IT-OT convergence is the architectural decision most operators have already made. They just made it accidentally, over fifteen years, in the form of remote-access expediency, vendor connectivity, and historian replication. The question is not whether to converge — it is whether the convergence is governed.
The accidental convergence pattern
Almost every operator I work with has the same convergence pattern when I look closely. A vendor remote-access path was added in 2014 for a single rotating-equipment supplier. Active Directory integration was added because engineering authentication was hard to maintain locally. Historian replication was added because someone in finance wanted dashboards. A jump host was added because the original air gap broke a workflow.
None of these decisions were wrong individually. Together they form the IT-OT convergence path that the adversary in Cyber War: One Scenario exploits.
Why the Purdue model is still useful
The Purdue Reference Model is sometimes dismissed as outdated. It is not — it is misapplied. The model is a defense-in-depth backbone, not an architectural prescription. The levels (0 through 5) are still meaningful as zones of trust, and the boundaries between them are still where the meaningful security decisions happen.
The historical assumption — that the boundaries between levels are physical — is the part that has aged. Modern convergence has produced logical boundaries that the original model did not anticipate. The fix is to update the boundary mechanism, not to discard the model. See Purdue Model keynote.
The four convergence categories that have to be governed
1. Vendor remote access
The single most under-governed category in OT cybersecurity. Most operators cannot list every vendor with active OT access, cannot describe the access path, and cannot independently terminate the connection. The fix is straightforward in concept and unglamorous in execution: vendor inventory, brokered access, session recording, and time-bounded access tokens.
2. OT identity
The usual findings are shared engineer accounts, vendor accounts that nobody can deactivate, and service accounts with passwords that have not rotated in five years. The fix is OT-specific identity governance, separate from but federated with the IT identity environment. The phrase “federated, not fused” captures the architectural commitment.
3. Cross-zone replication
This covers historian replication, configuration replication, and operational data replication that crosses Purdue boundaries. Most of it is technically sound but loosely governed. The fix is one-directional, brokered, and signed replication paths.
4. Engineering workstation hygiene
The endpoint that touches the OT environment is usually a Windows workstation that also touches IT. The hygiene of that endpoint is the single most under-invested control in most OT environments. The fix is a dedicated OT engineering workstation profile with the IT-side coupling minimized.
The decision rights that distinguish safe convergence
The architecture is half the problem. The decision rights are the other half. The convergence-related decisions that need explicit ownership:
- Authority to grant new vendor remote access. Whose signature is required, against what evidence.
- Authority to disconnect IT from OT in an active event. Whose signature is required, on what evidence, against what cost.
- Authority to add new replication paths across the boundary. Whose signature is required, with what review.
- Authority to deploy software changes to engineering workstations. Whose signature is required, with what testing.
At most operators, the answers to these four are unwritten or contested. The architectural fix without the decision-rights fix is incomplete.
The 90-day baseline
The pattern that produces the most movement in 90 days, across the operators I advise, is unglamorous:
- Inventory every active vendor remote access path. Time-bound them.
- Inventory every shared and vendor account in OT. Time-bound them.
- Inventory every replication path across Purdue boundaries. Document each one.
- Establish authority for the four decisions above. Get audit-committee acknowledgement.
That is a 90-day program. It is not the entire convergence remediation, but it is the baseline that lets the rest of the program run on a defensible footing.
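As an added illustration of the first baseline item (this is example code, not part of the original article), the sketch below checks a vendor remote-access inventory against the controls named earlier (brokered access, session recording, time-bounded access) and reconciles it with observed sessions. The record fields, finding labels, vendor names, and dates are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class VendorPath:
    vendor: str
    brokered: bool                # session terminates on an operator-run broker
    session_recorded: bool
    expires: Optional[datetime]   # None means standing (not time-bound) access

def path_findings(path, now):
    """Check one inventory entry against the controls named in the article."""
    found = []
    if not path.brokered:
        found.append("unbrokered")
    if not path.session_recorded:
        found.append("no-session-recording")
    if path.expires is None:
        found.append("not-time-bound")
    elif path.expires <= now:
        found.append("grant-expired")
    return found

def session_findings(sessions, inventory):
    """Reconcile observed (vendor, start) sessions against the inventory."""
    by_vendor = {p.vendor: p for p in inventory}
    found = []
    for vendor, start in sessions:
        path = by_vendor.get(vendor)
        if path is None:
            found.append((vendor, "not-in-inventory"))
        elif path.expires is not None and start > path.expires:
            found.append((vendor, "session-after-expiry"))
    return found

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: vendor names, dates and sessions are invented.
NOW = utc(2026, 1, 15)
INVENTORY = [
    VendorPath("vendor-a", True, True, utc(2026, 2, 1)),
    VendorPath("vendor-b", False, True, None),
    VendorPath("vendor-c", True, False, utc(2025, 12, 31)),
]
SESSIONS = [("vendor-a", utc(2026, 1, 10)), ("vendor-c", utc(2026, 1, 12)),
            ("vendor-d", utc(2026, 1, 13))]

if __name__ == "__main__":
    print({p.vendor: path_findings(p, NOW) for p in INVENTORY},
          session_findings(SESSIONS, INVENTORY))
```

In practice the session list would come from whatever records remote sessions into OT (broker, VPN, or firewall logs); a session from a vendor missing from the inventory is the signal that the inventory is incomplete.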
Where this fits in the broader OT discipline
For the broader 2026 view of OT cybersecurity, see OT Cybersecurity in 2026. For the executive scenario that walks through what happens when convergence is ungoverned, see Inside Cyber War: One Scenario.