Ronald Beiboer: “You can’t protect what you can’t see. To truly secure critical infrastructures, IT and OT must break down their silos and work together.”

In many industrial environments, OT teams work primarily to keep production lines running, ensuring the highest availability of systems like programmable logic controllers (PLCs) and SCADA devices. IT, on the other hand, is typically tasked with securing and optimizing office networks, data centers, and cloud solutions. While each side has different objectives and expertise, the growing complexity of cyber threats—and the rising interconnectivity between IT and OT systems—means that this long-standing divide is no longer feasible. We spoke about this topic with Ronald Beiboer, Solutions Engineer at Splunk.

“In an OT context, availability is king”

A primary source of tension comes from the different priorities in each department. The OT staff focuses on keeping manufacturing and production environments continuously available, as every minute of downtime translates to significant costs and, more importantly, potential risks to human safety. IT teams concentrate on data confidentiality and integrity. Balancing both is essential.

Ronald explains: “In an OT context, availability is king. On the IT side, teams tend to emphasize new features and confidentiality. Because these are two different mindsets, many organizations are still structured so that OT and IT work in complete isolation.”

Bridging the gap is more urgent than ever

Beyond traditional attacks, organizations now face rapidly evolving threats that take aim at critical infrastructure. The rise in geopolitical tensions, sophisticated ransomware campaigns, and malicious insider threats all underscore the importance of protecting production environments. Ronald emphasizes:

“We’re seeing more focus on public sector and utilities in particular. Recent global events have accelerated the need for comprehensive security. It’s no longer enough to secure IT and OT separately—companies risk missing entire attack paths.”

Connecting distinct data sources with Splunk

Splunk’s flexibility is a key strength when bridging the IT-OT divide. Known as a robust data analytics and SIEM platform, Splunk can take in data from any source, in any format, at any scale. Ronald says: “Splunk’s core advantage is its ability to process ‘any data.’ Whether that’s logs from a Windows server or specialized data from OT monitoring tools, Splunk can unify it. This cross-environment visibility is critical when you’re combining IT and OT security.”

The platform can be deployed either on-premises, which is a popular choice for sensitive industrial environments that may be reluctant to push data to the cloud, or in private/public cloud environments, depending on organizational needs.

Key functionalities for OT incident response

Traditional OT-specific solutions often generate a flood of alerts but retain only minimal historical data. OT teams can struggle with “alert fatigue” and lack the capability for robust forensic analysis. “Many OT solutions don’t store data long-term and flood you with alerts. By integrating these tools into Splunk, you maintain the context you need for threat hunting or forensic work, and you only see the alerts that truly matter.” Splunk helps solve these pain points by:

  1. Alert noise reduction: Splunk can correlate alerts from various sources and filter out low-risk or duplicated events. Analysts get fewer, more meaningful alerts.
  2. Long-term data retention: Splunk scales to keep historical logs and sensor data far longer than many point solutions. This extensive data retention is critical for forensics and post-incident investigations.
  3. Easy integration with OT tools: Many industrial security vendors plug directly into Splunk. This creates a central console for both IT and OT events.
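The three points above describe what a central SIEM does with OT and IT alerts: collapse duplicates, drop low-risk noise, and correlate the rest across environments. The block below is an added illustration of that pipeline in plain Python, not Splunk code and not anything from Fox Crypto; the alert records, their field names (source, ts, asset, severity, signature, src_ip, dst_ip) and the thresholds are constructed assumptions. It also covers the "full attack-path visibility" point made later on this page: the correlation step links an endpoint alert on an engineering workstation to later OT-monitor alerts about the same host talking to a PLC.

```python
"""Alert noise reduction and IT->OT correlation over constructed sample alerts.

Added example (not Splunk's or Fox Crypto's code). Field names, sources,
IP addresses, severities and time windows are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from an EDR, a firewall and a passive OT monitor.
SAMPLE_ALERTS = [
    {"source": "edr", "ts": "2024-03-01T08:00:05", "asset": "eng-ws-07", "severity": 7,
     "signature": "Suspicious PowerShell download", "src_ip": "10.1.5.17", "dst_ip": "203.0.113.9"},
    {"source": "edr", "ts": "2024-03-01T08:00:06", "asset": "eng-ws-07", "severity": 7,
     "signature": "Suspicious PowerShell download", "src_ip": "10.1.5.17", "dst_ip": "203.0.113.9"},
    {"source": "fw", "ts": "2024-03-01T08:03:10", "asset": "fw-dmz", "severity": 2,
     "signature": "Allowed outbound HTTP", "src_ip": "10.1.5.17", "dst_ip": "203.0.113.9"},
    {"source": "ot-monitor", "ts": "2024-03-01T08:07:40", "asset": "plc-line3", "severity": 5,
     "signature": "New Modbus client observed", "src_ip": "10.1.5.17", "dst_ip": "10.20.3.11"},
    {"source": "ot-monitor", "ts": "2024-03-01T08:09:02", "asset": "plc-line3", "severity": 8,
     "signature": "Modbus write to holding registers", "src_ip": "10.1.5.17", "dst_ip": "10.20.3.11"},
    {"source": "ot-monitor", "ts": "2024-03-01T08:09:03", "asset": "plc-line3", "severity": 8,
     "signature": "Modbus write to holding registers", "src_ip": "10.1.5.17", "dst_ip": "10.20.3.11"},
    {"source": "ot-monitor", "ts": "2024-03-01T12:00:00", "asset": "plc-line1", "severity": 3,
     "signature": "Firmware version poll", "src_ip": "10.20.3.50", "dst_ip": "10.20.3.5"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def dedupe(alerts, window=timedelta(minutes=5)):
    """Collapse repeats of the same (source, asset, signature, src, dst) that fall
    within `window` of the previous occurrence into one record with a count."""
    seen, out = {}, []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["source"], a["asset"], a["signature"], a["src_ip"], a["dst_ip"])
        prev = seen.get(key)
        if prev is not None and parse_ts(a["ts"]) - parse_ts(prev["last_ts"]) <= window:
            prev["count"] += 1
            prev["last_ts"] = a["ts"]
            continue
        merged = dict(a, count=1, last_ts=a["ts"])  # copy; input list is left untouched
        seen[key] = merged
        out.append(merged)
    return out


def filter_low_risk(alerts, min_severity=4):
    """Drop alerts below the severity floor (the "low-risk events" of the text)."""
    return [a for a in alerts if a["severity"] >= min_severity]


def correlate_it_to_ot(alerts, window=timedelta(hours=1)):
    """Group OT-monitor alerts by the IT-side host that produced them and attach
    any IT alerts about that host from the preceding `window`. The result is the
    attack path: IT host compromised, then the same host reaching into OT."""
    ot_by_host = defaultdict(list)
    for a in alerts:
        if a["source"] == "ot-monitor":
            ot_by_host[a["src_ip"]].append(a)
    chains = {}
    for host, ot_alerts in ot_by_host.items():
        first_ot = min(parse_ts(a["ts"]) for a in ot_alerts)
        it_alerts = [a for a in alerts
                     if a["source"] != "ot-monitor" and a["src_ip"] == host
                     and timedelta(0) <= first_ot - parse_ts(a["ts"]) <= window]
        if it_alerts:
            chains[host] = {"it_alerts": it_alerts, "ot_alerts": ot_alerts}
    return chains


def triage(alerts):
    """Full pipeline: dedupe -> severity filter -> cross-environment correlation."""
    reduced = filter_low_risk(dedupe(alerts))
    return reduced, correlate_it_to_ot(reduced)


if __name__ == "__main__":
    reduced, chains = triage(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(reduced)} after triage")
    for host, chain in chains.items():
        print(f"pivot host {host}: {len(chain['it_alerts'])} IT alert(s) "
              f"followed by {len(chain['ot_alerts'])} OT alert(s)")
```

The seven raw alerts reduce to three after deduplication and the severity floor, and the correlation step ties the workstation's EDR alert to the two OT alerts about the same host, which is the context an analyst needs to answer "how did the attacker get from IT to the PLC". The PLC firmware poll on a different host is left out because nothing on the IT side precedes it; an OT-only event that lacks an IT precursor is not an error, just a chain with a single link.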

For organizations handling particularly sensitive data, the DataDiode creates a one-way stream that allows monitoring data to be pulled out of the OT environment and correlated with IT data, all while preventing network traffic from flowing back into the OT environment. This ensures that, while OT data is monitored and analyzed for security, no malicious traffic can use the connection as a backdoor to compromise critical systems.

However, many data-centric solutions (including Splunk) traditionally require bi-directional communication to acknowledge data transmission. Fox Crypto bridges this challenge by deploying a Splunk Replicator within the DataDiode architecture.

“A DataDiode enforces one-way traffic—fantastic for security, but it can disrupt tools that rely on two-way acknowledgment. Fox Crypto’s Splunk Replicator effectively simulates the ‘return path,’ enabling logs to be ingested into Splunk while preserving the diode’s strict one-way flow. It’s an elegant solution that maintains the integrity of both systems.”
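The two paragraphs above describe the design problem: a forwarder that waits for an acknowledgment cannot work across a link that physically carries nothing back, so the acknowledgment has to be produced on the sending side. The block below is an added, simplified model of that pattern; it is not Fox Crypto's Splunk Replicator or DataDiode code, and the sender, proxy, receiver roles, the ack convention and the sequence-gap check are assumptions made for the example. It also shows the caveat a practitioner should keep in mind: a locally generated ack says nothing about delivery, so the low side needs its own way (here, sequence numbers) to notice loss.

```python
"""One-way log forwarding with a locally simulated acknowledgment.

Added illustration, not vendor code. Roles, ack protocol and the gap check are
assumptions for the example; the log lines are constructed.
"""
from dataclasses import dataclass


@dataclass
class Message:
    seq: int
    body: str


class OneWayLink:
    """Models the diode: data moves from the OT side to the IT side only. There is
    deliberately no method for sending anything back. `drop_seqs` is a constructed
    loss pattern used to demonstrate the receiver's gap detection."""
    def __init__(self, drop_seqs=()):
        self.drop_seqs = set(drop_seqs)
        self.delivered = []

    def push(self, msg):
        if msg.seq not in self.drop_seqs:
            self.delivered.append(msg)


class AckRequiringSender:
    """A forwarder that will not move to the next line until it has seen an ack."""
    def __init__(self, transport):
        self.transport = transport  # object with send(body) -> bool (ack seen?)
        self.sent = 0
        self.stalled = False

    def forward(self, lines):
        for line in lines:
            if not self.transport.send(line):
                self.stalled = True  # ack timed out; the forwarder blocks here
                return self.sent
            self.sent += 1
        return self.sent


class NoAckTransport:
    """Sender attached directly to the diode: the message goes through, but the ack
    it waits for can never arrive, so send() reports a timeout."""
    def __init__(self, link):
        self.link = link

    def send(self, body):
        self.link.push(Message(0, body))
        return False


class LocalAckProxy:
    """Sits on the sending side: numbers each message, pushes it through the
    one-way link and answers the sender's ack itself. The ack never crosses the
    diode; it is produced here."""
    def __init__(self, link):
        self.link = link
        self.next_seq = 1

    def send(self, body):
        self.link.push(Message(self.next_seq, body))
        self.next_seq += 1
        return True


class GapDetectingReceiver:
    """Low-side ingester: because acks are synthetic, it tracks sequence numbers
    and records any range that never arrived."""
    def __init__(self):
        self.expected = 1
        self.gaps = []
        self.received = []

    def ingest(self, msgs):
        for m in msgs:
            if m.seq > self.expected:
                self.gaps.append((self.expected, m.seq - 1))
            self.expected = m.seq + 1
            self.received.append(m.body)
        return self.received


# Constructed sample log lines from the OT side.
SAMPLE_LINES = [
    "<134>plc-line3 modbus: client 10.1.5.17 connected",
    "<134>plc-line3 modbus: read holding registers 40001-40010",
    "<132>plc-line3 modbus: write holding register 40005 value=1",
    "<134>plc-line3 modbus: client 10.1.5.17 disconnected",
]


def run_demo(lines, drop_seqs=(), use_proxy=True):
    """Run the sender over the one-way link, with or without the local ack proxy."""
    link = OneWayLink(drop_seqs)
    transport = LocalAckProxy(link) if use_proxy else NoAckTransport(link)
    sender = AckRequiringSender(transport)
    sent = sender.forward(lines)
    rx = GapDetectingReceiver()
    received = rx.ingest(link.delivered)
    return {"sent": sent, "stalled": sender.stalled,
            "received": received, "gaps": rx.gaps}


if __name__ == "__main__":
    print("direct over diode:", run_demo(SAMPLE_LINES, use_proxy=False))
    print("with local ack proxy:", run_demo(SAMPLE_LINES))
    print("proxy, one message lost:", run_demo(SAMPLE_LINES, drop_seqs={3}))
```

Without the proxy the forwarder stalls on its first line, which is the disruption the quote describes; with the proxy all four lines cross and the sender is satisfied. The third run drops one message in transit to make the point that the sender still reports success, so the receiving side has to detect the missing sequence range itself and raise it as an operational alert rather than trusting the ack.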

Use cases: Tackling OT security at scale

Ronald describes a typical scenario: an OT security team deploys a specialized monitoring tool, but it captures only a small slice of events. Flooded by alerts, the team lacks context on how an attacker entered or pivoted. “When a real incident hits, you need to piece everything together—otherwise you waste time. With Splunk, you keep your data long enough to answer the tough forensic questions. That’s a game-changer in critical OT environments.”

By extending logging and correlation to Splunk, such teams benefit from:

  • Full attack-path visibility: OT and IT logs in one place, showing how threats move from a compromised IT device to a PLC, for example.
  • Improved analyst efficiency: Analysts handle fewer, higher-fidelity alerts and have deeper forensic data available.
  • Streamlined incident response: Should an organization need external support—like an incident response team—having historical data in Splunk drastically speeds up investigations.

The future of OT security

Looking forward, Ronald predicts a continued push for IT-OT convergence, especially as global tensions and threat actors become more sophisticated. Organizations that keep OT security isolated will face higher risks, inefficiencies, and the possibility of blind spots.

“Many companies are only just now starting to invest in OT security. The next natural step is combining IT and OT security to reduce operational costs and gain visibility into every aspect of the attack surface.”

A crucial part of this evolution is organizational alignment at the leadership level. Without strong C-level buy-in to unify IT and OT teams—sharing best practices, tool sets, and data—security strategies will remain fragmented. This vision is vital for bridging the gap and ensuring that security becomes an integrated part of the organization’s overall strategy, rather than just a technical concern.