Attack Paths Don't Care About Your Org Chart

Your IT security team monitors the enterprise network. Your OT team manages the plant floor. The CISO oversees both on paper. In practice, they use different tools, attend different meetings, and measure success in different ways.

Attackers don't have any of those constraints. They operate across your entire infrastructure simultaneously, flowing from an IT phishing email through shared credentials to a process control system without stopping to check who owns which domain. The shadow current doesn't wait for a handoff meeting.

This is the organizational gap most industrial organizations face: they fight half a war while attackers fight a full one.

The connection between organizational structure and security posture isn't theoretical. According to a Dragos/Ponemon Institute survey, 43% of organizations report a lack of clear ownership for industrial cyber risk, with uncertainty around who leads initiatives, implements controls and supports the program. Only 35% have a unified security strategy covering both IT and OT environments.

That 65% gap? Attackers find it every time.

A 2024 survey by Palo Alto Networks and ABI Research of nearly 2,000 executives and practitioners across 16 countries found that 40% of IT and OT teams are "frictional" with each other. Only 12% are truly aligned. Given that IT is the primary attack vector into OT, this friction is more than a management headache. It's a structural vulnerability in your defenses.

The invisible line between IT team responsibility and OT team ownership is exactly where attackers do their best work.

MITRE maintains two separate ATT&CK frameworks: Enterprise ATT&CK for IT attacks and ICS ATT&CK for OT attacks. That's not redundancy. It's acknowledgment of a reality that Mandiant researchers put plainly: "Threat actors do not respect theoretical boundaries between IT or ICS when moving across OT networks" and "both knowledge bases are necessary for tracking threat actor behaviors across OT incidents."

An IT team using only Enterprise ATT&CK misses the OT phase of an attack. An OT team using only ICS ATT&CK misses the IT precursor phase. Each team sees half the picture.

This plays out in practice as what Dragos calls the "persistent mischaracterization of OT incidents as IT only." Engineering workstations and human-machine interfaces run Windows. IT teams see Windows machines, log them as IT incidents and close tickets. The OT team never gets the notification. The attacker's foothold in the OT-adjacent zone goes unaddressed, and the dead zone between teams becomes persistent access.

Research published in January 2026 covering global OT security assessments found that where SOC coverage stopped at the IT boundary, attacker activity often went undetected once it moved into operational zones, extending dwell time and delaying containment. The same assessments found identity-related issues in approximately 60% of engagements, including credential reuse across IT and OT, non-rotated credentials and missing multi-factor authentication. These aren't exotic exploits. They're the normal trusted connections that cross organizational boundaries.

Dragos's 2026 OT/ICS Cybersecurity Report found that organizations with comprehensive OT visibility contained ransomware incidents in an average of five days. The industry-wide average is 42 days. That's an 8x difference, largely attributable to whether teams could see and act across the IT-OT boundary.

The Colonial Pipeline incident from May 2021 makes the organizational lesson concrete. DarkSide ransomware hit the company's IT billing systems through a single compromised VPN credential with no multi-factor authentication. The pipeline's OT systems were not directly compromised. Yet Colonial shut down the entire 5,500-mile pipeline carrying 45% of East Coast fuel because the organization couldn't quickly determine whether OT systems were also at risk.

That's a coordination failure that looked like a cybersecurity one. Had IT and OT teams shared situational awareness and cross-domain protocols, the precautionary shutdown may have been avoided or significantly shortened.

According to SANS Institute's 2024 State of ICS/OT Cybersecurity survey, only 56% of industrial organizations have ICS/OT-specific incident response plans. When a cross-domain incident occurs, nearly half improvise OT response while IT follows established playbooks. That divergence creates delays, and delays create impact.

IT teams prioritize confidentiality, integrity and then availability. OT teams invert that order: availability first, then safety, then integrity, then confidentiality. They're not wrong. They're optimizing for different outcomes.

Even when IT and OT teams do communicate during an incident, inverted priorities mean they may disagree on what to do next. Jason Christopher, a SANS ICS expert, frames the required mindset directly: "Attackers do not care if you have an IT team and a separate OT team for security. They are simply attacking the organization. So, internally, it's vital to minimize friction as much as possible."

No one is suggesting that every industrial organization restructure into a unified IT-OT function; organizational change is slow, expensive and disruptive. The path forward is coordination, not reorganization.

The model gaining the most consensus is IT-OT SOC convergence: maintaining separation of duties while enabling coordinated detection and response across domains. Palo Alto Networks Unit 42 describes it directly: "IT teams often identify the early indicators of compromise, while OT teams apply operational context and execute domain-appropriate response actions."

Jonathon Gordon of Takepoint Research describes IT and OT convergence as "fundamentally a governance challenge," requiring unified ownership of assets, identities, access and change control across IT, OT, engineering and third parties. CISA recognized this directly in December 2025 when it released Cross-Sector Cybersecurity Performance Goals version 2.0, explicitly consolidating OT and IT goals into unified "universal goals," stating: "OT and Information Technology goals are now consolidated into universal goals, eliminating silos across IT, IoT and OT environments."

Practical coordination starts without restructuring: shared threat intelligence between IT and OT functions, joint incident response playbooks that cover cross-domain scenarios, regular tabletop exercises that include both teams, and unified monitoring that doesn't stop at the IT-OT boundary. According to SANS 2024 data, centralizing threat intelligence across IT and OT into a single team or senior leader ranks among the highest-correlation maturity indicators in the survey.

The shadow current flows through your org chart's invisible lines because those lines create blind spots. Shared visibility is the remedy. The question isn't who owns OT security. It's whether your teams can act together before attackers finish crossing from IT to your critical systems.