Most IT networking professionals are so busy with their day-to-day responsibilities that they don’t have time to consider taking on more work. But for companies with an industrial component, there’s an elephant in the room that is clamoring for attention. I’m talking about the increasingly common convergence of IT and operational technology (OT) networking and security.

Traditionally, IT and OT have had very separate roles in an organization. IT is typically tasked with moving data between computers and humans, whereas OT is tasked with moving data between “things,” such as sensors, actuators, smart machines, and other devices to enhance manufacturing and industrial processes. Not only were the roles for IT and OT completely separate, but their technologies and networks were, too.

That’s changing, however, as companies want to collect telemetry data from the OT side to drive analytics and business processes on the IT side. The lines between the two sides are blurring, and this has big implications for IT networking and security teams.

“This convergence of IT and OT systems is absolutely on the increase, and it’s especially affecting the industries that are in the business of producing things, whatever those things happen to be,” according to Jeff Hussey, CEO of Tempered Networks, which is working to help bridge the gap between the two. “There are devices on the OT side that are increasingly networked but without any security to those networks. Their operators historically relied on an air gap between the networks of devices, but those gaps no longer exist. The complexity of the environment and the expansive attack surface that is created as a result of connecting all of these devices to corporate networks massively increases the tasks needed to secure even the traditional networks, much less the expanded converged networks.”

Hussey is well versed in the cultural and technology issues in this arena. When asked if IT and OT people are working together to integrate their networks, he says, “That would be ideal, but it’s not really what we see in the marketplace. Typically, we see some acrimony between these two groups.”

Hussey explains that the groups move at different paces.

“The OT groups think in terms of 10-plus year cycles, whereas the IT groups think in terms of three-plus year cycles,” he says. “There’s a lot more change and iteration in IT environments than there is in OT environments, which are traditionally extremely static. But now companies want to bring telemetry data that is produced by OT devices back to some workload in a data center or in a cloud. That forces a requirement for secure connectivity because of corporate governance or regulatory requirements, and this is when we most often see the two groups clash.”

Based on the situations Hussey has observed so far, the onus to connect and secure the disparate networks falls to the IT side of the house. This is a big challenge because the tools that have traditionally been used for security in IT environments aren’t necessarily appropriate or applicable in OT environments. IT and OT systems have very different protocols and operating systems. It’s not practical to try to create network segmentation using firewall rules, access control lists, VLANs, or VPNs because those things can’t scale to the workloads presented in OT environments.

OT practices create IT security concerns

Steve Fey, CEO of Totem Building Cybersecurity, concurs with Hussey and points out another significant issue in trying to integrate the networking and security aspects of IT and OT systems. In the OT world, it’s often the device vendors or their local contractors who manage and maintain all aspects of the device, typically through remote access. These vendors even install the remote access capabilities and set up the users. “This is completely opposite to how it should be done from a cybersecurity policy perspective,” says Fey. And yet, it’s common today in many industrial environments.

Fey’s company is in the building controls industry, which automates control of everything from elevators and HVAC systems to lighting and life safety systems in commercial buildings.

“The building controls industry, in particular, is one that’s characterized by a completely different buying and decision-making culture than in enterprise IT. Everything from how the systems are engineered, purchased, installed, and supported is very different than the equivalent world of enterprise IT. Even the suppliers are largely different,” says Fey. “This is another aspect of the cultural challenge between IT and OT teams. They are two worlds that are having to figure each other out because of the cyber threats that pose a risk to these control systems.”

Fey says major corporate entities are just waking up to the reality of this massive threat surface, whether it’s in their buildings or their manufacturing processes.

“There’s a dire need to overcome decades of installed OT systems that have been incorrectly configured and incorrectly operated without the security policies and safeguards that are normal to enterprise IT. But the toolsets for these environments are incompatible, and the cultural differences are great,” he says.

Totem’s goal is to bridge this gap with a specific focus on cyber and to provide a toolset that is recognizable to the enterprise IT world.

Both Hussey and Fey say it’s likely that IT groups will be charged with leading the convergence of IT and OT networks, but they must include their OT counterparts in the efforts. There are big cultural and technical gaps to bridge to deliver the results that industrial companies are hoping to achieve.