IT/OT Convergence: How CISOs Regain Control Across Connected Environments

As IT and OT converge, identity and privileged access become the primary risk surface. Learn how to assess maturity and reduce converged risk without disrupting operations.

Joseph Carson | Author

February 19, 2026 | 11 minutes read


    What to Expect in This Article

    This article walks through what IT/OT convergence really looks like in practice, based on real-world experience in critical infrastructure and Industry 4.0 environments. It focuses on why identity and privileged access have become the main risk across connected environments, where common assumptions break down, and how CISOs can start reducing risk without disrupting operations.

    You’ll find practical examples, lessons learned from the field, and clear guidance on how to take the first steps toward stronger identity security across information technology (IT) and operational technology (OT), including OT security, industrial control systems, and industrial internet of things (IIoT) deployments that are increasingly focused on data, network connectivity, and real-time insights from the factory floor.


    The Risks of Siloed IT, OT, and IoT Environments

    Segmentation Made Security Feel Manageable


    For most of my career, security felt manageable because it was segmented. IT had its problems, OT had its own priorities, and IoT was something that arrived later, usually driven by digital transformation and convenience rather than security. 

    Each environment came with different risks, different owners, and different assumptions about what mattered most. As long as those assumptions held, security teams could cope, focusing only on what they managed directly rather than what other teams introduced, often through OT-focused initiatives, predictive maintenance programs, or new IIoT sensors designed to collect real-time data from operational environments. 

    What changed wasn’t a sudden technological shift. It was the slow erosion of network separation.

    • Network connectivity increased quietly. 
    • Remote access became normal. 
    • Sensors began feeding data into analytics platforms in the cloud or located in third-party data centers. As more data is collected from operational systems, it increasingly flows into enterprise dashboards and cloud services.
    • Operational systems and industrial control systems started talking directly to enterprise systems. 
    • Identity systems that were once purely “IT” suddenly sat in the middle of everything, enabling integration that supports automation, predictive maintenance, and business-driven outcomes.

    By the time many organizations realized what was happening, IT, OT, and IoT were no longer separate environments. They were one interconnected system, in which integration enables efficiency but also concentrates risk, and it was being secured by teams that were still thinking in silos.

    The Power Station Lesson: When Isolation Isn’t Protection


    I first felt the weight of that reality during a penetration test at a power station. On paper and physically, it looked like a textbook example of good operational security, and it was a real fortress. The OT network was segmented. Firewalls were in place. 

    There was a strong belief that critical industrial control systems were isolated and therefore protected. But as is often the case, the real story wasn’t in the diagrams. It was in how people worked.

    In the control room, sitting openly on a desk, was a printed spreadsheet. It contained system names, usernames, and passwords. Some credentials were shared between engineers. Some were default. Others had clearly been reused for years, and yes, at least four years.

    There was no intent to hide it, because no one saw it as dangerous. The prevailing belief was simple: even if someone had these credentials, they couldn’t be used outside the OT network. Segregation was assumed to be sufficient. OT security was equated with isolation, not with identity or data security.

    That moment stayed with me, not because it was shocking, but because it was so familiar. 

    I’ve seen variations of that spreadsheet in factories, utilities, hospitals, and transport environments across the world. Sometimes it’s printed. Sometimes it’s stored on a shared drive. Sometimes it’s saved in a Notes app in a folder on the desktop. 

    The format changes, but the assumption is always the same. Identity is treated as secondary because the network is assumed to be the primary control, even as environments become more connected, data-driven, and focused on real-time operational data.

    IIoT at Scale: Business Success, Identity Fragility


    Not long before the power station, I encountered the same mindset in a completely different context while assessing a ship management company. 

    This time, the focus wasn’t on OT systems in a power station, but on IIoT devices deployed across an entire infrastructure to reduce energy costs, enable predictive maintenance, and deliver improved efficiency.

    From a business perspective, it was a success story. From a security perspective, it was fragile.

    Many of those devices were still using default configurations and default passwords. They were deployed quickly, at scale, and then largely forgotten from an identity perspective. They weren’t considered “users” in the traditional sense, and they weren’t treated as privileged systems, even though they had persistent access to production networks. 

    Once again, the assumption was that segregation and obscurity would limit risk. Once again, identity was the unprotected link.

    Attackers Don’t See Silos. They See Identity Paths.


    These experiences, repeated across industries, shaped how I think about convergence today. The real risk of IT, OT, and IoT convergence isn’t connectivity itself. It’s the persistence of old assumptions about trust, carried into environments built to support digital transformation, Industry 4.0, and always-on data flows.

    In my experience, many OT convergence challenges stem from legacy assumptions about trust and ownership, not integration. Attackers understand this better than most defenders. They don’t approach environments the way organizations structure them. They don’t see IT here and OT there. They see identity paths. They look for credentials that are reused, shared, forgotten, or overly privileged. 

    Once they find a way to authenticate, segmentation becomes less relevant. Movement across environments becomes a matter of opportunity rather than effort.

    Different environments. Same risk. Identity was trusted because segregation was assumed.


    IT/OT Convergence Maturity Model for CISOs


    Every effective IT/OT convergence maturity model begins with identity visibility.

    For CISOs building a unification strategy across information technology (IT) and operational technology (OT), maturity is less about tools and more about visibility and accountability. 

    One of the hardest conversations in converged environments isn’t about tools or budgets. It’s about honesty. Maturity in IT, OT, and IoT security is often uneven, and pretending otherwise only delays progress.

    In mature organizations, the question is no longer “Are IT and OT connected?” but “Do we understand how identity moves across them?”

    Maturity begins with awareness. Do you know how many identities exist across IT, OT, and IoT? Not just users, but service accounts, vendor credentials, machine identities, certificates, API keys, edge computing workloads, IIoT devices, Agentic AI identities, and hardcoded secrets.  

    In most critical infrastructure environments, the answer is no, and that’s not a failure; it’s a starting point.

    The next marker of maturity is context:

    • Which identities matter most?
    • Which can affect safety, availability, or regulatory exposure?
    • Which provide pathways between corporate IT and operational systems?

    Maturity isn’t measured by how many identities you have discovered, but by whether you understand which ones create real business risk.

    Organizations that progress in this space stop chasing theoretical completeness. Instead, they focus on reducing uncertainty where it matters most.


    Actionable Framework for Unified Risk Management


    Unified risk management doesn’t mean forcing IT risk models onto OT teams or pretending IoT behaves like traditional infrastructure. It means aligning around a shared understanding of impact in environments built for real-time data, automation, and improved efficiency.

    In practice, this becomes a converged risk assessment process, where identity exposure is evaluated across both IT and OT rather than in isolation.

    In converged environments, identity provides that common language. A compromised credential is no longer just an IT incident. It becomes a potential operational disruption, a safety issue, or a compliance event depending on where that identity leads across IT and OT.

    This is where identity metrics become powerful. 

    Rather than counting vulnerabilities or identities, the focus shifts to questions that leadership understands:

    • Which identities have privileged access?
    • Which are shared?
    • Which authenticate continuously without oversight?
    • Which cross trust boundaries?

    In the power station example, the spreadsheet was not inherently risky because it existed. It was risky because it contained credentials capable of controlling critical systems. 

    In the ship management environment, default passwords were dangerous not because they were weak, but because they granted persistent access to operational networks.

    Risk emerges from context. Unified risk management means evaluating identity exposure in terms of business consequence, not technical purity.


    Implementing Centralized OT Monitoring and Detection


    Discovery and assessment are necessary, but they are not enough. In converged environments, security becomes effective only when it’s continuous.

    Many organizations treat identity discovery as a one-time exercise. In reality, identities change constantly as environments evolve to support predictive maintenance, analytics, and automation. Devices are added, replaced, or reconfigured. Integration enables speed, but also introduces drift.

    Centralized OT monitoring doesn’t require invasive controls in operational environments or fragile agents on legacy systems.

    Understanding how identities are actually used reveals risks that design documents never show. Dormant accounts suddenly become active. Privileged access is used for convenience rather than necessity. Device identities communicate in unexpected ways.

    This continuous insight turns identity security into a learning process. It allows organizations to adapt controls gradually, based on evidence rather than fear.

    Frameworks like MITRE ATT&CK for ICS help ground this monitoring in real attacker behavior. Identity abuse appears repeatedly because it works. When teams map monitoring gaps to attacker techniques, detection and response priorities become clearer and less political.


    Governance, Compliance, and Collaboration


    Technology alone doesn’t unify security. Governance does.

    In siloed environments, risk ownership is fragmented. IT reports on cyber risk. OT reports on operational risk, often using OT data to support their analysis. IoT often reports to no one at all. Convergence exposes how ineffective this model has become.

    Effective governance creates a shared risk narrative. It clarifies roles and responsibilities across IT, OT, and engineering teams, eliminating ambiguity about who owns identity risk.

    There is one view of identity risk, one understanding of business impact, and one accountability structure. This doesn’t remove domain expertise. It aligns it.

    Compliance improves naturally in this model. When identity controls are understood, monitored, and governed consistently, audits become less painful and far more meaningful. Evidence reflects reality rather than policy intent.

    Perhaps most importantly, collaboration improves. When IT, OT, and engineering teams talk about identity behavior instead of blaming architectures, trust grows. Security stops being something imposed and starts becoming something shared.


    Measuring Success and Future-Proofing


    Success in converged security environments isn’t defined by reaching an end state. It’s defined by reducing uncertainty over time. Organizations that succeed do not assume they are finished.

    They expect their environments to change and their identity landscape to evolve. They measure success by how quickly they can detect risky behavior, how clearly they can explain identity risk to leadership, and how confidently they can adapt controls without disrupting operations.

    Future-proofing doesn’t mean predicting every new technology. It means building security programs that learn. Identity discovery becomes continuous. Risk assessment evolves with the business. Monitoring feeds improvement rather than compliance alone.

    The most resilient critical infrastructure organizations I have worked with share this mindset. They do not rely on segregation as a safety net. They recognize that identity is now the true perimeter and treat it accordingly.


    Key Reflections


    Looking back at the spreadsheet on the desk in the power station and the default passwords on IoT devices, it’s clear that those weren’t isolated failures. They were signals. Signals that security thinking had not yet caught up with operational reality.

    IT, OT, and IoT convergence didn’t create identity risk. It exposed how much trust had accumulated without governance. In critical infrastructure, where the consequences of failure are physical and far-reaching, that exposure changes everything.

    For CISOs, the path forward isn’t about tearing down what exists. It’s about unifying how identity is discovered, understood, monitored, and governed across everything that connects. Discovery first. Context next. Improvement where it matters most. Continuous learning always.

    In a connected world, identity is no longer just an IT concern. It’s the foundation of resilience.


    Five Practical Ways to Get Started Protecting Critical Infrastructure


    After years of working in critical infrastructure environments, I’ve learned that most organizations don’t fail because they don’t care about security. They fail because they try to fix everything at once or because they wait for the “perfect” architecture before taking the first step. Getting started with identity security across IT, OT, and IoT doesn’t require perfection. It requires focus.

    Here are five practices that consistently make the biggest difference early on:

    1. Start by discovering every identity, not just users


    Most organizations believe they understand their identity landscape because they can see users in their directory. In converged environments, that view is dangerously incomplete. 

    The real risk often sits with service accounts, shared OT credentials, vendor access, device identities, certificates, and hardcoded secrets embedded in systems that have been running for years.

    In many environments, those identities are tied directly to operational asset management systems and industrial control platforms.

    Discovery isn’t about assigning blame. It’s about building a factual baseline. Until you know which identities exist across IT, OT, and IoT and where they are used, you are operating on assumptions. In critical infrastructure, assumptions are rarely safe.

    The organizations that make progress treat discovery as a continuous activity, not a one-time project. They expect to find surprises, and they plan for that reality.

    2. Identify which identities actually matter to the business


    Not all credentials represent equal risk. The mistake many teams make is trying to treat every identity problem the same way. That approach quickly becomes overwhelming.

    Instead, the focus should be on context. Which identities can affect safety, availability, or critical operations? Which accounts provide paths between IT and OT? Which device credentials authenticate continuously without human oversight? These are the identities attackers care about, and they should be the ones defenders prioritize.

    This is where identity metrics become powerful. Measuring identity risk in terms of business impact, not just technical exposure, creates clarity. It allows CISOs to explain why certain issues must be addressed now, while others can wait.
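The context questions in this step, and the same four questions under Unified Risk Management earlier (privileged, shared, continuously authenticating without oversight, crossing a trust boundary), can be run as a repeatable scoring pass over an identity inventory. This is an added example, not code from the article or from Segura; the inventory records, field names and weights are constructed for illustration.

```python
"""Context-based risk scoring for a converged IT/OT/IIoT identity inventory.

Added example, not code from the article or from Segura. The inventory
records, field names and weights are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Identity:
    name: str
    kind: str                 # user | service | device | vendor
    zone: str                 # "it", "ot", or "both" when it reaches across
    privileged: bool
    shared: bool              # used by more than one person or system
    default_credential: bool
    owner: Optional[str]      # None means nobody is accountable for it
    expires: bool             # False: permanent credential or standing access
    human_oversight: bool     # False: authenticates continuously, unattended
    can_affect_safety: bool   # could misuse disrupt a physical process?

# Constructed weights mirroring the article's questions: privileged, shared,
# continuous unattended authentication, and crossing a trust boundary, plus
# ownership, expiry, default credentials and safety impact.
WEIGHTS = {"privileged": 3, "shared": 2, "default_credential": 2,
           "no_owner": 1, "never_expires": 1, "unattended": 2,
           "crosses_boundary": 3, "safety_impact": 4}

def risk_findings(i):
    """Return the labels of every risk condition the identity triggers."""
    checks = [("privileged", i.privileged),
              ("shared", i.shared),
              ("default_credential", i.default_credential),
              ("no_owner", i.owner is None),
              ("never_expires", not i.expires),
              ("unattended", not i.human_oversight),
              ("crosses_boundary", i.zone == "both"),
              ("safety_impact", i.can_affect_safety)]
    return [label for label, hit in checks if hit]

def risk_score(i):
    return sum(WEIGHTS[f] for f in risk_findings(i))

def prioritize(inventory):
    """Highest business risk first; ties broken by name for stable output."""
    return sorted(inventory, key=lambda i: (-risk_score(i), i.name))

# Constructed inventory: the control-room spreadsheet account, an IIoT sensor
# still on its default password, a vendor support login, and an office user.
INVENTORY = [
    Identity("scada_eng_shared", "user", "ot", True, True, False, None, False, True, True),
    Identity("iiot_sensor_0042", "device", "both", False, False, True, None, False, False, False),
    Identity("vendor_remote_support", "vendor", "both", True, False, False, "ops-mgr", False, True, True),
    Identity("jdoe", "user", "it", False, False, False, "jdoe", True, True, False),
]

if __name__ == "__main__":
    for ident in prioritize(INVENTORY):
        print(f"{risk_score(ident):2d} {ident.name}: {', '.join(risk_findings(ident))}")
```

The shared OT engineering account and the vendor login score the same despite looking very different on paper, which is the point: weak-looking and strong-looking credentials are ranked by what they can reach, not by how they are stored.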

    3. Understand what controls you already have before buying more


    In many environments, controls already exist but are unevenly applied. Multi-factor authentication might protect IT users, but not remote OT access. Logging might exist in systems, but it’s never reviewed. Network segmentation might be strong, but identity controls are weak.

    Before introducing new tools or architectures, it’s worth understanding what is already working and where it can be extended. Often, meaningful risk reduction comes from better use of existing capabilities rather than wholesale replacement.

    This approach also builds trust with OT and engineering teams. It shows that security is there to strengthen operations, not disrupt them.

    4. Focus early on privileged access and remove implicit trust


    If there is one place where effort consistently pays off, it’s privileged access. Shared admin accounts, permanent elevated rights, vendor credentials that never expire, and service accounts no one owns are common across critical infrastructure.

    Reducing risk here doesn’t mean eliminating access. It means making it intentional. Privileged access should have a clear owner, a clear purpose, and, where possible, a clear time limit. Activity should be monitored so that abnormal use stands out.

    This is where Zero Trust for OT environments makes sense, not as a rigid doctrine, but as a practical way of removing implicit trust. Trust should be earned through identity, not implied by network location.

    5. Keep learning by monitoring how identities are actually used


    The final shift is cultural as much as technical. Identity security in converged environments isn’t something you “finish.” Systems change, people change roles, vendors come and go, and devices are added faster than documentation can keep up.

    Continuous monitoring turns identity security into a learning process. It reveals which privileged accounts are used daily and which exist only out of habit. It shows where access patterns drift over time. It highlights risky behavior long before it becomes an incident.

    Organizations that succeed don’t assume their original design remains valid. They observe, adapt, and improve based on evidence from their own environments.
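One concrete form of the usage monitoring described in this step and under Centralized OT Monitoring earlier: learn each identity's normal destination zones during a baseline window, then flag dormant accounts that wake up, identities reaching a zone they never used, and identities never seen before. This is an added example, not code from the article or from Segura; the log format, hosts, zones and timestamps are constructed.

```python
"""Flag identity-usage drift across IT/OT from successful authentication events.

Added example, not code from the article or from Segura. The log format, hosts,
zones and timestamps are constructed; real directory, jump-host and gateway
logs need their own parser feeding the same event shape."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: ISO-8601 timestamp followed by key=value fields.
LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src_zone=(?P<src>\S+) "
                  r"dst=(?P<dst>\S+) dst_zone=(?P<dzone>\S+) result=(?P<res>\S+)")

def parse(text):
    """Turn log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events

def find_drift(events, baseline_end, dormant_days=30):
    """Learn destination zones per identity up to baseline_end, then report later
    unseen identities, new zones, and accounts silent for dormant_days or more."""
    last_seen, baseline_zones = {}, defaultdict(set)
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["res"] != "success":
            continue                  # failed attempts do not extend the baseline
        user, ts, zone = e["user"], e["ts"], e["dzone"]
        if ts <= baseline_end:
            baseline_zones[user].add(zone)
        else:
            prev = last_seen.get(user)
            if prev is not None and ts - prev >= timedelta(days=dormant_days):
                findings.append(("dormant_reactivated", user, ts.date().isoformat()))
            if user not in baseline_zones:
                findings.append(("unseen_identity", user, zone))
                baseline_zones[user].add(zone)   # report each identity/zone once
            elif zone not in baseline_zones[user]:
                findings.append(("new_zone", user, zone))
                baseline_zones[user].add(zone)
        last_seen[user] = ts
    return findings

# Constructed events: a vendor login idle since January, an IT service account
# that starts reaching a PLC gateway, and a sensor never seen during baseline.
LOG = """\
2026-01-02T10:00:00Z user=old_vendor src_zone=it dst=jump-01 dst_zone=it result=success
2026-01-28T09:00:00Z user=eng_ops src_zone=ot dst=hmi-01 dst_zone=ot result=success
2026-01-30T08:00:00Z user=svc_historian src_zone=it dst=historian-01 dst_zone=it result=success
2026-02-10T09:00:00Z user=eng_ops src_zone=ot dst=hmi-01 dst_zone=ot result=success
2026-02-14T08:00:00Z user=svc_historian src_zone=it dst=historian-01 dst_zone=it result=success
2026-02-15T02:30:00Z user=svc_historian src_zone=it dst=plc-gw-01 dst_zone=ot result=success
2026-02-16T11:00:00Z user=old_vendor src_zone=it dst=plc-gw-01 dst_zone=ot result=success
2026-02-17T12:00:00Z user=iiot_sensor_9 src_zone=ot dst=cloud-analytics dst_zone=cloud result=success
2026-02-17T12:01:00Z user=old_vendor src_zone=it dst=plc-gw-01 dst_zone=ot result=failure
"""
BASELINE_END = datetime(2026, 1, 31)
```

Running `find_drift(parse(LOG), BASELINE_END)` reports the service account crossing from IT into OT, the vendor account reactivating after 45 days and also crossing into OT, and the sensor that was never part of the baseline; the routine engineer logins produce nothing.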


    Closing Thoughts


    Convergence has made one thing unmistakably clear. Network separation alone is no longer a sufficient defense, especially in critical infrastructure. Identity, human and machine, has become the primary way systems are accessed, controlled, and abused.

    The good news is that identity security scales across IT, OT, and IoT precisely because it focuses on how access is granted and used, not on forcing environments to look the same. By starting with discovery, prioritizing what matters most, strengthening privileged access, and committing to continuous learning, CISOs can reduce real risk without compromising operations.

    In environments where safety, availability, and trust truly matter, identity security isn’t just a technical discipline. It’s a foundational element of resilience.

    Where to Go Next


    If convergence has made one thing clear, it’s that identity now sits at the center of operational resilience.

    Strengthening identity security across IT and OT doesn’t require ripping out what works. It requires visibility, control, and continuous insight into privileged access.

    If you’re evaluating how to reduce identity risk in converged environments, explore how Segura® Privileged Access Management supports discovery, governance, and monitoring across critical infrastructure.


    Chief Security Evangelist & Advisory CISO at Segura®

    Joseph Carson, CISSP, author & podcast host, shares 30+ years of cybersecurity expertise in enterprise security, hacking & infrastructure defense.
