H1: IT and OT collaboration in cybersecurity – why the biggest threat is not the attackers but the lack of integration
Title: IT and OT collaboration in cybersecurity – the key to protecting your organization
Description: Why does the lack of collaboration between IT and OT teams pose a greater threat than cyberattacks? Discover integration strategies that strengthen security.
Excerpt: In industrial cybersecurity, the biggest problem is not sophisticated attackers. It is the lack of collaboration between IT and OT teams that opens the door to cybercriminals. Discover strategies that unite both worlds into one effective line of defense.
URL Slug: it-ot-collaboration-cybersecurity-team-integration
Imagine a manufacturing plant where the IT team has just deployed a new policy enforcing automatic operating system updates. That same day, the production line stops for three hours because the update restarts a SCADA server managing the continuous steel casting process. The OT team was not informed about the change. The IT team did not know that this particular server controlled a process whose unplanned shutdown costs several hundred thousand zlotys per hour. Neither side acted in bad faith – both wanted to protect the organization. But the lack of communication meant they were protecting it against different threats while simultaneously creating new ones.
This situation is not an exception. In dozens of organizations we work with at nFlo, we observe the same pattern: IT and OT teams function as separate islands, with their own priorities, language, and work culture. Meanwhile, attackers do not respect these internal divisions. For them, a network is a network – regardless of whether it leads to a customer database or to a PLC controller on the production floor. This is not the “IT side of the house” or the “OT side of the house.” It is the SAME house. And it is high time that all its residents start working together before attackers exploit their mutual distrust.
Why does the lack of collaboration between IT and OT pose a greater threat than cyberattacks?
The traditional approach to cybersecurity focuses on external threats: ransomware, APT attacks, phishing, and zero-day exploits. These threats are real and serious, but there is a factor that multiplies their effectiveness many times over – the internal fragmentation of the teams responsible for security. When IT and OT do not communicate with each other, the organization loses its ability to mount a coherent defense.
The problem is systemic. The IT team may deploy an advanced SIEM solution that collects logs from all corporate systems but completely ignores network traffic from the industrial network. The OT team may maintain SCADA systems with default passwords, arguing that “the network is isolated” – while IT has just connected it to the cloud for remote monitoring. Each side sees only its portion of the picture and makes decisions based on incomplete information.
The consequences of this split are measurable. An attacker who gains access to the corporate IT network will, in an organization with integrated teams, encounter a coordinated response involving both IT segment isolation and verification of OT system integrity. In an organization with disconnected teams, the same attack can spread undetected through the OT environment because no one thought to notify the automation engineers about an incident in “their” part of the network.
Additionally, the lack of collaboration leads to duplication of effort and gaps in coverage. Both teams may independently purchase security tools that are incompatible with each other, create separate incident response procedures, and conduct separate audits that do not account for the contact points between environments. As a result, the organization spends more on security while simultaneously being more vulnerable to attack.
How do the priorities of IT and OT teams differ and where do the conflicts come from?
The root cause of most conflicts between IT and OT is a fundamental difference in priorities, stemming from the different operational objectives of both environments. Understanding these differences is the first step toward building a bridge between the teams.
In the IT world, the key priority is the CIA triad – Confidentiality, Integrity, and Availability, usually in that order. Protecting data from unauthorized access comes first. Regular system updates, service restarts, and planned maintenance windows are a normal part of operations. The hardware lifecycle is 3-5 years, and technology replacement is seen as a natural evolution.
In the OT environment, priorities are reversed – availability comes first, then integrity, and confidentiality comes last. The continuity of the production process is paramount. An unplanned restart of a control system can mean not only financial losses, but in industries such as energy, chemical, or pharmaceutical – a real threat to human health and life. OT systems often operate for 15-25 years without replacement, and automation engineers rightly treat any change to a working system as a potential risk.
These differences lead to specific conflicts. IT wants to patch systems immediately after security updates are released – OT refuses because every update requires compatibility testing with the process control software. IT wants to segment the network and introduce firewalls – OT fears that additional communication latency may disrupt real-time processes. IT enforces multi-factor authentication – OT needs immediate system access in emergency situations.
Neither side is “wrong.” Both act rationally within the context of their operational goals. The problem arises when these goals are not reconciled at the organizational level, and each team perceives the other as an obstacle rather than a partner.
On top of this, there are cultural differences. IT engineers often have experience in dynamic environments where speed of change deployment is an asset. OT engineers come from an engineering culture where stability and process repeatability are the foundation of safety. These different perspectives can lead to mutual frustration and a lack of respect for each other’s competencies.
What consequences do organizations face when IT and OT operate in isolation?
The operational isolation of IT and OT generates concrete, measurable losses that extend far beyond cybersecurity itself. The effects of this divide affect the finances, regulatory compliance, and reputation of the organization.
The first and most direct consequence is an extended incident response time. When a ransomware attack penetrates from the corporate network into the industrial environment, the lack of shared response procedures means both teams act independently, often making conflicting decisions. The IT team may cut network communication to stop the spread of malware – not knowing they have just severed connectivity to the emergency shutdown system of a steel furnace. The average incident response time in organizations with separate IT/OT teams is two to three times longer than in companies with an integrated approach.
The second consequence is gaps in regulatory compliance. The NIS2 directive, which has brought significantly more entities within its scope than its predecessor, requires a holistic approach to cybersecurity risk management – covering both IT and OT systems. Organizations where these areas are managed separately have serious difficulty demonstrating a coherent security policy to regulators. Similarly, the IEC 62443 standard, the benchmark for industrial automation system security, explicitly requires collaboration between IT and OT domains.
The third area of consequences is operational costs. Duplication of security tools, separate monitoring teams, and the lack of shared vulnerability management processes – all of this generates higher costs with lower effectiveness. An organization may maintain two separate security operations centers (SOC), neither of which has a complete picture of threats.
Finally, IT/OT isolation makes effective digital transformation of industrial environments impossible. Industry 4.0 initiatives, predictive maintenance, digital twins, and remote process management all require deep integration of IT and OT systems. Without collaboration between the teams responsible for both environments, these projects either never get off the ground or create new, unmanaged attack vectors.
How does IT/OT convergence change the cyberthreat landscape?
IT/OT convergence is the process of merging previously separated information technology and operational technology environments into an integrated ecosystem. While it delivers enormous business benefits, it fundamentally changes the organization’s risk profile and requires a new approach to security.
For decades, OT systems were protected primarily by physical isolation. The industrial network had no connection to the internet or even to the corporate network, which effectively eliminated most cyberthreats. That era has come to an end. The need for remote monitoring, production optimization based on ERP system data, and predictive maintenance has forced the merging of both worlds. Over 70% of industrial organizations already have direct or indirect connections between their IT and OT networks.
This convergence has opened new attack vectors that neither team can monitor independently. Attackers can use phishing aimed at IT department employees as an entry point, then move laterally through the corporate network until they reach a segment with access to SCADA or DCS systems. Incidents such as the Colonial Pipeline attack and the Sandworm group campaigns targeting Ukrainian energy infrastructure demonstrate that this attack path is being actively exploited by advanced cybercriminal groups.
At the same time, convergence renders the traditional security approaches of both domains insufficient. IT security tools designed to protect Windows and Linux systems may not recognize industrial protocols such as Modbus, DNP3, or OPC UA. Conversely, traditional OT protections based on air-gaps and physical access control do not protect against threats penetrating from the IT layer.
Organizations need a new class of solutions and competencies that combine knowledge from both domains. At nFlo, we observe growing demand for security analyses that cover both IT infrastructure and industrial automation systems. An OT security audit that does not account for connections to the corporate network gives a false sense of security – just as an IT audit that ignores the industrial environment does.
Why are empathy and understanding crucial in building IT/OT collaboration?
IT and OT integration is not just a matter of technology and processes. It is above all a human challenge that requires a fundamental change in the way both teams perceive each other. Without empathy and mutual understanding, even the best tools and procedures will not deliver the expected results.
Empathy in the context of IT/OT collaboration means the ability to put yourself in the other team’s shoes and understand why they make certain decisions. When an IT engineer hears that the OT team refuses to install a security patch, the natural reaction is frustration – “why are they ignoring a critical vulnerability?” But when that same engineer understands that the last PLC controller software update caused a four-hour production line shutdown and losses counted in hundreds of thousands of zlotys, their perspective changes. The refusal does not stem from ignorance, but from experience.
Similarly, OT engineers often perceive IT teams as people who do not understand the realities of the production environment and impose solutions designed for office environments. When the IT team requires regular password changes for control systems, the automation engineer sees a risk – an operator in an emergency situation cannot waste time logging in with a new password because every second of delay can mean equipment damage. This is not resistance to security – it is prioritizing physical safety over digital security.
Building empathy requires deliberate actions. Joint visits to the production floor, where IT engineers see firsthand the consequences of unplanned downtime, are invaluable. Equally valuable are sessions where the OT team participates in the analysis of real cybersecurity incidents, understanding the scale and sophistication of modern threats. These experiences build mutual respect and create the foundation for constructive collaboration.
Organizations that invest in building relationships between IT and OT teams achieve better results not only in security but also in operational efficiency. When both teams understand each other’s constraints, they can jointly develop solutions that meet cybersecurity requirements without disrupting the continuity of production processes. This is the essence of partnership – one of the fundamental values we implement daily at nFlo in our relationships with clients.
How do you build a common language between IT and OT teams?
One of the biggest barriers in IT/OT collaboration is the lack of a common language. The same words can mean completely different things in both environments, and the specialized jargon of each domain is incomprehensible to the other side. Building a common language is the foundation of effective communication.
Let us start with an example. The word “server” for an IT specialist means a machine (physical or virtual) hosting applications and services that can be restarted, updated, or migrated. For an OT engineer, a “server” is often an engineering workstation or SCADA server whose restart may require a multi-hour procedure to resynchronize with process controllers. Similarly, a “firewall” in IT is a standard network tool, while in OT, deploying a firewall requires a deep understanding of industrial protocols and acceptable communication latencies.
The first step toward building a common language is creating a glossary that defines key terms in the context of both environments. Such a document should cover not only technical terminology but also metrics and indicators. When IT talks about “99.9% availability,” this means a maximum of 8.7 hours of downtime per year. For OT, “availability” means zero unplanned process shutdowns – even a one-minute interruption in furnace or reactor operation can generate losses exceeding the annual IT budget.
The second element is a shared risk taxonomy. IT classifies risk primarily in terms of data loss, privacy breaches, and digital service outages. OT assesses risk through the lens of physical safety, production continuity, and environmental impact. A unified risk matrix that incorporates both perspectives enables constructive discussions about priorities without mutual misunderstandings.
Regular interdisciplinary meetings – not just in crisis situations but also during planning – help both teams familiarize themselves with the terminology and priorities of the other side. Over time, a natural shared language emerges that enables faster and more effective communication in daily work and in crisis situations.
What organizational structures support IT and OT integration?
Effective IT/OT collaboration requires appropriate organizational structures that institutionalize integration rather than leaving it to the goodwill of individual people. Without formal collaboration frameworks, even the best intentions dissolve under the pressure of daily responsibilities.
The most advanced model is the establishment of an integrated security operations center (SOC) that monitors both the IT and OT environments. Such a SOC requires analysts with competencies in both domains, or at least close collaboration between specialists from both areas. A shared monitoring platform that correlates events from the corporate and industrial networks enables the detection of attacks that cross domain boundaries – which is impossible when each team monitors only its own piece of the infrastructure.
If the organization is not ready for full SOC integration, an effective intermediate solution is to establish a liaison role – a person or team responsible for coordinating security at the IT/OT boundary. This role requires a unique skill set: understanding both IT network protocols (TCP/IP, HTTP, DNS) and industrial ones (Modbus, Profinet, EtherNet/IP), as well as the ability to communicate with both groups.
Equally important is incorporating OT topics into existing IT security management processes. This means joint change planning sessions where the OT team has an advisory voice when modifying network infrastructure, and the IT team participates in planning control system modernization. A joint change management committee eliminates situations where one side makes decisions affecting the other without consultation.
At the executive level, it is critical to assign clear responsibility for security covering both environments. Whether this is a CISO with an expanded mandate or a new role responsible for convergent security – the organization needs a person with the authority and motivation to bridge both worlds. Without executive-level support, integration will remain a grassroots initiative dependent on personal relationships rather than organizational structure.
How do you implement a unified approach to IT/OT risk management?
Unified risk management is where IT/OT collaboration takes on a concrete, measurable form. This requires moving beyond the siloed approach where each team maintains its own risk register and creating a shared picture of threats for the entire organization.
The foundation is a shared risk assessment methodology that accounts for the specifics of both domains. The IEC 62443 standard, dedicated to the security of industrial automation systems, provides an excellent starting point because it was designed with IT/OT convergence in mind. Combining it with the NIST Cybersecurity Framework creates a comprehensive risk management model covering both information assets and process control systems.
A key element is a joint asset inventory. Organizations often have a detailed registry of IT assets (servers, workstations, network devices) but lack a complete picture of OT assets (PLC controllers, HMIs, sensors, actuators). Without a comprehensive inventory covering both environments, it is impossible to conduct a reliable risk assessment. At nFlo, we begin every OT security analysis by mapping assets and connections between IT and OT domains – this is the foundation without which subsequent steps are meaningless.
The next step is a unified threat classification. A ransomware attack that encrypts a file server in the accounting department and the same ransomware encrypting a SCADA engineering workstation are completely different scenarios in terms of consequences. A shared impact matrix that considers both business effects (data loss, service interruption) and physical effects (threat to people, equipment damage, environmental impact) enables adequate prioritization of remediation actions.
Finally, unified risk management requires shared vulnerability management processes. This does not mean that OT systems must be patched with the same frequency as IT systems. It does mean, however, that both teams must have visibility into vulnerabilities in both domains and jointly decide on the strategy for addressing them – whether through patching, compensating security controls, or risk acceptance with full awareness of the consequences.
What role do joint exercises and incident simulations play?
Joint cybersecurity exercises covering both IT and OT scenarios are one of the most effective tools for building collaboration between teams. Nothing unites people like solving problems together under pressure – even if that pressure is simulated.
Tabletop exercises, in which IT and OT representatives jointly analyze a hypothetical attack scenario, reveal communication and procedural gaps that are invisible in day-to-day operations. A typical scenario might involve a ransomware attack that penetrates from the corporate network to the OT segment through an unsecured remote access connection. When both teams try to jointly develop a response plan, key questions immediately emerge: Who decides to disconnect the industrial network? Who informs the board? Who contacts the regulator? Is there a procedure for emergency manual control?
More advanced exercises involve simulations using test environments where teams can practice responding to real attacks without risk to production systems. In these scenarios, IT engineers learn how SCADA systems behave under attack, and OT engineers observe the techniques attackers use to penetrate the corporate network. This experience builds mutual understanding that is difficult to achieve in any other way.
Regular exercises also have a practical dimension. They allow teams to test and refine joint incident response procedures, identify training needs, and build personal relationships between members of both teams. People who have jointly “survived” a simulated crisis communicate and collaborate much more easily when a real threat appears.
It is recommended to conduct tabletop exercises at least once per quarter and full incident simulations once or twice per year. Every exercise should conclude with an after-action review, resulting in specific improvement actions. This is a process of continuous improvement, not a one-time event.
How can technology support IT/OT security convergence?
While the foundation of IT/OT collaboration is people and processes, appropriate technology tools can significantly facilitate integration and improve protection effectiveness. The key is choosing solutions designed with convergent environments in mind.
The first category is unified visibility platforms that collect and correlate data from both IT infrastructure and industrial systems. Traditional SIEM tools are evolving to support OT protocols, while dedicated industrial network monitoring platforms offer integration with the IT security ecosystem. The goal is to create a single pane of glass through which security analysts see the complete threat picture – regardless of whether the threats concern the IT or OT world.
Network segmentation is another critical tool. The Purdue model (ISA-95) defines zones and communication channels between IT and OT layers, and modern firewalls supporting industrial protocols enable precise traffic control at the boundary between both environments. Properly implemented segmentation does not cut IT off from OT – it provides controlled, monitored access that minimizes the risk of attackers moving laterally between network segments.
Identity and access management (IAM) adapted to OT needs is the third technological pillar. Solutions such as privileged access management (PAM) with session recording capabilities allow access control to critical control systems without introducing delays that threaten real-time processes. It is essential that these solutions are implemented in collaboration with the OT team, with a full understanding of operational requirements.
Security process automation – from vulnerability scanning to incident response – can radically improve the efficiency of joint operations. SOAR (Security Orchestration, Automation and Response) platforms with playbooks accounting for OT specifics enable faster, more consistent responses to threats crossing domain boundaries.
Technology, however, is only a tool. Without first establishing shared processes and building relationships between teams, even the best technology solutions will not deliver the expected results. A tool implemented without organizational context becomes yet another silo, not a bridge.
How do you measure IT/OT collaboration maturity in an organization?
Measuring progress in IT/OT integration requires specific metrics and a maturity model that allows the organization to assess where it stands and what steps it should take to advance to the next level. The model below identifies five levels, from full isolation to integrated partnership.
| Level | Name | Characteristics | Risk management | Incident response | Key indicator |
|---|---|---|---|---|---|
| 1 | Isolation | IT and OT do not communicate, separate budgets and structures | Two separate risk registers, no correlation | Separate procedures, no joint exercises | No joint meetings |
| 2 | Awareness | Both teams know the other exists, sporadic communication | Sharing of critical risk information | Mutual incident notification | Quarterly informational meetings |
| 3 | Coordination | Formal communication channels, joint pilot projects | Joint risk assessment at the IT/OT boundary | Joint tabletop exercises, coordinated procedures | Designated liaison role |
| 4 | Integration | Shared security processes, integrated tools | Unified methodology and risk register | Integrated SOC, shared playbooks | Average response time < 4h |
| 5 | Partnership | One security culture, continuous optimization | Proactive convergent risk management | Automated response with OT context | Coordinated response to 100% of incidents |
Most industrial organizations in Poland are at level 1 or 2. Advancing to level 3 is achievable within 6-12 months and delivers immediate benefits in terms of better threat visibility and faster incident response. Levels 4 and 5 require longer commitment and investment, but organizations that reach them report significantly lower risk levels and higher return on security investment.
Key performance indicators (KPIs) worth monitoring along the maturity path include: mean time to detect an incident spanning both environments (MTTD), mean time to respond to such an incident (MTTR), the percentage of OT assets covered by security monitoring, the number of joint exercises conducted per year, and the percentage of IT/OT vulnerabilities addressed within the agreed time window.
What first steps should you take to start integrating IT and OT teams?
Transforming IT/OT collaboration does not require a revolution. It does, however, require consistent, thoughtful steps that gradually build bridges between both teams. Below we present a practical path that organizations at any maturity stage can follow.
Step one is an inaugural meeting – but not in a conference room. Invite the IT team to the production floor and let the OT engineers show them how the systems they are responsible for operate. Then invite the OT team to the server room and IT operations center. This experience is invaluable because it allows both sides to see the reality in which the other team works. Understanding comes from observation, not from presentations.
Step two is a joint inventory of connections between the IT and OT environments. Many organizations are surprised by how many unmanaged connections exist between the networks – from forgotten VPN links, through cellular modems installed by control system vendors, to wireless access points configured for technician convenience. Mapping these connections is a practical task that requires collaboration from both teams and simultaneously builds a shared understanding of the infrastructure.
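The connection inventory described in this step, and the zone-based segmentation discussed earlier, can be checked mechanically once both teams agree on a zone map and a list of approved conduits. The following is an added example written for this article, not nFlo's or any vendor's tool; the subnets, the Purdue-style zone assignment, the approved conduits and the flow records are all constructed assumptions.

```python
"""
Added example, not part of the original article: compare observed network flows
against an agreed IT/OT zone map and approved conduits, flagging connections the
joint inventory did not sanction. Everything below is constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map, loosely following Purdue levels (assumption).
ZONES = {
    "enterprise": [ip_network("10.0.0.0/16")],        # Level 4: corporate IT
    "idmz": [ip_network("10.10.0.0/24")],             # Level 3.5: industrial DMZ
    "site_ops": [ip_network("10.20.0.0/24")],         # Level 3: historians, engineering workstations
    "control": [ip_network("192.168.100.0/24")],      # Levels 1-2: PLCs and HMIs
}
IT_ZONES = {"enterprise"}
OT_ZONES = {"idmz", "site_ops", "control"}

# Approved conduits agreed by both teams (assumption): src zone, dst zone, port, proto.
APPROVED = {
    ("enterprise", "idmz", 443, "tcp"),    # remote-access gateway living in the DMZ
    ("site_ops", "idmz", 8443, "tcp"),     # historian pushes data to the DMZ replica
    ("site_ops", "control", 502, "tcp"),   # SCADA/HMI polling PLCs over Modbus/TCP
}

# Industrial protocol ports mentioned in the article, used only for labelling.
INDUSTRIAL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 4840: "OPC UA"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its agreed zone; anything unknown is 'external'."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "external"   # e.g. a vendor cellular modem or a forgotten uplink


def classify(flow: Flow) -> tuple[str, str]:
    """Return (severity, reason); 'ok' means the flow matches the agreed design."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d:
        return "ok", f"intra-zone traffic within {s}"
    if (s, d, flow.dport, flow.proto) in APPROVED:
        return "ok", f"approved conduit {s}->{d} {flow.dport}/{flow.proto}"
    svc = INDUSTRIAL_PORTS.get(flow.dport, f"port {flow.dport}")
    if "external" in (s, d) and {s, d} & OT_ZONES:
        return "critical", f"unmanaged external path touching OT ({svc}); check for vendor modems or stray uplinks"
    if s in IT_ZONES and d in OT_ZONES:
        level = "critical" if flow.dport in INDUSTRIAL_PORTS else "high"
        return level, f"IT zone {s} reaching OT zone {d} on {svc} without passing through the DMZ"
    if s in OT_ZONES and d in IT_ZONES:
        return "high", f"OT zone {s} initiating connections into IT zone {d} on {svc}"
    return "medium", f"unapproved cross-zone flow {s}->{d} on {svc}"


def audit(flows):
    """Return only the flows that deviate from the agreed zone model."""
    findings = [(f, *classify(f)) for f in flows]
    return [x for x in findings if x[1] != "ok"]


# Constructed sample of observed flows (as a flow collector might export them).
SAMPLE_FLOWS = [
    Flow("10.0.5.12", "10.10.0.5", 443, "tcp"),         # corporate user -> DMZ gateway
    Flow("192.168.100.21", "192.168.100.22", 502, "tcp"),  # PLC to PLC inside control zone
    Flow("10.20.0.7", "192.168.100.21", 502, "tcp"),    # SCADA polling a PLC
    Flow("10.0.5.40", "192.168.100.21", 502, "tcp"),    # corporate host talking Modbus to a PLC
    Flow("203.0.113.9", "192.168.100.30", 4840, "tcp"), # unknown public address -> OPC UA server
    Flow("10.20.0.7", "10.0.3.5", 3389, "tcp"),         # engineering workstation -> corporate RDP
]

if __name__ == "__main__":
    for flow, severity, reason in audit(SAMPLE_FLOWS):
        print(f"[{severity.upper():8}] {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Each finding is a starting point for the joint inventory conversation: either the connection is documented and added to the approved conduits, or it is removed or moved behind the DMZ.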
Step three is developing a joint incident response procedure that covers scenarios spanning both environments. This does not have to be a complete business continuity plan right away – a simple document is enough, one that specifies who notifies whom, who decides on segment isolation, what the priorities are (human safety always first), and which contact details for both teams must be available 24/7.
Step four is the first joint tabletop exercise. The scenario should be realistic but not overwhelming – for example, phishing targeting an employee with OT network access or the detection of an unknown device in the industrial segment. The goal is not to “pass a test” but to identify gaps in communication and procedures.
Step five is formalizing the collaboration – establishing regular meetings (at least once per month), defining the liaison role, and incorporating OT security topics into existing IT security management processes. From this point on, collaboration ceases to be a grassroots initiative and becomes part of the organizational structure.
If the organization needs support in this process, it is worth considering engaging an external partner with experience in both domains. At nFlo, we conduct OT security analyses that cover not only technical aspects but also an assessment of IT/OT collaboration maturity and recommendations for its development. An external perspective often helps break down internal barriers and accelerate the integration process.
Keys to effective IT/OT collaboration
One house, one defense
- IT and OT are not two sides of a barricade – they are two walls of the same building
- Attackers do not respect internal organizational divisions
- Lack of collaboration is the biggest security gap, greater than any exploit
Empathy before technology
- Put yourself in the other team’s shoes before proposing a solution
- Joint visits to the production floor and server room build understanding
- Both sides act rationally – their priorities simply differ
Practical steps, not revolution
- Start with a joint inventory of IT/OT connections
- Conduct your first tabletop exercise within a month
- Designate a liaison role between teams
- Formalize collaboration in structures and processes
Measure progress
- Assess your maturity level (1-5) and set a realistic target
- Monitor response time to convergent incidents
- Advancing from level 1 to 3 is achievable within 6-12 months
