Asset Management Key to Mitigating OT/IT Convergence Cybersecurity Risks

September 2, 2025 – Published on NexusConnect

Along with the rising convergence of operational technology (OT) and information technology (IT) systems come significant risks. This is especially true in organizations with constrained budgets, such as small healthcare providers, local government agencies, and municipal utilities, among others. When these organizations integrate their OT and IT systems, driven by the need for improved efficiency and connectivity, they are exposed to a broader attack surface and more complex vulnerabilities, raising concerns over process integrity and physical security. The result is that these institutions are forced to make challenging operational and security tradeoffs.

The convergence won’t stop. The business benefits are too great: the promise of enhanced operational efficiency, real-time monitoring, and data-driven decision-making drives the trend toward OT/IT convergence. Last month, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance aimed at addressing the risks associated with the convergence of OT/IT in modern industrial organizations.

CISA’s guidance, Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators, identifies several common deficiencies within these environments that make adversarial compromise all too easy. The list won’t be surprising to some. It includes insufficient network segmentation, one of the primary attack vectors that threat actors exploit to move laterally from IT to OT environments and between OT systems. Additionally, insecure remote access points created through IT/OT integration can provide attackers with entry points to OT systems, “allowing for lateral movement or for command and control.”

Experts see challenges as IT and OT systems continue to converge. To get a handle on the expanded attack surface from OT/IT convergence, the guidance stresses the importance of establishing proper asset inventories and taxonomies as foundational elements for building a “modern defensible architecture” that can identify, prevent, and respond to cyber threats while maintaining the operational benefits of IT/OT integration.

“When you’re on the production side of this, it’s intimidating when you don’t understand the IT and networking and security side, and conversely, when you’re on the IT side, it’s intimidating because you don’t understand the engineering side. You don’t know what all those machines are for,” Daniel Gaeta, managing security engineer, operational technology at GuidePoint Security, said.
