IT/OT Convergence: Why Utilities Must Act Now to Fund Cyber Resilience

Valuable Defensive Trends in IT/OT Convergence Support Cost Justifications

By Jack Wagnon, Principal Consultant, SIM

Across the utility sector – whether electricity, water, wastewater, or gas – the convergence of information technology (IT) and operational technology (OT) is reshaping how critical infrastructure is monitored and defended. This convergence of IT and OT brings powerful opportunities for visibility, control, and efficiency, with an eye towards service resilience and recoverability. For leaders of utility districts and cooperatives, the question is no longer whether to act, but how soon.

A New Reality: Trends in IT/OT Convergence

Utilities are deploying IT/OT convergence strategies that were once only theoretical.

  • Unified Visibility & Monitoring is enabling system-wide detection of anomalies across enterprise IT, SCADA networks, and field sensors.
  • Zero Trust Expansion into OT ensures only verified users and devices access sensitive systems.
  • AI/ML for Predictive Defense leverages telemetry to spot irregularities before they become outages.
  • Edge Security & Micro-Segmentation isolates substations and pumping stations to contain breaches.
  • Regulatory Alignment with NERC CIP, EPA directives, and TSA mandates is forcing convergence into a compliance necessity, not just an operational choice.

The trend is clear: cyber and physical reliability are now inseparable.

The Security Imperative

Investment in core infrastructure defenses is overdue. Boards and constituents need to understand that basic upgrades are no longer optional. Key priorities include:

  • Network Segmentation & Firewalls for OT to separate operational networks from corporate IT.
  • Modernization of Legacy Systems like end-of-life PLCs and RTUs that cannot be secured.
  • Multi-Factor Authentication (MFA) Everywhere to stop credential misuse.
  • Encryption & Secure Protocols to eliminate clear-text industrial traffic.
  • Continuous Monitoring & Threat Intelligence using OT-aware intrusion detection tools.
  • Resilient Backup & Recovery with immutable system images ready for redeployment.

Each of these upgrades reduces the risk of cascading failures that could cripple essential services.

Resilience vs. Recovery: The Strategic Balance

Should utilities focus on preventing attacks or bouncing back after the inevitable breach? The answer is both, but with a weighted emphasis:

  • Primary Focus: Resilience—because outages to water or power services translate immediately into public health and safety risks.
  • Secondary Focus: Recovery—through tested incident response playbooks and pre-staged system images.

Boards should recognize that the best way to keep communities safe is to build a system that can absorb attacks without failing.

Making the Case: Positioning Defensive Costs to Buy Down Risk

Cybersecurity investments are often invisible, making them harder to justify. Utility leaders must reframe the conversation. The mantra is clear: cybersecurity is not overhead; it is core infrastructure protection.

  • Public Safety & Trust: Protecting clean water, grid reliability, and public confidence is non-negotiable.
  • Regulatory & Legal Liability: Penalties for non-compliance can reach millions; executives can be held personally liable.
  • Cost of Outage vs. Defense: A single day without power or water service can exceed the annual cybersecurity budget.
  • Insurance & Risk Transfer: Carriers now demand MFA, segmentation, and backups just to qualify for coverage.
  • Incremental Investment: Frame costs as phased, aligning with capital improvement plans and bond funding, rather than as one-time hits.

Call to Action for Critical Infrastructure Leaders

Utility district CEOs and GMs face a pivotal choice. The convergence of IT and OT is advancing rapidly, but adversaries are evolving faster. Cyber defense is no longer just a compliance checkbox; it is a frontline requirement for operational continuity and community safety.

Now is the time to proactively lobby for funding, educate boards and ratepayers, and implement phased investments in IT/OT hardening. Waiting for a major breach is not leadership – it is negligence.

The cost of inaction is measured not in dollars, but in blackouts, unsafe water, and broken trust. The communities you serve are counting on you to act before that happens.
