By Andrew Collins, Research Fellow, OT Architecture and Operations
March 11, 2026
As information technology and operational technology networks continue to merge, organizations are discovering that the security frameworks, tools, and assumptions developed for enterprise IT environments do not translate cleanly into industrial settings. The consequences of applying IT security thinking without adaptation to operational technology environments range from ineffective protection to active operational disruption, and understanding that distinction is a prerequisite for sound industrial cybersecurity leadership.
Different Priorities, Different Stakes
Enterprise IT security operates according to a hierarchy that places confidentiality first, followed by integrity and then availability. Protecting sensitive data from unauthorized access is the primary concern. Operational technology environments invert this hierarchy almost entirely. In a manufacturing plant, an energy facility, or a water treatment system, availability is paramount. A system that is taken offline to apply a security patch, or that generates false alerts causing operators to shut down a process, may create more harm than the vulnerability it was intended to address.
This is not a reason to deprioritize security in operational environments. It is a reason to apply security measures with a fundamentally different operational calculus than IT teams are accustomed to employing.
Legacy Systems and the Patching Illusion
A significant portion of the operational technology installed in critical industrial environments was not designed with cybersecurity in mind and cannot be updated through conventional patch management processes. Controllers, sensors, and human-machine interfaces with operational lifespans of twenty or thirty years frequently run software that vendors no longer support and that cannot be modified without voiding warranties or disrupting validated processes.
Organizations that benchmark their OT security posture against IT patch compliance metrics are measuring the wrong things. The relevant questions in legacy-heavy environments concern network segmentation, anomaly detection, access control, and the capacity to detect and respond to threats that cannot be prevented through software updates.
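To make the point above concrete, the following added example (not code from the article or its author) scores a small, constructed OT asset inventory two ways: the IT-style patch compliance number, and an OT-relevant view that asks whether the assets that cannot be patched at all are covered by compensating controls (passive monitoring and a controlled access path). The asset names, zones and control fields are hypothetical, chosen only to illustrate why the two metrics tell different stories about the same plant.

```python
"""Added example: comparing patch-compliance with compensating-control
coverage over an OT asset inventory. All data below is constructed."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    zone: str                 # network zone the asset sits in (hypothetical naming)
    patchable: bool           # vendor still ships updates AND the process allows applying them
    patched: bool             # current on available updates (only meaningful when patchable)
    monitored: bool           # covered by passive anomaly detection on its segment
    access_controlled: bool   # remote/vendor access goes through a controlled path


# Constructed sample inventory for a hypothetical plant, not real data.
INVENTORY = [
    Asset("plc-line1",       "cell-1",  patchable=False, patched=False, monitored=True,  access_controlled=True),
    Asset("hmi-line1",       "cell-1",  patchable=False, patched=False, monitored=True,  access_controlled=False),
    Asset("historian",       "dmz",     patchable=True,  patched=True,  monitored=True,  access_controlled=True),
    Asset("eng-workstation", "site-it", patchable=True,  patched=False, monitored=False, access_controlled=True),
    Asset("rtu-pump3",       "cell-2",  patchable=False, patched=False, monitored=False, access_controlled=False),
]


def patch_compliance(assets):
    """IT-style metric: fraction of all assets that are fully patched.
    Unpatchable devices count as failures forever, so the number can never
    reach 100% and says nothing about whether those devices are protected."""
    return sum(a.patched for a in assets) / len(assets)


def compensating_control_coverage(assets):
    """OT-relevant metric: of the assets that cannot be patched, the fraction
    that have both monitoring and a controlled access path in place."""
    unpatchable = [a for a in assets if not a.patchable]
    if not unpatchable:
        return 1.0
    covered = [a for a in unpatchable if a.monitored and a.access_controlled]
    return len(covered) / len(unpatchable)


def uncovered_unpatchable(assets):
    """Names of assets that cannot be patched and lack at least one
    compensating control. This is the list an OT security lead acts on."""
    return [a.name for a in assets
            if not a.patchable and not (a.monitored and a.access_controlled)]


def zones_without_monitoring(assets):
    """Zones where no asset is covered by passive monitoring: a segmentation
    boundary nobody is watching."""
    zones = {a.zone for a in assets}
    watched = {a.zone for a in assets if a.monitored}
    return sorted(zones - watched)


def posture_report(assets):
    """Bundle both views so they can be reported side by side."""
    return {
        "patch_compliance": round(patch_compliance(assets), 3),
        "compensating_control_coverage": round(compensating_control_coverage(assets), 3),
        "uncovered_unpatchable": uncovered_unpatchable(assets),
        "zones_without_monitoring": zones_without_monitoring(assets),
    }


if __name__ == "__main__":
    for key, value in posture_report(INVENTORY).items():
        print(f"{key}: {value}")
```

On the constructed inventory the IT metric reports 20% patch compliance, a figure that will never improve because three of the five devices cannot be patched at all, while the OT view shows that only one of those three unpatchable devices is actually covered and that one whole cell has no monitoring. The second report is the one that tells an operations leader what to fix next.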
The Vendor and Integrator Gap
Much of the technology installed in industrial environments is deployed and maintained by specialized vendors and systems integrators whose primary expertise lies in operational performance rather than cybersecurity. These relationships create a persistent gap in security accountability. Organizations frequently lack visibility into the security practices of the vendors who access their most sensitive operational systems, and vendor contracts rarely establish meaningful security obligations or audit rights.
Closing this gap requires deliberate procurement policy, contractual accountability, and an internal capability sufficient to evaluate and oversee vendor security practices.
Building the Right Governance Model
Effective industrial cybersecurity governance requires collaboration between operational leadership, IT security functions, and engineering teams, with clear accountability for decisions that affect both security and operational continuity. Organizations that assign OT security exclusively to IT departments or exclusively to operations teams tend to produce outcomes that serve one priority at the expense of the other.
The convergence of IT and OT is a permanent feature of industrial modernization. The governance model for managing that convergence must be equally deliberate.