The convergence conundrum

23 August 2021

Although a lot is being said about the pros and cons of Operational Technology/Information Technology (OT/IT) convergence, there is often little appreciation of what companies at different stages in their evolution may need to do, argues Edward Kessler.

What does OT/IT convergence mean? In the OT/IT cyber workspace there are two types of company – those seeking to converge and those that have never diverged. Both must change and both must face similar risks. But their circumstances and their means of addressing the risks may be vastly different as the following examples illustrate.

What sort of companies are they?
Company A, which is seeking to converge, is a large company operating multiple sites and with multiple complex manufacturing processes. The network is currently segmented to provide complete segregation between OT and IT – theoretically ‘air gapped’, or at least with one or more firewalls between OT and IT. Perhaps 20 years ago the company reviewed OT/IT security and decided that this was the safest approach. However, that is no longer the case today. For this business model it makes sense to have a complete overview of the chain of manufacturing, from order placement for goods-in to order fulfilment for ‘widgets’ or ‘gloop’-out.

Company B has never diverged OT and IT. Being medium sized, it has embraced technical innovation through greater use of IT, which spills over into the use of smarter machines and sensors in the manufacturing environment. For this company it makes sense to connect machines to the IT network to extend control and monitoring to a remote location or to make use of maintenance tools. The company has a flat and undivided network because it grew that way. It has a firewall where its Internet Service Provider (ISP) provides service, so all is good (or so it seems). But it isn’t.

The threats
The threat landscape has changed so much in recent years that the probability of attack is essentially random and high. That means that it is now necessary to create as many barriers to attack as possible. 

Company B needs to be aware that the firewall at the ISP access point has very limited capabilities and is only fit to protect the IT environment – it has no knowledge of the protocols used by OT equipment. As if that were not bad enough, the defenders need to be aware that if their perimeter defences are penetrated – due to a phishing e-mail – any malware installed would be free to attack the OT equipment which is generally not robust to attack. Divergence is needed! At least to the extent of getting an extra firewall to separate IT and OT. It would be wise to start monitoring network traffic too.

Company A has a ‘convergence’ project to migrate much of the IT and OT infrastructure to the cloud, which is fine if done with appropriate safeguards. Those safeguards, for both supplier and user physical assets and management processes, include providing adequate diversity and redundancy, avoiding single points of failure, minimising pinch points, and wargaming some realistic scenarios. These things should be done before placing contracts! If the service provider – a high value ransomware target – is attacked and cannot provide service at any level then what is the fallback position?

Problem areas
Although the solutions are different, there are some points of common difficulty. What have they got that they actually want to change? It is easy to overlook that a complete, thorough, as-built inventory is needed, including all connections (physical and logical) and data flows, with the reasons for them. Many organisations struggle with this – it is not a small task. Some of it can be automated – the ‘What’. ‘How’ is a little harder, and ‘Why’ is harder still. There is no shortage of guidance about what a target secured network design should look like for various cases, but it doesn’t tell you how to get there from where you are now. The problem is that no one but those intimately involved can define that journey.

Edward Kessler is a technical executive at EEMUA (
