
In OT environments, automation engineers prefer solutions from a single vendor because a shared platform for programming operator panels, PLC controllers, and drives optimizes deployment time.
3. Design Approach
IT system designers analyze a system from the perspective of networks and applications. Security of communication channels and configurations is built into the design process.
OT designers view a system as a collection of physical devices - pumps, tanks, valves, reactors. Their primary goal is to control components and read measurement signals (temperature, volume, flow). Historically, requirements focused on reliability and physical safety - not information security.
This approach is changing - the IEC 62443 standard introduces security-by-design requirements for OT systems, including the concept of zones and conduits - but many existing installations were designed without consideration for cyber threats.
4. Security Priorities and Objectives
| Priority | IT | OT |
|---|---|---|
| Primary goal | Data confidentiality (CIA: Confidentiality first) | Availability and continuous operation (AIC: Availability first) |
| Key requirement | Protection of personal and business data | Production continuity, avoiding hazardous events |
| Latency tolerance | Seconds to minutes acceptable | Milliseconds - real-time transmission |
| Downtime tolerance | Planned maintenance windows | Minimal - every outage = production losses |
| Incident response | Isolate and analyze | Maintain safe process state |
In ICS environments, the critical factors are: availability, reliability, and determinism of functions. Data integrity and real-time transmission must be ensured without delays or disruptions.
5. Rate of Change
Designed lifespan of an IT system: 3-5 years, after which it is replaced.
Designed lifespan of an OT system: 15-25 years. The 2024 revision of IEC 62443-2-1 explicitly acknowledges that IACS systems may exceed a 20-year lifecycle, requiring management of hardware and software without active vendor support.
Modernization occurs when:
- Risk analysis demonstrates the need
- Return on investment is positive
- Spare parts availability becomes limited
Modernization must be carried out without unnecessary downtime.
OT networks are static in nature - they do not evolve over short time horizons. User groups are stable. IT network architecture is characterized by high variability and scalability.
6. Organizational Approach
In large organizations, IT departments consist of specialists responsible for specific parts of the process - some handle databases, others communications, still others maintenance.
In OT, maintenance personnel are responsible for everything:
- Communication between devices
- Device parameterization
- Replacement of faulty components
- Keeping documentation up to date
- Routine maintenance work
The Scale of the Problem - 2024-2025 Data
The interplay between IT and OT is not an academic matter. Data from recent years demonstrates real-world consequences:
| Metric | Value | Source |
|---|---|---|
| OT organizations still experiencing intrusions | 48% (improvement from 94% in 2022) | Fortinet 2025 State of OT |
| Increase in ransomware attacks on industrial organizations | +49% (from 80 to 119 groups in 2025) | Dragos 2026 Year in Review |
| Manufacturers reporting increased incidents after IT-OT integration | 80% | KPMG IT-OT Convergence Framework |
| Organizations with a mature IT-OT SOC model | 35% | ISACA |
| CISOs overseeing OT security | 52% (vs 16% in 2022) | ISACA |
| OT security market value (2025) | $27.03 billion | Security Review Magazine |
WARNING
In 2024, 80% of manufacturers reported an increase in security incidents following the integration of IT assets with plant networks. This is not an argument against integration - it is an argument for thoughtful security architecture and layered defense (Defense in Depth).
Why Collaboration Is Essential
The different perspectives of IT and OT are not a weakness - they are an opportunity. Each team sees different threats, which together provides a more complete picture of risk. Collaboration enables:
- Incorporating the needs of both groups at the project requirements stage
- Avoiding situations where IT security measures disrupt OT processes (and vice versa)
- Building a shared language and understanding between teams
- Creating unified security policies spanning the entire organization
Practical Steps Toward Collaboration
| Step | Description | Priority |
|---|---|---|
| Joint exercises | Incident scenarios covering both IT and OT | High |
| Cross-training | Automation engineers learn cybersecurity basics, IT staff learn process specifics | High |
| Joint asset inventory | Mapping connections between IT and OT networks | Critical |
| Agreed procedures | Patching policies, account management, incident response procedures covering both environments | High |
| Shared language | A glossary understood by both sides (e.g., “zone” vs “VLAN”, “control loop” vs “controller”) | Medium |
| Unified risk management | Shared risk assessment methodology (e.g., NIST CSF 2.0 with the “Govern” function) | High |
IT-OT Collaboration Checklist
- Identify the “owner” of OT security within the organizational structure
- Conduct a joint IT and OT asset inventory
- Map dependencies: which IT systems must be operational for OT to continue operations?
- Develop joint incident response procedures
- Plan joint exercises (at least once per year)
- Agree on patching policies that account for both environments
- Implement network segmentation in accordance with IEC 62443 (zones and conduits)
- Establish shared security metrics
- Conduct regular risk assessments covering the entire IT-OT chain
A common obstacle to achieving this goal remains a lack of understanding between the two different perspectives and differing industry vocabulary. But that is precisely why it is worth investing in building bridges between these teams - before an incident forces collaboration under crisis conditions.
SEQRED helps industrial organizations build IT-OT collaboration - from OT security audits in accordance with IEC 62443, through penetration testing of industrial environments, to designing zones and conduits architecture.
Sources:
- Sarah Fluchs - Why OT has different needs than IT
- ISACA - IT/OT Convergence: An Era of Interconnected Risk and Reward (2025)
- KPMG - IT-OT Cyber Security Convergence Framework (2025)
- Security Review Magazine - Outlook 2025: IT and OT Security Strategies
- Industrial Cyber - Rising ICS incidents drive shift to intelligence-driven OT security
- IEC 62443 in 2025: Network Segmentation Requirements and Changes