The air gap that once shielded our industrial systems is disappearing, and with it, a vital layer of security. In the drive to cut costs and streamline efficiency, companies are wiring their operational technology (OT) systems directly into corporate IT networks.
The tradeoff is stark: environments that once ran in isolation, from manufacturing plants to energy grids, are now exposed to the same attack paths that breach IT networks. What once required a nation-state to disrupt can now begin with a single phishing email, cascading from an office inbox to a factory floor, a pipeline, or even a hospital ward.
Physical separation once kept OT out of reach of most cyber threats. Now, integration is giving attackers a direct line into critical infrastructure. In response, governments are scrambling to mandate protections and pass legislation aimed at limiting the potential negative impact of having those systems so closely intertwined.
In fact, the National Security Agency (NSA) has joined the Cybersecurity and Infrastructure Security Agency (CISA) and other organizations to publish guidance that helps OT owners and operators integrate security when selecting OT products. But legislation and frameworks are just paper shields if organizations aren’t ready to fight back. Real defense comes down to three things:
- The skills we forge.
- The systems we lock down.
- The unity of our teams on the front lines.
Bridging the OT Skills and Visibility Gap
The Fortinet 2025 Operational Technology Security Report reveals that 50 percent of organizations still report experiencing one or more cybersecurity incidents across their OT systems. While the persistent attacks are a concern, the more critical issue is lack of preparedness.
In many organizations, the responsibility of securing OT systems is handed to IT teams by default, often without additional resources, training, or dedicated OT security expertise. IT teams, now tasked with securing OT systems they’ve never worked with, face a growing skills and visibility gap that attackers are quick to exploit.
Threat intelligence shows that 85 percent of attacks on OT environments start with an IT breach, after which attackers either pivot into industrial networks or disrupt OT indirectly by targeting the IT systems they rely on. Only 13 percent of incidents use OT-specific attack methods, indicating that most intrusions follow familiar IT paths.
This has blown open a dangerous exposure gap for organizations that stop their cyber strategy at the edge of IT. For too long, OT cybersecurity training has been an afterthought. Now that these systems are squarely in the crosshairs, neglect is no longer just risky; it’s a direct invitation to attack.
Navigating the Complex Landscape of OT Legislation
Driven by high-profile incidents like the Colonial Pipeline breach and heightened by the current geopolitical climate, legislators are calling for a renewed focus on OT security to safeguard critical national infrastructure. In recent years, global frameworks like NIS2, IEC 62443, and NIST SP 800-82 have emerged to support risk management, operational resilience, and threat identification, specifically across industrial automation and control systems.
Yet, legislation alone won’t fix the issue. Too often, compliance becomes a checkbox exercise that appeases auditors and calms executives worried about fines or board scrutiny, but does little to strengthen real defenses. It can even create friction with technical teams who understand that threats are not stopped by paperwork.
True protection requires more than rules. It demands bold investment in the people, processes, and technologies that build real cyber resilience, especially as IT and OT grow more tightly intertwined.
Organizations that fail to go beyond compliance to foster a more robust security culture risk becoming compliant on paper, but vulnerable in practice.
Cross-Functional Training and Collaboration
The price of inaction on OT security keeps escalating. In the industrial sector, breaches can cost companies upwards of $5.56 million per incident, with downtime often lasting weeks and triggering widespread supply chain disruptions that multiply losses. But the financial toll is only part of the story: attacks like the Colonial Pipeline breach have also created fuel shortages, panic buying at gas stations, and even jet fuel constraints that disrupted air travel.
In response, organizations must shift their approach to training to help their employees prove and improve their understanding of the OT environment and risks. This process can take a few different forms:
- Discovering assets and assessing risk. You can’t protect what you don’t know exists. Most OT networks have hidden assets or legacy systems that pose serious risks. A proper asset inventory and risk mapping exercise is a foundational step toward reducing exposure.
- Strengthening access controls and network segmentation. Flat, open networks make it far too easy for attackers to move laterally. Segmentation between IT and OT, combined with strict identity and access controls, is the best approach to drastically reducing the blast radius.
- Exercising incident response plans. Most incident response plans are still IT-centric. OT requires a different playbook that considers the impact of physical processes, safety, and time-sensitive coordination. Simulate OT-specific incidents as part of your preparedness strategy, and, most importantly, regularly exercise your incident response plan to benchmark skills and track progress.
- Implementing OT-focused cybersecurity training. Most organizations don’t offer OT-specific security training. By upskilling in this area, employees can bridge the gap between IT and OT teams, ensuring everyone understands the risks and how to effectively respond.
- Breaking down silos between IT and OT teams. Security is a team sport. When IT and OT work together, you get faster detection, better response, and fewer blind spots. Create shared governance, joint threat exercises, and appoint security champions across both domains.
The truth is, the time to secure OT environments was the moment they were installed, not as an afterthought. While this shift may seem daunting, organizations that fail to act now risk being left vulnerable, while those who take decisive steps will build strong cyber resilience.
With the air gap shrinking, the priority today must be to strengthen visibility across IT and OT systems. Steps taken now can’t undo the past, but they can sharply reduce the impact of tomorrow’s inevitable attack and protect both business resilience and the people who depend on it.