For many organizations, it has been best practice to keep things separate. Factory equipment, power grids, water treatment facilities, medical systems and other critical infrastructure have long been walled off from IT systems. Because these environments handle critical operational tasks, they've remained isolated and air-gapped from enterprise software and outside networks.

But as organizations look for ways to dial up efficiency and cut costs, operational technology (OT) is getting a makeover. Connected sensors, AI and cloud-based analytics are rapidly moving onto the plant floor. As a result, what was once a highly secure, one-way data flow has become a dynamic, bidirectional exchange.

This shift introduces remarkable gains, but it also amplifies cyber-risk. 

"OT wasn't built with security in mind. Generally, it was designed to be a trusted enclave," said Paddy Harrington, senior analyst at Forrester Research. Many industrial systems still run on old OSes, proprietary protocols and flat networks that are difficult to segment and patch. Taking a controller offline can halt production or interrupt critical systems.

Related:How cyber-risk can fall flat in the boardroom

"We have witnessed a dramatic expansion in connectivity without a corresponding increase in security maturity," said Pia Capra, director of OT cybersecurity for Booz Allen's commercial business. "It took decades for organizations to cautiously connect OT systems to enterprise IT. Now, in just the last few years, many have leapfrogged straight into cloud-connected and AI-enabled environments."

The takeaway? CIOs, CISOs and others managing cybersecurity must toss the traditional playbook when it comes to asset visibility, network segmentation, vendor trust and incident response. Even a relatively small gap or breakdown can result in downtime, damaged equipment and — in a worst-case scenario — physical harm.

Connections bring risks for OT systems

Historically, securing industrial systems meant locking the door and losing the key. The technology inside — programmable logic controllers (PLCs), sensors, actuators and software — ran on proprietary protocols that were walled off from IT systems. This framework, based on the Purdue Model, established a hierarchy of zones with controllers that normally didn't interact with outside networks.

Ethernet and IP-based protocols have steadily crept onto plant floors. This has introduced novel risks for OT systems, including widely used supervisory control and data acquisition (SCADA) systems. In 2010, the Stuxnet worm infiltrated a Siemens PLC that Iran was using to enrich uranium. The malware destroyed about 1,000 centrifuges. In May 2021, Colonial Pipeline proactively shut down as a result of ransomware that hit the firm's IT systems. The event triggered fuel shortages and panic buying across the eastern U.S.

Related:Non-human identity sprawl is agentic AI's real risk

Today, the attack surface is expanding due to ubiquitous sensors, cameras, connected devices and AI-enabled tools. "IoT devices are destroying the air gap faster than any other thing we've seen," said Sean Tufts, field CTO at security firm Claroty. Decades-old OT systems magnify the problem; they were never designed for the internet and AI. "What seems like a harmless sensor can open a backdoor into the environment," he said.

In fact, a 2025 Forrester study commissioned by Schneider Electric, found that 91% of the 262 global critical infrastructure organizations surveyed have experienced at least one OT breach or failure over the past 18 months. The study also found that 51% still rely on traditional IT practices to secure OT environments, and only 40% have 24/7 monitoring in place.

AI raises the risks

Introducing AI to OT systems is particularly risky. Unlike static sensors that collect data and route it to the cloud, AI constantly interacts with the cloud — while still relying on a 1990s OT infrastructure. This environment renders firewalls and conventional security largely ineffective. Agentic AI extends the risks by stringing together actions that extend across IT and OT. 

"Agents with unfettered access can take down the entire network in a blink," Harrington said.

Technology isn't the only challenge, however; there are also governance concerns Historically, it's been the job of engineers to oversee SCADA systems and other controls. The problem? These teams typically lack specific knowledge about IT security and modern threats. For many organizations, this leads to a governance gap: OT specialists don't understand the risks their environments create, while IT teams overlook the fact that cybersecurity rooted in IT is fundamentally different from cybersecurity rooted in OT. 

Still another challenge is managing the complexity of blended OT-IT environments and the exposure that extended supply chains introduce. It's increasingly common for contractors and third parties to have access to systems, to improve visibility and efficiency. But the resulting remote maintenance, shared credentials, unmanaged devices, and shadow IT further increase the risk footprint. 

Says Tufts: "Third-party risk is a new perimeter."

How the CIO and COO affect OT

CIOs will play an important role in dismantling the wall between OT and IT, but they need to move strategically. "The discussion needs to shift from CIOs taking control of OT to creating shared accountability without disrupting operations," Capra said. This "shifts the conversation away from a turf war and toward alignment with business priorities."

What often flies under the radar of both IT and OT specialists is that both groups are in pursuit of the same outcomes, but for different reasons, Capra said. While a CIO might be focused on "understanding threats and reducing cyber-risk," a COO is typically buried in "troubleshooting, change management and enabling more advanced capabilities like smart manufacturing," she added.

This leads to subtle differences in the way teams typically respond to threats and security incidents, Capra said. In IT, the first step is typically to isolate or shut down a system, whereas in OT, pulling the plug can create unsafe conditions and damage equipment. "In some cases, the right decision is to let a process continue or run to a safe stopping point, if there's no risk to safety or further spread of the malware," she said.

Without clear communication, OT and IT teams may clash over opposing response tactics. This makes cross-functional collaboration paramount. Doing this effectively requires identifying key operational priorities — and building in the right metrics. For OT teams, this often includes uptime, safety and reliability. For IT, important factors include protecting assets, critical tools and overall visibility. "Governance cannot be imposed in a way that risks disrupting production," Capra said.

Gaining visibility into OT systems

The question isn't whether OT and IT will become inextricably connected. It's how to move forward and unlock the benefits of an integrated OT-IT environment. 

According to Tufts, the overarching goal is to build broad and deep visibility into an OT-IT framework through asset discovery, communication mapping and passive monitoring. AI used effectively can also aid in threat analysis, anomaly detection, data routing, predictive maintenance and smoother operations and security workflows.

CIOs must recognize, however, that it isn't a good idea to update aging OT systems overnight. Some carry upward of 25 years of technical debt. Instead of rushing into end-to-end action, a practical approach centers on first identifying the changes that reduce risk the fastest and make the biggest impact. Then organizations can move on to other systems, tools and workflows, Tufts said. This often translates to just-in-time access, stronger identity controls, the ability to view vendor sessions and tighter controls over contractors and their devices.

There’s no quick fix, but when organizations get things right, there's a genuine upside: faster threat detection, more resilient operations and a foundation for IoT and AI that enhances enterprise performance while reducing risk. 

Concluded Harrington: "All the rules change entirely in today's environment."

About the Author