
When IT, OT, and IoT Collide
As IT, OT, and IoT converge, the security landscape fundamentally changes. Environments that were once more or less isolated are suddenly connected, legacy systems meet modern platforms, and business‑critical processes are exposed in ways they were never designed for.
The challenge is rarely a lack of will to do the right thing — that almost always exists. The hard part is understanding how to actually do it in reality, in environments that already exist, are already in use, and cannot be rebuilt from scratch without someone becoming very, very upset.
These are a few principles that repeatedly prove to be decisive.
OT Is Not IT — and That Has to Be Okay
One of the most common mistakes is treating OT environments as if they were traditional IT. That rarely ends well.
In reality, OT often involves:
- Systems that cannot be patched regularly — or at all
- Limited or non‑existent authentication
- Equipment with very long lifecycles
- Availability requirements that outweigh almost everything else
Accepting this is not giving up on security — it is being realistic. When fundamental protections are missing, you must instead work with compensating controls.
A classic and highly effective example is network segmentation: protecting vulnerable systems by strictly limiting which flows are allowed to reach them at all.
Visibility First — Get “Eyes and Hands” into the Environment
Many organizations want to start with the perfect architecture and full segmentation. The problem is that this often takes a long time. In the meantime, you are… fairly blind.
Putting the following in place early:
- Monitoring
- Logging
- Detection
- Incident response capability
…provides immediate impact. A SOC function — internal or external — creates visibility into what is actually happening and makes it possible to act when something deviates from the norm.
This is often one of the most valuable first steps, even if the rest of the infrastructure is still far from ideal.
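A concrete version of "act when something deviates from the norm", added here as an example and not taken from the original article: learn which flows were accepted into the OT range during a window believed to be normal, then alert on accepted flows into that range that were never part of the baseline. The log line format, the addresses and the assumption that OT lives in 10.20.0.0/16 are all constructed for illustration; the point is that this works before any real segmentation exists, as long as the firewall or sensor at the IT/OT boundary logs what it sees.

```python
"""Baseline-and-deviation detection over firewall log lines.

Added example, not code from the original article. The log line format,
addresses and the OT address range below are constructed for illustration.
"""
import ipaddress
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

OT_RANGE = ipaddress.ip_network("10.20.0.0/16")   # assumed OT address space

# Constructed sample logs. Baseline window: an HMI and an engineering station
# talking to two PLCs. Detection window: the same, plus two flows nobody planned.
BASELINE_WINDOW = [
    "2024-03-01T08:00:01 ACCEPT proto=tcp src=10.20.1.10 dst=10.20.1.50 dport=502",
    "2024-03-01T08:00:02 ACCEPT proto=tcp src=10.20.1.10 dst=10.20.1.51 dport=502",
    "2024-03-01T08:00:05 ACCEPT proto=tcp src=10.20.0.5 dst=10.20.1.50 dport=44818",
    "2024-03-01T08:00:09 DROP proto=tcp src=10.10.7.33 dst=10.20.1.50 dport=502",
    "2024-03-01T08:00:11 ACCEPT proto=tcp src=10.10.5.20 dst=10.10.5.21 dport=443",
]
DETECTION_WINDOW = [
    "2024-03-02T08:00:01 ACCEPT proto=tcp src=10.20.1.10 dst=10.20.1.50 dport=502",
    "2024-03-02T08:00:03 ACCEPT proto=tcp src=10.10.7.33 dst=10.20.1.50 dport=502",
    "2024-03-02T08:00:04 ACCEPT proto=tcp src=10.10.7.33 dst=10.20.1.50 dport=502",
    "2024-03-02T08:00:07 ACCEPT proto=tcp src=10.20.1.10 dst=10.20.0.5 dport=3389",
    "2024-03-02T08:00:08 DROP proto=tcp src=10.30.4.7 dst=10.20.1.50 dport=502",
    "2024-03-02T08:00:09 ACCEPT proto=tcp src=10.10.5.20 dst=10.10.5.21 dport=443",
    "this line is not a firewall event and must be skipped",
]


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def flow_key(rec):
    return (rec["src"], rec["dst"], rec["proto"], rec["dport"])


def learn_baseline(lines):
    """Set of flows that were actually ACCEPTED during the 'known good' window.
    Dropped attempts are deliberately not part of the baseline."""
    return {flow_key(r) for r in map(parse_line, lines) if r and r["action"] == "ACCEPT"}


def detect_new_flows(lines, baseline, watched=OT_RANGE):
    """Accepted flows into the watched range that are absent from the baseline,
    deduplicated and in first-seen order."""
    alerts = []
    for rec in map(parse_line, lines):
        if not rec or rec["action"] != "ACCEPT":
            continue
        if ipaddress.ip_address(rec["dst"]) not in watched:
            continue
        key = flow_key(rec)
        if key not in baseline and key not in alerts:
            alerts.append(key)
    return alerts


if __name__ == "__main__":
    base = learn_baseline(BASELINE_WINDOW)
    for src, dst, proto, dport in detect_new_flows(DETECTION_WINDOW, base):
        print(f"ALERT new flow into OT: {src} -> {dst} {proto}/{dport}")
```

Two alerts come out of the constructed data: an IT workstation that is now accepted straight to a PLC on Modbus/TCP, and the HMI opening RDP to the engineering station. The caveat a SOC needs to hear: a baseline learned while an intruder is already inside will contain the intruder's flows, so "seen during the learning window" is not the same as "approved".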
Network Segmentation — the Foundation Everything Else Rests On
No matter where you start, almost all roads eventually lead to segmentation.
By separating IT, OT, and IoT, creating clear zones, and allowing only necessary flows, you reduce both the likelihood of compromise and the impact when something goes wrong. Because it will. Sooner or later.
At the same time, segmentation is often complex, time‑consuming, and sometimes politically sensitive. The question is therefore not if it should be done, but how, in what order — and what should actually be segmented.
We see everything from completely horrific segmentations that protect nothing at all, to environments where segmentation is entirely absent. Knowing how to do it right is not trivial.
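What "clear zones and only necessary flows" looks like when written down, as an added example that is not the article's own material: a zone model, an allow-list of permitted flows with everything else denied, a check that tells you why a given flow is or is not permitted, and an nftables ruleset rendered from the same list so the policy and the enforcement cannot drift apart. The zone names, address ranges and permitted flows are assumptions made up for illustration; in practice the list comes from an inventory of what the process actually needs.

```python
"""Zone model with a flow allow-list (default deny) and an nftables ruleset
generated from it.

Added example, not the article's code. Zone names, address ranges and the
permitted flows are assumptions made up for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ZONES = {
    "IT":   ipaddress.ip_network("10.10.0.0/16"),
    "JUMP": ipaddress.ip_network("10.15.0.0/24"),   # jump hosts in the industrial DMZ
    "OT":   ipaddress.ip_network("10.20.0.0/16"),
    "IOT":  ipaddress.ip_network("10.30.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int] = None   # None matches any destination port


# Everything not listed here is denied.
POLICY = [
    Rule("OT", "OT", "tcp", 502),       # HMI / engineering station to PLC, Modbus/TCP
    Rule("OT", "OT", "tcp", 44818),     # EtherNet/IP
    Rule("JUMP", "OT", "tcp", 22),      # administrative SSH only from the jump host
    Rule("JUMP", "OT", "tcp", 3389),    # administrative RDP only from the jump host
    Rule("IT", "JUMP", "tcp", 3389),    # IT reaches OT only by first landing on the jump host
    Rule("OT", "JUMP", "udp", 514),     # syslog from OT to a collector in the DMZ
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"   # not in any defined zone, e.g. the internet


def is_allowed(src, dst, proto, dport):
    """Return (decision, reason). The reason is what you want to see in the log."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone, rule.proto) == (src_zone, dst_zone, proto) \
                and rule.dport in (None, dport):
            return True, f"{src_zone}->{dst_zone} {proto}/{dport} permitted by {rule}"
    return False, f"{src_zone}->{dst_zone} {proto}/{dport} hits default deny"


def to_nftables(policy=POLICY):
    """Render the allow-list as an nftables forward chain with policy drop.
    Intra-zone rules only take effect where the firewall is actually in the path."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in policy:
        port = f" {r.proto} dport {r.dport}" if r.dport is not None else f" meta l4proto {r.proto}"
        lines.append(f"    ip saddr {ZONES[r.src_zone]} ip daddr {ZONES[r.dst_zone]}{port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flows to evaluate: the first and third should pass, the rest should not.
SAMPLE_FLOWS = [
    ("10.20.1.10", "10.20.1.50", "tcp", 502),    # HMI to PLC
    ("10.10.7.33", "10.20.1.50", "tcp", 502),    # IT workstation straight to a PLC
    ("10.15.0.10", "10.20.0.5", "tcp", 3389),    # jump host to engineering station
    ("10.20.1.50", "10.10.5.20", "tcp", 445),    # PLC opening SMB into IT
    ("10.30.4.7", "203.0.113.9", "tcp", 443),    # IoT device to an address outside every zone
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        ok, why = is_allowed(*flow)
        print("ALLOW" if ok else "DENY ", why)
    print(to_nftables())
```

Generating the ruleset from the same list that the check reads is the design choice here: the document people argue about in meetings and the configuration loaded on the firewall are the same object. The generated nftables text is a starting point to review, not something to load unread; it covers forwarded traffic only and says nothing about what each host accepts locally.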
From Network to Identity
In many OT environments, access is still based on IP addresses, network location, and implicit trust. It works — until it doesn’t. And when it fails, it usually becomes very painful.
For some reason, many still believe that threat actors follow the rules. They don’t.
Gradually shifting toward identity‑based access is therefore a critical step:
- Who are you?
- Why do you need access?
- When — and for how long?
Privileged access management (PAM) solutions, jump hosts, and strong authentication often serve as a bridge between old and new. They provide better control and also solve a very common problem: the management of shared and generic admin accounts.
If you want to do it properly, you should also use privileged access workstations (PAWs). A jump host on its own is only marginally better than nothing at all: if the ordinary, internet-connected workstation an administrator connects from is compromised, the session to the jump host is compromised with it.
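The difference between the two models, as an added example that is not from the original article: the "before" decides on source address alone, the "after" answers who, why, when and for how long before letting anyone near a target, refuses shared or generic accounts outright, and records every decision. User names, the target name, the grant fields and the list of generic accounts are assumptions made up for illustration.

```python
"""Network-location trust versus identity-based, time-boxed access.

Added example, not the article's code. User names, addresses, the grant
fields and the generic-account list are assumptions made up for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

OFFICE_LAN = ipaddress.ip_network("10.10.0.0/16")
GENERIC_ACCOUNTS = {"admin", "administrator", "svc_vendor", "operator"}  # shared, unattributable


def legacy_authorize(src_ip):
    """The 'before': implicit trust by location. Anything on the office LAN gets in,
    including a compromised laptop that happens to be plugged in there."""
    return ipaddress.ip_address(src_ip) in OFFICE_LAN


@dataclass(frozen=True)
class Grant:
    user: str            # who
    target: str          # which system
    reason: str          # why: ticket or change reference
    start: datetime      # when
    duration: timedelta  # for how long

    def active_at(self, now):
        return self.start <= now < self.start + self.duration


AUDIT_LOG = []   # every decision, allowed or denied, lands here for traceability


def identity_authorize(user, target, mfa_verified, grants, now):
    """The 'after': a personal account, verified MFA and a still-valid, justified
    grant are all required; the source network plays no part in the decision."""
    def decide(ok, why):
        AUDIT_LOG.append((now.isoformat(), user, target, ok, why))
        return ok, why

    if user in GENERIC_ACCOUNTS:
        return decide(False, "shared or generic account; actions would not be attributable")
    if not mfa_verified:
        return decide(False, "MFA not verified")
    matching = [g for g in grants if g.user == user and g.target == target]
    if not matching:
        return decide(False, "no grant for this user and target")
    for g in matching:
        if g.reason.strip() and g.active_at(now):
            until = (g.start + g.duration).isoformat()
            return decide(True, f"grant '{g.reason}' valid until {until}")
    return decide(False, "no justified grant is active right now")


# Constructed data: one four-hour grant tied to a change ticket.
T0 = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
GRANTS = [Grant("anna.b", "plc-line3", "CHG-4711 firmware rollback", T0, timedelta(hours=4))]

if __name__ == "__main__":
    print("legacy, laptop on LAN:", legacy_authorize("10.10.7.33"))
    one_hour_in = T0 + timedelta(hours=1)
    five_hours_in = T0 + timedelta(hours=5)
    print(identity_authorize("anna.b", "plc-line3", True, GRANTS, one_hour_in))
    print(identity_authorize("anna.b", "plc-line3", True, GRANTS, five_hours_in))
    print(identity_authorize("admin", "plc-line3", True, GRANTS, one_hour_in))
    print(identity_authorize("anna.b", "plc-line3", False, GRANTS, one_hour_in))
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

The expiry check is the part that most often gets skipped in practice: a grant that is never revoked is a standing account with a different name. Denying generic accounts is what actually forces the shared-password problem from the vendor section into the open, because the moment "admin" stops working, someone has to say who they are.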
Vendors Are Part of Your Security Model
In OT and IoT, vendors are often deeply embedded in the environment — sometimes more so than your own IT organization.
Without clear security requirements, you risk:
- Insecure remote access
- Lack of logging and traceability
- Dependency on solutions that cannot be updated or controlled
Starting to impose long‑term security requirements is rarely easy, but absolutely necessary. Your security level will never be higher than the weakest external link.
We have seen solutions where vendors are connected in ways that make them the single largest risk factor. And when you also hear things like:
“We use the same password for all service accounts at all our customers”
— and realize that those customers are interconnected through the vendor — it becomes uncomfortable. For real.
Remote Access and the Internet — Often the Fastest Impact
In many environments, there is a historically evolved mix of:
- Different remote access tools
- Temporary solutions that became permanent
- Generous outbound internet access
Mapping this and replacing it with a single, controlled solution often delivers rapid risk reduction. When outbound traffic is restricted, many unwanted remote access paths disappear automatically.
A question we often ask the customer is:
“Why does that sewing machine need access to Facebook?”
There is rarely a good answer.
Draw the Target Architecture — Even If You Can’t Build It Today
Even if you don’t have the ability to rebuild everything, it is invaluable to:
- Sketch how you would design the environment from scratch
- Define clear principles for zones, flows, and access
- Use the target architecture as a compass for future decisions
This creates alignment between IT, OT, and the business — and ensures that every improvement becomes a step in the right direction, rather than an isolated point solution.
Final Thought
Understanding what actually happens when the major incident occurs is crucial. Many still believe it’s about a quick restore, and then everything goes back to normal.
It never does.
A threat actor has been inside. It is a crime scene. And if you don’t understand how they got in, they will do it again.
Truesec will run a full day of sessions on this topic; maybe you should attend (the event is in Swedish):
Konferens med Truesec – Processteknik (Conference with Truesec – Process Engineering)
In my everyday work I recover broken environments, and I rebuild and build new IT, OT and IoT environments that can stand a fight against threat actors, hardware failure and a really bad day. Need to know more? Ping me.
Mikael Nyström