Note: This is the introduction to a blog series in which Tom Sego, CEO, and Vince Zappula, CRO for BlastWave, will walk through the key steps to help an IT CISO secure their OT network after inheriting it as part of an IT/OT convergence initiative.
Tom Sego: Vince, how many times have we sat in a boardroom or on a Zoom call over the last six months and had a conversation with an IT CISO looking for help securing the OT network they have just inherited?
Vince Zappula: Too many to count, Tom. The conversation always starts the same way. The CEO or the Board logs in and says, "Great news, we are converging our infrastructure. You are now also officially responsible for the operational technology (OT) network."
Tom: It reminds me exactly of inheriting an old family estate from a distant relative. On the surface, the curb appeal is fantastic. The real estate agent tells you it has "great bones," the paint looks fresh, and from the driveway, it looks like a million bucks. You think, “How hard can this be? It’s just another piece of property to manage.”
Vince: And don’t forget, the board also wants regular updates (just like the home improvement shows we watch on TV), and you think this is going to be a piece of cake. But then you get the keys, walk inside, and start pulling back the drywall. That’s when the horror show begins. You find knob-and-tube wiring from the 1940s, structural load-bearing walls that were casually cut through by a previous DIY owner, and a foundation that’s shifting in the mud.
Tom: That is exactly what it feels like to inherit an OT network as an IT CISO. From the corporate office, the automation layer looks stable, profitable, and clean. But the moment you step onto the plant floor in a hard hat and look under the hood, you realize you've inherited a sprawling mesh of unpatched legacy systems, ancient protocols, and fragile infrastructure. The IT security playbook you’ve spent decades mastering is suddenly completely useless. You can't just treat this like a modern, modular smart home. If you yank the wrong wire or push an aggressive IT network scan, the whole house collapses on top of you.
Vince: So, after listening to dozens of IT teams navigate the sheer panic of discovering what’s actually behind the walls of their new "inherited home," we decided to distill our boardroom notes into a concrete renovation manual. We want to give the newly minted OT CISO a practical roadmap to stabilize the foundation and secure the structure without breaking production or bankrupting the company.
Tom: We’ve broken this renovation project down into four core structural steps that we’ll be exploring over the next few weeks. Here are the high points of what we’re going to cover:
Tom: When you take over the house, the old-timers love to tell you, "Don't worry, the place is totally secure, it’s completely hidden from the main road by those trees." That’s the classic OT air-gap myth. The reality? Between remote vendor maintenance access, continuous industrial data analytics, and modern supply chains, there are a dozen hidden dirt roads leading straight to your backyard. If an automated threat engine like Mythos or an active nation-state actor drives by scanning for a way in, they will find those exposed windows. Our first action point is shifting from building expensive, obvious perimeter fences to implementing Network Cloaking. We are pulling the house completely off the public map and suppressing discovery protocols, so your critical assets literally vanish from public scans. If intruders can't see the house, they can't break in.
Vince: When an IT mind sees a cracked, ancient pipe behind the wall, their first instinct is to rip it out and replace it immediately (what we call emergency patching). But on the plant floor, tearing out that pipe means shutting off the water to the entire neighborhood, costing the company $500,000 per hour in lost production uptime. We are going to discuss how to gain operational flexibility. By structurally cloaking your environment, you put a protective sleeve over those known, unpatched vulnerabilities. This allows your engineering teams to handle updates on their terms during naturally occurring maintenance windows, protecting both your risk profile and your corporate profit margins.
Tom: Here is the ugliest truth we found during our home inspection: the house doesn't have any interior firewall doors. It’s a completely flat, open-concept floor plan. If a fire breaks out in the upstairs corporate IT home office, say, a phishing attack or a ransomware breach, it will roar downstairs and consume the entire factory floor in minutes. We will detail how to use a software-based Software-Defined Perimeter (SDP) to enforce strict, room-by-room segmentation (or microsegmentation, depending on your needs). By separating your legacy brownfield assets into isolated digital rooms, you ensure that if the corporate office catches fire, the physical manufacturing lines are completely sealed off and can keep running safely.
Vince: Finally, we have to talk about who has the keys. As you investigate your inherited house, you realize the previous owner gave spare keys to the plumber, the electrician, the delivery driver, and the neighbors. In OT, third-party vendors and remote OEMs are constantly logging into your machinery using shared, static text passwords over legacy VPNs. It’s an open invitation for credential harvesting. We will explain how to completely change the locks, replacing traditional passwords with phishing-resistant, hardware-bound cryptographic identities combined with Just-in-Time (JIT) access that automatically melts the vendor's key the second their specific maintenance window closes.
Vince: Look, inheriting a house that requires a massive, hidden renovation doesn’t have to be a career death sentence. It’s actually an incredible opportunity to champion a first-principles approach to security that enterprise IT has desperately needed for years.
Tom: Security shouldn't be a zero-sum game between fixing the structure and keeping the house livable. Over the next four blogs, Vince and I will show you exactly how to achieve structural invisibility, protect your bottom line, and give your asset owners the flexibility they need to keep the world moving. Stay tuned for Blog 2, where we pull back the drywall and look at why the air-gap is dead, and what you need to do about it.