There’s a paper mill somewhere with equipment that has been running for 50 years. The plan is for it to run for 50 more. Nobody is patching it. Nobody is taking it offline for a maintenance window. And thanks to Industry 4.0 and the pressure to connect everything, that machine is now on the same network as systems that touch the internet.
Raghu Nandakumara, Head of Industry Strategy at Illumio, hears that exact scenario from customers regularly. I talked with him about how Illumio is approaching the convergence of IT and OT environments, and what became clear pretty quickly is that the technology side of this problem is almost secondary. The harder part is organizational.
According to Waterfall Security’s 2025 Threat Report, which tracks only verified incidents with physical consequences, the number of OT sites suffering operational impairment from cyberattacks jumped 146 percent in 2024—from 412 sites to more than 1,000. Whatever the trajectory looked like before, it is steeper now.
Availability Comes First
Anyone who has spent time in manufacturing knows that the security team is not running the show on the plant floor. Human safety comes first. Keeping the line running comes second. Everything else — including cybersecurity — gets fit in around those two priorities, and only if it doesn’t threaten either one.
I experienced that dynamic personally years ago, working with General Motors through EDS. I could walk out of a meeting with the C-suite and have full backing for a company-wide security initiative, then walk into a manufacturing plant and have the plant manager look at me like I had two heads. It didn’t matter if the directive came from the top. Human safety and uninterrupted production trump everything else. Those plant managers ran their own fiefdoms, and their success metric was units per hour, not patch compliance.
Nandakumara described the same dynamic. “What drives a lot of what happens in the factories is the plant managers. Their decision-making is first and foremost driven by human safety and availability. And after that, things like integrity and confidentiality come a very far second after those two things.”
Illumio’s approach starts from that reality rather than fighting it. You don’t drop controls onto machines that were never designed to have controls. You figure out where security can fit without breaking what’s already working.
Show Me What’s Happening First
Before recommending any controls, Illumio tries to give customers a clear picture of what’s actually communicating in their environment. Most OT environments have a significant gap between what people think is connected and what actually is. Assets that were never meant to talk to anything are talking to something. Paths exist that nobody deliberately created.
The foundation for this is Illumio’s security graph, which maps connectivity relationships across IT and OT assets and can pull in OT-specific context through integrations with platforms like Armis. The idea is that IT and OT can be viewed together or separately depending on what you’re trying to answer, with each asset annotated with enough context to know what it is and how it fits into the broader environment.
Where controls actually get placed is a separate question, and it doesn’t always land on the OT device itself. Sometimes the right move is to put the control at the IT boundary. Sometimes it’s somewhere in the middle. The point is to have enough visibility to make that call deliberately rather than guessing.
“Our approach is: let’s first show you what’s happening in your environment. Let’s show you how all these things are interacting. And then we can implement the security control where it is most appropriate, so that we give you the security without compromising the availability,” Nandakumara said.
The Air Gap Is Gone
For a long time, the OT security answer was physical separation. If the operational network was air-gapped, it didn’t matter how vulnerable the systems were — nobody could reach them from outside. That model has been dissolving for years, and at this point, it’s largely gone.
The pressure to connect OT systems came from legitimate business needs. Real-time production data, remote monitoring, integration with enterprise software — all of it required bridging what used to be isolated. Industry 4.0 accelerated that. Now every new layer of industrial digitization narrows the distance between operational systems and external networks further.
What makes this hard is that the connectivity was introduced on top of equipment that was built to a completely different set of assumptions. Legacy OT systems often can’t run agents. Firmware doesn’t get patched on a regular cycle. Taking a system offline isn’t always an option when it’s running a continuous process. So organizations are trying to retrofit security onto equipment that was designed to run for decades without interruption, now suddenly exposed in ways it was never intended to be.
OT Is Not Just IT With Different Hardware
One of the points Nandakumara made that stuck with me is that solving this problem requires treating OT on its own terms. The risk calculus genuinely is different. A misconfigured firewall rule in IT might cause a service disruption. The equivalent mistake in a manufacturing environment can mean halting production, or in certain industries, creating a safety hazard. The consequences of getting it wrong are not the same, which means the approach can’t just be scaled-down IT security.
The segmentation model Illumio has been built around does translate here, but not as a uniform control applied in exactly the same way everywhere. The more relevant framing is about limiting lateral movement intentionally in the right places: assuming an attacker gets into the IT environment and tries to move toward OT systems, what can you do to slow or stop that before it reaches something operational? That’s a containment problem, and containment is something segmentation is well-suited for even when you can’t harden the target itself.
For most organizations, the first step is just getting honest about what’s in the environment. Many have OT assets that aren’t properly inventoried, connections that were never documented, and communication patterns that accumulated over years without anyone setting them up intentionally. Getting that picture is unglamorous work, but until it’s done, the idea of applying the right controls in the right places is mostly theoretical.
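Added example (not Illumio's product logic and not code from the article): it builds a connectivity graph from observed flows, flags undocumented connections and IT-to-OT boundary crossings, and reports which OT assets stay reachable from an internet-facing system when chosen flows are blocked. The asset names, zones, flows and function names are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed inventory: asset name -> zone ("ext" = internet-facing IT).
ASSETS = {"vpn-gw": "ext", "erp-app": "it", "historian": "it",
          "eng-ws": "it", "hmi-01": "ot", "plc-press-3": "ot"}

# Constructed observed flows: (source, destination, destination port).
FLOWS = [("vpn-gw", "erp-app", 443), ("erp-app", "historian", 1433),
         ("historian", "hmi-01", 44818), ("erp-app", "eng-ws", 3389),
         ("eng-ws", "plc-press-3", 502), ("hmi-01", "plc-press-3", 502)]

# Constructed list of connections that were deliberately set up and documented.
DOCUMENTED = {("vpn-gw", "erp-app", 443), ("erp-app", "historian", 1433),
              ("historian", "hmi-01", 44818), ("hmi-01", "plc-press-3", 502)}

def undocumented(flows, documented):
    """Observed flows that appear in no documentation."""
    return [f for f in flows if f not in documented]

def boundary_flows(flows, assets):
    """Flows that cross from a non-OT asset into an OT asset."""
    return [f for f in flows if assets[f[0]] != "ot" and assets[f[1]] == "ot"]

def paths_to_ot(flows, assets, blocked=()):
    """BFS from each internet-facing asset; return {ot_asset: shortest path}."""
    graph = defaultdict(list)
    for src, dst, port in flows:
        if (src, dst, port) not in blocked:
            graph[src].append(dst)
    found = {}
    for start in (a for a, zone in assets.items() if zone == "ext"):
        queue, seen = deque([[start]]), {start}
        while queue:
            path = queue.popleft()
            node = path[-1]
            # Record the path if this OT asset is new or this route is shorter.
            if assets[node] == "ot" and len(path) < len(found.get(node, path + [None])):
                found[node] = path
            for nxt in graph[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return found

if __name__ == "__main__":
    print("undocumented:", undocumented(FLOWS, DOCUMENTED))
    print("paths to OT:", paths_to_ot(FLOWS, ASSETS))
    print("after blocking boundary:", paths_to_ot(FLOWS, ASSETS, boundary_flows(FLOWS, ASSETS)))
```

Blocking only the undocumented Modbus flow still leaves the PLC reachable through the documented historian-to-HMI path, which is why the placement decision needs the whole graph rather than just a list of surprises.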
- The OT Security Problem Nobody Wants to Own - June 3, 2026



