Full Report
ISA President Scott Reynolds moderated a panel on the cybersecurity risks related to the convergence of enterprise-level IT systems and industrial OT systems.
Analysis Summary
# Main Topic
Cybersecurity risks originating from the convergence of enterprise-level IT systems and industrial OT systems, as discussed during a panel moderated by ISA President Scott Reynolds at the ISA OT Cybersecurity Summit 2025.
## Key Points
- The discussion revolved around three primary definitions of IT/OT convergence and the associated security implications.
- **Definition 1: IT systems used on OT networks:** Acknowledges decades-long usage of Ethernet and Windows OS in OT. The primary security risk is IT-centric threats (like ransomware from the IT network or vendors) bleeding into OT, often complicated by IT personnel treating OT systems inappropriately ("I'm from IT and I'm here to help").
- **Definition 2: IT taking over OT networks:** Occurs when IT enforces IT management practices (patching, network communications) directly onto OT infrastructures. Risks include IT breaking sensitive systems through inappropriate patching schedules or maintenance, and creating security vulnerabilities through shared Windows domains or trust relationships between IT/OT networks.
- **Definition 3: Being intentional with IT/OT connections (e.g., ISA-95 models):** Focuses on defined data flow between systems (like ERP and MES). Risks include the creation of "black boxes" where IT is unaware of what resides behind the firewall on the OT side, leading to a lack of holistic security awareness.
- A core finding is the mutual opportunity and challenge: IT skills can help identify misconfigurations, while OT teams need to learn modern system recovery and backup strategies.
## Threat Actors
- Not explicitly named or attributed to specific threat groups.
- Threat actors mentioned are generalized as the source of common threats migrating from the IT environment, specifically **ransomware attacking OT networks**.
## TTPs
- **Migration of IT Risks to OT:** The general TTP is the direct exposure of OT networks to IT-based threats (e.g., ransomware).
- **Inappropriate Patching/Maintenance:** IT attempting to apply standard IT patching schedules or maintenance practices that disrupt the availability or timing requirements of critical control systems.
- **Network Flooding:** IT-initiated backup traffic saturating OT network links and causing outages on OT systems.
- **Domain/Trust Misconfiguration:** Establishment of shared Windows domains or trust relationships between IT and OT that allows unauthorized access or lateral movement.
- **Shadow IT:** Introduction of insecure direct remote access solutions into the process control network.
## Affected Systems
- Industrial Control Systems (ICS) / Operational Technology (OT) networks.
- Systems leveraging COTS solutions and Ethernet/Windows OS infrastructure.
- Databases requiring specific backup procedures.
- Process control networks (PCN).
## Mitigations
- For Definition 1: Rely on security professionals who understand COTS solutions, leveraging the fact that COTS are generally well-tested for vulnerabilities.
- For Definition 2: Maintain a default stance of **not trusting the IT network** and architecting systems to remain operational even if the IT network is compromised. Leverage IT skills only to identify systemic misconfigurations or shadow IT.
- For Definition 3: Establish **clearly defined roles and ownership** for every component of integrated systems based on standards like ISA-95 to prevent security awareness gaps across the boundary.
- **Collaboration:** Foster an environment where IT and OT professionals work together, leveraging the strengths of both skillsets to achieve secure, functional implementations.
## Conclusion
The convergence of IT and OT introduces significant, multifaceted risks that depend on how that convergence is defined and managed. The most immediate threat vector is ransomware migrating from IT networks. Effective defense requires strict boundary enforcement, clear operational ownership, and sustained collaboration between IT and OT staff to close inherent security gaps while preserving system functionality.