IT and OT Convergence: New Attack Vectors and Emerging Threats You Need to Know

A ransomware infection hits a corporate email server on a Tuesday morning. By Thursday, a production line in the same organization sits completely silent. That’s not a hypothetical scenario anymore — it’s the pattern playing out across manufacturing plants, energy utilities, and water treatment facilities as IT/OT convergence trends reshape what industrial cybersecurity actually means.

If your organization runs any kind of operational technology alongside a standard enterprise network, this guide maps exactly where the danger lives and what you can do about it.

Key Takeaways

  • IT/OT convergence attack vectors often originate in enterprise IT networks and pivot into industrial control systems through historian servers, remote access gateways, and engineering workstations.
  • Legacy OT systems running decades-old firmware and unauthenticated protocols like Modbus TCP create security gaps that standard IT defenses cannot close.
  • Threat groups including Sandworm, VOLTZITE, and Chernovite (PIPEDREAM) have demonstrated active IT-to-OT pivot capabilities targeting energy, manufacturing, and critical infrastructure.
  • Effective defense requires OT-specific asset visibility, network segmentation at the IT/OT boundary, and incident response playbooks that account for PLC and SCADA environments.
  • The ISA Annual Report 2025 highlights a surge in OT-targeted incidents, and MITRE Caldera’s HVACSim tool now lets defenders train against OT attack scenarios without physical hardware.

Why IT/OT Convergence Has Become Every Security Team’s Problem

IT/OT convergence is the deliberate or gradual connection of enterprise information technology networks with operational technology systems — the PLCs (programmable logic controllers), SCADA (supervisory control and data acquisition) platforms, and industrial control systems (ICS) that manage physical processes.

A decade ago, most OT environments operated behind an air gap, physically isolated from the corporate network. That separation was never perfect, but it provided meaningful friction against remote attackers.

The business case for connecting these environments was genuinely compelling. Remote monitoring reduces the need for on-site technicians. Predictive maintenance algorithms need real-time sensor data flowing into cloud analytics platforms. Supply chain integration requires production data to move between factory floors and ERP systems. Organizations accepted the connectivity tradeoff because the efficiency gains were real and measurable.

What many organizations didn’t fully account for was the attack surface they were creating. The same network path that sends turbine telemetry to a cloud dashboard can carry attacker commands in the opposite direction.

Every connection point between IT and OT is a potential entry path, and unlike enterprise IT environments where patching happens on regular cycles, OT systems often run unpatched for years because taking a production line offline to update firmware is operationally unacceptable. That’s the core tension driving every threat discussed in this guide.

The Attack Surface Explained: Where IT Ends and OT Begins

The Layered Architecture of a Converged Environment

Understanding where attackers focus requires a clear picture of how converged environments are actually structured. The Purdue Model (formally the Purdue Enterprise Reference Architecture) divides industrial environments into five levels: enterprise IT sits at Levels 4 and 5, a DMZ and data historian occupy Level 3.5, OT control systems occupy Levels 2 and 3, and field devices like PLCs and sensors sit at Levels 0 and 1.

The historian server at Level 3.5 deserves special attention. It’s the system that collects real-time process data from OT networks and makes it available to enterprise IT systems for analysis and reporting. In a properly segmented environment, data flows one direction through the historian. In practice, many historians are bidirectionally accessible, creating a bridge that attackers actively target. An attacker who compromises a historian server has one foot in the IT world and one foot in OT.

What Makes the IT/OT Boundary So Hard to Defend

Standard IT security tooling doesn’t speak OT. Your SIEM probably doesn’t parse Modbus TCP frames or recognize DNP3 (Distributed Network Protocol 3) traffic anomalies. Most endpoint detection and response agents can’t run on a 15-year-old HMI (human-machine interface) running Windows XP because the vendor never certified the agent for that platform.

The boundary is structurally difficult to defend because the two environments operate on completely different assumptions about availability, patching, and acceptable latency.

The following table illustrates where those assumption gaps create the most dangerous exposure:

| Dimension | IT Security Reality | OT Security Reality |
| --- | --- | --- |
| Patching cadence | Monthly patch cycles standard | Patches delayed months or years |
| Availability priority | Confidentiality first | Uptime is non-negotiable |
| Authentication norms | MFA widely deployed | Shared credentials common |
| Network visibility | SIEM with full telemetry | Limited or no OT-aware monitoring |
| Incident response | Isolate and remediate quickly | Shutdown may cause physical harm |
| Vendor access | Controlled via PAM tools | Direct remote access often open |

Primary Attack Vectors Targeting Converged IT/OT Environments

Some industry research suggests that close to half of attack vectors on OT assets ultimately trace back to IT network breaches — though that figure should be treated as directionally informative rather than definitive given variability in how incidents are classified and reported. What’s consistent across documented incidents is the pattern: attackers rarely start in OT. They start in IT and work their way down.

What Is Ransomware Lateral Movement in OT Environments?

Ransomware lateral movement in OT environments is when an attacker who has encrypted IT systems continues propagating through network connections into OT infrastructure, either deliberately targeting production systems or causing collateral damage to historian servers and engineering workstations that OT operations depend on.

Here is how this attack unfolds in practice:

  1. Attacker gains initial access via phishing or credential stuffing against a VPN endpoint.
  2. Using pass-the-hash or credential dumping techniques, the attacker moves laterally through the enterprise network.
  3. The attacker reaches a historian server or engineering workstation that has network connectivity to the OT zone.
  4. Ransomware encrypts the historian, cutting off process data visibility for operators.
  5. OT operators, now flying blind, shut down production as a precaution — achieving the attacker’s operational disruption goal even without touching a single PLC.

To defend against this vector: segment historian servers into a dedicated DMZ with strict firewall rules, ensure no direct routable path exists from enterprise IT to OT control systems, and run tabletop exercises that specifically simulate historian compromise scenarios.

Remote Access Abuse and VPN Exploitation

Third-party vendor remote access is one of the most consistently exploited entry points into OT environments. Vendors need remote access to maintain PLCs and HMIs, and organizations often grant that access through the same VPN infrastructure used for IT remote work. Once inside the VPN, a compromised vendor account may have direct network-level access to OT assets that an internal IT employee would never be permitted to reach.

CISA has repeatedly flagged uncontrolled vendor remote access in its advisories on ICS vulnerabilities.

Protocol Exploitation: Modbus, DNP3, and OPC-UA

Many industrial protocols were designed for reliability on isolated networks, not security on connected ones. Modbus TCP, one of the most widely deployed industrial protocols, has no authentication or encryption. An attacker who reaches the OT network can issue legitimate-looking Modbus commands to a PLC without any credentials.

DNP3 faces similar issues. OPC-UA (OLE for Process Control Unified Architecture) is more modern and supports authentication, but many deployments run it in an unauthenticated mode for compatibility with legacy devices.
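The absence of credentials in Modbus TCP is easiest to see in the frame layout itself. The following Python is an added example, not code from the article or from any vendor tool: it decodes the MBAP header and function code of a few constructed sample frames and applies the kind of rule an OT-aware monitor would use, alerting on any write function code that does not come from an assumed allowlist of engineering workstations. The allowlist address and the captured frames are constructed for illustration.

```python
"""Decode Modbus TCP requests and flag writes an OT-aware monitor should alert on.

Added example, not code from the article: the captured frames and the
engineering-workstation allowlist below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Function codes that change PLC state versus those that only read it.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

# Assumed site policy (constructed): only these hosts are expected to write to PLCs.
ENGINEERING_WORKSTATIONS = {"10.20.3.10"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int
    value_or_count: int


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the first 5 bytes of the PDU.

    MBAP: transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    PDU: function code (1), starting address (2), then a value (single writes)
    or a quantity (reads and multiple writes). No field identifies or
    authenticates the sender: whoever can deliver the frame can issue it.
    """
    if len(payload) < 12:
        raise ValueError("frame too short for MBAP header plus minimal PDU")
    tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    fc, address, value = struct.unpack(">BHH", payload[7:12])
    return ModbusRequest(tid, unit, fc, address, value)


def build_frame(tid: int, unit: int, fc: int, address: int, value: int) -> bytes:
    """Construct a request frame; used here only to create the sample capture."""
    pdu = struct.pack(">BHH", fc, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def classify(src_ip: str, payload: bytes) -> dict:
    """Label one request and decide whether it warrants an alert."""
    req = parse_modbus_tcp(payload)
    if req.function_code in WRITE_FUNCTIONS:
        kind, name = "write", WRITE_FUNCTIONS[req.function_code]
    elif req.function_code in READ_FUNCTIONS:
        kind, name = "read", READ_FUNCTIONS[req.function_code]
    else:
        kind, name = "other", f"function code {req.function_code}"
    # A write from anything other than a known engineering workstation is the
    # "legitimate-looking command without credentials" case from the text.
    alert = kind == "write" and src_ip not in ENGINEERING_WORKSTATIONS
    return {"src": src_ip, "kind": kind, "function": name, "unit": req.unit_id,
            "address": req.address, "alert": alert}


# Constructed sample capture: (source IP, raw TCP payload).
SAMPLE_CAPTURE = [
    ("10.20.3.10", build_frame(1, 1, 3, 0, 10)),      # EWS polls 10 holding registers
    ("10.20.3.10", build_frame(2, 1, 6, 40, 1500)),   # EWS sets a setpoint register
    ("10.1.5.77", build_frame(3, 1, 5, 12, 0xFF00)),  # enterprise host forces coil 12 ON
    ("10.1.5.77", build_frame(4, 1, 3, 0, 10)),       # enterprise host reads registers
]


def alerts_for(capture) -> list:
    """Return only the classified requests that should raise an alert."""
    results = [classify(src, payload) for src, payload in capture]
    return [r for r in results if r["alert"]]


if __name__ == "__main__":
    for hit in alerts_for(SAMPLE_CAPTURE):
        print(f"ALERT {hit['src']} -> unit {hit['unit']}: "
              f"{hit['function']} at address {hit['address']}")
```

The decoder covers the request layout shared by the common read and single-write function codes; multi-register writes carry a byte count and data after the quantity field, which a production decoder would also validate. The read from the enterprise host produces no alert under this rule, but it is still worth recording, since a read-only poll from outside the control zone is often the reconnaissance that precedes a write.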

After reading this section, map all data flows crossing your IT/OT boundary and document which protocols are in use and whether they carry any authentication or encryption. That inventory is your starting point for understanding actual exposure.
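One way to start that inventory, as an added example rather than anything from the article: the Python below takes constructed NetFlow-style records, assigns each endpoint to a Purdue zone from an assumed address plan, looks up each protocol's authentication and encryption properties by well-known port, and records a finding for every flow that enters the OT zones without authentication or directly from enterprise IT. The address ranges, port table and flow lines are all constructed for illustration.

```python
"""Inventory data flows crossing the IT/OT boundary and note protocol security properties.

Added example, not from the article: the flow records, the address plan and
the zone mapping are constructed; substitute your own ranges and flow export.
"""
from __future__ import annotations
import ipaddress

# Assumed address plan keyed to Purdue levels (constructed for this example).
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),   # Levels 4-5
    "dmz":        ipaddress.ip_network("10.20.0.0/16"),  # Level 3.5 (historian)
    "control":    ipaddress.ip_network("10.30.0.0/16"),  # Levels 2-3
    "field":      ipaddress.ip_network("10.40.0.0/16"),  # Levels 0-1
}
OT_ZONES = {"control", "field"}

# (protocol name, authenticated, encrypted) by well-known TCP port.
# None means "depends on configuration": OPC UA supports both, but only when
# the server is not exposing an endpoint with security policy None.
PROTOCOLS = {
    502:   ("Modbus TCP", False, False),
    20000: ("DNP3",       False, False),
    4840:  ("OPC UA",     None,  None),
    443:   ("HTTPS",      True,  True),
    3389:  ("RDP",        True,  True),
    22:    ("SSH",        True,  True),
}

# Constructed flow records: timestamp src dst dport transport bytes
SAMPLE_FLOWS = """\
2025-01-14T09:12:03 10.30.0.15 10.20.0.5 443 TCP 18220
2025-01-14T09:12:07 10.1.5.77 10.30.0.15 502 TCP 640
2025-01-14T09:12:09 10.20.0.5 10.30.0.20 20000 TCP 2210
2025-01-14T09:12:11 10.1.8.12 10.20.0.5 443 TCP 99120
2025-01-14T09:12:14 10.1.5.77 10.30.0.30 4840 TCP 1200
2025-01-14T09:12:20 10.1.9.3 10.40.0.7 3389 TCP 55000
"""


def zone_of(ip: str) -> str:
    """Map an address to its Purdue zone, or 'unknown' if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> dict:
    """Turn one flow record into a dict annotated with zones and protocol properties."""
    ts, src, dst, dport, transport, nbytes = line.split()
    port = int(dport)
    name, auth, enc = PROTOCOLS.get(port, (f"{transport}/{port}", None, None))
    return {"time": ts, "src": src, "dst": dst, "port": port, "bytes": int(nbytes),
            "protocol": name, "authenticated": auth, "encrypted": enc,
            "src_zone": zone_of(src), "dst_zone": zone_of(dst)}


def assess(flow: dict) -> list[str]:
    """Findings for one flow; only flows entering an OT zone are of interest here."""
    findings = []
    enters_ot = flow["src_zone"] not in OT_ZONES and flow["dst_zone"] in OT_ZONES
    if not enters_ot:
        return findings
    if flow["src_zone"] == "enterprise":
        findings.append("enterprise host reaches OT directly, bypassing the DMZ")
    if flow["authenticated"] is False:
        findings.append(f"{flow['protocol']} carries no authentication")
    elif flow["authenticated"] is None:
        findings.append(f"{flow['protocol']}: authentication not established, confirm endpoint configuration")
    return findings


def build_inventory(text: str) -> list[dict]:
    """Parse every record and attach its findings, producing the boundary inventory."""
    inventory = []
    for line in text.strip().splitlines():
        flow = parse_flow(line)
        flow["findings"] = assess(flow)
        inventory.append(flow)
    return inventory


if __name__ == "__main__":
    for f in build_inventory(SAMPLE_FLOWS):
        status = "; ".join(f["findings"]) or "ok"
        print(f"{f['src_zone']:>10} -> {f['dst_zone']:<8} {f['protocol']:<10} {status}")
```

Run against a real flow export, the DMZ-to-control DNP3 entry is the interesting kind of result: the path is architecturally correct, yet the inventory still records that the protocol on it carries no authentication, which is exactly the exposure the paragraph above asks you to document rather than assume away.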

Supply Chain Compromise Targeting OT Vendors

Attackers increasingly target the software and hardware supply chains that feed OT environments. A compromised firmware update from an ICS vendor, a malicious library embedded in an HMI software package, or a backdoored engineering workstation shipped from a vendor can all deliver attacker access that bypasses network-level controls entirely.

MITRE ATT&CK for ICS documents supply chain compromise as a recognized initial access technique, and real-world incidents have demonstrated exactly how this path plays out against industrial targets.

Emerging Threats Reshaping the IT/OT Threat Landscape

Named Threat Groups with Proven OT Capabilities

The threat actor landscape targeting converged environments has matured significantly. These aren’t opportunistic criminals stumbling into OT systems. Several groups have demonstrated deliberate, sophisticated IT-to-OT pivot capabilities:

  • Sandworm (attributed to Russia’s GRU): Responsible for the 2015 and 2016 Ukraine power grid attacks, demonstrating the ability to manipulate OT systems to cause physical power outages.
  • Chernovite / PIPEDREAM: The malware framework discovered in 2022 and documented by Dragos and CISA, designed to interact directly with industrial protocols including Modbus and OPC-UA to manipulate PLCs and safety systems.
  • Xenotime: The group behind TRITON/TRISIS malware, which targeted safety instrumented systems (SIS) at a Middle Eastern petrochemical facility — the first malware specifically designed to disable industrial safety systems.
  • VOLTZITE: A threat group tracked by Dragos with demonstrated interest in electric utility OT environments, using living-off-the-land techniques to avoid detection.

Subscribe to ICS-CERT advisories and the Dragos Year in Review threat intelligence report to stay current on these groups’ evolving tactics and newly identified targets.

AI-Assisted Reconnaissance of Industrial Networks

Artificial intelligence is changing how attackers conduct reconnaissance against industrial environments. Automated scanning tools can now identify exposed OT devices, fingerprint industrial protocols, and map network topologies faster than any human analyst. Microsoft’s security research has highlighted AI agents as an emerging offensive capability — a concern echoed across the industrial security community heading into 2025 and 2026.

The ISA Annual Report 2025 spotlights a surge in OT-targeted incidents, and MITRE Caldera has released HVACSim specifically to help defenders train against OT attack scenarios without requiring physical hardware. That’s a telling signal: the threat has matured enough that the defensive training ecosystem is catching up.

IIoT Device Weaponization

The Industrial Internet of Things (IIoT) has added thousands of internet-connected sensors, gateways, and monitoring devices to OT environments. Some industry research suggests that roughly half of IoT devices contain critical vulnerabilities that attackers can readily exploit — though that figure varies significantly by device category and deployment context, so treat it as a directional concern rather than a precise benchmark.

What’s consistent is that IIoT devices often run embedded Linux or RTOS firmware with limited security controls, connect to both OT networks and cloud platforms, and receive firmware updates infrequently. They’re an attractive pivot point for attackers who want to move from cloud-connected infrastructure into OT networks without touching traditional IT systems at all.

Why OT Security Is Structurally Different — And Why That Matters for Defense

What makes OT networks more vulnerable when connected to IT systems?

OT networks become more vulnerable when connected to IT systems because they were built for reliability and determinism, not confidentiality and integrity verification. Adding IT connectivity exposes OT assets to threat actors who have decades of experience compromising IT environments but who now face OT targets that can’t be patched, can’t run modern security agents, and can’t tolerate the kind of network disruption that IT incident response takes for granted.

The Purdue Model provided a useful conceptual framework for segmenting industrial environments, but it was designed before cloud connectivity, remote work, and IIoT became standard. Modern converged environments routinely punch holes through Purdue Model zone boundaries for legitimate operational reasons, and those holes don’t always get closed or monitored. The model remains a useful reference for network architecture conversations, but it shouldn’t be treated as a security guarantee.

The Legacy Hardware Problem

Many OT environments run equipment with 20 to 30-year operational lifespans. A PLC installed in 2005 might run firmware that predates modern cryptographic standards entirely. The vendor may no longer exist. The engineering team that configured it may have left the company.

Patching isn’t just delayed — it’s sometimes literally impossible without replacing hardware that costs hundreds of thousands of dollars and requires a planned production shutdown to install. Standard IT security frameworks like NIST SP 800-53 assume a baseline of patchable, manageable assets. NIST SP 800-82 (Guide to OT Security) exists precisely because that assumption breaks down in industrial environments.

Practical Steps to Reduce Your IT/OT Attack Surface

How do you secure an IT/OT converged network?

Securing a converged IT/OT network requires layered controls that account for the unique constraints of OT environments: start with network segmentation and visibility, then build toward detection and response capabilities that don’t require touching production systems. Perfect security isn’t achievable here. The goal is meaningful risk reduction and operational resilience.

Here are the priorities that actually move the needle:

  1. Audit your IT/OT boundary segmentation. Download or bookmark a network segmentation checklist tailored to IT/OT boundary zones and audit your current VLAN and DMZ configurations against it. Many organizations discover that their “segmented” OT network has accumulated firewall exceptions over years of operational requests until the segmentation is effectively meaningless.
  2. Run a passive OT asset discovery scan. Tools like Claroty, Dragos Platform, and Nozomi Networks can identify every device on your OT network without sending active probes that could disrupt industrial processes. You can’t protect assets you don’t know exist, and shadow assets — devices added by OT engineers without IT security involvement — are a persistent blind spot.
  3. Implement privileged access management for vendor remote access. Every third-party vendor with remote access to OT assets should connect through a controlled, session-recorded gateway with time-limited credentials. Permanent always-on VPN access for vendors is one of the most common findings in OT security assessments.
  4. Check whether your SIEM ingests OT telemetry. If it doesn’t, attackers can move through your OT network without generating a single alert in your security operations center. Pilot an OT-aware monitoring solution in a non-production segment to understand what visibility you’re actually getting before assuming your existing tools cover industrial environments.
  5. Update your incident response playbook. Most IR playbooks are written for IT environments. Review and update yours to include OT-specific scenarios: PLC firmware tampering, HMI compromise, historian server encryption, and safety system manipulation. Your response actions in an OT incident are fundamentally different — isolating a PLC might stop a physical process in a way that creates safety hazards, so your playbook needs to account for that before an incident happens.
  6. Run a tabletop exercise with an OT scenario. Simulate a ransomware infection that pivots from an IT workstation into the OT historian and evaluate your team’s detection and containment response. The gaps that surface in a tabletop are far less costly to address than the gaps that surface during an actual incident.
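Items 1 and 3 above, together with the earlier advice that no direct routable path should exist from enterprise IT to OT control systems, can be checked mechanically against a firewall rule export. The following Python is an added example, not the article's own checklist or any vendor's tool: it walks a constructed ruleset, maps each rule's source and destination to Purdue zones from an assumed address plan, and reports enterprise-to-OT exceptions, any-port access into OT, and vendor VPN rules that never expire or have expired but remain in place. The ruleset, zone ranges and vendor VPN pool are constructed for illustration.

```python
"""Audit an IT/OT boundary firewall ruleset for segmentation drift.

Added example, not the article's own tooling: the ruleset and address plan
are constructed; adapt the zone ranges and the export format to your firewall.
"""
from __future__ import annotations
import ipaddress
from datetime import date

# Assumed address plan keyed to Purdue levels (constructed).
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),     # Levels 4-5
    "dmz":        ipaddress.ip_network("10.20.0.0/16"),    # Level 3.5 (historian)
    "control":    ipaddress.ip_network("10.30.0.0/16"),    # Levels 2-3
    "field":      ipaddress.ip_network("10.40.0.0/16"),    # Levels 0-1
    "vendor_vpn": ipaddress.ip_network("172.16.50.0/24"),  # vendor VPN address pool
}
OT = {"control", "field"}

# Constructed ruleset in the shape a firewall export often has:
# (id, source, destination, dport, action, expires as ISO date or None)
RULES = [
    ("R1", "10.1.0.0/16",    "10.20.0.5/32",  "443",  "allow", None),          # IT -> historian
    ("R2", "10.20.0.5/32",   "10.30.0.0/16",  "502",  "allow", None),          # historian -> PLCs
    ("R3", "10.1.5.77/32",   "10.30.0.15/32", "502",  "allow", None),          # old "temporary" exception
    ("R4", "172.16.50.0/24", "10.30.0.0/16",  "any",  "allow", None),          # vendor VPN, permanent
    ("R5", "172.16.50.0/24", "10.20.0.9/32",  "3389", "allow", "2025-02-01"),  # vendor jump host
    ("R6", "any",            "10.40.0.0/16",  "any",  "deny",  None),          # default deny to field
]


def zones_touched(cidr: str) -> set[str]:
    """Every zone a rule endpoint overlaps; 'any' matches all zones."""
    if cidr == "any":
        return set(ZONES) | {"any"}
    net = ipaddress.ip_network(cidr, strict=False)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}


def audit_rule(rule, today: date) -> list[str]:
    """Findings for one allow rule whose destination reaches an OT zone."""
    rid, src, dst, port, action, expires = rule
    findings = []
    if action != "allow":
        return findings
    src_z, dst_z = zones_touched(src), zones_touched(dst)
    if not dst_z & OT:
        return findings  # rules that never reach OT are out of scope here
    if "enterprise" in src_z:
        findings.append(f"{rid}: enterprise source reaches OT directly, bypassing the DMZ")
    if port == "any":
        findings.append(f"{rid}: any-port access into OT")
    if "vendor_vpn" in src_z and expires is None:
        findings.append(f"{rid}: vendor remote access with no expiry (not time-limited)")
    if "vendor_vpn" in src_z and expires and date.fromisoformat(expires) < today:
        findings.append(f"{rid}: vendor rule expired on {expires} but still present")
    return findings


def audit(rules, today: date = date(2025, 3, 1)) -> list[str]:
    """Run every rule through the checks and return the combined findings."""
    out = []
    for rule in rules:
        out.extend(audit_rule(rule, today))
    return out


if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

R2 passes because the historian in the DMZ is the sanctioned path into the control zone; R3 is the accumulated exception the checklist item describes, and R4 is the permanent vendor access that item 3 says should be replaced by a session-recorded gateway with time-limited credentials. A real export will need a small adapter from the firewall's format to the tuple shape used here.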

Reference IEC 62443 (the international standard for industrial cybersecurity) as your framework for evaluating these controls against an established baseline. It’s more operationally realistic for OT environments than frameworks built primarily around enterprise IT.

Building an IT/OT Security Program That Actually Holds Together

Bridging the IT/OT Cultural Divide

Technical controls fail when the organizational layer underneath them doesn’t support them. The IT/OT cultural divide is real and it undermines security programs even when the right tools are in place. OT engineers prioritize uptime above almost everything else.

They’ve watched IT security teams push changes that caused process disruptions, and they’re not wrong to be cautious. IT security teams, trained to patch aggressively and isolate compromised systems, often don’t understand why an OT operator’s resistance to a firewall rule change isn’t just obstinance — it’s a legitimate operational risk calculation.

Closing that divide starts with shared language. Schedule a cross-functional meeting between IT security and OT engineering to align on shared threat definitions, escalation paths, and decision rights when an incident occurs. Both teams need to understand what the other considers an acceptable response, and that conversation needs to happen before an attacker forces it.

Governance That Sustains the Program

Tactical controls without governance decay. Build a joint IT/OT security governance structure that includes representation from OT operations, IT security, and business leadership. Define ownership of OT assets clearly — ambiguity about who is responsible for a historian server’s security is how that server ends up unmonitored for years. Align your program with NIST SP 800-82 and IEC 62443 to give leadership a recognized framework for evaluating maturity and investment priorities.

The old air-gap model felt secure because physical isolation is easy to understand. IT and OT convergence has replaced that simple boundary with a complex, dynamic attack surface — but it’s also created the opportunity to build something more resilient. Converged environments with proper visibility, segmentation, and cross-functional governance are more defensible than isolated OT networks that nobody monitored because everyone assumed the air gap was holding. The threat is real, but so is the ability to manage it effectively.

Take the Next Step

Download the IT/OT Convergence Threat Assessment Checklist to guide your team through auditing network segmentation, identifying exposed attack vectors, and prioritizing remediation in your converged environment. Subscribe to the SpywarePoint threat intelligence newsletter for monthly updates on OT-targeting threat groups and ICS vulnerability disclosures.

Frequently Asked Questions

What are the biggest cybersecurity risks of IT and OT convergence?

The biggest risks are lateral movement from compromised IT systems into OT networks, exploitation of unauthenticated industrial protocols like Modbus TCP, uncontrolled vendor remote access, and legacy OT devices that can’t be patched. These vectors can result in production shutdowns, safety system failures, and physical damage to industrial equipment — consequences that go well beyond typical IT breaches.

How do attackers move from IT networks into OT systems?

Attackers typically gain initial access through phishing, credential stuffing, or VPN exploitation, then move laterally through the enterprise network until they reach a historian server or engineering workstation with connectivity to the OT zone. From there, they can issue commands to PLCs and SCADA systems using industrial protocols that carry no authentication requirements.

Which industries face the highest risk from IT/OT convergence attacks?

Energy and utilities, manufacturing, water and wastewater treatment, and oil and gas are the most actively targeted sectors. These industries combine high-value OT assets, significant legacy infrastructure, and operational consequences severe enough that attackers expect ransom payment or geopolitical disruption from successful attacks.

What is the Purdue Model and does it still apply to OT security?

The Purdue Model is a reference architecture that divides industrial environments into zones from field devices at Level 0 up to enterprise IT at Level 5. It remains a useful conceptual framework for network segmentation conversations, but modern cloud connectivity and IIoT deployments routinely bypass its zone boundaries, so it can’t be treated as a security guarantee without additional controls at each zone boundary.

What is MITRE ATT&CK for ICS and how should security teams use it?

MITRE ATT&CK for ICS is a publicly available knowledge base of tactics and techniques that threat actors use to compromise industrial control systems. Security teams use it to map their defensive controls against known attacker behaviors, identify gaps in detection coverage, and build OT-specific incident response playbooks. It’s the OT equivalent of the enterprise ATT&CK matrix most IT security teams already reference.

How is AI changing the threat to OT environments?

AI is accelerating attacker reconnaissance capabilities, allowing automated tools to identify exposed OT devices, fingerprint industrial protocols, and map network topologies at scale. Microsoft’s security research has flagged AI agents as an emerging offensive tool, and the OT security community is responding with new defensive training platforms like MITRE Caldera’s HVACSim, which lets defenders practice against OT attack scenarios without physical hardware.

What’s the first thing a security team should do to reduce IT/OT convergence risk?

Run a passive asset discovery scan on your OT network to build a complete inventory of every device, protocol, and data flow crossing your IT/OT boundary. You can’t prioritize risk or deploy controls against assets you don’t know exist. Tools like Claroty, Dragos, and Nozomi Networks perform this discovery without sending traffic that could disrupt industrial processes.