SY0-701 | Chapter 182 of 212 | Objective 4.5

OT/IT Convergence Security

This chapter covers the convergence of Operational Technology (OT) and Information Technology (IT) networks, a critical topic for the SY0-701 Security+ exam under Objective 4.5 (Security Operations). As organizations adopt Industry 4.0, the traditional air gap between OT and IT is disappearing, creating new attack surfaces that can lead to physical damage. You will learn the fundamental differences between OT and IT, the security risks of convergence, and the specific controls used to protect industrial environments—knowledge directly tested on the exam and essential for any security professional working in critical infrastructure.

25 min read
Advanced
Updated May 31, 2026

The Chemical Plant Control Room

Imagine a chemical plant with two control rooms. The IT control room manages business systems (email, payroll, and inventory) on standard Windows PCs and Ethernet. The OT control room manages the actual chemical processing: valves, pumps, temperature sensors, and pressure relief systems. These OT systems run on programmable logic controllers (PLCs) that communicate via specialized protocols such as Modbus. In the past, the two rooms were physically separated with no network link: if the IT room got a virus, the OT room was unaffected. But for efficiency, the company runs a single cable between them so the OT team can check email and the IT team can monitor production metrics. Now, ransomware on the IT network can traverse that cable, encrypt the Windows HMIs and engineering workstations, and leave operators blind to the process, and an attacker who follows the same path can reach the PLCs themselves and issue commands that open a valve or run a pump dry. The analogy: the cable is the convergence point. Just as a single connection can turn an IT incident into a physical disaster, OT/IT convergence creates a bridge for attacks with kinetic consequences: fires, explosions, or toxic releases. The security challenge is to manage this bridge safely, using firewalls, unidirectional gateways, and strict segmentation to allow the necessary data flow without exposing critical processes to IT threats.

How It Actually Works

What is OT/IT Convergence?

Operational Technology (OT) refers to hardware and software that monitors and controls physical processes, devices, and infrastructure. Common OT systems include Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Programmable Logic Controllers (PLCs), and Remote Terminal Units (RTUs). These systems manage everything from electrical grids and water treatment plants to manufacturing assembly lines and pipeline valves. Information Technology (IT), by contrast, manages data-centric systems like servers, databases, email, and enterprise resource planning (ERP) software.

Traditionally, OT networks were physically air-gapped from IT networks—no connectivity at all. This isolation provided inherent security: an attacker compromising the corporate email system could not reach the PLC controlling a turbine. However, business demands for real-time data, remote monitoring, predictive maintenance, and integration with enterprise systems have driven convergence. Today, most OT environments have at least some connectivity to IT networks, often through a demilitarized zone (DMZ) or direct connections.

How Convergence Works Mechanically

The convergence typically occurs at multiple layers:

1.

Network Level: OT devices are connected to the corporate network via switches, routers, or firewalls. Common protocols include Modbus TCP (TCP port 502), DNP3 (TCP port 20000), EtherNet/IP (TCP port 44818, with UDP 2222 for cyclic I/O), and Profinet (whose real-time traffic runs directly in Ethernet frames rather than over TCP/UDP). These protocols were designed for reliability and deterministic timing, not security: in their base form they carry no authentication, no encryption, and no cryptographic integrity check, so any host that can reach the device can issue a valid command. Secure extensions exist (DNP3 Secure Authentication, Modbus/TCP Security over TLS) but are optional and rarely deployed in the field.

2.

Data Flow: Historian servers collect process data from PLCs and send it to IT databases for analysis. Remote access solutions allow engineers to troubleshoot OT systems from corporate laptops. Patch management servers push updates to OT workstations.

3.

Identity Integration: Active Directory may be used to authenticate users accessing OT systems. Single sign-on (SSO) extends to HMIs (Human-Machine Interfaces).

Key Components and Standards

PLCs (Programmable Logic Controllers): Industrial computers that execute control logic. They run proprietary firmware (e.g., Siemens S7, Allen-Bradley ControlLogix).

RTUs (Remote Terminal Units): Field devices that interface with sensors and actuators, often in remote locations.

HMIs (Human-Machine Interfaces): Operator consoles that display process data and allow control input.

SCADA Servers: Centralized systems that collect data from multiple RTUs/PLCs and provide supervisory control.

Historian: Time-series database that logs process values for analysis.

Relevant standards:
- ISA/IEC 62443: the international standards series for the security of Industrial Automation and Control Systems (IACS). It defines zones and conduits, security levels (SL 1-4), the roles of asset owner, integrator, and product supplier, risk assessment, and system and component requirements. "IEC 62443" and "ISA/IEC 62443" refer to the same series.
- NIST SP 800-82: Guide to Operational Technology (OT) Security (Revision 3; earlier revisions were titled Guide to Industrial Control Systems (ICS) Security).

How Attackers Exploit Convergence

Attackers leverage the trust relationship between IT and OT. The most cited example is the December 2015 attack on Ukrainian electricity distribution companies, in which the BlackEnergy toolkit was used to gain and keep access to the corporate networks; no controller vulnerability was needed, because the attackers ended up operating the HMIs with stolen credentials. The attack chain:

1.

Phishing emails compromised IT networks (Microsoft Office macros).

2.

Lateral movement via VPN credentials to reach the SCADA network.

3.

Direct manipulation of HMIs to open breakers, causing blackouts.

4.

KillDisk wiped OT workstations to delay recovery.

More recently, TRITON (also called TRISIS) targeted Schneider Electric Triconex safety instrumented system (SIS) controllers. The attackers reached the SIS engineering workstation from the corporate network, then used the TriStation engineering protocol to load a payload into the controllers that exploited a flaw in the controller firmware and installed a backdoor able to rewrite safety logic. A safety system is the last line of defense against an overpressure or toxic release, so tampering with it is an attempt to enable physical damage; in the actual incident the controllers failed safe and tripped the plant, which is how the intrusion came to light.

Common attack vectors:
- Ransomware: Encrypts Windows-based HMIs, engineering workstations, or historian servers, halting production even though the PLCs keep running.
- Protocol exploitation: Modbus lacks authentication; any host that can reach TCP/502 on a PLC can send forged read/write commands, and the PLC cannot tell them from the HMI's.
- Remote access abuse: Weak or stolen credentials on VPNs or jump boxes allow unauthorized control.
- Supply chain attacks: Compromised software or firmware updates for OT equipment.
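The "protocol exploitation" bullet is worth seeing on the wire. The Python below is an added example, not code from the page or from any PLC vendor: it builds and parses Modbus/TCP write requests using the open protocol's frame layout (a 7-byte MBAP header followed by the function code and data). The unit id, register address and value are constructed. The point to notice is that nothing in the 12 bytes identifies or authenticates the sender, so an attacker's frame is byte-for-byte identical to the HMI's.

```python
"""Modbus/TCP request frames: build, parse, and see what the protocol omits.

Added example, not code from the page or from any Modbus vendor. The unit id,
register address and value are constructed. Layout follows the open Modbus/TCP
spec: MBAP header (transaction id, protocol id = 0, length, unit id) followed
by the PDU (function code + data). No field carries a credential, signature
or MAC.
"""
import struct

FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER, FC_WRITE_MULTIPLE_REGISTERS}


def _mbap(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    # Length counts the unit id byte plus the PDU; protocol id is always 0 for Modbus
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)


def build_write_single_register(transaction_id: int, unit_id: int, address: int, value: int) -> bytes:
    """12-byte FC 6 request: set one holding register (e.g. a speed setpoint)."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, address, value)
    return _mbap(transaction_id, unit_id, pdu) + pdu


def build_write_multiple_registers(transaction_id: int, unit_id: int, address: int, values: list) -> bytes:
    """FC 16 request: write a contiguous block of holding registers."""
    data = struct.pack(f">{len(values)}H", *values)
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE_REGISTERS, address, len(values), len(data)) + data
    return _mbap(transaction_id, unit_id, pdu) + pdu


def parse_frame(frame: bytes) -> dict:
    """Decode the MBAP header and enough of the PDU to classify the request.

    This is the work a protocol-aware firewall or passive sensor must do before
    it can tell a harmless read (FC 3) from a write that changes the process.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    function = pdu[0]
    info = {"transaction_id": transaction_id, "unit_id": unit_id,
            "function": function, "is_write": function in WRITE_FUNCTIONS}
    if function in (FC_READ_HOLDING_REGISTERS, FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER):
        # start address followed by quantity (FC 3), coil state (FC 5) or register value (FC 6)
        info["address"], info["value"] = struct.unpack(">HH", pdu[1:5])
    elif function == FC_WRITE_MULTIPLE_REGISTERS:
        address, count, byte_count = struct.unpack(">HHB", pdu[1:6])
        info["address"] = address
        info["values"] = list(struct.unpack(f">{count}H", pdu[6:6 + byte_count]))
    return info


if __name__ == "__main__":
    # Constructed: unit 1, holding register 16 set to 3000 (say, a motor speed setpoint)
    frame = build_write_single_register(transaction_id=1, unit_id=1, address=16, value=3000)
    print(frame.hex(" "))
    print(parse_frame(frame))
```

Sending the resulting bytes to TCP/502 on a real controller performs the write; there is no confirmation step and no undo, so only ever do that against a simulator or a device you are explicitly authorized to test.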

How Defenders Secure Convergence

Defense-in-depth for OT/IT convergence includes:

1.

Network Segmentation: Use firewalls, VLANs, and unidirectional gateways (data diodes) to strictly control traffic. The Purdue Model (adopted by ISA-99, now IEC 62443) defines levels from Level 0 (physical process) to Level 5 (enterprise network). Traffic should cross only between adjacent levels, and every IT/OT exchange should terminate in an industrial DMZ (often labeled Level 3.5) between Level 3 and Level 4 rather than passing straight through.

2.

OT-Specific Firewalls: Traditional IT firewalls treat Modbus on TCP/502 as an opaque stream. Firewalls with industrial protocol decoders (Palo Alto Networks and Fortinet, for example, ship Modbus, DNP3, and other ICS application signatures) can distinguish a read request from a write and block specific function codes. Claroty and Nozomi Networks are passive monitoring platforms that detect such traffic rather than firewalls that block it.

3.

Unidirectional Gateways: Hardware devices that physically allow data flow in only one direction, from OT to IT. Because there is no return path, no packet from IT can ever reach OT; the trade-off is that nothing needing a round trip (remote control, interactive sessions) can cross the gateway. Waterfall Security's Unidirectional Security Gateway is one commercial example.

4.

Jump Boxes / Bastion Hosts: Dedicated hardened servers in a DMZ that provide the only access point for IT users to reach OT systems. All access is logged and monitored.

5.

OT Asset Inventory and Monitoring: Maintain an authoritative inventory of every controller, HMI, and workstation. Shodan shows what is exposed to the internet from the outside; on the inside, rely on passive monitoring from a switch mirror (SPAN) port so that discovery never sends packets to fragile devices, and alert on rogue devices or anomalous traffic.

6.

Secure Remote Access: VPN (or a zero-trust access broker) with multi-factor authentication (MFA) and session recording, fronted by a privileged access management (PAM) platform (CyberArk is one example) that vaults the OT credentials and brokers the session so the engineer never holds a controller password directly.

7.

Patching and Vulnerability Management: OT systems cannot be patched on IT timelines; a firmware update usually needs vendor qualification and a scheduled outage. In the meantime, virtual patching (an IPS signature placed in front of the device) and application allow-listing on Windows OT hosts (only approved executables may run) are the common compensating controls.

Real Command/Tool Examples

Nmap for OT discovery: nmap -p 502,20000,44818 192.168.1.0/24 scans for Modbus, DNP3, and EtherNet/IP; adding --script modbus-discover,enip-info pulls device identification from responders. Use a slow timing template (-T2 or slower), never a full port scan, and only in a maintenance window, because some controllers fault when probed.

Modbus TCP exploitation: Using modbus-cli, or the Metasploit modules auxiliary/scanner/scada/modbusdetect (fingerprinting) and auxiliary/scanner/scada/modbusclient (reading and writing coils and registers).

Wireshark filter for OT traffic: modbus || dnp3 (Wireshark also accepts "or"; the Modbus/TCP header layer is matched by mbtcp).

IEC 62443 zone example: Configure a firewall rule allowing only specific IPs (jump box) to access PLC subnet on port 502.

# Example iptables rules for an IT/OT boundary firewall (eth0 = IT/DMZ side, eth1 = OT side)
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 502 -s 10.0.1.10 -d 192.168.100.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED -j ACCEPT   # replies inside those sessions only
iptables -A FORWARD -i eth1 -o eth0 -j DROP   # nothing OT-initiated crosses toward IT

These rules allow only the jump box (10.0.1.10) to open Modbus/TCP sessions to the OT subnet (192.168.100.0/24) and let the OT side answer only within sessions the jump box started. A plain DROP on every eth1-to-eth0 packet would also discard the SYN-ACKs, and the Modbus connection would never complete. Two caveats: this is a stateful firewall, not a unidirectional gateway (rules can be misconfigured or bypassed, and the jump box can still push writes into OT), and a port-level rule admits every Modbus function code, so limiting the conduit to reads requires a protocol-aware firewall.
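Rule sets like the one above tend to grow until nobody can say which conduits still respect the zoning. The Python below is an added example, not a tool from the page or from IEC 62443 itself: it models zones with Purdue levels (3.5 for the industrial DMZ) and checks proposed conduits for the mistakes this chapter warns about. The zone names, CIDRs and rules are constructed to mirror the iptables example (jump box 10.0.1.10 in the DMZ, PLC subnet 192.168.100.0/24), and the checks encode this chapter's guidance rather than a literal standard requirement.

```python
"""Check a proposed IT/OT firewall rule set against Purdue-style zoning.

Added example, not a tool from the page or from IEC 62443 itself. The zones,
CIDRs and rules are constructed to mirror the iptables example in the text;
the checks encode this chapter's guidance. Level 3.5 denotes the industrial DMZ.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

CONTROL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}
DMZ_LEVEL = 3.5


@dataclass(frozen=True)
class Zone:
    name: str
    level: float      # Purdue level; 3.5 is the industrial DMZ
    cidr: str


@dataclass(frozen=True)
class Rule:
    src: Zone
    dst: Zone
    proto: str
    port: Optional[int]            # None means any port
    src_hosts: tuple = ()          # empty means the whole source zone may initiate


def check_rules(rules):
    """Return (severity, rule description, reason) findings for a rule list."""
    findings = []
    for r in rules:
        desc = f"{r.src.name}->{r.dst.name} {r.proto}/{r.port or 'any'}"
        # Named source hosts must actually live in the zone the rule claims
        net = ipaddress.ip_network(r.src.cidr)
        for host in r.src_hosts:
            if ipaddress.ip_address(host) not in net:
                findings.append(("HIGH", desc, f"source host {host} is not inside {r.src.name} ({r.src.cidr})"))
        # IT (Level 4-5) and OT (Level 0-3) may only meet in the DMZ
        lo, hi = sorted((r.src.level, r.dst.level))
        if lo <= 3 and hi >= 4:
            findings.append(("HIGH", desc, "crosses the IT/OT boundary without terminating in the DMZ"))
        # A conduit entering OT from the DMZ or above must name hosts and one port
        if r.dst.level <= 3 and r.src.level >= DMZ_LEVEL and (not r.src_hosts or r.port is None):
            findings.append(("HIGH", desc, "conduit into OT must name specific source hosts and a single port"))
        # Control protocols from outside OT: a port rule admits every function code
        if r.dst.level <= 3 and r.src.level >= DMZ_LEVEL and r.src_hosts and r.port in CONTROL_PORTS:
            findings.append(("MEDIUM", desc, f"{CONTROL_PORTS[r.port]} from {', '.join(r.src_hosts)}: limit function codes (reads only) on a protocol-aware firewall"))
        # OT-initiated sessions into the DMZ are a path out; prefer DMZ-side pull or a data diode
        if r.src.level <= 3 and r.dst.level == DMZ_LEVEL:
            findings.append(("MEDIUM", desc, "OT-initiated session into the DMZ; prefer a DMZ-side pull or a unidirectional gateway"))
    return findings


# Constructed zones and rules
ENTERPRISE = Zone("enterprise", 5, "10.50.0.0/16")
DMZ = Zone("industrial-dmz", DMZ_LEVEL, "10.0.1.0/24")
SITE_OPS = Zone("site-operations", 3, "192.168.3.0/24")
SUPERVISORY = Zone("supervisory", 2, "192.168.2.0/24")
PLC_SUBNET = Zone("plc-subnet", 1, "192.168.100.0/24")

RULES = [
    Rule(DMZ, PLC_SUBNET, "tcp", 502, ("10.0.1.10",)),        # the jump-box rule from the text
    Rule(ENTERPRISE, PLC_SUBNET, "tcp", 502),                # enterprise straight to the PLCs
    Rule(ENTERPRISE, DMZ, "tcp", 443, ("10.50.7.21",)),      # ERP reads the historian replica
    Rule(SITE_OPS, DMZ, "tcp", 1433, ("192.168.3.5",)),      # historian pushes to its replica
    Rule(DMZ, SUPERVISORY, "tcp", None),                     # whole DMZ, any port, to the HMIs
    Rule(DMZ, SUPERVISORY, "tcp", 3389, ("10.0.9.99",)),     # "DMZ" host that is not in the DMZ
]

if __name__ == "__main__":
    for severity, desc, reason in check_rules(RULES):
        print(f"{severity:6} {desc:40} {reason}")
```

The jump-box rule from the text passes with only a MEDIUM note (port filtering cannot stop writes), while the enterprise-to-PLC rule, the any-port rule and the mislabelled source host are all flagged HIGH. Feed the function your real rule export and the zone map from your network diagram; the value is in reviewing the findings with the control engineers, not in the severity labels.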

Key Exam Terms

Purdue Model: Reference architecture for ICS security levels.

Data Diode: Hardware that enforces one-way data transfer.

IEC 62443: The primary security standard for IACS.

SCADA vs. DCS: SCADA is geographically distributed; DCS is local.

Modbus, DNP3, Profinet: Common OT protocols with no security built-in.

Air Gap: Complete physical isolation (rare today).

Jump Box: Hardened intermediary for OT access.

Historian: OT data collection point that often bridges to IT.

Summary

OT/IT convergence is inevitable but introduces risks that can lead to physical damage. The Security+ exam expects you to understand the unique security properties of OT (safety, availability, real-time) and the controls (segmentation, unidirectional gateways, jump boxes) that protect converged environments. Focus on the Purdue Model, the differences between IT and OT priorities, and the specific protocols and attack vectors.

Walk-Through

1

Identify OT and IT Assets

Begin by inventorying all OT devices (PLCs, RTUs, HMIs, historians) and IT devices (servers, workstations, network gear) that are connected. Use passive capture (Wireshark or tcpdump on a switch SPAN/mirror port) to identify protocols (Modbus, DNP3) and who talks to whom without sending a single packet into the process network. Active scanning with Nmap can be done carefully during maintenance windows, since some PLCs and RTUs hang or fault when probed. Document IP addresses, firmware versions, and network connections. This step reveals the attack surface: every crossover point where IT can reach OT. In a SOC, this might be done using an asset management platform like Claroty or Tenable OT Security.

2

Map Data Flows and Trust Relationships

Diagram all data flows between IT and OT. Common flows: historian sends data to ERP, engineers RDP from IT to HMIs, patch management connects to OT workstations. Identify which protocols are used (e.g., Modbus TCP, OPC UA, SQL). Note any direct connections without firewalls. This step highlights potential attack paths. For example, if a historian server in IT can write to a PLC, an attacker compromising the historian can send malicious commands. Use network flow analysis tools like SolarWinds or manual review of firewall rules.

3

Segment Using the Purdue Model

Implement network segmentation based on the Purdue Model (Levels 0-5). Keep field devices and controllers in Levels 0-1, HMIs and SCADA servers in Level 2, historians and engineering workstations in Level 3, an industrial DMZ (Level 3.5) between Level 3 and Level 4, and business systems in Levels 4-5. Use firewalls to restrict traffic to only the necessary protocols and IPs; for example, allow Modbus to the PLC subnet only from a specific jump box IP. Use VLANs and ACLs to enforce boundaries within a site. Where IT only needs to read OT data, a unidirectional gateway (data diode) can replace the firewall conduit entirely. This step isolates OT from direct IT access, reducing the blast radius.

4

Harden Remote Access and Jump Boxes

Configure a hardened jump box (bastion host) in the DMZ as the only entry point from IT to OT. Require MFA for all remote access. Log all sessions and use session recording. Disable direct RDP or SSH from IT workstations to OT devices. Apply application whitelisting on the jump box to allow only approved tools (e.g., specific SCADA client). Regularly audit access logs. This step prevents an attacker from using stolen IT credentials to directly access OT.

5

Deploy OT-Specific Monitoring and Detection

Install passive monitoring sensors that can inspect OT protocols for anomalies. Tools like Nozomi, Dragos, or Zeek with ICS protocol parsers (the ICSNPP packages) can detect unauthorized read/write commands, protocol violations, or new devices. Set up alerts for changes to PLC logic or firmware. Integrate with a SIEM (e.g., Splunk) for correlation with IT events; for example, alert when a Modbus write command originates from an IP that is not on the authorized list, and raise the priority when it follows an unusual VPN login. This step provides visibility into OT network traffic, enabling detection of attacks like TRITON or Industroyer.

6

Establish Incident Response for OT

Create a dedicated incident response plan for OT incidents that prioritizes safety and availability over forensic evidence. Define procedures for isolating affected OT segments (e.g., pulling network cables) without causing physical harm. Train responders on OT-specific artifacts (PLC memory dumps, historian logs). Coordinate with IT IR team but maintain OT-specific playbooks. Conduct tabletop exercises simulating a ransomware attack on HMIs. This step ensures that when an incident occurs, the response does not worsen the situation (e.g., shutting down a safety system).

What This Looks Like on the Job

Scenario 1: Water Treatment Plant Ransomware

A mid-sized water utility integrated its SCADA system with the corporate network for remote monitoring. An employee clicked a phishing email containing LockBit ransomware. The ransomware encrypted the corporate file server and spread to a shared drive that also mapped to the SCADA historian server. The historian, running Windows, became encrypted. Operators lost access to historical data, but the PLCs continued running autonomously. The SOC detected the ransomware via endpoint alerts on the corporate side. The correct response: immediately disconnect the OT network from IT (pull the network cable between the DMZ and OT). Then restore the historian from offline backups. The common mistake: attempting to remove the ransomware while leaving the network bridge intact, allowing the ransomware to spread to HMIs. The analyst should have identified that the historian was in the DMZ and acted as a bridge.

Scenario 2: Unauthorized Modbus Write Command

A manufacturing plant uses Modbus TCP to control conveyor belts. The SOC's OT monitoring tool (Nozomi) alerted on a Modbus write command to a PLC from an IP address that was not on the authorized list. The command set a motor speed to maximum. The analyst investigated: the IP belonged to a vendor laptop that was connected to the OT switch for maintenance but had been left connected after the vendor left. The correct response: immediately block that IP at the OT firewall, physically disconnect the laptop, and verify the PLC state. Then review logs for any other unauthorized commands. The common mistake: assuming the vendor's laptop was trusted because it was used for legitimate maintenance. The analyst should enforce a policy that all temporary connections require a change request and are monitored.
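Step 5 of the walk-through and Scenario 2 come down to the same detection logic: know which hosts exist, know which of them may write, and look for writes that break the pattern. The Python below is an added example, not a product's rule set or code from the page. The asset inventory, the Modbus request log and the VPN login feed are constructed, and the tab-separated log layout is this example's own rather than any sensor's export format. It also implements the cross-domain correlation Scenario 3 below calls for, by pairing an IT-side VPN login with a later write from the jump box.

```python
"""Detection over decoded Modbus/TCP requests, with an IT-side correlation.

Added example, not a product rule set or code from the page. The asset
inventory, request log and VPN login feed are constructed; the tab-separated
log layout (ts, src, dst, unit, func) is this example's own, not a sensor's.
"""
from collections import defaultdict, deque

WRITE_FUNCS = {"WRITE_SINGLE_COIL", "WRITE_MULTIPLE_COILS",
               "WRITE_SINGLE_REGISTER", "WRITE_MULTIPLE_REGISTERS"}

# Constructed inventory: which hosts exist, and which of them may write to PLCs
KNOWN_ASSETS = {"192.168.2.10": "hmi-01", "192.168.3.20": "eng-ws-01",
                "192.168.3.5": "historian", "10.0.1.10": "jump-box"}
AUTHORIZED_WRITERS = {"192.168.2.10", "192.168.3.20"}
BURST_LIMIT, BURST_WINDOW = 3, 5.0    # more than 3 writes in 5 s from one source
PIVOT_WINDOW = 600.0                  # VPN login followed by an OT write within 10 min

# Constructed request log: one decoded Modbus/TCP request per line
SAMPLE_LOG = """\
1700000000.0\t192.168.2.10\t192.168.100.21\t1\tREAD_HOLDING_REGISTERS
1700000001.0\t192.168.3.5\t192.168.100.21\t1\tREAD_HOLDING_REGISTERS
1700000002.0\t192.168.2.10\t192.168.100.21\t1\tWRITE_SINGLE_REGISTER
1700000030.0\t192.168.55.7\t192.168.100.22\t1\tWRITE_SINGLE_REGISTER
1700000031.0\t192.168.55.7\t192.168.100.22\t1\tWRITE_SINGLE_REGISTER
1700000031.5\t192.168.55.7\t192.168.100.22\t1\tWRITE_SINGLE_REGISTER
1700000032.0\t192.168.55.7\t192.168.100.22\t1\tWRITE_SINGLE_REGISTER
1700000400.0\t10.0.1.10\t192.168.100.21\t1\tWRITE_MULTIPLE_REGISTERS
"""

# Constructed IT-side feed: (ts, user, source ip of the VPN login)
VPN_LOGINS = [(1700000100.0, "j.doe", "203.0.113.45")]


def parse_log(text):
    """Turn the tab-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, unit, func = line.split("\t")
        events.append({"ts": float(ts), "src": src, "dst": dst, "unit": int(unit), "func": func})
    return events


def detect(events, vpn_logins):
    """Return (severity, rule, detail) alerts for the events, in order."""
    alerts = []
    recent_writes = defaultdict(deque)   # per-source write timestamps inside the burst window
    reported_unknown = set()
    for e in events:
        src, dst, func, ts = e["src"], e["dst"], e["func"], e["ts"]
        # Rule 1: a host missing from the inventory is on the control network at all
        if src not in KNOWN_ASSETS and src not in reported_unknown:
            reported_unknown.add(src)
            alerts.append(("HIGH", "unknown-device", f"{src} is not in the asset inventory and is talking Modbus to {dst}"))
        if func not in WRITE_FUNCS:
            continue
        name = KNOWN_ASSETS.get(src, src)
        # Rule 2: writes may only come from the HMI and the engineering workstation
        if src not in AUTHORIZED_WRITERS:
            alerts.append(("HIGH", "unauthorized-write", f"{name} sent {func} to {dst} unit {e['unit']}"))
        # Rule 3: a burst of writes from one source looks like scripting, not an operator
        q = recent_writes[src]
        q.append(ts)
        while ts - q[0] > BURST_WINDOW:
            q.popleft()
        if len(q) == BURST_LIMIT + 1:        # fire once, when the limit is first exceeded
            alerts.append(("MEDIUM", "write-burst", f"{name}: {len(q)} writes within {BURST_WINDOW:.0f}s"))
        # Rule 4: cross-domain correlation, a write from the jump box soon after a VPN login
        if name == "jump-box":
            for login_ts, user, login_ip in vpn_logins:
                if 0 <= ts - login_ts <= PIVOT_WINDOW:
                    alerts.append(("HIGH", "it-to-ot-pivot", f"VPN login by {user} from {login_ip} was followed {ts - login_ts:.0f}s later by {func} from the jump box"))
    return alerts


if __name__ == "__main__":
    for severity, rule, detail in detect(parse_log(SAMPLE_LOG), VPN_LOGINS):
        print(f"{severity:6} {rule:18} {detail}")
```

On the constructed log, the vendor laptop (192.168.55.7) trips the unknown-device rule on its first packet, every one of its writes trips the unauthorized-write rule, and its fourth write inside five seconds trips the burst rule; the jump box's write is flagged both as unauthorized and as an IT-to-OT pivot because a VPN login preceded it by five minutes. The HMI's routine write produces nothing, which is the property to preserve when tuning: the allow lists come from the asset inventory built in step 1, not from whatever the sensor happened to see first.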

Scenario 3: TRITON Malware in a Petrochemical Facility

A petrochemical company had a converged network with a jump box for remote access. Attackers used spear-phishing to gain access to the IT network, then moved laterally to the jump box using stolen VPN credentials. From the jump box they scanned the OT network, found the safety-system engineering workstation and the Triconex controllers behind it, and used the engineering protocol to load TRITON, a payload that exploits a controller firmware flaw to gain the ability to rewrite safety logic. The SOC missed the initial compromise because IT and OT monitoring were separate. The correct response: after discovery, the facility was shut down safely, the controllers were restored to known-good firmware and logic from vendor media, and the physical key switches were returned from PROGRAM to RUN so the logic can no longer be changed over the network. The common mistake: not correlating IT alerts (unusual VPN logins) with OT alerts (controller logic change). The lesson: integrate IT and OT SIEM feeds and monitor for cross-domain indicators.

How SY0-701 Actually Tests This

What SY0-701 Tests on OT/IT Convergence

The exam focuses on understanding the unique security considerations of OT, the risks of convergence, and the controls used to mitigate those risks. Key sub-objectives under 4.5 include:

Differentiating between IT and OT security priorities (availability vs. confidentiality).

Identifying common OT protocols (Modbus, DNP3, Profinet) and their lack of security.

Describing the Purdue Model and its levels.

Explaining the purpose of data diodes, jump boxes, and network segmentation in OT.

Recognizing attack scenarios like Stuxnet, Ukraine power grid, and TRITON.

Common Wrong Answers and Why Candidates Choose Them

1.

Choosing 'air gap' as the primary security control: Many candidates think air gaps still exist. The exam tests that air gaps are rare; convergence is the reality. Wrong answer: 'The best way to secure OT is to maintain an air gap.' Correct: 'Use segmentation and unidirectional gateways.'

2.

Confusing SCADA and DCS: Candidates often think SCADA is local and DCS is distributed. Actually, SCADA is geographically distributed, DCS is local. This distinction appears in scenario questions.

3.

Selecting 'patch all OT devices immediately': IT mindset. The exam expects that patching OT requires scheduled downtime and may not be possible due to vendor support. Wrong answer: 'Apply critical patches within 24 hours.' Correct: 'Use virtual patching or application whitelisting.'

4.

Assuming OT protocols have security features: Base Modbus and DNP3 have no authentication or encryption. DNP3 Secure Authentication (IEEE 1815-2012) exists as an optional extension but is rarely deployed, and Modbus/TCP Security (TLS on port 802) is rarer still. The exam treats these as legacy, insecure protocols; do not pick an answer that assumes the secure variant is in use.

Specific Terms and Values

Purdue Model Levels 0-5: Know the levels: 0 (physical process: sensors and actuators), 1 (basic control: PLCs, RTUs), 2 (supervisory control: HMIs, SCADA servers), 3 (site operations: historians, engineering workstations), 3.5 (industrial DMZ), 4 (site business), 5 (enterprise).

Modbus port 502, DNP3 port 20000, EtherNet/IP port 44818.

IEC 62443: The standard for IACS security.

Data diode: Also called unidirectional gateway.

Jump box: Also called bastion host.

Common Trick Questions

A question may describe a scenario where a technician uses a laptop to directly connect to a PLC for troubleshooting. The correct control is 'jump box' or 'DMZ', not 'air gap' or 'firewall' (since the laptop bypasses the firewall).

Another question might ask about the primary goal of OT security. The answer is 'safety and availability', not 'confidentiality' (which is IT's primary goal).

Decision Rule for Eliminating Wrong Answers

On scenario questions about OT security, eliminate any answer that:

Prioritizes confidentiality over availability (e.g., 'encrypt all OT traffic' when it could cause latency).

Suggests immediate patching without considering downtime.

Relies on an air gap as the sole control.

Assumes OT protocols have built-in security.

Proposes a control that could disrupt real-time operations (e.g., deep packet inspection with high latency).

Key Takeaways

OT/IT convergence eliminates air gaps, creating new attack surfaces that can lead to physical damage.

The Purdue Model (Levels 0-5) is the reference architecture for ICS segmentation.

Common OT protocols (Modbus TCP port 502, DNP3 port 20000) lack authentication and encryption.

Data diodes (unidirectional gateways) allow one-way data flow from OT to IT, preventing attacks from IT.

Jump boxes (bastion hosts) in a DMZ provide the only authorized access point from IT to OT.

IEC 62443 is the international standard for industrial communication network security.

The primary security objectives for OT are safety and availability, not confidentiality.

Real-world attacks: Ukraine power grid (BlackEnergy), TRITON (safety controller), Stuxnet (centrifuge destruction).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

IT Security

Primary goal: confidentiality, integrity, availability (CIA triad)

Patching is frequent and automated

Standard protocols: HTTP, SSH, TLS

Network changes are routine and can be done quickly

Security tools: antivirus, EDR, SIEM

OT Security

Primary goal: safety, availability, then integrity (confidentiality last)

Patching requires scheduled downtime and vendor approval

Legacy protocols: Modbus, DNP3, Profinet (no security)

Network changes are rare and must be carefully planned to avoid disruption

Security tools: passive monitoring, OT-specific firewalls, data diodes

Watch Out for These

Mistake

OT networks are still air-gapped from IT.

Correct

True air gaps are extremely rare today. Most OT networks have some form of connectivity to IT for business efficiency. The exam tests that convergence is the norm.

Mistake

OT protocols like Modbus are secure because they are proprietary.

Correct

Modbus, DNP3, and Profinet are open protocols with no built-in authentication, encryption, or integrity checking. They are vulnerable to spoofing, replay, and command injection.

Mistake

Patching OT systems is the same as patching IT systems.

Correct

OT systems usually cannot be patched without a scheduled outage. Patches may not be vendor-approved or could break real-time control. Virtual patching or other compensating controls are often used in the interim.

Mistake

The primary security goal for OT is confidentiality.

Correct

The primary goals are safety and availability. Confidentiality is secondary. In IT, confidentiality is often primary.

Mistake

A firewall between IT and OT is sufficient to protect OT.

Correct

Firewalls alone are insufficient: a rule that permits TCP/502 to a PLC permits every Modbus function code, including writes to coils and registers, because a conventional firewall does not parse the protocol. Specialized OT firewalls with protocol inspection (which can allow reads and block writes), combined with segmentation and unidirectional gateways, are needed.

Frequently Asked Questions

What is the difference between IT and OT security priorities?

IT security prioritizes confidentiality, integrity, and availability (CIA) in that order. OT security prioritizes safety and availability first, then integrity, with confidentiality last. Why? Because in OT, a breach of confidentiality (e.g., data leak) is less critical than a breach of availability (e.g., a power outage) or safety (e.g., a chemical release). The exam tests this distinction: if a question asks about the primary goal of OT security, choose 'safety' or 'availability'.

What is the Purdue Model and why is it important?

The Purdue Model (from the Purdue Enterprise Reference Architecture, adopted by ISA-99/IEC 62443) is a reference architecture that divides industrial control systems into levels: Level 0 (physical process: sensors and actuators), Level 1 (basic control: PLCs, RTUs), Level 2 (supervisory control: HMIs, SCADA servers), Level 3 (site operations: historians, engineering workstations), Level 4 (site business), and Level 5 (enterprise), with an industrial DMZ (Level 3.5) between Level 3 and Level 4. It defines how data flows between levels and where security controls should be placed. For the exam, know that traffic should only flow between adjacent levels and that the DMZ sits between Level 3 and Level 4. It is the starting point for designing OT network segmentation.

What is a data diode and how does it work?

A data diode is a hardware device that allows data to flow in only one direction, typically from a high-security network (OT) to a lower-security network (IT). It physically enforces one-way communication, so no packets can travel back. This prevents an attacker on the IT side from sending any data to the OT side. Because no packet can return, a data diode cannot carry a TCP session; a unidirectional gateway therefore pairs a send-side server that collects data from the OT system with a receive-side server that replays it to IT (historian replication is the usual case). Data diodes are used when OT data needs to be monitored from IT but no control commands need to go back. They are more secure than firewalls because they cannot be misconfigured to allow return traffic.

What is a jump box in OT security?

A jump box (or bastion host) is a hardened server located in a DMZ that provides the only access point for IT users to connect to OT systems. Users first authenticate to the jump box (often with MFA), then from the jump box they can initiate RDP or SSH sessions to OT devices. All access is logged and monitored. This prevents direct connections from IT workstations to OT, reducing the attack surface. For the exam, know that jump boxes are a key control for secure remote access in converged networks.

What are common OT protocols and their security weaknesses?

Common OT protocols include Modbus TCP (port 502), DNP3 (port 20000), Profinet, and EtherNet/IP (port 44818). They were designed for reliability and real-time performance, not security. They lack authentication (anyone can send commands), encryption (traffic is in cleartext), and integrity checks (packets can be modified). This makes them vulnerable to spoofing, replay attacks, and command injection. The exam expects you to know these protocols and their port numbers.

How does ransomware affect OT environments?

Ransomware can encrypt Windows-based OT components like HMIs, historian servers, and engineering workstations. While PLCs themselves are rarely encrypted (they run real-time OS), losing the HMI or historian can halt operations. For example, the 2021 Colonial Pipeline ransomware attack affected IT billing systems, but the OT pipeline controls were disconnected as a precaution. The correct response is to isolate OT from IT immediately and restore from offline backups. The exam may ask about the priority: safety and availability over ransom payment.

What is IEC 62443?

IEC 62443 is a series of international standards for the security of Industrial Automation and Control Systems (IACS). It covers security levels (SL 1-4), zones and conduits, and requirements for secure product development. For the exam, know that it is the primary standard for OT security, analogous to ISO 27001 for IT. It defines how to segment networks and apply security controls based on risk.
