As digital and physical systems become increasingly intertwined, organizations face a major challenge: how can IT and OT operate securely both side by side and in collaboration?
The pressure to integrate both worlds is mounting, but in practice, this integration proves to be highly complex. Different priorities, technologies, and cultures make secure cooperation between IT and OT far from straightforward.
According to Jef Pauwels, Project Manager at Fox Crypto, the lack of mutual understanding between IT and OT is one of the biggest stumbling blocks.
“IT and OT have different priorities, different cultures, different standards — and as long as we ignore that, we’ll keep playing catch-up.”
The gap between OT and IT: more than just technology
For anyone who still thinks IT security measures can simply be copied into an OT environment, Jef has a clear message: “IT is not the same as OT.” He says assumptions are often made that don’t match the reality of operational technology.
“What I often see happening is that OT is treated like an IT system. But the OT environment is built differently, managed differently, and sometimes runs on technology that’s twenty years old or more — and that’s totally fine.”
This gap isn’t just technical, but also organizational. “In OT, everything revolves around process availability. In IT, it’s often about confidentiality and integrity. If those priorities aren’t aligned, you’ll get friction. A security update coming from IT might be seen as a risk in OT.”
Visibility as the foundation of security
The first problem Jef regularly encounters in the business world: no one really knows what’s running. “In many cases, companies don’t have sufficient visibility into what’s on their network at any given moment. If you don’t know what’s in your network, how are you going to secure it?”
This lack of visibility makes it impossible to implement targeted measures.
“Asset management is often seen as boring and procedural, but it’s truly the foundation. Without it, you simply don’t know what you’re dealing with.”
He also notes that OT systems often still operate under the illusion of an ‘air gap.’ “People think: if the network isn’t connected to the internet, it’s safe. But we often see that’s not entirely true. Someone brings a laptop everywhere, maybe plugs in a USB stick, runs an update from an external device — and the air gap is already broken. So, you need to think beyond just physical segmentation.”
Trust, communication, and shared responsibility
One key message Jef wants to share: the solution isn’t just in technology, but mainly in collaboration. “Security is a shared responsibility, but it has to grow. You need to get the right people at the table and make sure OT and IT understand each other. That also means: learning to speak each other’s language.”
He gives the example of organizations where IT imposes a security policy on OT without involving OT in the process. “That doesn’t work. You need to understand the impact of a measure. In OT, a bad update can lead to a production shutdown. That risk is too high.” That’s why he advocates for a step-by-step, context-driven approach. “You shouldn’t try to change everything at once. Look at what’s really needed and build from there.”
He also emphasizes the importance of process-oriented thinking.
“Security is not a product, it’s a process. It’s about continuously improving, adapting to the reality of your organization, and above all: working together.”
Sign up for the webinar on June 12
Jef’s insights are more relevant than ever. IT/OT integration is on the rise, as are the vulnerabilities that come with it. Want to learn how to shape that integration in a safe, sustainable way?
During this webinar, experts from Fox-IT, Batenburg Techniek, and Splunk will share practical examples, current threat landscapes, and technical solutions to successfully bridge the gap between IT and OT — without compromising on security or continuity.