Podcast: Why IT and OT remain out of sync in modern manufacturing
Key Highlights
- OT/IT convergence boosts uptime, safety, and compliance, but misaligned incentives often slow progress.
- Legacy systems lacking identity awareness pose major risks when connected to modern networks.
- Zero Trust and identity-based access reduce attack surfaces without disrupting operations.
- Air gaps are no longer reliable; secure connectivity is essential for modern manufacturing.
In this episode of Great Question: A Manufacturing Podcast, Scott Achelpohl of Smart Industry and Almog Apirion, CEO and co-founder at Cyolo, explore why IT and OT often remain misaligned and what it takes to close the gap. The discussion highlights how digital transformation, cybersecurity risks, and regulatory pressures are driving the need for convergence. Together, they examine the role of Zero Trust, identity-based access, and secure connectivity in protecting legacy equipment while keeping operations productive and resilient.
Below is an excerpt from the podcast:
SA: Why do you think there's so much pressure now on manufacturers to tear down the silos that exist between OT and IT? What are the incentives to do so?
AA: Yeah, it's a great question. So first of all, OT is more connected than ever. The old approach basically said, “If it's not reachable, it's not breachable.” But that approach is dead. IT is expected to be a business enabler, not a blocker. So their practices are now tightly interdependent. When they work together, uptime, safety, and compliance improve—and the business wins. And that’s not even talking about all the future benefits coming from AI.
SA: Even when both IT and OT agree that cooperation is critical, why is it still so hard to make it happen?
AA: So, I think it’s mainly misaligned incentives and fear of losing control. If you give OT predictable uptime and IT enforceable policy and visibility at the identity and session level, suddenly IT empowers the line of business instead of slowing it—just as an example.
SA: When that alignment does click, what organizational benefits do you see first and foremost, clearly?
AA: It’s better business results at the end of the day—less downtime, lower cyber insurance rates, regulatory alignment, and better productivity. And I think that both security and OT are looking at uptime altogether. The guys from security are looking at the things that can compromise uptime for, you know, security reasons, but they’re serving basically the same need.
SA: Okay, Almog, so digital transformation and network operations connected to IoT—IIoT, excuse me—or even legacy plant equipment that must be connected is placing pressure on IT/OT convergence. What other forces are at work here?
AA: Yeah, you’re absolutely right, Scott. The demand for IoT integration and digital transformation is accelerating IT and OT convergence. But there are several other forces converging at the same time that add to the pressure, I may say.
First, there’s the growing demand for operational agility—whether it’s remote troubleshooting, predictive maintenance, real-time analytics, or even modern industrial operations. Operations require fast and flexible access to systems that were historically siloed. That means, basically, more external vendors, more remote access, and more interconnectivity—often with legacy systems that were never designed with security in mind.
Second, the regulatory pressure. Frameworks like NIS2 in Europe, TSA directives in the U.S., and sector-specific standards like IEC 62443 are pushing organizations to enforce stronger segmentation and access controls, all of which demand tighter coordination between IT and OT teams.
And third, there is a growing cyber risk landscape that we need to address. Threat actors are not waiting for organizations to finish convergence. They’re actively exploiting this transitional phase, I may say. So we’re seeing a clear need for solutions that can bridge this environment securely without requiring a full rip-and-replace approach.
SA: Almog, you mentioned cybersecurity. Obviously, IT/OT convergence and networking legacy equipment—when it was not originally built for that—poses severe cybersecurity concerns. Can you describe a few of those concerns?
AA: Certainly, Scott. So one of the biggest challenges is that legacy OT systems lack native identity awareness. They were never designed to verify who is accessing them—only how they’re accessed. So when you network them or expose them to modern interfaces, they can’t differentiate between a trusted technician and a malicious actor.
Another major concern is insecure remote access pathways. Many organizations still rely on VPNs, jump boxes, and hard-coded credentials to enable remote access. And these methods lack fine-grained control or visibility. They open the door wide, rather than allowing precise, just-in-time access to a specific system for a specific task.
Finally, there’s the lack of segmentation—and let’s call it traceability—in many OT environments. Once a user gains access, there are often few controls, maybe too few controls, to prevent lateral movement or detect suspicious behavior. That’s the major issue when you’re dealing with critical infrastructure, where uptime and safety are non-negotiable, and you also need to deal with legacy.
SA: Why are techniques such as Zero Trust and identity-based access so critical in modern manufacturing environments?
AA: Great question. Zero Trust and identity-based access are critical because they allow you, as an organization, to apply control at the individual level. Even in environments that were not originally built for it, it can be applied.
So Zero Trust splits the traditional model. Instead of assuming everything inside the network is safe, it assumes that nothing is trusted by default. And one of the basic principles is the "never trust, always verify" mindset. That’s especially important in OT environments where third-party vendors, contractors, and even internal teams may need temporary access to critical systems. And all of us know, when production is down, all the doors are being opened, right?
Identity-based access takes it further by ensuring that every action is tied to a verified individual—not just a device, IP address, or even an applicative user. You can apply granular policies—not just “can this person log in,” but “can this person access this asset, for this purpose, during this window, and only perform this set of actions?” And it’s a big difference.
The level of granularity is how you balance security with productivity. Operators still get the work done, but you reduce the attack surface. You increase visibility and meet compliance requirements—all without adding friction or risking uptime.
SA: What types of cyber threats are most aggressively targeting OT environments today? And why are manufacturers particularly vulnerable?
AA: Yes. So ransomware is still a top threat, right? Especially those that target industrial operations. And the general intent is to disrupt production. We’ve seen several cases where attackers didn’t just lock up IT systems—they moved into OT networks to bring down plant operations and increase the ransom pressure.
Another growing threat is supply chain compromise. Attackers target trusted third-party vendors or even remote support connections as a backdoor into critical environments. And because OT environments often have limited visibility into these connections, they’re especially vulnerable to this kind of exploitation.
Manufacturers are also vulnerable because of what I call the “fragile mesh”—a patchwork of old and new technologies, vendors, protocols, and access mechanisms layered one on top of the other. So this complexity creates a lot of blind spots, and attackers are really good at finding and exploiting these blind spots.
SA: Final question for you, Almog. What are some of the biggest misconceptions that manufacturers still have about connecting legacy equipment?
AA: It’s a great question. One of the biggest misconceptions is that you have to replace legacy equipment in order to secure it. But that’s just not true. And for most organizations, it’s not even feasible. So the key is to layer secure access around the systems—enforcing identity, access policy, and oversight at the connection point, even if the system itself is unaware.
Another misconception is that more visibility equals more security. While visibility is essential, it’s not sufficient, right? If you can see a problem but can’t control or prevent it, you’re still at risk. So you need real-time enforcement, not just monitoring.
Finally, many manufacturers still assume that because OT networks are air-gapped—which they are not—they’re safe. But air gaps are becoming a myth. Maintenance, remote support, analytics—they all require connectivity. So it’s no longer about isolation; it’s about smart, secure connection.
About the Podcast
Great Question: A Manufacturing Podcast offers news and information for the people who make, store and move things and those who manage and maintain the facilities where that work gets done. Manufacturers from chemical producers to automakers to machine shops can listen for critical insights into the technologies, economic conditions and best practices that can influence how to best run facilities to reach operational excellence.
About the Author
Scott Achelpohl
Scott Achelpohl is the managing editor of Smart Industry. He has spent stints in business-to-business journalism covering U.S. trucking and transportation for FleetOwner, a sister website and magazine of SI’s at Endeavor Business Media, and branches of the U.S. military for Navy League of the United States. He's a graduate of the University of Kansas and the William Allen White School of Journalism with many years of media experience inside and outside B2B journalism.