





















For decades, operational technology (OT) quietly powered the physical systems societies rely on every day, from energy generation and manufacturing to transport and defense. Those systems were largely isolated, designed for reliability and safety rather than connectivity. That isolation is disappearing.
In the fifth episode of season 2 of Brass Tacks: Talking Cybersecurity podcast, we examine why OT has become a central cybersecurity concern. Host Joe Robertson speaks with Hossain Alshedoki, Partner at KPMG Middle East and Global Lead for OT and IoT, about why critical industries are increasingly exposed to cyberattacks and what leaders must do as IT and OT environments converge.
Unlike enterprise IT, OT systems were never designed to be connected to the outside world.
OT controls critical physical processes. Valves, turbines, assembly lines, electrical grids, and industrial machinery are managed through systems that prioritize availability and safety above all else. Minor changes in the environment can spell disaster. As a result, for much of their history, these systems operated in closed environments, with limited exposure to external networks.
That model, however, is changing. Digital transformation, automation, and data-driven decision-making are pushing OT systems to connect with corporate IT environments. As a result, OT is now facing cyber risks that IT has spent decades learning to manage.
A central theme of the episode’s discussion is the fundamental difference between IT and OT.
IT governs virtual processes, data, applications, and business workflows. OT governs physical reality. When something goes wrong in IT, systems may be shut down to prevent data loss. When something goes wrong in OT, the consequences of system shutdowns can include physical damage to the connected devices, environmental harm, or even risk to human life.
That critical distinction fundamentally changes how cyber risk must be understood and dealt with. OT security failures are not just business disruptions. They can become physical safety incidents.
Alshedoki helps demystify the OT environment by breaking it into its core building blocks.
Industrial control systems (ICS) form the overarching environment that manages operational processes. Within that environment, technologies such as supervisory control and data acquisition (SCADA) systems, programmable logic controllers (PLCs), and distributed control systems (DCS) execute logic and coordinate physical actions. Increasingly, these environments are evolving into cyber-physical systems, where computing, networking, and physical processes are tightly integrated.
As connectivity grows, so does complexity. To complicate matters further, many organizations are still developing a shared vocabulary between IT and OT teams—especially since they often have different priorities—which can slow progress and increase risk.
The idea of IT and OT convergence is often treated as a recent development, but Alshedoki pushes back on that framing. Elements of convergence have existed for years. What has changed is the scale and intent. Organizations now want data to flow from the factory floor to the boardroom, enabling analytics, automation, and better decision-making across the business.
This requires new architectures. Traditional OT models, often structured around hierarchical frameworks such as the Purdue Model, were not designed for the flat, interconnected architectures common in IT. As a result, simply merging networks is not enough. Convergence must be deliberate, secure, and aligned with how both environments actually operate. And that takes time, planning, and expertise that many organizations lack.
Technology is only part of the challenge. Historically, OT engineers focused on uptime, safety, and performance, while IT security teams focused on the confidentiality, integrity, and availability of data. As responsibility for cyber resilience expands across the organization, those worlds are colliding.
Alshedoki describes this primarily as a cultural issue. CISOs are increasingly accountable for cyber risk across the enterprise, often without visibility into OT environments. At the same time, OT teams may view security controls as potential threats to operational stability.
Bridging that gap requires trust, shared understanding, and collaboration, not just new tools. That requires a shift in culture.
One of the clearest lessons from the episode is practical. Before organizations automate controls or apply advanced governance frameworks, they need visibility. The challenge is that many OT environments lack accurate asset inventories or vulnerability insight. In some cases, simply monitoring the network reveals connected devices that were previously unknown.
Without that foundational understanding, automation can generate misleading data or even disrupt operations. Knowing what assets exist, how they communicate, and where risks lie is a prerequisite for meaningful security.
Alshedoki shares examples of organizations that have made progress by extending proven IT security capabilities into OT environments in a measured way.
This includes adapting anomaly detection, governance processes, and resilience planning to OT realities, while respecting operational constraints. Success depends on people and process as much as technology, including cross-training, secondment programs, and shared ownership of risk. The result is not instant transformation, but incremental improvement in resilience and visibility.
The conversation concludes with a focus on outcomes rather than tools. As OT systems become more connected, leaders must balance security, safety, and operational continuity. The goal is not to replicate IT security models wholesale, but to build environments that are agile, resilient, and able to evolve as technology changes.
Culture, Alshedoki emphasizes, is the umbrella that covers the entire transition. When IT and OT teams understand each other’s priorities and constraints, organizations are far better positioned to secure the physical systems their societies depend on.
Brass Tacks: Talking Cybersecurity is Fortinet’s podcast series focused on the real-world risks shaping today’s digital landscape. In season 2, the series expands its lens beyond technology and business to examine cybersecurity as a societal challenge—one that touches governments, critical infrastructure, public services, and everyday life.
Each episode features conversations with experts from policy, academia, and industry, offering practical insight into how organizations and societies can strengthen resilience, manage risk, and respond to an evolving threat environment.
You can watch Brass Tacks episodes on Fortinet TV and YouTube, or listen on your preferred podcast platform under the Fortinet Cybersecurity Podcast channel.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。