Introduction

As cyber threats evolve in complexity and frequency, the distinction between IT (Information Technology) and OT (Operational Technology) environments has never been more critical or more misunderstood. One of the most dangerous myths in industrial cybersecurity is that protecting OT systems is solely the responsibility of the IT department. This assumption is not only flawed, but also a recipe for disaster.

OT cybersecurity demands a distinct, purpose-built strategy that incorporates domain-specific expertise, risk modeling based on operational impact, and collaboration between IT and OT teams. In this blog, we’ll explore why assigning sole responsibility for OT cybersecurity to IT is a myth and how organizations can better structure their security practices to protect both digital assets and physical operations.

Understanding the Divide: IT vs. OT

Image – IT vs OT divide

IT: Focused on Data Integrity and Confidentiality

IT environments typically revolve around:

  • Business systems (e.g., email, databases, CRMs)
  • User authentication and access control
  • Data confidentiality, integrity, and availability (CIA triad)
  • Regulatory compliance (e.g., GDPR, HIPAA)

OT: Focused on Physical Processes and Safety

Operational Technology, by contrast, governs:

  • Industrial control systems (ICS)
  • Supervisory Control and Data Acquisition (SCADA) systems
  • Distributed Control Systems (DCS)
  • Safety Instrumented Systems (SIS)
  • Programmable Logic Controllers (PLCs)

OT’s core concerns are:

  • Safety of personnel
  • Availability and continuity of operations
  • Equipment reliability and process integrity

Image – Safety, Reliability, Productivity (SRP) Triad

The challenge emerges when cybersecurity is approached through a strictly IT-centric lens, where priorities revolve around confidentiality and data protection. In OT environments, however, the stakes are different. Availability, reliability, and deterministic system behavior take precedence. This fundamental mismatch calls for a purpose-built security strategy tailored to the unique demands of OT systems.

Why It’s a Myth: “OT Cybersecurity Is IT’s Job”

1. OT Systems Have Unique Requirements

OT systems:

  • Run on proprietary protocols (e.g., Modbus, DNP3)
  • Use legacy equipment with no built-in security
  • Require deterministic timing and low-latency communication
  • Often can’t be patched or rebooted without significant downtime

Assigning cybersecurity responsibilities for these assets to IT personnel, who may not fully understand these constraints, can lead to inappropriate security measures that disrupt operations or even create unsafe conditions

Case in Point: In 2017, malware infected Schneider Electric’s Triconex safety system at a petrochemical plant in the Middle East (Triton/Trisis malware). The attackers exploited a gap in the understanding between IT and OT roles, highlighting that OT systems require specialized security knowledge

Reference: MITRE ATT&CK for ICS – TRITON Case Study

2. IT Tools and Tactics Often Don’t Translate to OT

Standard IT tools, such as endpoint detection and response (EDR), vulnerability scans, or automated patching, can cause serious problems in OT networks:

  • Automated scans may overwhelm or crash legacy PLCs.
  • Patching without understanding operational dependencies can lead to downtime or unsafe states.
  • Antivirus software can consume resources or interfere with real-time processes.

Instead, OT environments require passive monitoring, behavior baselining, and asset-aware segmentation.

Available Tools: Claroty’s xDome, and Nozomi Networks Guardian offer passive network monitoring designed for ICS environments.

3. OT Risk Is Measured in Operational Impact, Not Data Loss

In IT, a security breach often means stolen or exposed data.
In OT, the stakes are far higher. A single cyber incident can lead to:

  • Production stoppages that halt revenue streams
  • Equipment damage costing millions in repairs or replacements
  • Environmental harm with regulatory and reputational fallout
  • Physical injury or loss of life — the most severe consequence of all
  • In OT environments, availability, reliability, and safety take precedence over confidentiality. This means risk modeling must focus on operational consequences, not just information security.
  • Framework Spotlight:
    • ISA/IEC 62443 – Is a globally recognized standard for OT cybersecurity. It addresses the unique needs of industrial systems with concepts like zones and conduits, defense-in-depth, and system integrity to protect critical operations.

4. IT Teams Lack Context for OT Operations

IT personnel often:

  • Lack visibility into OT asset inventories
  • Aren’t trained in control system logic or ladder diagrams
  • May not know the consequences of interrupting a control loop

Conversely, OT engineers often possess a deep understanding of their systems but may lack cybersecurity expertise.

Effective OT cybersecurity must be collaborative, integrating IT security knowledge with OT operational insight.

A Better Approach: Shared Responsibility, Specialized Roles

Rather than assigning OT security to IT, leading organizations are adopting converged cybersecurity models that align both disciplines while recognizing their unique needs. Some key practices are: 

1. Establish an OT Cybersecurity Program

This includes:

  • An inventory of OT assets and communication paths
  • Defined security zones (per ISA/IEC 62443)
  • Risk assessments using consequence-driven modeling (e.g., CCE – Consequence-driven Cyber-informed Engineering)

2. Build Cross-Functional Teams

Create a joint cybersecurity task force with:

  • Operations Maintenance Team
  • Production Operators
  • OT Engineers
  • IT Security Analysts
  • System Integrators
  • Safety Officers

This team :

  • Shares visibility across environments
  • Co-develops incident response plans
  • Regularly conducts tabletop exercises and red-team assessments

3. Implement Network Segmentation

Use firewalls and demilitarized zones (DMZs) to separate IT and OT networks. This helps:

  • Limit attack propagation
  • Enable safe data exchange (e.g., historian data or MES systems)
  • Create clear boundaries for monitoring and access control

Tool kits:

  • Firewalls
  • Managed Switches
  • Jump Hosts for remote access

4. Deploy Passive Monitoring and Anomaly Detection

Instead of intrusive scanning, use passive tools that:

  • Identify asset communication baselines
  • Detect deviations without impacting performance
  • Integrate with SIEMs for unified visibility

Vendors:

  • Claroty
  • Dragos
  • Forescout
  • Nozomi Networks
  • Tenable OT

5. Train OT Personnel in Cyber Hygiene

Equip operators and engineers with: 

  • Security awareness training tailored for ICSBasic threat detection skills (e.g., understanding unusual traffic patterns)
  • A cyber-first mindset during system upgrades and maintenance 

Training Providers: 

  • SANS OT/ICS Courses
  • CISA Advanced Cybersecurity for Industrial Control System
  • Tofino/Belden ICS Cybersecurity Fundamentals ICS Village (hands-on labs and capture-the-flag competitions)
  • Mike Holcombs Getting started with OT/ICS Cybersecurity

Common Pitfalls to Avoid

  • Assuming IT policies are effective in OT: Examples include forced password expiration and automated patching.
  • Relying on air gaps: Many “isolated” systems have been compromised due to USB devices, remote maintenance, or misconfigured firewalls.
  • Underfunding OT security: Security budgets often prioritize IT infrastructure, leaving critical OT systems vulnerable to security risks.

Real-World Incidents Highlight the Risk

  • Colonial Pipeline (2021):
    Though the attack targeted IT systems, the company shut down pipeline operations as a precaution, illustrating how IT/OT interdependencies affect critical infrastructure.
  • Ukraine Power Grid Attack (2015):
    Russian attackers employed spear-phishing and SCADA protocol manipulation to disrupt power, demonstrating a deep understanding of OT targeting.
  • Stuxnet (2010):
    Malware specifically designed to alter PLC logic while evading detection, underscoring the need for OT specific defenses.

Conclusion: OT Cybersecurity Is Everyone’s Job, But Not IT’s Alone

While IT teams play a critical role in an organization’s overall security posture, they are not equipped, nor should they be expected, to secure OT environments without specialized support. OT cybersecurity necessitates a cross-disciplinary approach that acknowledges the distinct physical, technical, and human factors inherent in industrial environments.

The future of critical infrastructure security depends on:

  • Breaking down the silos between IT and OT
  • Empowering operators with the tools and knowledge to secure their systems
  • Building governance structures that reflect the shared responsibility of both domains

By moving beyond the myth that “OT cybersecurity is IT’s job,” organizations can adopt more resilient, informed, and adaptive security strategies that protect not just data but people, processes, and the physical world itself.

At Enaxy, we specialize in bridging IT and OT security, helping organizations create unified governance, deploy effective controls, and train operators for the realities of today’s threat landscape.

Ready to align your IT and OT security strategies? Contact us at info@enaxy.com to get started.