Legacy Companies Worry About IT-OT Convergence. They Are Right to Be Scared.
Jan-Henrik Svensson, CEO, Beamex
I have noticed a sense of fear when talking about IT-OT convergence with companies that still work with legacy systems and processes. For them, operational technology (OT) has long been isolated from information technology (IT). Connecting the two worlds is not easy. It can feel terrifying and risky, and I say that fear is justified.
The systems we’re talking about, the ones running plants and processes, were never meant to be exposed to the risks of the outside world. That is by design and for good reason. Let me explain why.
If you’re running a company working with legacy infrastructure, chances are your OT systems were built in a different era. One where connectivity wasn’t a priority. It was something to be avoided. Systems were purposely designed with air gaps to ensure they weren’t connected to anything beyond their immediate network. This closed-off environment helped prevent external threats like hackers or cyberattacks. Even today, you have many experts saying these air gaps should be maintained to preserve cyber resilience.
While the need to maintain cybersecurity is clear, it is also a fact that almost every piece of modern equipment comes with built-in connectivity. You may think you’ve maintained that air gap, but in reality, the very equipment you buy might already be connected in ways you’re not even aware of. These days, even your HVAC system can come with connected components, allowing for potential breaches.
Legacy companies need to be scared
That’s a frightening thought. These systems weren’t designed to be upgraded or patched like IT systems, so any vulnerability that gets exposed is a huge risk. We’ve seen real-life examples of the problems this can cause. One significant example was the 2015 cyberattack on Ukraine’s power grid, which left large portions of the country without electricity. The systems that were attacked were critical infrastructure, exactly the kinds of systems many legacy companies rely on. Then there was the NotPetya attack in 2017, which is considered one of the most costly and destructive cyberattacks to have taken place. It took down some of the world’s largest corporations by exploiting vulnerabilities in OT systems.
Nearly a decade later, cyberattacks that leverage OT vulnerabilities have only become more varied. In September 2024, water utilities in Arkansas City, Kansas had to switch to manual operations because of cybersecurity issues. The Cybersecurity and Infrastructure Security Agency (CISA) issued a notice stating “CISA continues to respond to active exploitation of internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector. Exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm.”
When I think about these incidents, it’s easy to understand why many legacy companies are hesitant about IT-OT convergence. But at the same time, I believe that this fear, while justified, should be the very reason we push ahead with IT-OT convergence, rather than hold back.
Why fear can’t be a deterrent
IT-OT convergence is happening whether we like it or not. There are enough examples of the benefits. Many industries are already moving forward, using the data from their OT systems to drive efficiencies, predict maintenance needs, and streamline their operations.
Many governments and organisations are actively incentivising such convergence to usher in Industry 4.0. The USA, China, Japan and Germany are promoting modular, data-driven manufacturing. Companies that are leveraging IT-OT convergence are setting themselves up for success in this new landscape, where efficiency, customisation, and data are the name of the game. Where does this leave legacy companies that don’t make the jump? I have one word: obsolete.
Regulatory pressures are growing that will force companies to enable IT-OT convergence, whether they want to or not. In Europe, the NIS 2 directive is imposing new cybersecurity requirements on critical infrastructure, meaning that even if companies want to maintain their air-gapped systems, they’ll need to upgrade their security practices to comply with the law. We’re also facing cyberattacks powered by artificial intelligence (AI) to exploit vulnerabilities. Without the data and real-time monitoring capabilities that come from IT-OT convergence, legacy companies will find it harder to defend themselves from these AI-driven attacks. Without convergence, they will not have the tools to protect themselves.
So where does that leave us? First, legacy companies need to recognize that IT-OT convergence is not a question of if, but when. The key is to approach it with a clear strategy. We need a unified approach to security, risk management, and data integration, and that means IT and OT can no longer operate as separate entities.
The path forward
A few years ago, OT cybersecurity was almost entirely the responsibility of OT teams. Similarly, IT had its sphere and never did the two meet. Today the landscape is shifting rapidly towards greater convergence. More than 40% of companies now place OT security under the Chief Information Security Officer (CISO), recognizing that OT systems need the same level of protection as IT systems. This integration is key to managing the risks of IT-OT integration, but it’s also a big shift in how we think about the roles of IT and OT.
OT systems have unique needs, with many of them designed to operate for 20 or 30 years. IT systems, on the other hand, are upgraded much more frequently and are designed to be flexible. But IT-OT convergence isn’t just a technical problem; it’s cultural. IT and OT teams speak different languages, work in varied environments, and have starkly differing priorities. In many companies, these two worlds have rarely intersected, and when they have, it hasn’t always been smooth. Training and workforce development is one way to solve this. Both IT and OT personnel need to understand the challenges and risks of convergence. OT teams must become familiar with cybersecurity practices, while IT teams need to understand the unique requirements of OT systems.
Here, I offer Beamex’s own experience with IT-OT convergence as inspiration. Beamex’s calibrators, which were traditionally OT devices used in the field for calibration tasks, have evolved into much more than just tools. We have developed software solutions that allow OT data collected by our calibrators to integrate seamlessly with IT-driven systems, such as CMMS (Computerized Maintenance Management Systems). The fact that we have solutions on both the OT and IT side makes it easier for us to improve convergence while preserving cyber resilience. When talking to customers in legacy industries, I have often used our example to show how effective IT-OT convergence is possible.
By embracing IT-OT convergence, we position ourselves for success in a digital future. Do you have ideas on how we can accelerate this convergence? If yes, get in touch and let’s chart a path towards a safer and less uncertain world.