What is the IT/OT convergence problem?
IT/OT convergence is the operational and architectural merging of information technology and operational technology, which creates new attack paths between them.
Key takeaways
- IT/OT convergence is not a project; it is a condition. Most mid-market manufacturing facilities are already converged whether the architecture diagram acknowledges it or not.
- The convergence problem is that IT-side compromises now produce OT-side consequences through paths that were not anticipated when the original architecture was designed.
- The four most common convergence patterns at mid-market manufacturers: shared identity, historian and reporting flows, vendor remote access, and engineering workstations on the IT side.
- Defense is governance of the boundary, not enforcement of an imaginary air gap.
- For mid-market manufacturers, the highest-leverage controls are documented vendor-access management, engineering-workstation hardening, and OT-aware passive monitoring.
What does IT/OT convergence actually mean on a plant floor?
The plant floor of a 2026 mid-market manufacturer is not what the original architecture diagram shows. The diagram has clean separation: IT network on one side, OT network on the other, a firewall in between, no traffic except what is explicitly permitted. The reality has the same shape on paper and a more complicated shape in practice.
What is actually on the plant floor:
- Engineering workstations that program PLCs and HMIs. They sit on the IT network for email, productivity, and software updates. They reach the OT network when they program. Some are dual-homed.
- Vendor remote-access tools (Bomgar, ConnectWise, TeamViewer, vendor-specific VPN clients) installed by various equipment vendors over years. Each one is a path from the internet into specific OT assets.
- Historian databases that aggregate process data for analysis. The historian sits in the DMZ, takes data from OT, and is read by IT-side dashboards and analytics tools.
- Operators carrying personal phones with corporate email and (sometimes) operator-app credentials.
- Maintenance staff carrying USB drives between control rooms and the office printer.
- A shared identity provider (Microsoft Entra, Active Directory) covering both office and plant staff with the same accounts.
- A shared SaaS for reporting (Power BI, Tableau) that pulls from both IT and OT sources.
Each of these is a real operational need; none of them is a mistake. Together they constitute the convergence. The architecture diagram still shows separation; the actual environment does not.
The four most common convergence patterns and their risks
ARG sees the same four convergence patterns repeatedly in mid-market manufacturer engagements.
1. Shared identity. Office and plant staff use the same identity provider. A compromised office account that has Active Directory group membership reaches OT-adjacent file shares, engineering workstations, or PI Historian. Risk: an IT-side spear phish becomes an OT-side reconnaissance position without crossing the firewall in the traditional sense; the firewall does not check identity context.
2. Historian and reporting flows. Process data flows from OT to a historian, from the historian to IT-side analytics. The flow is necessary (it is what makes operational visibility possible) but it requires the historian to be reachable from both sides. Risk: the historian becomes the lateral pivot; many compromises of mid-market manufacturers reach OT through historian or reporting-tool exploitation.
3. Vendor remote access. Each major OT vendor has its own remote-access mechanism for diagnostics and support. Some are Bomgar or ConnectWise; some are vendor-proprietary VPNs; some are open RDP through a static-NAT rule that has been in the firewall since 2014. Risk: vendor compromises (the vendor's own credentials, devices, or supply chain) become direct OT access. See also What is a supply chain attack? and What is third-party risk for manufacturers?
4. Engineering workstations on the IT side. Engineers need to read CAD files, send and receive email, attend meetings, and (during shop visits) actually program PLCs. The workstation usually sits on the IT network most of the time and connects to the OT network to program. Risk: a workstation compromise via spear phishing produces a direct path to PLC programming the next time the engineer plugs in.
Each pattern is a normal feature of a modern industrial environment. Each one is also the most common chain in real-world incidents that reach OT through the IT side. Defense is governance, not elimination.
Why the convergence problem is harder for mid-market manufacturers than enterprises
Three structural reasons.
- Smaller staffing on both sides. Enterprise environments often have a dedicated OT-security function; mid-market manufacturers usually do not. The IT team owns OT security by default, often without OT-specific training. Convergence governance falls between the IT team's bandwidth and the engineering team's mandate.
- Less budget for OT-aware tooling. Enterprise-grade OT monitoring platforms (Claroty, Dragos, Nozomi) cost more than mid-market budgets typically support without external help. The IT-side tooling does not understand OT protocols well enough to fill the gap.
- Older equipment and tighter operational margins. Mid-market manufacturers run installed OT equipment for longer because hardware refresh is expensive and production margin pressure is constant. The equipment that exists is harder to update and more sensitive to operational disturbance, making security investment harder to justify case by case.
The combination produces facilities where convergence has happened, governance lags behind, and the IT-to-OT attack path is open. The fix is not big-bang investment; it is a sequenced program that addresses the highest-leverage governance gaps first.
Examples of incidents caused by IT/OT convergence
Patterns from public incidents and ARG engagement findings:
- Ransomware reaching the historian, forcing OT shutdown. A ransomware operator gains an IT-side foothold via phishing, moves laterally to the historian server, and encrypts it. The OT systems themselves remain unencrypted, but the loss of historian access forces a production stop until the historian is restored.
- Vendor-supplied remote-access tool compromised by attacker. A vendor's own infrastructure is compromised; the attacker uses the vendor's remote-access pathway into multiple customer environments. The customer's perimeter never sees an unfamiliar connection.
- Engineering workstation compromised via spear phish, used to push modified PLC code. A spear phish lands on an engineer. The compromised workstation is used during a normal programming session to push subtly modified logic to a PLC. The change is small enough to be missed on a casual review and produces measurable quality loss.
- Shared identity gives ransomware operator access to engineering file shares. Domain credentials compromised on the IT side reach an engineering file share that contains CAD, BoM, and process documentation. The data is exfiltrated and used for extortion.
- Maintenance USB carries malware from infected vendor laptop to control room. A vendor's laptop is compromised. The vendor transfers a configuration file via USB to a control-room workstation. The malware reaches the OT environment through removable media.
- Office printer firmware compromise reaches plant network. A multifunction printer on the office network is compromised; the printer has access to a plant subnet for status reporting. The lateral move uses an unanticipated cross-segment path.
The pattern: small architecture and process choices compound into IT-to-OT attack chains that the defenders did not anticipate.
How to audit convergence risk in your facility
An IT/OT convergence audit covers five surfaces. The output is a documented inventory of the actual boundary, not the architecture-diagram boundary.
1. Identity and access. Map shared identities between IT and OT: which IT accounts have access to OT-adjacent assets, which OT-side accounts have IT-side access, which service accounts span both, and which vendor accounts have cross-boundary access.
2. Network flows. Document actual network traffic between IT and OT zones, not just firewall rule sets. Passive monitoring or capture during normal operation reveals flows that the rules permit but the diagram does not show.
3. Engineering workstations. Inventory of workstations that program PLCs or HMIs. Their network connectivity, their patch state, their software stack, their physical location. Each workstation is a high-risk asset.
4. Vendor remote access. Inventory of every vendor that has remote access into the OT environment. Mechanism, authentication, logging, time-bounding. The list usually surprises the organization.
5. Removable media and physical movement. USB use between IT and OT. Personal devices on the plant floor. Documented removable-media policy versus observed practice.
The audit produces a finding list ranked by exploitability. The remediation backlog usually prioritizes vendor-access governance, engineering-workstation hardening, and identity separation in that order, because those three address the highest-volume real-world chains.
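The second audit surface (observed flows versus the documented boundary), as an added example that is not ARG's tooling: it classifies each captured flow by zone and reports cross-zone flows absent from the documented allow-list. The zone subnets, the allow-list, and the capture summary are constructed sample values; the historian port and the flow format are assumptions.

```python
"""Reconcile observed IT/OT flows against the documented boundary.
Added example, not ARG's tooling; all values below are constructed sample data."""
import ipaddress
from collections import Counter

# Zone map as the architecture diagram states it (constructed).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("192.168.50.0/24"),
}

# Cross-zone flows the documented boundary permits: (src zone, dst zone, dst port).
DOCUMENTED = {
    ("OT", "DMZ", 5450),   # process data from OT into the historian (assumed port)
    ("IT", "DMZ", 443),    # IT-side dashboards read the historian over HTTPS
}

# Passive-capture summary from normal operation (constructed): "src,dst,dst_port" per line.
CAPTURE = """\
192.168.50.21,10.20.0.5,5450
10.10.4.17,10.20.0.5,443
10.10.4.17,192.168.50.21,44818
10.10.9.3,192.168.50.40,502
10.10.9.3,192.168.50.40,502
10.20.0.5,192.168.50.21,5450
"""

def zone_of(ip):
    """Return the zone whose subnet contains ip, or 'UNKNOWN'."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return "UNKNOWN"

def undocumented_cross_zone_flows(capture=CAPTURE, documented=DOCUMENTED):
    """Return {(src_zone, dst_zone, dst_port): count} for flows that cross
    a zone boundary but are absent from the documented allow-list."""
    findings = Counter()
    for line in capture.splitlines():
        src, dst, port = line.split(",")
        key = (zone_of(src), zone_of(dst), int(port))
        if key[0] != key[1] and key not in documented:
            findings[key] += 1
    return dict(findings)

if __name__ == "__main__":
    for (src_zone, dst_zone, port), n in sorted(undocumented_cross_zone_flows().items()):
        print(f"{src_zone} -> {dst_zone} tcp/{port}: {n} flow(s) not in the documented boundary")
```

In the sample, the findings are IT workstations reaching PLC protocol ports directly and the historian initiating connections back into OT, exactly the flows the rules permit but the diagram never shows.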
Best practices for governing the IT/OT boundary
- Document the actual boundary. The architecture diagram and the real boundary diverge over time. The first deliverable of a convergence-governance program is the actual boundary mapped against the documented boundary.
- Manage vendor remote access as privileged access. Named accounts, MFA, session recording, time-bounded access, periodic review. Vendor accounts get the same scrutiny as internal admin accounts.
- Harden engineering workstations. Application allowlisting, removable-media controls, restricted network access, EDR where the vendor supports it. The engineering workstation is the most common IT-to-OT pivot in real incidents.
- Separate identity domains where practical. Different accounts for engineering and office work; group memberships do not overlap unless explicitly justified. Where full separation is impractical, the cross-boundary group memberships are documented and reviewed quarterly.
- Passive monitoring on the OT network. OT-aware tooling provides visibility into actual flows; it surfaces unexpected cross-boundary traffic before it becomes an incident.
- Coordinated incident response. IT and OT response procedures share scenarios and contacts. The first hour of a real incident is not the time to figure out who is on the other side of the firewall.
- Convergence as a recurring audit topic. The boundary moves over time; the audit needs to track it. ARG's engagement model includes convergence-state review as part of each on-site cycle.
- Insurance and compliance alignment. Underwriters and (for regulated industries) auditors increasingly ask for documented IT/OT-boundary controls. The audit produces this evidence as a byproduct.
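For the identity-separation practice above, and for the shared-identity audit surface and convergence pattern 1 earlier, an added example that is not ARG's tooling: it expands nested group membership the way a directory evaluates it and lists accounts whose effective membership spans office and OT-adjacent groups. The group names, users, and the office/OT-adjacent classification are constructed; in practice the same structure would come from an Active Directory or Entra export.

```python
"""Quarterly review of cross-boundary identity: list accounts whose effective
group membership spans office and OT-adjacent groups. Added example, not ARG's
tooling; the directory data below is constructed."""

# Group -> direct members; a member that is itself a key is a nested group.
GROUP_MEMBERS = {
    "Office-Staff": ["alice", "bob", "Plant-Engineers"],
    "Plant-Engineers": ["carol", "dave"],
    "EWS-Admins": ["Plant-Engineers", "svc-backup"],       # engineering workstations
    "Historian-Readers": ["Office-Staff", "svc-powerbi"],  # whole office nested in
    "Vendor-Remote": ["vendor-acme"],
    "Finance": ["bob"],
}
OFFICE_GROUPS = {"Office-Staff", "Finance"}
OT_ADJACENT_GROUPS = {"EWS-Admins", "Historian-Readers", "Vendor-Remote"}

def effective_groups(group_members=GROUP_MEMBERS, nested=True):
    """Return user -> set of groups. With nested=True, membership is expanded
    through nested groups, which is how a directory actually evaluates it."""
    def expand(group, seen):
        users = set()
        for member in group_members.get(group, []):
            if member in group_members:                # nested group
                if nested and member not in seen:
                    seen.add(member)
                    users |= expand(member, seen)
            else:
                users.add(member)
        return users
    result = {}
    for group in group_members:
        for user in expand(group, {group}):
            result.setdefault(user, set()).add(group)
    return result

def cross_boundary_accounts(group_members=GROUP_MEMBERS, nested=True):
    """Accounts holding at least one office group and at least one OT-adjacent
    group; the value is the sorted list of OT-adjacent groups held."""
    findings = {}
    for user, groups in effective_groups(group_members, nested).items():
        if groups & OFFICE_GROUPS and groups & OT_ADJACENT_GROUPS:
            findings[user] = sorted(groups & OT_ADJACENT_GROUPS)
    return findings

if __name__ == "__main__":
    print("direct membership only:", cross_boundary_accounts(nested=False))
    print("effective (nested) membership:", cross_boundary_accounts())
```

A review of direct memberships alone finds nothing in this sample; the nested expansion shows every office user can read the historian and the plant engineers hold engineering-workstation admin rights through an office group, which is the kind of overlap the quarterly review exists to surface.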
IT/OT convergence FAQs
Should IT and OT report to the same leader?
Sometimes, but not always. Same-leader structures encourage information sharing and coordinated investment; separate-leader structures preserve OT engineering judgment and safety-system independence. The right answer depends on the size of the organization and the maturity of the OT engineering function. What matters more than reporting structure is documented coordination on shared incidents, shared risks, and shared remediation.
Does air-gapping still work in 2026?
Pure air gaps are rare in practice. Vendor remote access, historian data flow, software updates, and operator personal devices all create paths across what is sometimes called an air gap. The realistic question is not whether to maintain an air gap but how to govern the documented and undocumented connections that already exist.
What is the difference between IT/OT convergence and IT/OT integration?
Convergence describes the broader trend of the two environments interacting (technologically, operationally, organizationally). Integration is one specific form of convergence: deliberate technical integration of IT and OT systems (data flow, shared identity, shared monitoring). All integrated environments are converged; not all converged environments are deliberately integrated.
How do remote-vendor connections complicate convergence?
They bypass the segmentation that the architecture diagram implies. A vendor with VPN access to a SCADA HMI is the same access as a vendor with physical access to that HMI; both circumvent perimeter controls. Vendor connections need to be inventoried, named, MFA-enforced, session-logged, and time-bounded, with the same rigor as any other privileged access.
How ARG assesses IT/OT convergence during on-site audits
IT/OT convergence assessment is a standard component of ARG's on-site audit during first-year engagement weeks. The assessment is conducted by David Ashby with engineering-team participation, and produces a documented view of the actual boundary alongside the documented one.
The work runs in three phases.
Phase 1: Documentation and interview. The auditor reviews the architecture diagrams, firewall rules, identity-provider group memberships, vendor remote-access documentation, and engineering workstation inventory. Interviews with the IT lead, the engineering lead, and key vendor liaisons produce the documented boundary.
Phase 2: Observation. The auditor walks the facility, observes the actual network connections (engineering workstations, historian server, plant-network jumps to office printers, vendor-side tools running on PLC engineering systems), and watches operations enough to see the cross-boundary patterns that documentation misses.
Phase 3: Validation. Where the engagement permits, controlled exercises validate specific convergence paths: a spear phish against an engineer's mailbox, an OAuth consent grant against an account with cross-boundary group membership, a vendor-impersonation pretext that probes how vendor remote access is verified.
Findings consolidate into the engagement report alongside the broader OT security audit, the physical security audit, and the continuous penetration testing findings. The remediation backlog prioritizes vendor-access governance, engineering-workstation hardening, and identity separation; the technical layer (network segmentation tightening, OT-aware monitoring) follows.
Apply as a founding client or see how the engagement works for the full delivery cycle.
Find what gets through.
ARG runs continuous AI-driven adversarial simulation and on-site physical audits for mid-market manufacturers. Two founding-client spots remain.