
In January 2025, Southern Water became the latest utility to face operational disruption from a cyber incident. Just months earlier, American Water, the largest water utility in the U.S., shut down customer portals and billing systems following a ransomware attack. These aren’t isolated incidents. According to Dragos, industrial ransomware victims surged 87% year-on-year in 2024, with 1,693 organizations appearing on leak sites [1].
What unites these attacks isn’t sophisticated Operational Technology (OT) exploitation; it’s the cascading impact of IT compromises on industrial operations. As digital transformation accelerates, the boundary between IT and OT has dissolved, creating interdependencies that many organizations fail to address. Building cyber resilience demands fundamental changes in how IT and OT teams collaborate.
Breaking down dangerous silos
For decades, IT and OT operated independently. IT prioritized data confidentiality and system standardization. OT focused on safety, reliability, and continuous uptime. This separation worked when industrial control systems remained isolated, but modern operations depend on interconnected systems where enterprise platforms feed production schedules and SCADA data streams to cloud analytics.
Threats have evolved faster than organizational structures. In September 2024, attackers breached Arkansas City’s water treatment facility, gaining access to operational systems [2]. Manufacturing now accounts for 69% of all industrial ransomware cases, with attackers understanding that production downtime creates intense pressure for ransom payments [3]. Adversaries are not just targeting IT systems; they’re studying how IT failures cascade into operational shutdowns.
Building a shared security focus between IT and OT teams isn’t optional. It’s essential for operational survival.
Reframing security as safety protection
Many OT professionals worry that an excessive focus on cybersecurity could introduce failure points that compromise critical systems and jeopardize safety. Given that poorly implemented security has historically caused operational disruptions, this concern is not misplaced.
Yet, recent incidents prove cybersecurity has become inseparable from safety. Water sector attacks attempting to manipulate chemical dosing, ransomware disabling safety systems, and targeted intrusions into industrial controls demonstrate that cyber threats directly target human safety.
Training programs must help OT teams understand this evolution. Properly implemented security enhances safety by:
- Protecting safety-critical systems from unauthorized modifications
- Securing remote access to prevent malicious manipulation
- Containing incidents through network segmentation
- Maintaining the integrity of safety logic and control systems
When OT professionals recognize security as essential to protecting their safety systems, resistance transforms into advocacy.
Building mutual understanding
IT professionals often don’t grasp OT’s unique operational requirements. In enterprise IT, rebooting a server is routine. In OT environments, an unplanned shutdown might cost millions, damage equipment, or risk lives. Availability isn’t a business preference; it’s often a safety imperative.
That control system running Windows XP isn’t necessarily negligent. It might be a validated system requiring extensive regulatory testing for any changes. Patching cycles measured in months reflect the complexity of testing modifications where mistakes have physical consequences.
Successful organizations create immersive cross-training programs. IT staff should be given opportunities to shadow OT operations, witnessing firsthand how five-minute network outages can spoil entire pharmaceutical batches or destabilize chemical processes. This experiential learning builds empathy that no documentation can provide.
Understanding critical interdependencies
Modern industrial operations reveal IT/OT interdependence everywhere:
- Manufacturing execution systems depend on ERP data
- SCADA systems require IT network infrastructure
- Remote monitoring relies on VPN and authentication systems
- Billing and logistics systems enable continuous operations
The Colonial Pipeline incident in 2021 exemplified these connections. IT ransomware never touched operational systems, yet a billing system failure forced a voluntary pipeline shutdown. Organizations must recognize these dependencies before adversaries exploit them.
IT teams must understand they’re safeguarding industrial processes with safety, environmental, and economic impacts. OT teams must acknowledge that their systems no longer operate in isolation.
Navigating complex regulatory requirements
OT cybersecurity regulations present unique challenges spanning multiple jurisdictions:
EU NIS2 directive mandates risk-based controls for essential entities, including energy, water, and manufacturing, with penalties up to €10 million or 2% of global turnover [4].
UK National Cyber Security Centre CAF v3 now explicitly maps to OT environments, requiring organizations to demonstrate resilience across 14 principles, including supply chain security [5].
US regulations include NERC CIP for electric utilities, TSA Security Directives for pipelines, and the SEC’s cyber-incident disclosure rule forcing public companies to reveal material OT downtime [6].
Success requires IT teams to understand not just what regulations require, but why. Extensive change control protects against introducing instabilities in life-critical systems. This understanding transforms compliance from a burden to a framework for secure operations.
Four-part IT/OT resilience playbook
1. Map dependencies
Create a single view showing which OT units rely on which IT services. Document data flows, authentication dependencies, and network connections.
2. Implement defense-in-depth
Apply IEC 62443 zones and conduits, deploy unidirectional gateways for critical systems, and maintain tested failsafes that prioritize safety.
3. Conduct joint cyber incident drills
Include OT engineers in ransomware tabletop exercises. Practice scenarios where IT failures impact operations. Build muscle memory for crisis response.
4. Measure what matters
Develop shared KPIs: mean-time-to-recovery for production lines, incidents reaching Safety Integrity Level limits, percentage of critical OT assets with current security patches.
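The dependency map from step 1 can be kept as data and queried for the question the Colonial Pipeline case raises: which OT units stop when a given IT service fails. The sketch below is an added example, not part of the original article; every service name and edge in it is a constructed, hypothetical sample.

```python
from collections import defaultdict, deque

# Constructed sample map (hypothetical names). Each edge reads
# "dependent relies on dependency" and records the kind of link:
# data flow, authentication dependency, or network connection.
DEPENDENCIES = [
    ("mes", "erp", "data"),
    ("packaging-line", "mes", "data"),
    ("scada", "plant-network", "network"),
    ("plant-network", "core-network", "network"),
    ("historian", "scada", "data"),
    ("remote-monitoring", "vpn", "network"),
    ("vpn", "active-directory", "auth"),
    ("dispatch", "billing", "data"),
]
OT_UNITS = {"mes", "packaging-line", "scada", "historian",
            "remote-monitoring", "dispatch"}


def build_reverse_index(edges):
    """Map each service to the set of things that rely on it directly."""
    dependents = defaultdict(set)
    for dependent, dependency, _kind in edges:
        dependents[dependency].add(dependent)
    return dependents


def impacted_ot_units(failed_service, edges=DEPENDENCIES, ot_units=OT_UNITS):
    """Return OT units that lose a direct or transitive dependency."""
    dependents = build_reverse_index(edges)
    seen, queue = set(), deque([failed_service])
    while queue:
        node = queue.popleft()
        for dep in dependents.get(node, ()):
            if dep not in seen:  # the seen set also stops cycles looping
                seen.add(dep)
                queue.append(dep)
    return sorted(seen & ot_units)


def single_points_of_failure(edges=DEPENDENCIES, ot_units=OT_UNITS, threshold=2):
    """IT services whose loss affects at least `threshold` OT units."""
    it_services = {dependency for _, dependency, _ in edges} - ot_units
    impact = {s: impacted_ot_units(s, edges, ot_units) for s in it_services}
    return {s: units for s, units in impact.items() if len(units) >= threshold}


if __name__ == "__main__":
    for service in ("billing", "active-directory", "core-network"):
        print(service, "->", impacted_ot_units(service))
```

The services returned by `single_points_of_failure` are natural candidates for the joint drills in step 3.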
Building sustainable cyber resilience
Creating effective IT/OT collaboration requires sustained commitment:
Integrated governance: Establish cybersecurity governance that includes both IT and OT representatives, ensuring decisions consider operational impacts alongside security benefits.
Common language: Develop terminology that both teams understand. For example, instead of talking about “data loss,” frame the risk as “loss of view or control,” a concept OT engineers immediately recognise as a threat to operational safety.
Continuous learning: Technology and threats evolve rapidly. Regular joint training ensures teams stay current on emerging threats and defensive capabilities.
Shared accountability: Move beyond blame when incidents occur. Focus on systematic improvements that strengthen overall resilience.
The path forward
As industrial ransomware accelerates and regulations tighten globally, maintaining separation between IT and OT teams is a luxury organizations cannot afford. The convergence of these domains isn’t just a technology trend; it’s an operational reality demanding new approaches.
Building cyber resilience requires leveraging both teams’ strengths: IT’s security expertise and OT’s operational knowledge. Organizations that successfully bridge this divide position themselves to defend against current threats while adapting to future challenges.
The question isn’t whether IT and OT teams should collaborate on cybersecurity. It’s how quickly organizations can break down silos before adversaries exploit them. In an interconnected industrial landscape, unified cyber defense isn’t merely beneficial. It’s essential for operational survival.
References
[1] Dragos Year in Review 2024: ICS/OT Cybersecurity, January 2025
[2] Arkansas City Water Treatment Facility Breach Report, September 2024
[3] Dragos Industrial Ransomware Analysis, Q4 2024
[4] EU NIS2 Directive Implementation Guidelines, October 2024
[5] UK NCSC Cyber Assessment Framework v3.0, 2024
[6] SEC Cybersecurity Risk Management Rules, December 2023