Every mid-market manufacturer we meet has been told, by someone, that they need to embrace IT/OT convergence. Almost none of them have been told what that actually means, or what the cost of getting it wrong looks like.
Convergence, as the word is commonly used, has become a rhetorical shortcut for "put the plant network on the same infrastructure as the corporate network and manage it with the IT team." That is a set of architectural choices, not a strategy — and those choices have real, measurable consequences.
What convergence actually refers to, historically
The term emerged from a reasonable observation: the hard air-gap between IT and OT environments has eroded. Plants send production data to the cloud. Remote support is routine. MES and ERP systems need to talk. Pretending that OT and IT are separate worlds is no longer useful.
So far, so good. The problem is the leap from "these systems need to talk" to "these systems should live on the same network, managed by the same team, under the same operational assumptions." That leap collapses two environments that have fundamentally different requirements.
Why IT and OT environments are different
Three reasons that matter for architecture:
- Change tolerance. Corporate IT tolerates — often demands — frequent patching, agent deployment, and endpoint reconfiguration. A PLC that has been running since 2009 tolerates none of that. Patching cycles are measured in planned maintenance windows, not Patch Tuesdays.
- Failure consequence. An IT outage costs productivity. An OT outage costs production — and occasionally, physical safety. The tolerable-failure threshold is much lower.
- Lifespan. IT equipment is replaced on 3-to-5 year cycles. OT equipment is replaced on 15-to-25 year cycles, or whenever the process line is re-engineered. You will be defending systems that shipped in 2004 until 2030.
What responsible integration looks like
The right question is not "should IT and OT be integrated?" — they already are. The right question is: "how do we integrate them such that IT-originating incidents cannot cascade to OT operations?"
Responsible integration has, in our experience, five properties:
- Explicit zoning. A documented model — typically Purdue-aligned — that defines which systems belong in which zone.
- Enforced conduits. Traffic between zones passes through a firewall that enforces an explicit allow-list. Every permitted flow has a documented owner.
- Isolation capability. The architecture supports rapid disconnection of corporate from OT without halting OT. This is a testable property.
- Differentiated ownership. OT and IT share information, tooling, and occasionally people — but plant operations retains authority over change in the OT zone.
- Separate incident response. OT-specific playbooks exist, have been exercised, and include the plant floor as a participant.
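The zoning, conduit and isolation properties above are concrete enough to check mechanically. The following script is an added illustration, not tooling from the Cascadia practice: it models a small Purdue-aligned zone set, an explicit conduit allow-list with a named owner per flow, and two checks. One compares observed firewall flows against the allow-list; the other tests the isolation property directly by listing every conduit that would be severed if the corporate uplink were cut. Zone names, ports, owner names and the log lines are constructed assumptions.

```python
"""Zone and conduit checks for the five properties above.

Added illustration, not the practice's own tooling. Zone names, ports,
owners and the firewall log lines are constructed assumptions.
"""
from dataclasses import dataclass

# Purdue-aligned zones (assumed names), keyed to their approximate level.
ZONES = {
    "enterprise": 4.0,  # corporate IT: ERP, user workstations, corporate AD
    "idmz": 3.5,        # industrial DMZ: data brokers, jump hosts, patch mirror
    "site_ops": 3.0,    # historian, MES, engineering workstations
    "control": 2.0,     # PLCs, HMIs, SCADA servers
}
# Everything below the iDMZ is plant-side and must keep running without corporate.
OT_ZONES = {z for z, lvl in ZONES.items() if lvl < ZONES["idmz"]}


@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    port: int
    owner: str  # every permitted flow has a documented owner


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


# Explicit allow-list (constructed). Anything not listed is denied.
CONDUITS = [
    Conduit("enterprise", "idmz", 443, "IT network team"),       # ERP reads DMZ broker
    Conduit("idmz", "site_ops", 8443, "Plant controls lead"),    # broker queries historian
    Conduit("site_ops", "control", 502, "Plant controls lead"),  # historian polls PLCs (Modbus)
]

# Constructed firewall log lines in a simple key=value shape.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z src_zone=enterprise dst_zone=idmz dport=443 action=allow",
    "2024-05-01T10:00:05Z src_zone=site_ops dst_zone=control dport=502 action=allow",
    "2024-05-01T10:00:09Z src_zone=enterprise dst_zone=control dport=502 action=allow",
    "2024-05-01T10:00:12Z src_zone=control dst_zone=enterprise dport=445 action=allow",
]


def parse_log(lines):
    """Turn key=value log lines into Flow records (the timestamp is dropped)."""
    flows = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        flows.append(Flow(fields["src_zone"], fields["dst_zone"], int(fields["dport"])))
    return flows


def is_permitted(flow, conduits=CONDUITS):
    return any(
        c.src == flow.src and c.dst == flow.dst and c.port == flow.port
        for c in conduits
    )


def find_violations(flows, conduits=CONDUITS):
    """Observed flows that no conduit allows: the live rule base is wider than the model."""
    return [f for f in flows if not is_permitted(f, conduits)]


def _ties_enterprise_to_ot(c):
    return "enterprise" in (c.src, c.dst) and bool({c.src, c.dst} & OT_ZONES)


def conduit_policy_problems(conduits=CONDUITS):
    """Structural checks on the allow-list itself, before any traffic is looked at."""
    problems = []
    for c in conduits:
        if not c.owner.strip():
            problems.append(f"{c.src}->{c.dst}:{c.port} has no documented owner")
        # Corporate traffic must terminate in the iDMZ; a direct hop into an OT zone skips the buffer.
        if _ties_enterprise_to_ot(c):
            problems.append(f"{c.src}->{c.dst}:{c.port} bypasses the iDMZ")
    return problems


def links_lost_on_corporate_disconnect(conduits=CONDUITS):
    """Isolation test: conduits that tie an OT zone directly to the enterprise zone.

    Cutting the corporate uplink severs exactly these; an empty list means the
    OT zones keep running on their own, which is the property the text asks for.
    """
    return [c for c in conduits if _ties_enterprise_to_ot(c)]


if __name__ == "__main__":
    for f in find_violations(parse_log(SAMPLE_LOG)):
        print(f"DENY-BY-MODEL {f.src}->{f.dst}:{f.port}")
    print("policy problems:", conduit_policy_problems())
    print("links lost on disconnect:", links_lost_on_corporate_disconnect())
```

Run against the constructed log, the script reports the two flows that the model does not permit (a corporate host polling a PLC directly, and a control-zone host reaching corporate SMB), while the allow-list itself passes both structural checks. The useful habit is to run the isolation check against the real rule base on a schedule: the property stays testable only if somebody tests it.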
Signs you are converging badly
If any of these describe your environment, it's worth a closer look:
- Plant operators log in to corporate tools using their corporate AD credentials
- PLCs and HMIs share a VLAN with user workstations
- The IT team patches the historian server on corporate Patch Tuesday, without plant review
- Integrator remote access flows through the same VPN appliance that employees use
- Your IR playbook does not mention OT
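Four of these five signs can be read straight out of an asset inventory if it records login realm, VLAN, patch cycle and remote-access path per host. The script below is an added example, not the practice's own tooling, and the inventory records, field names and the way each sign is turned into a data check are constructed assumptions; the first sign is read here as OT-side hosts whose logins are bound to the corporate directory, since that is the architectural coupling that lets a corporate credential compromise reach the plant.

```python
"""Inventory audit for the warning signs above.

Added example, not the practice's own tooling. The inventory records, field
names and the reading of each sign as a data check are constructed assumptions.
"""
from collections import defaultdict

OT_ROLES = {"plc", "hmi", "scada", "historian"}

# Constructed asset inventory. 'auth' is the login realm, 'patch' the patch
# cycle the host follows, 'remote' how it is reached from outside the plant.
INVENTORY = [
    {"host": "plc-line1", "role": "plc", "vlan": 110, "auth": "local",
     "patch": "plant_window", "remote": None, "owner": "plant"},
    {"host": "hmi-line1", "role": "hmi", "vlan": 110, "auth": "local",
     "patch": "plant_window", "remote": None, "owner": "plant"},
    {"host": "hist-01", "role": "historian", "vlan": 120, "auth": "corporate_ad",
     "patch": "corporate_auto", "remote": None, "owner": "plant"},
    {"host": "ws-jsmith", "role": "workstation", "vlan": 110, "auth": "corporate_ad",
     "patch": "corporate_auto", "remote": "corporate_vpn", "owner": "employee"},
    {"host": "lt-vendor", "role": "workstation", "vlan": 200, "auth": "corporate_ad",
     "patch": "unknown", "remote": "corporate_vpn", "owner": "integrator"},
]


def mixed_vlans(inventory):
    """VLANs carrying both OT devices and user workstations (sign 2)."""
    by_vlan = defaultdict(set)
    for a in inventory:
        by_vlan[a["vlan"]].add("ot" if a["role"] in OT_ROLES else a["role"])
    return sorted(v for v, kinds in by_vlan.items() if {"ot", "workstation"} <= kinds)


def ot_hosts_on_corporate_ad(inventory):
    """OT hosts whose logins are bound to the corporate directory (sign 1)."""
    return sorted(a["host"] for a in inventory
                  if a["role"] in OT_ROLES and a["auth"] == "corporate_ad")


def ot_hosts_on_corporate_patch_cycle(inventory):
    """OT hosts patched on the corporate schedule rather than a plant window (sign 3)."""
    return sorted(a["host"] for a in inventory
                  if a["role"] in OT_ROLES and a["patch"] == "corporate_auto")


def integrator_hosts_on_employee_vpn(inventory):
    """Third-party endpoints reaching the plant through the employee VPN (sign 4)."""
    return sorted(a["host"] for a in inventory
                  if a["owner"] == "integrator" and a["remote"] == "corporate_vpn")


def audit(inventory):
    """Return only the checks that produced findings, keyed by finding type."""
    findings = {
        "ot_bound_to_corporate_ad": ot_hosts_on_corporate_ad(inventory),
        "ot_sharing_vlan_with_workstations": mixed_vlans(inventory),
        "ot_on_corporate_patch_cycle": ot_hosts_on_corporate_patch_cycle(inventory),
        "integrator_on_employee_vpn": integrator_hosts_on_employee_vpn(inventory),
    }
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    for finding, hosts in audit(INVENTORY).items():
        print(f"{finding}: {hosts}")
```

On the constructed inventory every check fires: VLAN 110 mixes a PLC and HMI with an employee workstation, the historian is both joined to corporate AD and on the corporate patch cycle, and the integrator laptop comes in over the employee VPN. The fifth sign (an IR playbook that never mentions OT) is a document review, not a data query, so it has no check here.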
The takeaway
Convergence is descriptive, not prescriptive. IT and OT have converged; the question is whether you converged them by design or by accident. If the architecture was not engineered for this, it is almost certainly vulnerable to cascade failure — and the only question is when the cascade will be triggered.
If you want someone to help you answer that question for your specific facility, that is what we do.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.