Advisory · By Rutvi Vadera · May 14, 2026 · 11 min read

IT/OT Convergence Security for Utilities: Holding the Boundary Between Corporate IT and the Grid


For decades, the systems that ran the grid lived in a different world from the systems that ran the business. That separation is gone. As utilities connect operational technology to corporate IT for efficiency, analytics, and remote work, they extend the attack surface straight into the equipment that opens breakers and balances load. Z Cyber operates the security program at that boundary on behalf of utility clients, running the segmentation, monitoring, and remote-access controls on our Glance platform so the convergence delivers business value without handing adversaries a path to physical operations.

The convergence is real, and so is the new attack surface

IT/OT convergence is not a slogan. It is the practical merging of business information technology with the operational technology that monitors and controls physical processes. In a utility, that operational technology includes SCADA systems, energy management systems, remote terminal units, programmable logic controllers, and protective relays. These systems were engineered for availability and safety over decades, not for exposure to a connected enterprise network.

The business case for connecting them is strong. Operators want real-time production data in corporate analytics. Engineers want remote access so they do not have to drive to a substation for every change. Asset-management and predictive-maintenance programs pull telemetry from field devices into enterprise applications. Each of these connections delivers value, and each one also creates a path that an attacker on the IT side can potentially follow down into systems that control the flow of electricity.

The risk is not theoretical for the sector. Utilities sit in the crosshairs of nation-state actors and criminal groups precisely because the physical consequences of a successful intrusion are severe. The honest framing is qualitative: the threat landscape facing energy operators is active and well-documented by national authorities, and the systems at risk were never designed to defend themselves. That is the gap a utility security program has to close. We cover the broader operating model on our utilities security and industrials and OT pages.

Why flat networks are the core failure mode

The single most common and most dangerous weakness we find at the IT/OT boundary is a flat network. When corporate IT and operational technology share routable connectivity with no enforced separation, a phishing email that compromises an office laptop becomes a foothold that can reach a control-system workstation. There is no architectural barrier forcing the attacker to stop, slow down, or reveal themselves.

Several conditions compound the problem in utility environments. Legacy OT protocols such as Modbus, DNP3, and OPC were built for reliability on isolated networks, and many implementations lack authentication and encryption, so a device on the same segment will trust commands it should not. OT devices often run for fifteen or twenty years and cannot be patched on enterprise timelines, leaving known vulnerabilities exposed. Remote access is frequently bolted on through vendor tools or shared credentials rather than controlled gateways. And monitoring in the OT environment is thin, so an intrusion that would trigger alerts in the enterprise can move quietly below the DMZ.

None of these is solved by a single product. They are solved by an architecture and an operating discipline applied consistently, which is the work Z Cyber takes on as an operating partner rather than handing a client a tool and a checklist.


The Purdue model as a reasoning tool, not a rulebook

The Purdue Enterprise Reference Architecture, usually called the Purdue model, gives utilities a shared vocabulary for segmentation. It describes layered levels, with enterprise and business IT at the top, a demilitarized zone in the middle, and operational control levels below it that run progressively closer to physical equipment. The deeper levels host the supervisory control, the controllers, and ultimately the sensors and actuators that touch the process itself.

The value of the model is that it forces a question for every connection: which level does this traffic originate from, which level does it need to reach, and what sits between them to mediate that crossing. A well-designed boundary does not allow enterprise systems to talk directly to control-level devices. Traffic crosses through the DMZ, where it can be brokered, inspected, and restricted to exactly the flows the business requires.

The Purdue model is a reasoning aid, not a literal blueprint for every site. Modern architectures with cloud analytics and remote operations rarely match the original diagram exactly. What matters is preserving the principle the model encodes: enforce separation between business systems and control systems, and make every crossing deliberate, brokered, and monitored.

The standards that govern the boundary

Three frameworks do most of the work at the IT/OT boundary, and a utility security program has to operate against all of them at once. They overlap in intent and differ in scope, which is why coordinating them is itself part of the job.

Framework | What it governs | Relevance to the IT/OT boundary
--- | --- | ---
NERC CIP | Mandatory reliability standards for the North American bulk electric system. | CIP-005 defines Electronic Security Perimeters and governs Interactive Remote Access, requiring access through an Intermediate System with multi-factor authentication for high and medium impact systems.
IEC 62443 | A standards series for industrial automation and control system security. | Contributes the zones-and-conduits model and defined security levels, giving engineers a structured way to group assets and control the conduits between them.
NIST SP 800-82 | NIST guidance on securing operational and industrial control systems. | The reference guide for OT security practice, covering segmentation, monitoring, and the operational constraints that make OT different from IT.

NERC CIP is mandatory and enforceable for the bulk electric system, IEC 62443 supplies the engineering model that makes compliance defensible, and NIST SP 800-82 grounds the practice in OT-specific reality. For a deeper comparison of two of these, see our breakdown of IEC 62443 versus NERC CIP.

What a defensible IT/OT boundary actually looks like

Closing the gap is a finite set of controls applied with discipline. The work is not exotic, but it has to be done completely and kept current, which is where programs usually fall down.

Segment IT from OT with an enforced DMZ. No enterprise system talks directly to a control-level device. Data and management traffic cross through brokered services in the DMZ, restricted to the specific flows the business needs. This is the architectural barrier a flat network lacks.

Control and monitor every remote access path. Interactive access into OT should route through an intermediate system that enforces multi-factor authentication, terminates the session, and logs it. Vendor access, the most common blind spot, must run through the same controlled gateway rather than a parallel tool with shared credentials.

Inventory the OT estate. You cannot defend assets you have not catalogued. A current inventory of devices, firmware versions, protocols, and connections is the foundation for every other control, and it is the input that feeds segmentation, vulnerability management, and monitoring.

Monitor with OT-aware, passive techniques. Active scanning can disrupt fragile control devices, so visibility in OT relies on passive monitoring that observes traffic without injecting into it. This surfaces unexpected flows across the boundary, the early signal of an intrusion moving from IT toward control systems.

Apply least privilege everywhere. Accounts, services, and conduits get only the access the function requires. The goal is to ensure that a single compromised credential or workstation cannot pivot freely across the boundary.
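The Purdue question from the segmentation section (which zone did a flow start in, which zone did it reach, and is that crossing brokered through the DMZ?) and the passive-monitoring control above can be turned into a concrete check that runs over flow records a passive collector exports. The script below is an added example, not Z Cyber or Glance code; the zone subnets, the conduit allow-list, and the flow records are all constructed for illustration. It assigns each endpoint a Purdue-style zone from the asset inventory, approves only the conduits on the allow-list, and escalates any enterprise-to-control crossing that bypasses the DMZ, any unapproved Modbus, DNP3 or OPC UA conduit into a control zone, and any endpoint the inventory does not know about.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Purdue-style zones keyed by subnet (constructed addressing for this example).
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),  # Levels 4-5: corporate IT
    "dmz": ipaddress.ip_network("10.20.0.0/24"),         # Level 3.5: jump host, historian replica
    "control": ipaddress.ip_network("10.30.0.0/24"),     # Levels 2-3: SCADA/EMS, HMIs, engineering
    "field": ipaddress.ip_network("10.40.0.0/24"),       # Levels 0-1: RTUs, PLCs, relays
}
# Well-known ports of OT protocols that commonly run without authentication.
OT_PROTOCOL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 4840: "OPC UA"}
# Conduit allow-list (source zone, destination zone, destination port): the flows the
# business requires. Every IT-to-OT crossing terminates in the DMZ, never beyond it.
ALLOWED_CONDUITS = {
    ("enterprise", "dmz", 443),   # analytics reads the historian replica over TLS
    ("enterprise", "dmz", 22),    # engineers reach the jump host (MFA enforced and logged there)
    ("dmz", "control", 3389),     # jump host opens RDP to an engineering workstation
    ("dmz", "control", 502),      # historian collector polls the SCADA server
    ("control", "field", 502),    # SCADA polls PLCs over Modbus
    ("control", "field", 20000),  # SCADA polls RTUs over DNP3
}

@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    src_zone: Optional[str]
    dst_zone: Optional[str]
    dport: int
    verdict: str   # "allowed", "violation" or "unzoned"
    severity: str  # "info", "high" or "critical"
    reason: str

def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone; None means the host is missing from the inventory."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def evaluate_flow(timestamp: str, src: str, dst: str, dport: int) -> Finding:
    """The Purdue question for one flow: where did it originate, where did it reach,
    and is that crossing an approved conduit?"""
    sz, dz = zone_of(src), zone_of(dst)
    def finding(verdict, severity, reason):
        return Finding(timestamp, src, dst, sz, dz, dport, verdict, severity, reason)
    if sz is None or dz is None:
        return finding("unzoned", "high", "endpoint missing from the asset inventory; zone unknown")
    if sz == dz:
        return finding("allowed", "info", "intra-zone traffic; no boundary crossed")
    if (sz, dz, dport) in ALLOWED_CONDUITS:
        return finding("allowed", "info", "approved conduit")
    proto = OT_PROTOCOL_PORTS.get(dport)
    if sz == "enterprise" and dz in ("control", "field"):
        # The flat-network failure mode: IT reaching control equipment with no DMZ in between.
        via = f" using {proto}" if proto else ""
        return finding("violation", "critical",
                       f"enterprise host reached the {dz} zone directly, bypassing the DMZ{via}")
    if proto and dz in ("control", "field"):
        return finding("violation", "critical", f"unapproved {proto} conduit from {sz} into {dz}")
    return finding("violation", "high", f"unapproved conduit {sz} -> {dz} on port {dport}")

def parse_flow_line(line: str):
    """Constructed record format: <timestamp> <src_ip> <dst_ip> <dst_port> <proto>."""
    ts, src, dst, dport, _proto = line.split()
    return ts, src, dst, int(dport)

def check_flows(lines) -> list:
    return [evaluate_flow(*parse_flow_line(line)) for line in lines if line.strip()]

def summarize(findings) -> dict:
    """Counts by verdict plus critical findings: the triage view an analyst wants first."""
    summary = {"allowed": 0, "violation": 0, "unzoned": 0, "critical": 0}
    for f in findings:
        summary[f.verdict] += 1
        summary["critical"] += int(f.severity == "critical")
    return summary

# Constructed flow records as a passive collector at the DMZ boundary would report them.
SAMPLE_FLOWS = """
2026-05-14T02:58:01Z 10.10.5.23 10.20.0.10 443 tcp
2026-05-14T02:59:14Z 10.10.5.23 10.20.0.5 22 tcp
2026-05-14T03:01:40Z 10.20.0.5 10.30.0.21 3389 tcp
2026-05-14T03:12:44Z 10.10.5.23 10.30.0.10 502 tcp
2026-05-14T03:13:02Z 10.10.5.23 10.40.0.7 20000 tcp
2026-05-14T03:20:17Z 10.30.0.10 10.40.0.7 502 tcp
2026-05-14T03:25:09Z 192.168.77.4 10.30.0.10 22 tcp
2026-05-14T03:30:33Z 10.20.0.10 10.40.0.7 4840 tcp
2026-05-14T03:31:00Z 10.30.0.21 10.20.0.10 8080 tcp
""".strip().splitlines()

if __name__ == "__main__":
    results = check_flows(SAMPLE_FLOWS)
    for f in results:
        if f.verdict != "allowed":
            print(f"{f.severity.upper():8} {f.timestamp} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
    print(summarize(results))
```

Two design points carry over to a real deployment. First, the allow-list is written in terms of zones and ports rather than individual hosts, so a new device added to the inventory inherits the zone's conduits and anything outside them is flagged immediately; that is the property that keeps segmentation from drifting silently. Second, an endpoint the inventory cannot place is reported as a finding in its own right rather than ignored, because an unknown host on a control segment is exactly the gap the inventory control exists to close.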

Why utilities run this as an operating partnership

The controls above are well understood. The reason utility security programs still fail at the boundary is that the work is continuous, specialized, and unforgiving, and most operators cannot staff it deeply enough to run it well year-round. Segmentation drifts as new connections get added. Remote-access gateways accumulate exceptions. Asset inventories go stale within months. Monitoring generates alerts that nobody is positioned to triage at three in the morning.

This is why Z Cyber operates as a security operating partner rather than a vendor that ships a tool. Each utility client gets a dedicated forward-deployed team that implements the boundary architecture, runs the remote-access and monitoring controls day to day, and delivers the remediation when something drifts or an alert fires. We carry the operational load so the utility's own engineers stay focused on running the grid.

The platform underneath that work is Glance, our AI-native governance, risk, and compliance platform. Glance is where the OT asset inventory, the segmentation posture, the remote-access controls, and the mapping to NERC CIP, IEC 62443, and NIST SP 800-82 all live in one place, continuously maintained rather than reconstructed for the next audit. The combination of a forward-deployed team and a single live system of record is what turns a pile of one-time projects into a program that actually holds the boundary.


Frequently asked questions

What is IT/OT convergence?

IT/OT convergence is the merging of business information technology with operational technology, the systems that monitor and control physical processes such as SCADA, energy management systems, remote terminal units, and programmable logic controllers. Utilities pursue it for analytics, efficiency, and remote operations. The tradeoff is an expanded attack surface, because connecting these previously isolated environments creates paths an attacker on the IT side can follow into systems that control physical grid operations.

How do you segment IT and OT networks?

You separate the two environments with an enforced demilitarized zone so no enterprise system communicates directly with a control-level device. Traffic that must cross is brokered through services in the DMZ, inspected, and restricted to the specific flows the business requires. The IEC 62443 zones-and-conduits model provides a structured way to group assets into zones and govern the conduits between them, and least privilege is applied so a compromise in one zone cannot pivot freely into another.

What is the Purdue model?

The Purdue Enterprise Reference Architecture is a layered reference model for industrial control systems. It places enterprise and business IT at the top, a DMZ in the middle, and operational control levels below that run progressively closer to physical equipment. Utilities use it as a reasoning tool to decide which traffic should cross between levels and what should mediate each crossing. It is a guide to segmentation thinking, not a literal blueprint that every modern architecture must match.

How do you secure remote access to OT systems?

Route all interactive remote access through a controlled intermediate system that enforces multi-factor authentication, terminates and brokers the session, and logs it. NERC CIP-005 requires exactly this for high and medium impact systems on the bulk electric system. Vendor access, a frequent blind spot, must use the same gateway rather than a separate tool or shared credentials, and least privilege should limit each session to only what the task requires.
