Air gaps and static perimeters fail because modern OT rarely stays isolated. Hybrid connectivity, remote administration, and virtualised gateways create new paths that traditional zone designs do not capture. Once those paths exist, attackers can traverse them laterally unless access policy, monitoring, and containment are updated to reflect the live environment.
Why This Matters for Security Teams
IT/OT convergence changes the security model from isolated zones to connected services, shared identities, and operational dependencies. That makes air gaps and static perimeters fragile assumptions rather than reliable controls. Once engineering workstations, remote vendors, historians, or cloud connectors become part of the path, security teams need a live control model that reflects actual trust relationships, not diagrams frozen at design time. The NIST Cybersecurity Framework 2.0 is useful here because it pushes organisations to manage outcomes across governance, identification, protection, detection, response, and recovery rather than relying on boundary myths.
The main risk is that defenders assume the perimeter still contains the blast radius, while attackers target the administrative routes, protocol bridges, and supplier access that bypass it. In OT, those routes often exist for valid operational reasons, which is why simplistic deny-all models usually fail in practice. The real task is to reduce implicit trust, expose all access paths, and treat every exception as a control that must be monitored and reviewed. In practice, many security teams encounter perimeter failure only after remote access or vendor connectivity has already become business-critical, rather than through intentional architecture review.
How It Works in Practice
Effective convergence security starts by mapping every pathway into the operational environment, including remote support tools, jump servers, cloud management planes, data historians, API bridges, and engineering laptops. Static segmentation alone is not enough if identities can move across zones or if shared credentials can be reused on both IT and OT assets. Best practice is evolving toward identity-aware access, strong device posture checks, continuous logging, and explicit approval for high-risk actions. Where remote privileged access is unavoidable, many organisations align the operational model with CISA Zero Trust guidance and apply least privilege with short-lived elevation rather than standing administrative reach.
A practical control pattern usually includes:
- Separate administrative identities for IT and OT, with no shared credentials.
- Brokered remote access through monitored jump points rather than direct device-to-device links.
- Asset and protocol inventory that includes vendor tools, virtual appliances, and maintenance interfaces.
- Telemetry from identity, network, endpoint, and process layers so anomalous access can be correlated quickly.
- Containment plans that assume perimeter compromise and focus on stopping lateral movement and unsafe commands.
For asset visibility and control validation, many teams also use the CISA Known Exploited Vulnerabilities Catalog to prioritise exposed systems that sit on convergence paths. The operational reality is that OT security is as much about trusted pathways and change control as it is about network boundaries. These controls tend to break down when legacy controllers require flat trust relationships and direct vendor access because compensating monitoring cannot fully inspect proprietary traffic or safety-critical command paths.
Common Variations and Edge Cases
Tighter segmentation often increases operational friction, requiring organisations to balance safety and uptime against faster maintenance and troubleshooting. That tradeoff becomes especially sharp in plants that rely on legacy controllers, outsourced support, or thinly documented integrator dependencies. Current guidance suggests that the goal is not to eliminate every connection, but to make every connection explicit, justified, and observable.
There are important edge cases. Some OT environments cannot tolerate aggressive authentication changes, which means identity controls may need phased deployment around maintenance windows and vendor agreements. In highly regulated sectors, converged environments may also need to align with NIS2 expectations for resilience and incident handling, especially where operational outage has wider service impact. The security lesson is that air gaps are often replaced by “connected gaps” such as jump hosts, wireless maintenance links, or cloud-managed OT tooling. That is where identity governance matters most, because access paths now behave like NHI or privileged admin routes rather than fixed physical boundaries. A final edge case is safety engineering: some systems prioritise deterministic availability over rapid patching, so monitoring and recovery controls often provide more value than attempting perfect isolation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the technical controls, and NIS2 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Converged IT/OT access paths need explicit identity and access governance. |
| NIST Zero Trust (SP 800-207) | SA-4 | Static perimeters fail where trust is implicit and access is broad. |
| NIS2 | Critical service resilience and incident response are central in converged environments. | |
| OWASP Non-Human Identity Top 10 | Shared machine and service identities often create hidden OT traversal paths. |
Build incident handling and recovery plans that assume perimeter compromise and operational disruption.