Tenable Blog


Building a Successful Industrial Security Strategy in a Converging IT-OT World

Plant managers and IT technicians traditionally occupy different parts of the organization. But as connected technology brings new industrial devices online, both sides must work together to mitigate cyber threats across the expanding attack surface.

There has been quite a lot of buzz the past few years around IT (information technology) and OT (operations technology) security convergence.

Much of the discussion has centered around opportunities to improve efficiency and availability – or the cybersecurity risks associated with IT/OT network convergence. But organizations are also struggling to balance mutually exclusive or overlapping projects, requirements, budgets, objectives, people and technology. 

Trying to find common ground between IT staff and engineers on the plant floor is a tough endeavor. But it’s the only viable option when aligning IT and OT networks with enterprise-level goals.

The culture clash between IT and OT environments

Delivering a successful project in IT is quite different from delivering one in an OT environment. Regulations, standards, project management, equipment, manufacturers, partners, technology and goals all draw from two different sides of the knowledge spectrum.

Even their work cultures are different. IT is a dynamic environment, with systems that are patched, upgraded and replaced on a regular basis. IT is concerned about data confidentiality, integrity, and availability (i.e. “CIA”). Conversely, OT teams prioritize stability, safety and reliability. Their jobs involve the maintenance of complex and sensitive environments such as oil refineries, chemical plants and water utilities. Often the legacy systems underlying these operations were implemented long ago and haven’t changed for decades. The OT motto often goes, “if it works, don’t touch it.”

This tension runs both ways. Engineers don’t want to be involved with IT, nor do they want IT coming into their space. And IT teams don’t want to be in the plant; their world is the data center. Neither side wants to cede control to the other, and for good reason. You wouldn’t want IT controlling the safety systems of the chemical plant. You obviously can’t “reboot” a complex and potentially explosive industrial chemical process. But you also wouldn’t want the plant engineer running your perimeter firewalls.

And yet, despite these clashes in culture, it’s more and more common that we see business objectives that require a holistic IT/OT approach, utilizing both information and operations technology. 

Case study: Water utility pumping stations

Take, for example, the situation faced by one of our customers: a water utility with hundreds of pumping stations distributed across acres of land. Its engineering team is tasked with monitoring the vibrations of these pumps as a means to detect malfunctions. Yet, the IT team refuses to enable remote connectivity due to cybersecurity concerns, unless a VPN (or virtual private network) connection is utilized.

Concerned that a VPN solution would take a long time to approve and implement, the engineers decide to purchase a cheap, disk-on-key cell modem from eBay and connect the programmable logic controller (PLC) directly to the internet. This enables them to log in from their home laptops to perform monitoring and maintenance. 

Voila! In their minds, the cell modem solves the problem, and there is no need to involve or seek approval from IT. This is how engineers are trained to think - to solve problems and work through obstacles. However, creative solutions can introduce other problems and cybersecurity issues, and they often can’t scale to meet business needs. 

Meanwhile, the IT department, hundreds of miles away, is unaware of the creative solution implemented by the engineers. They are debating how best to enable remote connectivity – by installing Ethernet or Wi-Fi in the water plant. Each has advantages and drawbacks. But planning without feedback from the plant engineers would be foolish. 

If IT implements a Wi-Fi solution without knowledge of the pump’s monitoring sensor requirements, it may not solve any issues for the engineer. Ethernet connectivity to the pumps might enable engineers to monitor vibration, but it also requires running Ethernet to every single pump, which can’t accommodate changes if a pump location is moved. 

It’s easy to see from this example that having experts who can speak both languages – IT and OT – is already a make-or-break factor in the successful application of technology in the industrial world. This is especially true when it comes to industrial cybersecurity projects, which almost always require both IT and OT specialists.

Appointing an IT-OT convergence champion

Organizations are more likely to succeed if they have a role built into the organization that can translate strategic objectives from business leaders to IT/OT subject matter experts.

Successful deployment of industrial cybersecurity projects will leverage resources from both IT and OT. Business-level oversight and leadership ensure that the different cultures don’t clash but instead work together, and eventually complement each other to provide even greater value to the organization.

To enact this vision, organizations are taking senior, experienced engineers from the various OT business units, which usually report into the chief operations officer, and moving those individuals under the chief information officer hierarchy, resulting in leadership roles that can straddle both sides of the IT/OT fence.

In our water utility example, if the customer had an IT/OT leader in place, that person would be responsible for providing a solution that addresses the needs of the engineers and IT staff, as well as the overall business. This person would lead an overarching IT/OT security convergence strategy that addresses everything from cybersecurity and safety to ongoing maintenance and procedures, resulting in sustainable, industrial-grade, enterprise-wide solutions.

Some organizations have taken this even further. Instead of building IT roles under the CIO, they create a new, C-level role to facilitate this strategy. It’s no longer uncommon to find a chief digital officer on the leadership team who helps bridge the gap between the COO and chief technology officer.

The higher up the organizational ladder that IT/OT convergence decisions are being made, the higher the chances for success, and the more likely your team can minimize future security risks while capitalizing on the upside of digital transformation.

For more information and best practices on improving cross-team collaboration, check out our whitepaper, “Mind the Gap: A Roadmap to IT/OT Alignment.”
