When IT and OT meet: 3 classic mistakes management should avoid
Many energy and utility companies have significantly strengthened their work with cybersecurity in recent years. But as data, integrations and digital tools move closer to physical operations, a new management challenge emerges:
How do you create security when IT and OT systems can no longer be considered separately?
This question is becoming increasingly important in the energy and utility sector, where digital solutions are becoming an integral part of critical operations. As the dependencies between IT and OT grow and become more critical to operations, it becomes clear that classic IT measures do not always work as intended in OT environments.
On the contrary, security measures that make good sense in administrative systems can create new problems when transferred directly into production and operations.
The perspectives in this post are based on experience and recommendations from Mjølner’s domain experts within the energy and utility sector, Jakob Hviid and André Bryde Alnor, as well as our partner Jørgen Hartig from SecuriOT.
In a previous post, we gathered 5 concrete recommendations for management on OT security. You can read it here.
In this post, we focus on 3 classic mistakes management should avoid when IT and OT meet.
1. Treating OT like ordinary IT security
The first mistake is to assume that OT can be secured using the same toolbox as IT.
At first glance, that seems logical. If something is cyber-related, IT security must be the natural answer. But there is a crucial difference: in IT, security is typically about protecting data, users and systems. In OT, security is largely about keeping operations running, ensuring uptime and preventing errors or attacks from having physical consequences.
OT security is therefore not only a question of protecting against malware or unauthorised access. It is also about ensuring that the company can continue operating when something goes wrong:
“The overriding focus areas are uptime and safety, meaning the safety of our employees. Uptime can be affected by many things, and malware can of course be one of them. But handling physical hardware failures in the supply chain, access to backup and contingency plans are major focus areas in OT. That is why the starting point for OT security is different.”
This is a crucial difference. While IT security often starts with access, data and system protection, OT security largely starts with the ability of operations to continue – even when something fails.
Jakob Hviid, Senior Solution Architect at Mjølner, points to the same fundamental difference between the two worlds. While IT can often respond to an incident by shutting down, isolating or rapidly changing systems, the premise is different in OT:
“In the OT world, it is about how you maintain the highest possible uptime. Security has a different perspective. It is also about physical infrastructure, spare parts, redundancy and contingency plans.”
Jørgen points out that classic IT requirements can create new risks if they are transferred directly to OT. He mentions an example from a company where a strict password policy was also applied on the production line, requiring operators working in three-shift rotation to log in with long passwords on an HMI. In an administrative IT context, that may seem sensible. But in an operational situation where fast action is required, it can have the opposite effect:
“The operator controlling this tank may not be able to remember their 13-character password in a critical situation. That could mean the tank explodes. It simply does not make sense.”
Jørgen’s point is simple: A strong password requirement may be sensible in an administrative system, but it can create a new risk in a critical operational situation where an operator needs to react quickly. When a security control is designed based on IT logic alone, it may come into conflict with the reality of OT.
This does not mean that classic IT controls are wrong. But it does mean that they cannot be copied directly into OT without being assessed in the right context.
For management, the lesson is clear: Security in OT must be assessed based on its consequences for operations, uptime and physical safety – not only based on whether the control looks right on paper.
2. Underestimating how integration between IT and OT changes the risk landscape
The second mistake is to see integration between IT and OT systems as a pure gain.
In practice, integration offers significant benefits. Data from plants and operations can be used for analysis, planning, troubleshooting, decision support and optimisation. It is an important part of the sector’s digital development.
André Bryde Alnor, Energy Solution Strategist at Mjølner, highlights that more and more digital solutions today are built on operational data:
“There are more and more decision-support tools being built for people working in control centres, owning a fleet of assets or maintaining facilities – and they are deeply dependent on data from OT environments.”
This creates major opportunities. But it also creates new dependencies.
When more systems, suppliers and business-critical processes are connected, the risk landscape becomes more complex. A decision about digitalisation is therefore not only a technical decision. It is also a management decision about risk, responsibility and resilience.
For André, the central question is therefore how companies can realise the benefits of modern architecture and better decision support without weakening security:
“How do you move towards a more modern architecture, and how can you create decision support with modern tools – without compromising security?”
In other words, digitalisation should not be stopped. But it must be carried out with an understanding of the new dependencies it creates.
“When IT and OT become more closely connected, some of the scenarios that were previously less likely suddenly become more realistic.”
This applies, for example, to supplier access, remote support, data exchange and other connections established to support efficient operations.
This is an important point for management. Many of the solutions that create value in day-to-day operations can also open up new vulnerabilities.
Jørgen points, for example, to how external supplier connections often arise for entirely legitimate reasons: faster support, less downtime and more stable operations. The problem is not the intention. The problem is that the solution can also create a new path into the OT environment.
That is why management should not only ask what digital opportunities the integration creates. They should also ask:
- Where do IT and OT meet in our organisation?
- Which connections and dependencies do we have?
- Which practical shortcuts in operations may become potential attack surfaces?
- What do we do if an important connection, supplier or solution suddenly stops working?
3. Placing responsibility in one silo
The third mistake is organisational.
As OT security receives more attention, a natural question arises: Who is responsible?
And here, many organisations see the same tendency. Responsibility is placed in one function – often where the word “security” already exists. But if OT security is placed too narrowly, the company risks assigning the task to someone who only understands one half of the problem.
André Alnor puts it very directly:
“If you place responsibility with someone who does not understand the task, you have a major problem.”
That is precisely the challenge at the intersection of IT and OT. A classic IT security function may be strong in cyber disciplines, access control and network protection – but lack the necessary understanding of operations, contingency planning and physical infrastructure. Conversely, an operations function may have a strong focus on uptime and continuity, but not necessarily be equipped to handle the cyber threats that follow from digitalisation and integration.
“The most important thing is to assign responsibility. Someone needs to have the mandate to drive OT security, bring the right people together and identify the people who need to be involved in developing an OT security programme that is embedded in the organisation’s processes and becomes an active part of workflows in OT.”
The “bridge” between IT and OT is not something you can simply take off the shelf. It has to be built organisationally.
For management, this means that OT security should not be reduced to either a purely IT matter or a purely operational issue. It requires a structure where someone has the mandate to bring the perspectives together, coordinate the effort and raise the right risks to management.
But responsibility must not become a silo. It must create coherence between the functions that each hold part of the problem: management, IT, operations, contingency planning, risk management and supplier management.
What does this mean for management?
When IT and OT meet, it is not enough to ask whether security is strong enough. Management must also ask whether security has been thought through in the right way.
Among other things, this means:
- OT security must be assessed based on the reality of operations
- Integration between IT and OT must be seen as both a benefit and a new risk surface
- Responsibility must be anchored in a way that builds bridges between disciplines rather than reinforcing silos
That is ultimately the most important point.
Good security is not necessarily the control that looks strongest on paper. It is the solution that protects the organisation without undermining its ability to function.
In the energy and utility sector, security is not only about data. It is also about operations, uptime and critical functions in society.
That is why classic IT measures cannot stand alone when OT becomes a larger part of the digital risk landscape.
When IT and OT meet, management must understand both worlds. Otherwise, they risk creating new problems in the attempt to solve the old ones.
Do you want to strengthen OT security without disrupting operations?
When IT and OT converge, there is rarely a one-size-fits-all solution. Have a no-obligation conversation with André about how you can strengthen OT security without compromising operations, uptime and safety.