Breached OT Kills. Zero Trust 2.0 Doesn’t

OT environments were never designed to be connected.

But with IT/OT convergence, factory floors, industrial systems, and control environments are now integrated with IT, cloud, and external networks.

That changes the security model completely.

In this episode of Threat Talks, Lieuwe Jan Koning and Rob Maas break down why the traditional OT vs IT security divide no longer holds – and why applying IT controls directly to OT environments doesn’t work.

They explore how increased connectivity expands the attack surface, why legacy models fall short, and how Zero Trust provides a practical path forward without disrupting operations.

What you’ll learn

  • How OT vs IT security differs in practice
    Why availability, legacy systems, and operational constraints require a different approach than traditional IT security.
  • Why IT/OT convergence increases exposure
    How connecting OT systems to IT, cloud, and remote access expands the attack surface across industrial environments.
  • Why traditional models like Purdue fall short
    How horizontal segmentation alone enables lateral movement and fails to properly isolate systems.
  • How Zero Trust can be applied to OT
    How defining protect surfaces and applying segmentation reduces risk without impacting critical operations.

Your cybersecurity experts

Lieuwe Jan Koning

Co-Founder and CTO
ON2IT

Rob Maas

Field CTO
ON2IT

Episode details

Operational Technology (OT) was historically built around isolation. Systems were air-gapped, access required physical presence, and security relied on separation rather than control.

That model is disappearing.

With the rise of IT/OT convergence, industrial environments are increasingly connected to IT systems, cloud platforms, and data-driven processes. Maintenance, monitoring, and optimization now depend on real-time data and remote access.

This shift introduces a fundamental challenge.

The traditional OT vs IT security divide no longer applies, but the solutions are not interchangeable. In IT, patching, endpoint protection, and frequent change are standard. In OT, availability is critical, patching is often risky or impossible, and systems are designed to remain stable over long periods.

Legacy models such as the Purdue model, which focus on horizontal segmentation, are no longer sufficient in modern interconnected environments. Without additional controls, systems within the same layer remain exposed to lateral movement.

Zero Trust introduces a different approach.

By defining protect surfaces and applying segmentation both horizontally and vertically, organizations can isolate critical processes, limit communication paths, and reduce the risk of widespread disruption.
Rather than attempting to retrofit IT controls into OT, the focus shifts to applying proven principles in a way that aligns with operational requirements.
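
The contrast described above, between level-only (horizontal) segmentation and protect-surface segmentation, as an added example that is not from the episode or from ON2IT. The asset names, Purdue level assignments, the "same or adjacent level" rule and the allowlist are all constructed assumptions for illustration.

```python
from collections import deque

# Constructed inventory: asset -> (Purdue level, protect surface). Names are hypothetical.
ASSETS = {
    "hmi-line1": (2, "line1"),
    "plc-line1": (1, "line1"),
    "hmi-line2": (2, "line2"),
    "plc-line2": (1, "line2"),
    "historian": (3, "historian"),
    "eng-ws":    (3, "engineering"),
}

# Constructed allowlist: (source protect surface, destination asset) flows the process needs.
ALLOWED_FLOWS = {
    ("line1", "historian"),
    ("line2", "historian"),
    ("engineering", "plc-line1"),
    ("engineering", "plc-line2"),
}

def level_only_allows(src, dst):
    """Horizontal segmentation only (assumed rule): same or adjacent level may talk."""
    return abs(ASSETS[src][0] - ASSETS[dst][0]) <= 1

def protect_surface_allows(src, dst):
    """Default deny: permit traffic inside one protect surface or on the allowlist."""
    src_surface, dst_surface = ASSETS[src][1], ASSETS[dst][1]
    return src_surface == dst_surface or (src_surface, dst) in ALLOWED_FLOWS

def reachable(start, allows):
    """Assets reachable from `start` by chaining permitted flows (the blast radius)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in ASSETS:
            if nxt not in seen and allows(cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

if __name__ == "__main__":
    for name, policy in [("level-only", level_only_allows),
                         ("protect-surface", protect_surface_allows)]:
        print(name, sorted(reachable("hmi-line1", policy)))
```

Running the same reachability check from each asset in a real inventory shows which nodes (here the engineering workstation) still bridge protect surfaces and deserve the tightest controls.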

The conclusion is clear: OT is becoming more like IT in terms of connectivity—but it must be secured on its own terms.
