Seven sentries for a hybrid world


Practical security for IT, OT, and IoT, when you can’t start from scratch.

Ten years ago, infrastructure was usually in one place. One datacenter, maybe two. A clear perimeter to defend. Today, the same company is spread across offices, factories, warehouses, and edge locations, often across national borders, preferably in multiple Azure regions, sometimes even across multiple clouds. Hybrid is no longer the exception. It’s the normal state.

Every new location is a new attack surface. Every region brings a new identity context, new access paths, and new governance rules to keep in sync. That applies to both IT and OT. A production line in Sweden talks to an SAP system in Azure North Europe, a SCADA system in a German factory, and a sensor on the other side of the globe. The threat landscape grows linearly with the surface area; complexity grows exponentially.

A system on the factory floor, a robot, an HMI (Human-Machine Interface), something, is posting to TikTok. A supplier uses the same service-account password at your site as for forty other customers. A PLC from 2008 can’t be patched, but it’s reachable from a normal office network. Not hypothetical. This is what we see in most hybrid IT/OT environments we assess.

Tearing it down and rebuilding is rarely an option. It has to work while it’s running. Here are the seven sentries we put in place ourselves to move vulnerable environments in the right direction, without stopping them.

1. OT doesn’t play by IT rules

A variable frequency drive isn’t a file server. A PLC isn’t a laptop. Force OT into IT’s patching and access model, and you end up with production outages, or a burned-out operations organization.

Reality:

  • Systems that can’t be patched regularly, if at all
  • Authentication that is weak, shared, or non-existent
  • Hardware with a 15-20 year expected lifespan
  • Availability that outweighs almost everything else

Accepting that is not surrender. It’s moving the security work away from the equipment and into what surrounds it: network, identity, monitoring. That’s where the leverage is.

2. You can’t protect what you can’t see

Many people want to start with the elegant target architecture. That takes months. Meanwhile, nobody knows what talks to what, and an environment you can’t see, you can’t defend.

Logging, detection, and a SOC (internal or external is secondary) deliver impact in days, not quarters. Defender for IoT, or equivalent passive traffic analysis in the OT segments, gives you the map before you start redrawing it.

3. Zones, or nothing

Clear zones: IT separated from OT, OT separated from IoT, consistent across all locations and regions, with only the necessary flows between them. That reduces both likelihood and impact. Because something will go wrong. The question is when.

The challenge isn’t the theory. It’s the sequencing, and what actually needs to be segmented.

With a Nordic industrial customer, we recently landed on a Purdue-adjacent model: Layer 4 for IT and users, 3.5 as a dedicated OT access zone, and 3 for the OT environment itself. Per-supplier isolation in 3.5, micro-segmentation in 3. It solves a concrete problem: five OT suppliers who previously shared a jump host, a network, and sometimes accounts.

4. Identity is the new perimeter

A lot of OT access is still governed by IP address and implicit trust. It works, until it doesn’t. And then it really hurts. In an environment that spans regions and locations, identity is also the only thing that actually follows the user; an IP address doesn’t.

Many still assume threat actors follow the rules. They don’t.

Zero Trust asks four straight questions: who are you, why do you need access, when, and for how long? The bridge from old to new is PAM (Privileged Access Management) and strong authentication. That also solves the shared admin-account problem. If you want to go all the way, PAW (Privileged Access Workstation). A jump host, after all, is only marginally better than nothing.
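The four questions above map directly onto something a PAM workflow can evaluate. The following is an added example, not code from the article or from any PAM product: a time-bound grant carries who, why, when and for how long, and every access decision checks the session's identity and MFA claim against that grant. Names, identities, the 8-hour ceiling and the sample scenario are constructed; the source IP is recorded for the audit trail but deliberately plays no part in the decision.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_GRANT = timedelta(hours=8)  # constructed policy ceiling for a single grant


@dataclass(frozen=True)
class Grant:
    who: str             # identity (e.g. a UPN), never an IP address
    target: str          # the system or zone the grant covers
    why: str             # recorded justification: answers "why"
    start: datetime      # answers "when"
    duration: timedelta  # answers "for how long"

    @property
    def end(self) -> datetime:
        return self.start + self.duration


def request_grant(who: str, target: str, why: str, start: datetime, duration: timedelta) -> Grant:
    """Create a grant only if all four questions have acceptable answers."""
    if not who or not target:
        raise ValueError("identity and target are required")
    if not why.strip():
        raise ValueError("justification is required")
    if duration <= timedelta(0) or duration > MAX_GRANT:
        raise ValueError(f"duration must be within (0, {MAX_GRANT}]")
    return Grant(who, target, why, start, duration)


@dataclass(frozen=True)
class Session:
    who: str
    mfa: bool
    source_ip: str  # kept for forensics, deliberately not a decision input


def authorize(grant: Grant, session: Session, target: str, now: datetime):
    """Return (allowed, reason); every path yields a reason for the audit log."""
    if session.who != grant.who:
        return False, "identity does not match grant"
    if not session.mfa:
        return False, "strong authentication required"
    if target != grant.target:
        return False, "target not covered by grant"
    if now < grant.start:
        return False, "grant not yet active"
    if now >= grant.end:
        return False, "grant expired"
    return True, f"granted until {grant.end.isoformat()}"


def audit_record(grant: Grant, session: Session, target: str, now: datetime) -> dict:
    """One auditable line per decision: who, from where, to what, why, and the outcome."""
    allowed, reason = authorize(grant, session, target, now)
    return {"time": now.isoformat(), "who": session.who, "from": session.source_ip,
            "target": target, "why": grant.why, "allowed": allowed, "reason": reason}


# Constructed scenario: a supplier technician gets two hours on one PLC for one ticket.
T0 = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
GRANT = request_grant("tech@supplier-a.example", "plc-line-3",
                      "INC-1234: firmware rollback", T0, timedelta(hours=2))
SESSION_OK = Session("tech@supplier-a.example", mfa=True, source_ip="10.35.1.5")
SESSION_NO_MFA = Session("tech@supplier-a.example", mfa=False, source_ip="10.35.1.5")
SESSION_OTHER = Session("other@supplier-b.example", mfa=True, source_ip="10.35.1.5")


def demo() -> dict:
    """Evaluate the constructed scenario; returns decision per case."""
    checks = {
        "within window": authorize(GRANT, SESSION_OK, "plc-line-3", GRANT.start)[0],
        "after expiry": authorize(GRANT, SESSION_OK, "plc-line-3", GRANT.end)[0],
        "no mfa": authorize(GRANT, SESSION_NO_MFA, "plc-line-3", GRANT.start)[0],
        "wrong identity": authorize(GRANT, SESSION_OTHER, "plc-line-3", GRANT.start)[0],
        "wrong target": authorize(GRANT, SESSION_OK, "plc-line-4", GRANT.start)[0],
    }
    try:
        request_grant("x", "y", "   ", T0, GRANT.duration)
        checks["empty justification rejected"] = False
    except ValueError:
        checks["empty justification rejected"] = True
    return checks


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:<30} {'ALLOW' if allowed else 'DENY'}")
    print(audit_record(GRANT, SESSION_OK, "plc-line-3", GRANT.end))
```

The same session from the same address is allowed at 08:00 and denied at 10:00: the decision follows the grant, not the network position. Note that a shared account would fail the identity check outright, which is the point of moving from IP-based trust to per-person grants.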

With the same industrial customer, we replaced a jungle of jump hosts and RDS servers with per-supplier AVD on Azure Local. Result: controlled entry points, session recording, MFA via Microsoft Entra ID, and auditable tracking, instead of a shared service-account mess.

5. The supplier is already inside

In OT and IoT, suppliers are often more deeply integrated than your own IT organization. Without clear security requirements, you get uncontrolled remote access, empty log history, and dependencies on solutions that can’t be updated. Your security level stops where the supplier’s begins.

And then you hear:

“We use the same password for all service accounts across all our customers.”

…and you realize the customers are interconnected through the supplier’s own platform. It gets genuinely uncomfortable, fast.

6. Block outbound traffic. Period.

Most environments are a historical sediment of remote-access tools, temporary fixes that became permanent, and generous outbound internet access. Map it. Consolidate to a controlled path. When outbound traffic is blocked, a large share of the unwanted remote routes disappears automatically.

A question we often ask:

“Why does that system actually need internet access?”

There’s rarely a good answer.
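Sentries 2, 3 and 6 come together in one check: draw the zone-to-zone map from observed flows, then evaluate each flow against a default-deny allow-list. The following is an added example written for this post, not code from the article, from Defender for IoT or from any customer environment. The addressing, the per-supplier subnets in 3.5, the allowed ports and the flow records are all constructed; the point is the structure: everything not explicitly allowed is denied, two supplier zones may never talk to each other, and the only path to the internet is from IT.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNET = "INTERNET"  # label for any address outside the known zones

# Constructed addressing for the article's three layers (assumption, not from the article).
# Each supplier gets its own subnet in 3.5 so supplier isolation can be checked.
ZONES = {
    "L4-IT": ip_network("10.4.0.0/16"),
    "L3.5-ACCESS-supplierA": ip_network("10.35.1.0/24"),
    "L3.5-ACCESS-supplierB": ip_network("10.35.2.0/24"),
    "L3-OT": ip_network("10.3.0.0/16"),
}

# Layer-level allow-list; anything not listed is denied (default deny).
# Ports are constructed examples of "only the necessary flows".
ALLOWED = {
    ("L4", "L3.5", 443),    # users reach the OT access zone (e.g. a remote desktop broker)
    ("L3.5", "L3", 502),    # engineering from the access zone to Modbus/TCP devices
    ("L4", INTERNET, 443),  # the single sanctioned egress path, from IT only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return INTERNET


def layer_of(zone: str) -> str:
    """Collapse 'L3.5-ACCESS-supplierA' to 'L3.5' for layer-level rules."""
    return INTERNET if zone == INTERNET else zone.split("-")[0]


def parse_flows(lines):
    """Parse 'timestamp src dst proto dport' records; skip blanks and comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def verdict(flow: Flow):
    """Return ('allow'|'deny', reason) for one flow."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d:
        return "allow", "intra-zone (micro-segmentation inside L3 is a separate check)"
    if s == INTERNET:
        return "deny", f"inbound from internet to {d}"
    if (layer_of(s), layer_of(d), flow.dport) in ALLOWED:
        return "allow", f"{layer_of(s)} -> {layer_of(d)}:{flow.dport}"
    if layer_of(s) == layer_of(d) == "L3.5":
        return "deny", f"supplier isolation: {s} -> {d}"
    if d == INTERNET:
        return "deny", f"outbound from {s} blocked"
    return "deny", f"no rule for {s} -> {d}:{flow.dport}"


def violations(flows):
    """All flows the policy would deny, with the reason."""
    out = []
    for f in flows:
        decision, reason = verdict(f)
        if decision == "deny":
            out.append((f, reason))
    return out


def communication_map(flows):
    """Who talks to whom, zone to zone: the map you draw before redrawing it."""
    counts = {}
    for f in flows:
        key = (zone_of(f.src), zone_of(f.dst))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed flow records (documentation-range addresses stand in for the internet).
SAMPLE_FLOWS = """\
# timestamp src dst proto dport
2024-05-01T08:00:00Z 10.4.10.21  10.35.1.5    tcp 443
2024-05-01T08:00:03Z 10.35.1.5   10.3.7.40    tcp 502
2024-05-01T08:01:10Z 10.35.1.5   10.35.2.9    tcp 3389
2024-05-01T08:02:00Z 10.3.7.40   203.0.113.8  tcp 443
2024-05-01T08:02:30Z 10.4.10.21  203.0.113.8  tcp 443
2024-05-01T08:03:00Z 10.4.10.21  10.3.7.40    tcp 502
2024-05-01T08:04:00Z 198.51.100.20 10.35.1.5  tcp 3389
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS.splitlines())
    for (s, d), n in sorted(communication_map(flows).items()):
        print(f"{s:>24} -> {d:<24} {n} flow(s)")
    for f, reason in violations(flows):
        print(f"DENY {f.src} -> {f.dst}:{f.dport} ({reason})")
```

Run against real flow exports (from a passive sensor or firewall logs), the first loop is the map from sentry 2 and the second is the backlog for sentries 3 and 6: an OT device reaching the internet, a user bypassing the access zone straight into OT, and two suppliers sharing a path all show up as denials with a stated reason.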

7. Draw the map anyway

Even when you can’t rebuild everything: sketch how you would design the environment from scratch. Define principles for zones, flows, and access. The target state becomes the compass, and each improvement becomes a deliberate step, not yet another point solution.

It’s a crime scene

The big incident is not a restore exercise. Rolling back and pretending nothing happened is not a strategy, it’s an invitation to the next intrusion.

Someone has been inside. It’s a crime scene. If you don’t understand how they got in, they’ll be back.

Want to talk further?

This is what we do every day: build and operate secure Azure-based hybrid environments with Azure Local or Hyper-V, where IT, OT, and IoT coexist without compromising security. Grounded in CAF, WAF, and Zero Trust. Not PPT slides, real environments.

Reach out to and we’ll continue the discussion in your context.
The trolls are on watch.
