IT/OT convergence: Why your clients need unified security visibility


Jan 24, 2026


TL;DR

  • IT and OT networks that were historically separated are now converging due to cloud connectivity, remote access, and data integration requirements.  

  • This IT/OT convergence creates security risks because attackers can pivot from compromised IT systems into poorly defended OT environments.  

  • Most security tools only see the IT side, creating a visibility gap where building management systems, industrial controllers, and IoT devices remain unmonitored.  

  • Unified security visibility through Open XDR platforms enables MSPs to see and correlate threats across both IT and OT networks, closing the convergence gap that attackers exploit. 

The historical separation of IT and OT 

How were IT and OT networks traditionally organized? 

For decades, IT and OT lived in separate worlds.  

IT networks handled business applications, email, and user productivity. OT networks managed physical processes: manufacturing lines, building systems, industrial equipment. Different teams owned them. Different vendors supplied them. They barely spoke to each other.  


IT networks: 

  • Handled business applications, email, and user productivity 

  • Supported office workers and business processes 

  • Connected to the internet and external partners 

  • Managed by IT departments with cybersecurity focus 

OT networks: 

  • Managed physical processes: manufacturing lines, building systems, industrial equipment 

  • Operated in isolation for reliability and safety 

  • Avoided internet connectivity to reduce risk 

  • Managed by operations teams (facilities, engineering, production) 

Key characteristics of the separation: 

  • Different teams owned each network 

  • Different vendors supplied equipment and systems 

  • Networks barely communicated with each other 

  • Security approaches differed fundamentally 

That separation is dissolving. And the security implications are significant. 

The Purdue model is breaking down 

What is the Purdue model for industrial security? 

Industrial security has traditionally followed the Purdue model, a hierarchical architecture that separates enterprise IT from operations with security controls in between. 

Purdue model structure: 

  • Levels 4-5: Enterprise IT (business systems, email, databases) 

  • Level 3.5: Demilitarized zone (DMZ) with firewalls and security controls 

  • Levels 0-3: Operations (controllers, sensors, actuators, SCADA) 

Security philosophy: The idea was isolation. Keep the factory floor separate from the business network. Air gaps and firewalls prevent lateral movement. OT stays safe because attackers cannot reach it from IT. 

Why is the Purdue model failing in modern environments? 

In practice, those air gaps have become porous due to business and operational requirements. 

Forces breaking down separation: 

  • Cloud connectivity: Building management systems now report to vendor platforms over the internet for monitoring and maintenance 

  • Remote access: Technicians manage industrial equipment from anywhere, requiring network connectivity 

  • Data integration: OT telemetry must flow into enterprise analytics platforms for business intelligence 

  • Vendor management: Equipment manufacturers require remote access for support and updates 

  • Business pressure: Real-time operational data drives business decisions, requiring IT/OT integration 

Result: The walls between IT and OT are full of holes. And attackers are walking through them. 
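One way to find those holes is to check every observed network flow against the Purdue levels. The audit below is an added example, not code from the article or from enhanced.io; the subnets, the zone table and the flow records are all constructed. Flows that cross from enterprise IT (levels 4-5) into operations (levels 0-3) without touching the level 3.5 DMZ, and flows from unknown outside addresses straight into operations, are reported as model violations.

```python
"""Purdue-model flow audit (added example; zones, hosts and flows are constructed)."""
import ipaddress

# Constructed zone table: subnet -> Purdue level
ZONES = {
    ipaddress.ip_network("10.10.0.0/16"): 4.0,   # enterprise IT
    ipaddress.ip_network("10.35.0.0/24"): 3.5,   # DMZ: jump hosts, historian replica
    ipaddress.ip_network("10.30.0.0/24"): 3.0,   # site operations / SCADA servers
    ipaddress.ip_network("10.20.0.0/24"): 2.0,   # HMIs and BMS front ends
    ipaddress.ip_network("10.1.0.0/24"): 1.0,    # PLCs and building controllers
}
DMZ = 3.5

# Constructed flow records observed on the network: (src, dst, dst_port)
FLOWS = [
    ("10.10.5.20", "10.35.0.10", 443),     # IT user -> DMZ jump host
    ("10.35.0.10", "10.30.0.5", 3389),     # DMZ jump host -> SCADA server
    ("10.1.0.50", "10.20.0.12", 502),      # PLC <-> HMI, inside operations
    ("10.10.7.31", "10.20.0.12", 47808),   # IT laptop -> BMS front end (BACnet)
    ("10.10.9.4", "10.1.0.50", 502),       # IT server -> PLC (Modbus/TCP)
    ("203.0.113.9", "10.20.0.12", 443),    # vendor cloud -> BMS, no DMZ in between
]


def level_of(ip):
    """Purdue level of an address, or None for hosts outside the zone table."""
    addr = ipaddress.ip_address(ip)
    for net, level in ZONES.items():
        if addr in net:
            return level
    return None


def domain_of(level):
    """Collapse a level into the domain the model cares about."""
    if level is None:
        return "external"
    if level == DMZ:
        return "dmz"
    return "enterprise" if level >= 4 else "operations"


def classify_flow(src, dst):
    """Classify one flow against the Purdue model.

    internal        both ends in the same domain
    via_dmz         one end is the level 3.5 DMZ (the intended crossing point)
    bypass          enterprise <-> operations with no DMZ in between
    external_to_ot  an address outside the zone table talking straight to operations
    external        an outside address talking to enterprise IT, or two outside hosts
    """
    s, d = domain_of(level_of(src)), domain_of(level_of(dst))
    if s == d:
        return "external" if s == "external" else "internal"
    if "dmz" in (s, d):
        return "via_dmz"
    if "external" in (s, d):
        return "external_to_ot" if "operations" in (s, d) else "external"
    return "bypass"  # enterprise on one side, operations on the other


def audit(flows):
    """Return the flows that violate the model, each with its verdict."""
    return [
        (src, dst, port, verdict)
        for src, dst, port in flows
        if (verdict := classify_flow(src, dst)) in ("bypass", "external_to_ot")
    ]


if __name__ == "__main__":
    for src, dst, port, verdict in audit(FLOWS):
        print(f"{verdict:15} {src} -> {dst}:{port}")
```

Run against real flow data (firewall logs, NetFlow, a span-port capture), the same check turns "the walls are full of holes" into a concrete list of the connections that bypass the DMZ, which is the list a segmentation or monitoring project has to start from.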

Why IT/OT convergence creates risk 

What security risks does IT/OT convergence create? 

When IT and OT were truly separated, a compromise in IT stayed in IT. An attacker who breached the email server could not reach the building management system. The damage was contained by network architecture. 

Convergence changes that equation fundamentally. 

How do attackers exploit converged networks? 

Attack chain in converged environments: 

  1. Attacker compromises user's laptop through phishing email 

  2. Uses stolen credentials to move laterally within IT network 

  3. Discovers connection points between IT and OT networks 

  4. Pivots from IT into building automation or industrial control networks 

  5. Compromises OT systems that lack security monitoring 

  6. Deploys ransomware on building management systems or disrupts operations 

Real-world example: A phishing email targeting a facilities manager becomes a building security incident when the attacker uses those credentials to access the building management system.

Why do attackers target the IT-to-OT path? 

This is not theoretical. We are seeing attack chains that start with IT compromise and end with OT impact across multiple industries. 

Attacker perspective: 

  • IT security is more mature with multiple defensive layers 

  • OT security is immature with fewer controls and monitoring 

  • Path from IT to OT provides access to less-defended high-value targets 

  • OT compromise creates immediate operational impact 

  • Building operators pay ransoms quickly to restore operations 

The convergence gap is the attacker's opportunity. 

The visibility problem in converged networks 

Why do most security tools fail in converged environments? 

Here is the challenge for defenders: most security tools only see half the picture.

What traditional IT security sees: 

  • Endpoint protection watches the IT side (laptops, servers, workstations) 

  • SIEM collects logs from servers and applications 

  • MDR monitors for threats on Windows machines 

  • Cloud security platforms track SaaS and IaaS activity

  • Identity systems monitor user authentication 

What remains invisible: 

  • Building management systems 

  • Industrial controllers and PLCs 

  • HVAC and access control systems 

  • IoT devices throughout facilities 

  • Industrial protocols (BACnet, Modbus, OPC-UA) 

The blind spot: You are defending half the environment while attackers can move through the whole thing.
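Making the OT side visible starts with decoding the industrial protocols the IT tools ignore. The detector below is an added example, not code from the article or from enhanced.io; the Modbus/TCP frames, the host addresses and the engineering allow-list are constructed. It parses the MBAP header and the start of the PDU, then flags any write function code (5, 6, 15, 16) sent by a host that is not an approved engineering workstation.

```python
"""Modbus/TCP write-command detector (added example; frames and hosts are constructed)."""
import struct
from dataclasses import dataclass

READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Constructed: hosts allowed to issue writes (SCADA server, engineering workstation)
ENGINEERING_HOSTS = {"10.30.0.5", "10.30.0.20"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int         # starting register/coil address
    count_or_value: int  # quantity for reads/multi-writes, value for single writes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode the MBAP header and PDU start; raise ValueError on a malformed frame."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    # The MBAP length field counts every byte after itself (unit id onward)
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    if fc in READ_FUNCTIONS or fc in WRITE_FUNCTIONS:
        if len(payload) < 12:
            raise ValueError("PDU truncated")
        address, count_or_value = struct.unpack(">HH", payload[8:12])
    else:
        address, count_or_value = 0, 0   # other function codes are not decoded here
    return ModbusRequest(tid, unit, fc, address, count_or_value)


def detect_unexpected_writes(traffic, engineering_hosts=ENGINEERING_HOSTS):
    """traffic: iterable of (src_ip, dst_ip, payload). Returns a list of alert dicts."""
    alerts = []
    for src, dst, payload in traffic:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append({"src": src, "dst": dst, "reason": f"malformed frame: {err}"})
            continue
        if req.function in WRITE_FUNCTIONS and src not in engineering_hosts:
            alerts.append({
                "src": src, "dst": dst, "unit": req.unit_id,
                "reason": f"{WRITE_FUNCTIONS[req.function]} to address "
                          f"{req.address} from non-engineering host",
            })
    return alerts


# Constructed frames (big-endian): tid, proto=0, length, unit, fc, ...
READ_FROM_HMI = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)        # read 10 holding registers
WRITE_FROM_ENG = struct.pack(">HHHBBHHB", 2, 0, 9, 1, 16, 100, 1, 2) + struct.pack(">H", 750)
WRITE_FROM_LAPTOP = struct.pack(">HHHBBHH", 3, 0, 6, 1, 6, 40, 0)    # set register 40 to 0

SAMPLE_TRAFFIC = [
    ("10.20.0.12", "10.1.0.50", READ_FROM_HMI),      # HMI polling: expected
    ("10.30.0.20", "10.1.0.50", WRITE_FROM_ENG),     # engineering workstation: expected
    ("10.10.7.31", "10.1.0.50", WRITE_FROM_LAPTOP),  # IT laptop writing a setpoint: alert
]

if __name__ == "__main__":
    for alert in detect_unexpected_writes(SAMPLE_TRAFFIC):
        print(alert)
```

The same pattern (decode the protocol, then compare who is issuing control commands against who is supposed to) is what a BACnet or OPC-UA parser feeds into a detection engine; without the parser, the laptop-to-PLC write above is just another TCP session on port 502.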

Why is lack of correlation dangerous? 

Worse, you cannot correlate signals across the IT/OT boundary when using separate tools. 

Correlation problem: 

  • Alert in IT: Suspicious credential use 

  • Anomaly in OT: Unusual commands on building network 

  • These might be parts of the same attack 

  • But if your tools cannot connect them, you investigate each in isolation and miss the pattern 

Without unified visibility, coordinated attacks across IT and OT boundaries appear as disconnected events. 

What unified security visibility looks like 

What is unified security visibility? 

Closing the convergence gap requires security tools that see both IT and OT in the same view, with correlation between signals across both environments. 

What data sources must unified visibility include? 

IT side data sources: 

  • Endpoints (laptops, servers, workstations) 

  • Cloud platforms (SaaS, IaaS, PaaS) 

  • Identity systems (Active Directory, SSO, MFA) 

  • Network infrastructure (firewalls, switches, routers) 

  • Applications and databases 

OT side data sources: 

  • Building controllers and BMS platforms 

  • Industrial protocols (BACnet, Modbus, OPC-UA) 

  • Access control and video surveillance 

  • HVAC controllers and sensors 

  • IoT devices throughout facilities 

  • SCADA and industrial control systems 

Why is correlation across IT and OT critical? 

More importantly, unified visibility means correlating signals across both domains. 

Correlation scenarios: 

  • User credentials used suspiciously in IT + unusual commands on building network = coordinated attack 

  • Malware detection on endpoint + anomalous OT traffic = lateral movement attempt 

  • Failed authentication in IT + access control anomalies = credential compromise affecting physical security 

Result: One correlated alert with full context, not two separate investigations missing the connection.
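The correlation the two lists above describe (suspicious credential use in IT plus unusual commands on the building network becoming one alert) can be written as a join between the two event streams. The engine below is an added example, not code from the article or from enhanced.io; the event records, the asset map and the 30-minute window are constructed. IT alerts are keyed by hostname while OT anomalies carry only a source IP, so a constructed asset map (the kind of data DHCP or a CMDB provides) is the link between them.

```python
"""Cross-domain alert correlation (added example; events and asset map are constructed)."""
from datetime import datetime, timedelta

# Constructed asset map: IP seen on the OT network -> hostname known to IT tools
ASSET_MAP = {"10.10.7.31": "LT-0431", "10.30.0.20": "ENG-WS-02"}
WINDOW = timedelta(minutes=30)

# Constructed IT-side alerts (identity provider and EDR)
IT_EVENTS = [
    {"ts": "2026-01-19T22:00:00", "source": "identity", "host": "LT-0431",
     "user": "jdoe", "type": "mfa_fatigue_prompts"},            # too old to correlate
    {"ts": "2026-01-20T09:02:11", "source": "identity", "host": "LT-0431",
     "user": "jdoe", "type": "login_from_new_country"},
    {"ts": "2026-01-20T09:09:40", "source": "edr", "host": "LT-0431",
     "user": "jdoe", "type": "credential_access_tool"},
    {"ts": "2026-01-20T09:12:05", "source": "edr", "host": "LT-0988",
     "user": "asmith", "type": "suspicious_macro"},             # no OT follow-up
]

# Constructed OT-side anomalies from a protocol-aware sensor
OT_EVENTS = [
    {"ts": "2026-01-20T09:14:50", "source": "bms_sensor", "src_ip": "10.10.7.31",
     "dst_ip": "10.20.0.12", "type": "bacnet_write_property_from_new_host"},
    {"ts": "2026-01-20T09:20:00", "source": "bms_sensor", "src_ip": "10.30.0.20",
     "dst_ip": "10.1.0.50", "type": "modbus_write_multiple_registers"},  # no IT alert
]


def ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(it_events, ot_events, asset_map=ASSET_MAP, window=WINDOW):
    """Return one incident per host that has IT alerts shortly before OT anomalies."""
    it_by_host = {}
    for e in it_events:
        it_by_host.setdefault(e["host"], []).append(e)

    ot_by_host = {}
    for o in ot_events:
        host = asset_map.get(o["src_ip"])
        if host:                      # unmapped IPs stay as OT-only events
            ot_by_host.setdefault(host, []).append(o)

    incidents = []
    for host, ot_list in ot_by_host.items():
        # keep IT alerts that happened within the window before any OT anomaly
        related = [
            e for e in it_by_host.get(host, [])
            if any(timedelta(0) <= ts(o) - ts(e) <= window for o in ot_list)
        ]
        if related:
            incidents.append({
                "host": host,
                "users": sorted({e["user"] for e in related}),
                "it_events": related,
                "ot_events": ot_list,
                "summary": f"{len(related)} IT alert(s) on {host} followed by "
                           f"{len(ot_list)} OT anomaly(ies) within {window}",
            })
    return incidents


if __name__ == "__main__":
    for incident in correlate(IT_EVENTS, OT_EVENTS):
        print(incident["summary"], incident["users"])
```

With separate tools, the two LT-0431 identity/EDR alerts and the BACnet write would sit in three queues; the join produces one incident naming the host, the user and both sides of the activity. The asset map is the piece most often missing in practice: if nothing ties OT-side IP addresses to IT-side hostnames, the correlation cannot be made no matter how good either feed is.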

What is the definition of unified visibility? 

This is what we mean by unified security visibility: seeing the whole environment, regardless of which side of the old IT/OT boundary it sits on, with the ability to correlate threats across both domains. 

The Open XDR approach to converged network security 

Why do traditional XDR platforms fail for IT/OT convergence? 

Traditional XDR platforms focused exclusively on IT. They integrate endpoints, cloud, and identity. Some have network detection capability. But few extend into OT protocols and building systems. 

Traditional XDR limitations: 

  • Built around IT security use cases 

  • Lack protocol parsers for industrial communication (BACnet, Modbus, OPC-UA) 

  • Cannot ingest data from building controllers or industrial systems 

  • SOC analysts lack OT expertise 

  • Detection rules designed for IT threats only 

What is Open XDR and why does it enable IT/OT convergence? 

Open XDR changes the equation by design. Open XDR platforms ingest data from any source through open integration frameworks. 

Open XDR advantages for converged environments: 

  • Flexibility: Can integrate any data source (IT or OT) 

  • Protocol support: Can add parsers for industrial protocols 

  • Unified correlation: Single engine analyzes signals across all sources 

  • No rearchitecting: Adding OT sources does not require platform rebuild 

  • Single pane of glass: One view of entire environment 

How does enhanced.io provide unified IT/OT visibility? 

At enhanced.io, we leverage Open XDR flexibility to provide unified IT/OT visibility for MSPs and their clients. 

Our approach: 

  • Same platform ingests IT security data and OT network traffic 

  • Correlation engine connects endpoint alerts with cloud anomalies AND building system anomalies 

  • Protocol-aware detection understands BACnet, Modbus, OPC-UA communication 

  • SOC analysts trained in both IT and OT threat patterns 

  • Fractional security directors translate findings across IT and OT domains 

Result: One platform, one view, one SOC team watching both IT and OT. 

What unified visibility means for MSPs 

Why is unified visibility becoming essential for MSPs? 

For MSPs serving clients with converged environments, unified security visibility is becoming essential for both risk management and competitive positioning.

What risks do MSPs face without unified visibility? 

Risk considerations: 

  • If you monitor IT but not OT, you leave gaps that attackers exploit 

  • If your client gets compromised through building systems you were not watching, that reflects on your service quality 

  • Clients increasingly understand they have converged environments and need comprehensive coverage 

  • Liability increases when attacks succeed through unmonitored systems 

What competitive advantages does unified visibility provide? 

Differentiation opportunities: 

  • Most MSPs cannot offer unified IT/OT visibility 

  • Showing clients a single view of their entire environment demonstrates advanced capability 

  • Addressing building systems that previous providers ignored creates immediate value 

  • Clients cannot get this capability from endpoint-focused competitors 

  • Premium pricing justified by comprehensive coverage 

How does unified visibility change client conversations? 

Client conversation shifts: 

  • From: "We need endpoint protection and email security" 

  • To: "We need comprehensive visibility across our IT and building systems" 

Clients with converged environments increasingly understand the risk and seek MSPs who can address it. 

Getting started with unified IT/OT visibility 

What prevents MSPs from offering unified visibility? 

If you are not currently monitoring OT, starting can feel daunting. 

Common barriers: 

  • Industrial protocols are unfamiliar (BACnet, Modbus, OPC-UA) 

  • Building systems work differently from IT 

  • Learning curve seems steep for OT security 

  • Investment in specialized tools appears expensive 

  • Hiring OT security expertise is difficult 

How can MSPs achieve unified visibility without years of investment? 

The good news is you do not have to build that expertise internally. Partnering with a provider who already has OT capability gets you to market faster than developing it yourself. 

What enhanced.io provides: 

  • Platform with IT and OT integration 

  • Protocol parsers for industrial communication 

  • SOC analysts with OT expertise 

  • Fractional security directors for client conversations 

  • Assessment frameworks for converged environments 

What MSPs provide: 

  • Client relationships 

  • Local service delivery 

  • Account management 

  • Integration with broader managed services 

Through this partnership, you can reduce the timeline to capability from months to weeks.

Key takeaways 

IT/OT convergence is happening: 

  • Cloud connectivity, remote access, and data integration are breaking down historical separation 

  • The Purdue model's air gaps have become porous 

  • Attackers exploit paths from IT into less-defended OT environments 

The visibility problem: 

  • Most security tools only see IT side (endpoints, cloud, identity) 

  • OT networks remain in blind spot (building systems, industrial controllers, IoT) 

  • Lack of correlation means coordinated attacks appear as disconnected events 

  • Defending half the environment while attackers move through the whole thing 

Unified visibility solution: 

  • Open XDR platforms can integrate both IT and OT data sources 

  • Correlation across IT and OT enables detection of cross-domain attacks 

  • Single pane of glass provides comprehensive environment view 

  • One SOC team watches both domains with appropriate expertise 

MSP opportunity:

  • Unified visibility is becoming essential for converged environments 

  • Most MSPs cannot offer this capability, creating differentiation 

  • Partnership models enable capability without years of internal investment 

  • Competitive advantage for MSPs who address the convergence gap 

What should MSPs do next? 

The IT/OT divide is disappearing. Security visibility needs to follow. 

Take action: 

  1. Assess your current capability: Do you monitor OT networks or only IT? 

  2. Identify clients with converged environments: Commercial real estate, healthcare, manufacturing, hospitality 

  3. Understand the visibility gap: What percentage of client attack surface is unmonitored? 

  4. Explore partnership options: How can you achieve unified visibility without years of investment? 

Want to assess your clients' visibility gaps? 

Contact us to discuss a converged environment assessment and learn how enhanced.io enables MSPs - like Onsite Technologies - to provide unified security visibility across IT and OT networks. 

Or read our complete guide to OT security for MSPs to understand how converged network security fits into your service portfolio and competitive strategy. 

Listen to the podcast:

OT Security for MSPs

FAQ

What is IT/OT convergence?

IT/OT convergence is the merging of information technology networks (business systems, email, user productivity) with operational technology networks (building management, industrial control, physical processes) that were historically separated. This convergence happens due to cloud connectivity, remote access requirements, and data integration needs.


Why is IT/OT convergence creating security risks?

What is unified security visibility?

Can traditional XDR platforms provide unified IT/OT visibility?

What protocols do MSPs need to monitor in OT environments?

How long does it take to add unified visibility capability?

Do I need separate SOC teams for IT and OT?

What clients need unified IT/OT visibility most urgently?