The Convergence Reality
IT/OT convergence is no longer a future state to prepare for. It is the operating reality for most organisations in energy, water, oil and gas, transport, manufacturing, and critical national infrastructure. Historically isolated SCADA, DCS, and PLC systems are now connected to corporate IT networks. Distributed energy resources, smart grids, and remote monitoring platforms have extended the operational perimeter far beyond the traditional control room.
The security industry has responded primarily with technical solutions: network segmentation, industrial firewalls, OT-aware monitoring, and anomaly detection. These are necessary investments. But they address only one dimension of the convergence challenge — the network dimension. The governance dimension, which determines whether an organisation can demonstrate coherent assurance across both IT and OT, remains largely unresolved.
Two Domains, Two Governance Cultures
The difficulty is structural. IT and OT have developed their security governance independently, with different frameworks, different risk models, different evidence cultures, and often different organisational reporting lines. IT security is typically governed through ISO 27001, with risk framed around confidentiality, integrity, and availability. OT security is governed through IEC 62443, with risk framed around safety, reliability, and process continuity.
These are not merely different standards asking the same questions in different ways. They reflect fundamentally different operational priorities. In IT, a control failure typically results in data loss, service disruption, or regulatory penalty. In OT, a control failure can result in physical harm, environmental damage, or loss of life. Patching cycles that are routine in IT may be impractical or dangerous in OT, where system availability is measured in years of continuous operation and where unscheduled downtime carries safety implications.
The result is that most organisations manage IT and OT security as parallel programmes: separate control sets, separate evidence repositories, separate risk registers, separate reporting lines. Each programme may be individually sound, but the organisation lacks a unified view of its assurance posture across the converged environment.
Why Network Solutions Alone Are Insufficient
Network segmentation, monitoring, and firewalling address the attack surface created by convergence. They reduce the likelihood that a compromise in one domain propagates to the other. This is essential work. But it does not answer the governance questions that boards, regulators, and operational stakeholders increasingly need answered.
Questions such as: which controls span both IT and OT, and are they assessed consistently? Where evidence supports a control in one domain, does it satisfy the equivalent requirement in the other? If a vulnerability is identified in a shared system, which risk register captures it, and which governance process drives remediation? When the board receives a cyber risk report, does it reflect the converged environment or only the IT estate?
These are governance questions, not network architecture questions. And they cannot be answered by monitoring tools, no matter how capable those tools are. They require a governance model that treats IT and OT as a single assurance domain whilst respecting the operational differences between them.
The Regulatory Pressure
Regulatory expectations are accelerating this governance requirement. The NCSC Cyber Assessment Framework applies to operators of essential services across both IT and OT. The NIS Regulations — and the forthcoming UK Cyber Security and Resilience Bill — do not distinguish between IT and OT when defining security obligations. IEC 62443 applies specifically to industrial automation and control systems but must coexist with enterprise-wide frameworks like ISO 27001.
Organisations operating under multiple concurrent regulatory obligations — NIS, CAF, IEC 62443, sector-specific instruments from Ofgem, the CAA, or the ONR — face a compounding problem. Each framework expects evidence of effective governance. When IT and OT are governed separately, the organisation must produce separate evidence sets for each, with no mechanism to demonstrate coherent, cross-domain assurance. The duplication is not just inefficient; it creates inconsistency, because the same underlying control may be described, assessed, and evidenced differently depending on which framework lens is being applied.
The Safety-Security Intersection
Perhaps the most consequential governance gap in converged environments is the intersection of safety and security. OT environments frequently include safety instrumented systems designed to prevent hazardous conditions. These systems have their own integrity requirements, often governed under IEC 61511 or sector-specific safety standards.
Security controls applied to OT environments must not compromise safety system operation. A firewall rule that blocks unexpected traffic may also block a safety system communication path. A patching regime designed for IT systems may destabilise a safety-critical controller. An access control policy that strengthens authentication may impede emergency shutdown procedures.
Managing this intersection requires explicit governance: documented safety-security dependencies, joint risk assessment processes, and assurance models that evaluate security controls in the context of their safety impact. This cannot be achieved through network segmentation alone. It requires a governance framework that models the relationship between safety and security controls and ensures that improvements in one domain do not create risks in the other.
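One concrete form the "documented safety-security dependencies" can take is a register of the communication paths each safety function relies on, checked automatically against any proposed firewall change before it is deployed. The following is an added illustrative example, not code from the original article: the zones, ports, safety-path register entries, document references and candidate rules are all constructed, and the firewall is assumed to use first-match semantics with a default-deny policy.

```python
"""Joint safety/security review: check proposed zone-to-zone firewall rules
against a register of documented safety communication paths.

Added illustrative example, not code from the original article. Every zone,
port, safety function, document reference and rule below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SafetyPath:
    """A communication path that a safety function depends on (constructed)."""
    path_id: str
    src_zone: str
    dst_zone: str
    protocol: str
    port: int
    safety_function: str   # the safety function this path supports
    documented_in: str     # where the dependency is recorded (placeholder refs)


@dataclass(frozen=True)
class FirewallRule:
    """One entry of an ordered ruleset; None port = any port."""
    rule_id: str
    action: str            # "allow" or "deny"
    src_zone: str
    dst_zone: str
    protocol: str          # "tcp", "udp" or "any"
    port: Optional[int]


def rule_matches_path(rule: FirewallRule, path: SafetyPath) -> bool:
    """True if the rule's match criteria cover this path's traffic."""
    return (
        rule.src_zone == path.src_zone
        and rule.dst_zone == path.dst_zone
        and rule.protocol in ("any", path.protocol)
        and rule.port in (None, path.port)
    )


def review_ruleset(rules: List[FirewallRule], paths: List[SafetyPath]) -> List[dict]:
    """Return one finding per safety path the ruleset would block.

    First matching rule decides (assumed first-match semantics); a path that
    no rule matches is treated as blocked by the assumed default-deny policy.
    """
    findings = []
    for path in paths:
        verdict, deciding = "deny", None          # assumed default: deny
        for rule in rules:
            if rule_matches_path(rule, path):
                verdict, deciding = rule.action, rule.rule_id
                break
        if verdict == "deny":
            findings.append({
                "path": path.path_id,
                "safety_function": path.safety_function,
                "blocked_by": deciding or "default-deny",
                "documented_in": path.documented_in,
            })
    return findings


# Constructed safety-path register (document references are placeholders).
PATHS = [
    SafetyPath("SP-01", "zone-sis", "zone-bpcs", "tcp", 502,
               "SIF-12 shutdown status to BPCS", "SRS rev 4, section 6.2"),
    SafetyPath("SP-02", "zone-sis", "zone-eng", "tcp", 44818,
               "SIS bypass management from engineering workstation", "SRS rev 4, section 7.1"),
    SafetyPath("SP-03", "zone-bpcs", "zone-sis", "tcp", 502,
               "BPCS read of SIS diagnostic status", "SRS rev 4, section 6.3"),
]

# Constructed proposed ruleset: FW-20 is a new hardening rule under review.
RULES = [
    FirewallRule("FW-10", "allow", "zone-sis", "zone-bpcs", "tcp", 502),
    FirewallRule("FW-20", "deny", "zone-sis", "zone-eng", "any", None),
]


def example_review() -> List[dict]:
    """Run the joint review over the constructed register and ruleset."""
    return review_ruleset(RULES, PATHS)


if __name__ == "__main__":
    for finding in example_review():
        print(f"{finding['path']}: blocked by {finding['blocked_by']} "
              f"({finding['safety_function']}; see {finding['documented_in']})")
```

The value of the check is in the register, not the matching: once safety dependencies are recorded with their source document, the same function can gate any rule change, and a finding that cites the safety requirements specification gives the security and safety engineers a shared reference for the joint risk assessment the text calls for.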
Towards Unified Assurance
Resolving the governance challenge requires a model that achieves three things simultaneously. First, it must provide a single control baseline that spans both IT and OT, so that controls are defined once, assessed once, and evidenced once — regardless of which framework lens is applied. This eliminates the duplication that fragments evidence and creates inconsistency between parallel programmes.
Second, it must respect the operational differences between IT and OT without forcing either domain into a framework designed for the other. OT-specific controls — zone and conduit architecture, security level targeting, safety instrumented system governance, industrial protocol security — must be modelled as dedicated extensions to the baseline, not as awkward adaptations of IT controls. This is the difference between a governance model that accommodates OT and one that is genuinely designed for it.
Third, it must produce a unified assurance view that gives boards and regulators genuine confidence in the organisation's converged security posture. This means a single reporting model that synthesises IT and OT compliance status, maturity scores, risk treatment positions, and evidence currency — not separate reports from separate teams using separate methodologies.
The Evidence Challenge
A unified governance model also requires rethinking what constitutes valid evidence in converged environments. IT evidence cultures tend towards policy documents, access control reports, vulnerability scans, and audit logs. OT evidence cultures tend towards engineering drawings, process and instrumentation diagrams, network architecture documentation, configuration baselines, and commissioning records.
Both are legitimate evidence types, but they must be managed within a single evidence lifecycle if the organisation is to maintain coherent assurance. Evidence must be linked to specific controls, refreshed within defined cycles, and traceable to its source — regardless of whether it originates from an IT system or an OT environment. Without this discipline, the organisation may be able to demonstrate compliance for each domain individually, but cannot demonstrate unified assurance across the converged estate.
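The three requirements set out under "Towards Unified Assurance" (one baseline, OT-specific extensions, one reporting view) and the single evidence lifecycle described here can be expressed as one data model. The following is an added illustrative example, not code or a tool from the original article: each control is defined and assessed once, carries cross-references to the frameworks that ask for it, applies to IT, OT or both, and holds evidence records with a source and a refresh cycle. The control titles, framework cross-references, evidence records and dates are constructed for the example, and the clause identifiers are illustrative mappings rather than an authoritative crosswalk.

```python
"""One control baseline, several framework lenses, one evidence lifecycle.

Added illustrative example, not code from the original article. Controls,
framework cross-references (illustrative, not an authoritative crosswalk),
evidence records and the reporting date are all constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class Evidence:
    evidence_id: str
    source: str            # system or record the evidence is traceable to
    collected: date
    refresh_days: int      # defined refresh cycle for this evidence type

    def is_current(self, today: date) -> bool:
        return today - self.collected <= timedelta(days=self.refresh_days)


@dataclass
class Control:
    control_id: str
    title: str
    domains: FrozenSet[str]            # {"IT"}, {"OT"} or {"IT", "OT"}
    framework_refs: Dict[str, str]     # framework -> clause reference (illustrative)
    status: str                        # single assessment result
    evidence: List[Evidence] = field(default_factory=list)

    def evidenced_and_current(self, today: date) -> bool:
        return bool(self.evidence) and all(e.is_current(today) for e in self.evidence)


def framework_view(baseline: List[Control], framework: str, today: date) -> Dict[str, dict]:
    """Project the single assessment onto one framework's requirement references."""
    view = {}
    for c in baseline:
        ref = c.framework_refs.get(framework)
        if ref is not None:
            view[ref] = {"control": c.control_id, "status": c.status,
                         "evidence_current": c.evidenced_and_current(today)}
    return view


def stale_evidence(baseline: List[Control], today: date) -> List[Tuple[str, str]]:
    """Evidence items past their refresh cycle, whichever domain they come from."""
    return [(c.control_id, e.evidence_id)
            for c in baseline for e in c.evidence if not e.is_current(today)]


def unified_report(baseline: List[Control], today: date) -> dict:
    """One reporting view across IT and OT from the same assessed baseline."""
    report = {}
    for domain in ("IT", "OT"):
        applicable = [c for c in baseline if domain in c.domains]
        report[domain] = {
            "controls": len(applicable),
            "effective": sum(1 for c in applicable if c.status == "effective"),
            "unevidenced": [c.control_id for c in applicable if not c.evidence],
        }
    report["stale_evidence"] = stale_evidence(baseline, today)
    return report


# Constructed reporting date and baseline; clause references are illustrative.
TODAY = date(2025, 6, 30)
BASELINE = [
    Control("UC-01", "Technical vulnerability management", frozenset({"IT", "OT"}),
            {"ISO27001": "A.8.8", "IEC62443-2-3": "patch management", "CAF": "B4.d"},
            "effective",
            [Evidence("EV-101", "vulnerability scanner export", date(2025, 6, 1), 30),
             Evidence("EV-102", "OT asset inventory baseline", date(2025, 1, 15), 90)]),
    Control("UC-02", "Zone and conduit segmentation", frozenset({"OT"}),
            {"IEC62443-3-2": "ZCR 3", "CAF": "B4.a"},
            "partial",
            [Evidence("EV-201", "network architecture drawing", date(2025, 4, 1), 180)]),
    Control("UC-03", "User access rights review", frozenset({"IT"}),
            {"ISO27001": "A.5.18"},
            "effective", []),
    Control("UC-04", "Safety instrumented system change control", frozenset({"OT"}),
            {"CAF": "B4.c"},
            "effective",
            [Evidence("EV-401", "management-of-change record", date(2025, 6, 20), 365)]),
]


if __name__ == "__main__":
    print(unified_report(BASELINE, TODAY))
    print(framework_view(BASELINE, "ISO27001", TODAY))
```

Because UC-01 is assessed once, the ISO 27001 and CAF views both report the same status and the same stale OT evidence item; the inconsistency the text describes (one control described and evidenced differently per framework) cannot arise from this structure, and the unified report exposes the IT control with no evidence at all alongside the OT evidence that has lapsed.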
The Bottom Line
IT/OT convergence is a governance problem that manifests as a network problem. Organisations that address only the network dimension — segmentation, monitoring, firewalling — manage the technical attack surface but leave the governance gap unresolved. The harder, more consequential work is building a unified assurance model that spans both domains: one control baseline, one evidence lifecycle, one assessment process, one reporting view.
Until the governance model catches up with the network reality, organisations will continue to manage converged environments through parallel programmes that are individually compliant but collectively incoherent.