Hardening OT/IT Convergence Against State-Sponsored Threats
- APRIL 17TH, 2026
- 2 min read
The historical “air gap” between Operational Technology (OT) and Information Technology (IT) has effectively vanished. In the drive for “Industry 4.0” efficiency, organisations have connected legacy control systems (ICS/SCADA) to internet-facing IT networks.
State-sponsored actors are now actively exploiting this convergence, “living off the land” in IT networks to pre-position themselves for disruptive attacks against physical infrastructure. The severity of this threat was cemented by the February 2024 CISA and FBI Joint Advisory (AA24-038A) regarding the state-sponsored group, Volt Typhoon.
Investigators discovered that these actors had maintained persistent access within U.S. critical infrastructure IT networks for years, with the specific intent to pivot into OT networks and cause physical disruption during potential geopolitical conflicts.
Best Practices & Mitigation Strategies
We must treat OT as “Hostile Territory” and assume the IT network is already compromised.
Passive Asset Inventory (Fixing the Blind Spot)
You cannot defend what you cannot see; most OT networks contain 30-50% more devices than documented. Deploy passive scanning tools (e.g., Dragos, Nozomi, Claroty) that listen to network traffic without actively scanning ports (which can crash fragile legacy PLCs) to build a real-time asset map.
Strict Segmentation via Unidirectional Gateways
Standard firewalls are insufficient as they can be misconfigured to allow two-way traffic. Install Data Diodes (hardware unidirectional gateways) at the IT/OT boundary. These physically permit data to flow out for monitoring, but make it physically impossible for malicious packets to flow in.
Virtual Patching (Shielding the Unpatchable)
If you cannot patch a legacy Windows XP controller, you must shield it. Place legacy systems behind an OT-aware Intrusion Prevention System (IPS) that detects and blocks exploit traffic before it reaches the vulnerable machine.
Secure Jump Hosts & Implement MFA
Immediately identify all remote access points or “Jump Hosts” (e.g., TeamViewer, RDP) bridging IT and OT networks and enforce strict, phishing-resistant Multi-Factor Authentication (MFA) on them.
Identify and Isolate “Crown Jewels”
Analyse the production process to identify the specific PLCs that, if shut down, would halt 100% of production, and apply strict network whitelisting exclusively to them.
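The passive asset inventory and crown-jewel whitelisting points above, as an added example that is not part of the original advisory: it builds an asset map purely from observed flow records (no probes sent to the PLCs), lists devices that are missing from the documented inventory, and flags traffic to a crown-jewel PLC from any host outside its whitelist. The flow records, the documented inventory, the whitelist and the port-to-protocol mapping are all constructed sample data.

```python
# Added example (not from the advisory): passive OT asset discovery from
# observed flow records, plus a whitelist check for "crown jewel" PLCs.
# All flows, inventory entries and whitelist values below are constructed.
from collections import defaultdict

# Well-known TCP ports of common industrial protocols, used for passive
# fingerprinting of what a device speaks without ever scanning it.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed flow records as a passive sensor would emit them: (src, dst, dst_port).
SAMPLE_FLOWS = [
    ("10.20.1.10", "192.168.50.11", 502),    # HMI polling a documented PLC
    ("10.20.1.10", "192.168.50.12", 502),    # HMI polling a documented PLC
    ("10.20.1.10", "192.168.50.37", 502),    # undocumented PLC answering Modbus
    ("10.20.1.44", "192.168.50.11", 102),    # engineering workstation -> PLC (S7)
    ("10.0.5.9",   "192.168.50.11", 502),    # IT-side host reaching crown-jewel PLC
    ("10.20.1.10", "192.168.50.99", 44818),  # undocumented EtherNet/IP device
]

DOCUMENTED_ASSETS = {"192.168.50.11", "192.168.50.12"}
# Crown-jewel PLCs and the only hosts permitted to talk to each of them.
CROWN_JEWEL_WHITELIST = {"192.168.50.11": {"10.20.1.10", "10.20.1.44"}}

def passive_inventory(flows):
    """Build {device_ip: set(protocols)} from flows, without touching the PLCs."""
    assets = defaultdict(set)
    for _src, dst, port in flows:
        if port in ICS_PORTS:
            assets[dst].add(ICS_PORTS[port])
    return dict(assets)

def undocumented_devices(flows, documented):
    """Devices seen speaking an ICS protocol that the inventory does not list."""
    return sorted(ip for ip in passive_inventory(flows) if ip not in documented)

def crown_jewel_violations(flows, whitelist):
    """Flows to a crown-jewel PLC from a source outside that PLC's whitelist."""
    return [(src, dst, port) for src, dst, port in flows
            if dst in whitelist and src not in whitelist[dst]]

if __name__ == "__main__":
    print("inventory:", passive_inventory(SAMPLE_FLOWS))
    print("undocumented:", undocumented_devices(SAMPLE_FLOWS, DOCUMENTED_ASSETS))
    print("violations:", crown_jewel_violations(SAMPLE_FLOWS, CROWN_JEWEL_WHITELIST))
```

In a real deployment the flow records would come from a SPAN/TAP feed or a passive OT sensor, and the violation list would feed the IPS or SIEM rather than stdout.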
In OT security, Safety is the ultimate metric. A cyber breach in an industrial environment isn’t just an IT inconvenience; it is a physical safety risk. We secure these systems not just to protect data, but to protect human lives and our physical world.