Securing IT and OT convergence in industrial systems
Quick summary
The air gap that once separated industrial control systems from corporate IT has effectively disappeared. As OT and IT converge, the security model has to shift from isolation to segmentation, visibility and zero trust, with frameworks like IEC 62443 and regulations like NIS2 setting the direction.
Introduction
For decades, operational technology was protected by being separate. Control systems ran on isolated networks, physically and logically apart from the corporate IT that handled email and enterprise software. That separation, the air gap, was the foundation of industrial security.
It no longer holds. The rise of industrial IoT, cloud analytics and remote access has stitched OT and IT together, because the business value of connected operations is too great to forgo. The result is a converged environment that is more capable and more exposed at the same time, and securing it requires a fundamentally different approach.
Why the air gap no longer exists
The air gap eroded for practical reasons. Plants adopted industrial IoT and edge computing, vendors and integrators required remote access, and operators wanted real-time data flowing to enterprise systems for analysis. Each of these is a legitimate business need, and collectively they connected networks that were once isolated.
The exposure this creates is no longer theoretical. ENISA's 2025 threat landscape, which analysed nearly 4,900 incidents across the EU, records growing intent among threat actors to target operational technology, including claimed attacks on energy and water management interfaces (ENISA, 2025). The reason this matters is that convergence has handed attackers a path: a foothold in IT can become a route into OT if the boundary between them is weak.
Convergence did not weaken industrial security by accident; it removed isolation, the single control that the old model depended on entirely.
That is why pretending the air gap still exists is the most dangerous posture an operator can take. The connections are real, and the security model has to account for them.
Takeaway: Industrial IoT, cloud and remote access have dissolved the air gap, so the old isolation-based security model has been replaced by exposure that attackers actively probe.
The Purdue model and its modern evolution
The Purdue Enterprise Reference Architecture has been the dominant mental model for industrial network design for decades. It divides a plant into layers, from the physical process at the lowest level up through control systems to enterprise IT at the top, with a demilitarised zone mediating between OT and IT. Its purpose was to enforce a clear, hierarchical separation.
Convergence has forced the model to adapt rather than disappear. Sensors now send data directly to the cloud, remote access reaches deep into control layers, and virtualisation has moved into OT, all of which blur the clean boundaries the original model assumed. The contemporary view treats Purdue not as a rigid wiring diagram but as a conceptual guide to segmentation, combined with the zones and conduits approach of IEC 62443.
The practical engineering of these boundaries, deciding which systems belong in which zone and how data may cross between them, is where secure integration across the IT/OT boundary becomes the decisive skill. A segmentation model is only as good as the conduits that enforce it under real operating conditions.
Takeaway: The Purdue model survives as a conceptual segmentation guide rather than a rigid blueprint, and it now works best combined with the zones and conduits approach of IEC 62443.
Where convergence creates risk
Converged environments fail in characteristic ways, and understanding them is half the battle. The most common weaknesses include:
- Visibility gaps, where OT traffic is not monitored and intrusions go unseen
- Lateral movement, where an attacker pivots from a compromised IT system into OT
- Unmanaged remote access, where vendor and support connections bypass controls
- Flat networks, where insufficient segmentation lets a breach spread unchecked
Visibility is the foundational problem. According to ENISA, 32 percent of energy sector operators do not have a single critical OT process monitored by a security operations centre, and only 52 percent integrate OT and IT under one monitoring function (ENISA, 2024). The implication is stark: a large share of operators cannot see what is happening in the very environment convergence has exposed.
Without visibility, every other control is weakened. Segmentation that is never monitored, access policies that are never reviewed, and alerts that no one receives provide a false sense of security rather than real protection.
Takeaway: Converged environments fail through visibility gaps, lateral movement and flat networks, and the absence of OT monitoring at many operators is the weakness that undermines every other control.
Segmentation, zones and zero trust
The constructive response to convergence is layered. Segmentation remains the backbone: dividing the environment into zones based on criticality and controlling the conduits between them, so a compromise in one area cannot freely reach another. An industrial demilitarised zone provides a controlled, inspected interface between OT and IT rather than a direct connection.
Zero trust adds the modern principle that no user, device or connection is inherently trusted, even inside the perimeter. In an OT context this must be applied with care, because control systems have real-time requirements and legacy limitations that blanket IT-style controls can disrupt. Access controls and authentication have to preserve the operational continuity the plant depends on.
IEC 62443 ties these ideas into a coherent framework, with its zones and conduits model and its security levels matched to risk. The reason this matters is that it lets operators apply the strongest controls to the most critical assets, such as safety systems, while using proportionate measures elsewhere, avoiding both underprotection and operational disruption.
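As an added illustration (not code from the original post), the following Python model expresses the zones-and-conduits policy described in this section, using the Purdue levels from the section above, and runs it over constructed flow records to surface the failure modes listed under "Where convergence creates risk": IT traffic bypassing the IDMZ, zone boundaries crossed without an approved conduit, zones the SOC does not watch, and assets missing from the inventory. The zone names, subnets and protocols are assumptions chosen for the example.

```python
import ipaddress

# Constructed zone model (not a real plant): Purdue level and whether the SOC sees the zone.
ZONES = {
    "enterprise":  {"level": 4,   "monitored": True},
    "idmz":        {"level": 3.5, "monitored": True},
    "supervisory": {"level": 2,   "monitored": True},
    "control":     {"level": 1,   "monitored": False},
    "safety":      {"level": 1,   "monitored": False},
}
# Permitted conduits (source zone, destination zone, protocol); note there is no enterprise-to-OT entry.
CONDUITS = {("enterprise", "idmz", "https"), ("idmz", "supervisory", "opcua"),
            ("supervisory", "control", "modbus")}
# Constructed address plan mapping subnets to zones (stands in for the asset inventory).
SUBNETS = {ipaddress.ip_network(n): z for n, z in [("10.0.0.0/16", "enterprise"),
    ("10.1.0.0/24", "idmz"), ("192.168.10.0/24", "supervisory"),
    ("192.168.20.0/24", "control"), ("192.168.30.0/24", "safety")]}

def zone_of(ip):
    """Map an address to its zone, or 'unknown' if the inventory has no entry for it."""
    addr = ipaddress.ip_address(ip)
    return next((z for net, z in SUBNETS.items() if addr in net), "unknown")

def assess_flow(src, dst, proto):
    """Return the findings for one observed flow; an empty list means it conforms to policy."""
    s, d = zone_of(src), zone_of(dst)
    zs, zd = ZONES.get(s, {}), ZONES.get(d, {})
    findings = []
    if "unknown" in (s, d):
        findings.append("unknown_asset")   # inventory gap: asset cannot be placed in a zone
    if s != d and (s, d, proto) not in CONDUITS:
        findings.append("no_conduit")      # zone boundary crossed without an approved conduit
    if zs.get("level", 0) >= 4 and zd.get("level", 5) <= 3:
        findings.append("idmz_bypass")     # IT reaching OT directly: the lateral-movement path
    if not (zs.get("monitored") and zd.get("monitored")):
        findings.append("visibility_gap")  # one end sits in a zone the SOC does not watch
    return findings

# Constructed (src, dst, protocol) records, as a firewall log export might provide.
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.1.0.10", "https"),        # enterprise -> IDMZ, via approved conduit
    ("10.1.0.10", "192.168.10.5", "opcua"),     # IDMZ -> supervisory, via approved conduit
    ("10.0.5.20", "192.168.20.7", "modbus"),    # enterprise straight into control
    ("192.168.10.5", "192.168.30.2", "modbus"), # supervisory into safety, no conduit
    ("172.16.1.9", "192.168.20.7", "modbus"),   # device missing from inventory into control
]

def assess_flows(flows=SAMPLE_FLOWS):
    results = {f: assess_flow(*f) for f in flows}
    return {f: r for f, r in results.items() if r}  # keep only flows that produced findings
```

Running `assess_flows()` on the constructed records flags the three non-conformant flows and passes the two that use approved conduits; in practice the zone and subnet tables would come from the plant's asset inventory and the flows from firewall or network-monitoring exports.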
Takeaway: Effective convergence security layers risk-based segmentation, inspected IT-to-OT interfaces and carefully applied zero trust, with IEC 62443 providing the framework that matches controls to criticality.
Aligning convergence security with regulation
Securing convergence is increasingly a legal obligation, not just good practice. The NIS2 Directive requires essential and important entities to manage risk across both IT and OT, and its Article 21 expectations on risk management and network security map directly onto the work of segmenting and monitoring a converged environment (European Commission, 2025).
For the electricity sector specifically, the Network Code on Cybersecurity adds a directly applicable layer of obligations, and IEC 62443 is widely used as the technical means of meeting both. The interpretive point is that the same architecture that makes a converged plant secure also makes it compliant, so the two goals reinforce rather than compete with each other.
This alignment is an opportunity. An operator that builds genuine OT visibility and risk-based segmentation is not only harder to attack but also far better placed to demonstrate compliance when a regulator or auditor asks.
Takeaway: NIS2 and, for electricity, the Network Code on Cybersecurity turn convergence security into a legal duty, and the architecture that secures a converged plant is largely the same one that proves compliance.
Conclusion
IT and OT convergence is not a future risk to plan for; it is the present reality of industrial operations. The air gap is gone, the exposure is real, and attackers are increasingly aiming at the control layer.
The path forward replaces isolation with visibility, segmentation and zero trust, structured through IEC 62443 and aligned with NIS2 and sector rules. For operators across the Nordics, DACH and the wider EU, building that capability is what turns convergence from a liability into the safe foundation for connected, data-driven operations.
FAQ
What is IT/OT convergence and why is it a security concern?
IT/OT convergence is the integration of operational technology, such as control systems and industrial equipment, with corporate information technology and cloud systems. It is a security concern because it removes the isolation, or air gap, that once protected OT. A foothold in IT can become a route into OT, and ENISA's data shows attackers increasingly target operational technology as these environments connect.
Is the Purdue model still relevant for OT security?
Yes, but in an evolved form. The Purdue model remains a valuable conceptual guide to network segmentation, but its original assumption of rigid, air-gapped layers no longer matches reality. Modern practice treats it as a segmentation guide combined with the zones and conduits approach of IEC 62443, accommodating cloud connectivity, remote access and industrial IoT.
How do you secure a converged IT/OT environment?
The core measures are risk-based segmentation into zones with controlled conduits between them, an industrial demilitarised zone providing an inspected interface between OT and IT, comprehensive monitoring of OT traffic, and carefully applied zero trust principles that respect real-time and legacy constraints. IEC 62443 provides the framework for matching the strength of controls to the criticality of each asset.
How does IT/OT convergence relate to NIS2 compliance?
NIS2 requires essential and important entities to manage cybersecurity risk across both IT and OT environments. Its Article 21 expectations on risk management and network security align closely with the segmentation and monitoring needed to secure convergence. For the electricity sector, the directly applicable Network Code on Cybersecurity adds further obligations, and IEC 62443 is commonly used to meet both.
Sources
- ENISA Threat Landscape 2025 – ENISA – 2025 – https://www.enisa.europa.eu/topics/cyber-threats/threat-landscape
- Cyber Europe tests the EU cyber preparedness in the energy sector (NIS Investments findings) – ENISA – 2024 – https://www.enisa.europa.eu/news/cyber-europe-tests-the-eu-cyber-preparedness-in-the-energy-sector
- Understanding IEC 62443 (zones, conduits and risk-based approach) – IEC – 2021 – https://www.iec.ch/blog/understanding-iec-62443
- NIS2 Directive, scope and risk management obligations – European Commission – 2025 – https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
