Securing the Convergence: OT and IT Systems in the Modern Age

The industrial internet of things (IIoT) is reaching new heights. As the lines between operational technology (OT) and information technology (IT) blur, companies are unlocking new standards of visibility and efficiency. However, this trend also has a dark side that has become increasingly prominent amid rising cybercrime.

The Need for Cybersecurity in IT/OT Convergence

A worrying 80% of manufacturing companies noticed an increase in cybersecurity incidents in 2024 as IT/OT convergence has grown. At the same time, just 45% feel they have appropriate protections to weather these risks.

Excitement around IIoT solutions often exceeds awareness around their unique cybersecurity needs. As a result, many organizations implement technologies faster than they can secure them. Even as more businesses recognize the need for higher security, network complexity and fragmented IT/OT stacks stand in the way.

These concerns are becoming more prominent as regulatory pressure to improve IT/OT cybersecurity grows. Companies seeking government contracts may need to comply with the Cybersecurity Maturity Model Certification over the next three years, and cybersecurity laws are expanding elsewhere. As this trend continues, failing to modernize IIoT security could result in legal trouble.

IIoT Security Best Practices for Modern Organizations

In light of these mounting demands, IIoT adopters must rethink their security posture. While some specific steps will vary between facilities based on their needs and tech stack, a few general practices apply to all IIoT setups.

Choose Devices Carefully

The first step is to be more careful about the endpoints a company purchases. A lack of regulatory guidance has left the IoT cybersecurity landscape disjointed. Built-in protections and security features vary widely between devices, so organizations must intentionally look for functionality like encryption, secure over-the-air (OTA) updates and multi-factor authentication (MFA).

This will become easier over time. The U.S. is rolling out a Cyber Trust Mark to verify IoT gadgets that meet certain standards. Europe’s Cyber Resilience Act will take effect in 2027, requiring many device manufacturers to include more robust protections. Until then, though, it falls to buyers to analyze the security levels of their options.

Do Not Overlook Physical Security

Network protections have primarily taken the spotlight in IIoT security, but given these systems’ physical nature, their physical security should not go overlooked, either. IIoT endpoints must be robust enough to resist in-person tampering and maintain full functionality in harsh operating environments. Otherwise, physical risks may lead to cyber vulnerabilities.

The specific defenses a device needs depend on its environment, but military standards offer solid benchmarks in all cases. For example, MIL-DTL-901E requires significant shock and vibration protection, making it appropriate for IIoT endpoints on mobile or high-movement equipment. Military waterproofing and electromagnetic resistance ratings are also worth considering.

Implement Controls at All IIoT Layers

As for equipment’s cyber controls, organizations must pay attention to all layers. It starts with the perception layer, which covers IIoT sensors and other data-gathering devices. Security here includes MFA and other access controls. The network layer — where communications occur — also deserves protection through encryption and real-time monitoring.

The processing layer requires secure OTA protocols and — if facilities are using any artificial intelligence models — access restrictions and regular model audits. Finally, the application layer needs strict privilege controls and user training.

Embrace Zero Trust

Zero-trust network architecture is another crucial step. This approach assumes all activity is suspicious until proven otherwise, so it verifies every data access and transmission request at every step. While setting up such protections can be complicated, the security benefits are hard to ignore.

Some government organizations are pushing for zero-trust mandates, so contractors may need to implement these measures for regulatory compliance. Even when not required, extensive verification is helpful, as 98% of organizations today have suffered a third-party breach, and IIoT solutions make networks complex. Zero-trust overcomes these barriers by inspecting everything.
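A minimal sketch of the per-request verification described above, as an added example that is not part of the original article. The roles, asset names and grant table are constructed for illustration. Each request is checked for MFA, an encrypted channel and an explicit privilege grant, and the network zone it came from never confers trust.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed grant table: only these (role, asset, operation) tuples are allowed.
ALLOWED = {
    ("operator", "plc-line1", "read"),
    ("operator", "plc-line1", "write_setpoint"),
    ("analyst", "historian", "read"),
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_verified: bool       # identity check (access control)
    channel_encrypted: bool  # network-layer protection
    source_zone: str         # "it" or "ot"; logged, but never grants trust
    asset: str
    operation: str

def evaluate(req: Request) -> Tuple[bool, str]:
    """Decide one request. Every check runs every time; the default is deny."""
    if not req.mfa_verified:
        return False, "identity not verified with MFA"
    if not req.channel_encrypted:
        return False, "unencrypted channel"
    if (req.role, req.asset, req.operation) not in ALLOWED:
        return False, "no explicit grant for role/asset/operation"
    return True, "explicit grant"

def audit(requests: List[Request]) -> List[Tuple[str, str, bool, str]]:
    """Produce one decision record per request for the monitoring log."""
    return [(r.user, r.source_zone, *evaluate(r)) for r in requests]

# Constructed sample traffic crossing the IT/OT boundary.
SAMPLE = [
    Request("alice", "operator", True, True, "ot", "plc-line1", "write_setpoint"),
    Request("bob", "analyst", True, True, "it", "plc-line1", "write_setpoint"),
    Request("carol", "operator", False, True, "ot", "plc-line1", "read"),
    Request("bob", "analyst", True, False, "it", "historian", "read"),
]

if __name__ == "__main__":
    for record in audit(SAMPLE):
        print(record)
```

The third sample request originates inside the OT zone and is still denied, because location on the plant network is not treated as proof of identity.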

Understand IIoT Security Is a Process

Finally, companies pursuing IT/OT convergence must understand that IIoT security is ongoing. Threats evolve quickly — cybersecurity researchers discover 560,000 new malware strains daily — so something secure today may not be tomorrow. As cybercrime changes and new defenses and best practices emerge, IIoT setups must likewise evolve.

Regular penetration testing is a good place to start and may be mandatory under some regulations. Business leaders should also stay on top of developing IIoT and cybersecurity trends to learn when a new technology or practice is worth their attention. Ongoing optimization is the key to reliable IIoT safety.

New Tech Requires New Defenses

IIoT solutions will only reach their full potential when their cyber risks do not outweigh the process benefits. Consequently, any organization converging its OT and IT systems must pay attention to new security standards.

Cybersecurity is nonnegotiable for modern businesses in any industry, and IIoT heightens its importance. Both the makers of these devices and the companies implementing them must consider how they can drive better security practices. A security-first mindset is crucial to maximizing IIoT returns.

About the author

This article was written by Ellie Gabel. Ellie is a freelance writer and an associate editor for Revolutionized, living in Raleigh, NC. When she’s not writing about the latest advancements in science and technology, you can find her spending time with her cats.