New security paradigm needed for IT/OT convergence

The convergence of IT and operational technology (OT) systems is expanding the attack surface and exposing critical infrastructure to new threats. That was the central theme of a high-level panel discussion, where cyber security experts and industry leaders called for a fundamental change in how organisations secure increasingly interconnected environments.

Speaking at the recent Gitex 2025 conference in Singapore, Yuliya Shlychkova, vice-president of government affairs and public policy at Kaspersky, who moderated the panel, set the stage by noting that “every piece of ICT and industrial systems is being attacked nowadays”, adding that cyber security must be an “enabler of digitalisation and innovation” and not a stumbling block.

Eugene Kaspersky, founder and CEO of Kaspersky, noted that cyber sabotage, once played out only in movies, are being manifested in the form of sophisticated threats such as Stuxnet and an incident involving a German steel mill. While Kaspersky was surprised that more catastrophic attacks haven’t yet occurred, he warned against complacency.

His vision for a more secure future hinges on a radical rethinking of system architecture, pointing to KasperskyOS, Kaspersky’s operating system that is secure by design, going beyond implementing secure coding practices. “My dream is that future systems must be immune [to attacks],” he said, noting that this will require hardware makers and a new generation of engineers to work together to develop such systems.

Phannarith Ou, director of ICT security at the Ministry of Post and Telecommunications of Cambodia, provided a regional perspective, explaining why Southeast Asia is a prime target for OT attacks.

He identified five key factors: legacy infrastructure built for functionality, not security; rapid digitalisation where “cyber security is not catching up”; limited security awareness among OT staff; critical infrastructure like energy systems being “high value, low protection” targets; and the lack of unified OT security standards in the region.

Against this backdrop, Ou urged governments to consult with vendors and adopt a risk-based approach to policy. Critically, he pointed out that the current cyber security laws in ASEAN focus more on protecting enterprise IT rather than OT systems, leaving a significant loophole. He also called for sector-specific regulations for OT security to be brought to the fore.

Representing the industrial sector, Rajib Roy Chowdhury, group head of IT at India’s Avadh Sugar and Energy, shared his experience with deploying OT systems in one of the company’s plants. He discussed the challenges, including the misconception that OT security is only about implementing air-gapped environments and the immaturity of OT security offerings.

Despite the challenges, Chowdhury noted that IT/OT convergence is here to stay. “If we integrate IT and OT, then we can transform data into information which can be presented to the board," he said, citing real-time sugar crushing data as an example.

Ang Leong Boon, head of IT security at the National University of Singapore, spoke about the role of education and collaboration in bridging the IT/OT divide, calling for IT and OT teams to collaborate more.

For example, by leveraging “cyber twins” – digital replicas of OT environments such as water treatment plants – for training, NUS has been able to bring together different teams to understand OT security threats in the real world and simulating them in a safe environment, he said.

Ang also suggested expanding security thinking beyond traditional endpoint protection, advocating for virtual patching at the network layer and bolstering the human layer through better employee awareness of OT threats. He also urged organisations to apply IT security concepts like zero trust to OT systems, including microsegmentation to prevent lateral movement of attackers, multi-factor authentication, and stricter controls for third-party remote access, a common vector for breaches.

However, Ang said IT teams will need to put themselves in the shoes of their OT colleagues to ensure security measures don’t compromise the availability of OT systems. He also lauded Singapore’s Cyber Security Agency for its OT security competency framework, which outlines the required roles in OT security and guides career development in the field.

“People can now look forward to different job roles and get themselves trained,” Ang said. “It's about building competencies and having OT engineers with the right technical skills. But it’s not just the technical people, the CISO [chief information security officer] must also have the right mindset about OT.”