Quick-reference answers on cyber-physical convergence, the IT/OT boundary, the Purdue Model, OT/ICS/SCADA security, and how threats cross domains. For Empyrean's approach to converged security, see Cyber/Physical Convergence capabilities.
What is cyber-physical convergence?
Cyber-physical convergence is the recognition - and the operational practice - that cybersecurity and physical security are no longer separate disciplines protecting separate domains. They are interconnected aspects of the same operational risk, and a threat in one domain frequently manifests as an impact in the other.
CISA's Cybersecurity and Physical Security Convergence Action Guide describes convergence as the condition created by increasingly interconnected cyber-physical systems, where siloed security functions create gaps that adversaries exploit. The Interagency Security Committee's 2022 best practice, chaired by CISA, provides methodologies for federal agencies to achieve integrated security across physical security, information security, cybersecurity, and information technology.
In practical terms, cyber-physical convergence means that a ransomware attack that enters through a phishing email can propagate into operational technology and shut down a port crane. A drone surveilling a facility perimeter may be part of a coordinated campaign that also includes network reconnaissance. A badge access anomaly at a restricted door, correlated with an unusual VPN login, may indicate insider threat activity that no single security team would detect in isolation.
Empyrean addresses cyber-physical convergence by providing a single operational picture that correlates events across physical security (cameras, access control, perimeter sensors), cybersecurity (SIEM, EDR, network telemetry), OT (PLC status, SCADA events, HMI activity), electromagnetic (RF monitoring, GPS timing, spectrum anomalies), and narrative (social media threats, open-source intelligence) domains. The correlation is automatic and continuous - the GSOC analyst or security operations team sees cross-domain events as connected incidents, not as unrelated log entries in separate systems.
What is the Purdue Model and why does it matter for OT security?
The Purdue Enterprise Reference Architecture (PERA), commonly called the Purdue Model, is a hierarchical framework developed at Purdue University in the early 1990s that defines how industrial control systems (ICS) should be organized and segmented. It divides the enterprise into levels ranging from Level 0 (physical processes - sensors, actuators, motors) through Level 5 (enterprise network - business applications, internet connectivity), with a demilitarized zone (DMZ) separating the OT environment (Levels 0-3) from the IT environment (Levels 4-5).
The Purdue Model was adopted by ISA-99 (now ISA/IEC 62443) as the industry standard for ICS network segmentation and continues to serve as the common language for discussing OT security architecture. NIST SP 800-82 uses the Purdue Model framework in its Guide to Industrial Control System Security.
The Purdue Model matters because it defines the security boundary between IT and OT - the boundary that modern threats increasingly cross. The model prescribes that communication between the IT and OT zones must pass through the DMZ, with no direct connections between enterprise systems and control systems. In practice, vendor remote access sessions, cloud-connected historians, predictive maintenance platforms, and building management system integrations have created paths that bypass the DMZ - paths that the Purdue diagram does not show but that adversaries have learned to find.
Empyrean does not require changes to your network segmentation or your Purdue architecture. It works with the telemetry your existing OT and IT systems already export - SIEM alerts, PLC status data, HMI logs, badge access events, camera analytics - and correlates them in a platform that sits alongside your security architecture, not inside your control network.
What is the IT/OT boundary and why is it a security problem?
The IT/OT boundary is the interface between an organization's information technology systems (email, business applications, enterprise network) and its operational technology systems (industrial control systems, SCADA, PLCs, HMIs that control physical processes). The Purdue Model defines this as the DMZ between Levels 3 and 4.
The boundary is a security problem because it is no longer a clean line. CISA has documented findings from threat hunt engagements at critical infrastructure organizations where OT environments had shared local admin accounts with identical plaintext passwords, poor network segmentation between IT and OT, and inadequate logging. The advisory notes that malicious actors could exploit these weaknesses to gain unauthorized access to critical OT systems, manipulate physical processes, and cause harm.
The paths that breach the IT/OT boundary in most organizations are not adversary-created - they are operationally created. Vendor remote access sessions that connect directly to PLCs for maintenance. Cloud-connected historians that upload process data for analytics. Predictive maintenance platforms that pull telemetry from control systems to enterprise dashboards. HMIs with network connectivity that was never documented in the security architecture. Each of these connections exists because it provides operational value. Each of them also creates an attack path that traditional perimeter-based security was not designed to monitor.
How does ransomware cross from IT to OT?
Ransomware typically enters through IT - a phishing email, a compromised remote access credential, an exploit in an internet-facing application. Once inside the IT network, it propagates laterally through standard enterprise protocols (SMB, RDP, WMI) to reach additional systems.
The ransomware crosses into OT when it reaches a system that has connectivity to both the IT and OT networks - a dual-homed engineering workstation, a historian server, a jump host for vendor remote access, or a file server shared between IT and OT users. From that bridging system, the ransomware can reach HMIs, SCADA servers, and engineering workstations in the OT environment. It does not need to understand OT protocols to cause damage - encrypting the Windows operating system running an HMI or a historian is sufficient to halt operations.
This attack pattern has been demonstrated at ports globally, where ransomware propagating from IT into crane control systems forced facilities to revert to manual cargo handling for days. The NotPetya attack in 2017 demonstrated how lack of segmentation between IT and OT enabled catastrophic lateral movement across organizations - a lesson that the Purdue Model's DMZ architecture was specifically designed to prevent.
Empyrean's cyber-physical convergence correlates IT security events (SIEM alerts, EDR detections, network anomalies) with OT status (PLC behavior, HMI activity, process changes) in real time. When ransomware begins propagating toward the IT/OT boundary, both the IT SOC and the OT operations team see the same alert simultaneously - before the operations team discovers the attack when equipment stops responding.
What is the difference between OT, ICS, and SCADA?
These terms are related but not interchangeable, and the distinction matters for security because each layer requires a different approach.
Operational Technology (OT) is the broadest term. It encompasses all hardware and software that monitors or controls physical equipment, processes, and events in industrial environments. OT includes not just the control systems themselves but the networks, engineering workstations, historians, HMIs, and all supporting infrastructure. CISA uses OT as the umbrella term for the full operational environment.
Industrial Control Systems (ICS) is a subset of OT. It refers specifically to the systems that directly manage industrial processes - including SCADA, Distributed Control Systems (DCS), Programmable Logic Controllers (PLCs), and safety instrumented systems. ICS is the control layer; OT includes ICS plus everything that supports it.
SCADA (Supervisory Control and Data Acquisition) is a type of ICS designed for monitoring and controlling geographically distributed assets. SCADA systems collect real-time data from remote sensors and allow centralized operators to monitor status and issue commands. Think power grids, water distribution networks, and pipeline systems - any process where the assets are spread across a wide area and need centralized oversight.
What is a PLC?
A Programmable Logic Controller (PLC) is a ruggedized, purpose-built computer that automates specific industrial functions. PLCs receive input from sensors (temperature, pressure, flow, position), execute programmed logic against those inputs, and send output commands to actuators (motors, valves, pumps, relays). They are the workhorse of industrial automation - a single manufacturing facility or utility may have hundreds or thousands of PLCs controlling different processes.
PLCs reside at Level 1 of the Purdue Model, directly above the physical process (Level 0) and below the supervisory control layer (Level 2). They are designed for determinism - the guarantee that a command will execute within a specific timeframe - because delayed signals in industrial processes can cause equipment damage, safety incidents, or environmental releases.
From a security perspective, PLCs present unique challenges. Many run on proprietary firmware that cannot be patched on a standard cycle. They often use industrial protocols (Modbus, DNP3) that transmit in cleartext without authentication. Unauthorized logic changes - an attacker modifying the program that controls a valve or a pump - can cause physical damage without triggering any traditional IT security alert. This is why cyber-physical convergence matters: the threat to a PLC cannot be detected by a SIEM that monitors IT traffic. It requires visibility into the control network itself.
What is an HMI?
A Human-Machine Interface (HMI) is the screen, panel, or workstation that allows a human operator to visualize and interact with an industrial process. HMIs display real-time data from sensors and PLCs - temperatures, pressures, flow rates, equipment status - and allow operators to issue commands, adjust setpoints, and respond to alarms.
HMIs sit at Level 2 of the Purdue Model and are a critical security target because they bridge the human operator and the control system. Many HMIs run on Windows operating systems - which means they are vulnerable to the same malware, ransomware, and exploitation techniques that affect any Windows computer. When ransomware encrypts the Windows OS running an HMI, the operator loses visibility into and control of the physical process, even if the underlying PLCs continue running their last programmed state.
What is NIST SP 800-82?
NIST Special Publication 800-82, the Guide to Operational Technology (OT) Security, is the National Institute of Standards and Technology's standard reference for securing industrial control systems. Originally published as the Guide to Industrial Control Systems Security, it has been updated through multiple revisions to address the evolving threat landscape and the convergence of IT and OT environments.
SP 800-82 provides guidance on ICS threats and vulnerabilities, risk management, security architectures (including the Purdue Model framework), and recommended security controls. It is widely referenced by CISA, sector-specific agencies, and critical infrastructure operators as the baseline for OT security programs. Many regulatory frameworks - including NERC CIP for the energy sector - align with or reference SP 800-82 guidance.
What is IEC 62443?
IEC 62443 (formerly ISA-99) is the international standard series for industrial automation and control system (IACS) cybersecurity. Developed by the International Society of Automation (ISA) and adopted by the International Electrotechnical Commission (IEC), the standard provides a comprehensive framework for securing industrial control systems across their lifecycle - from design and integration through operations and maintenance.
IEC 62443 is significant because it formalized the Purdue Model's zone-and-conduit architecture into a security standard and introduced the concept of Security Levels (SL-1 through SL-4) that define the degree of protection required based on threat assessment. It applies to asset owners, system integrators, and component manufacturers - making it the most comprehensive OT security standard in terms of stakeholder coverage.
What are CISA's Cross-Sector Performance Goals (CPGs)?
The Cross-Sector Cybersecurity Performance Goals (CPGs) are a set of measurable cybersecurity actions published by CISA for critical infrastructure owners and operators to achieve a foundational level of cybersecurity. Updated to version 2.0, the CPGs are organized around the six functions of the NIST Cybersecurity Framework: Govern, Identify, Protect, Detect, Respond, and Recover.
The CPGs are voluntary but carry significant weight - they represent CISA's baseline expectation for what critical infrastructure operators should demonstrate. For organizations subject to sector-specific regulation (NERC CIP, MTSA, CFATS), the CPGs provide a cross-sector overlay that may inform future regulatory requirements.
Empyrean's audit trail architecture captures the detection, assessment, and response data that CPG compliance documentation requires - across physical, cyber, OT, and electromagnetic domains - as a byproduct of operational use, not as a separate compliance activity.
What happened in the Colonial Pipeline attack?
In May 2021, the Colonial Pipeline Company - which operates the largest refined products pipeline in the United States, delivering approximately 45% of the East Coast's fuel supply - was hit by a ransomware attack attributed to the DarkSide cybercriminal group. The attack targeted the company's IT systems, but Colonial shut down pipeline operations as a precautionary measure because they could not confirm that the OT systems controlling the pipeline were not also compromised.
The shutdown lasted six days, caused fuel shortages across the southeastern United States, triggered panic buying, and resulted in emergency declarations in multiple states. Colonial paid a ransom of approximately $4.4 million (of which the DOJ later recovered approximately $2.3 million). The incident demonstrated that even when OT systems are not directly compromised, the lack of visibility across the IT/OT boundary - the inability to confidently determine whether OT is affected - can force operational shutdowns with cascading consequences.
This is why cyber-physical convergence is not an abstract concept. The Colonial Pipeline shutdown was caused not by a failure of OT security, but by a failure of IT/OT visibility. If the security team had been able to confirm in real time that the ransomware had not crossed into the OT environment, the pipeline might never have been shut down.
Related
- Cyber/Physical Convergence - Empyrean's converged security capability
- Energy & Utilities - OT/SCADA security for energy infrastructure
- Critical Infrastructure - converged GSOC operations
- Transportation & Logistics - OT security for ports, airports, and hubs
- Sensor Fusion - the fusion engine that correlates cross-domain events
- Common Operational Picture - the operator surface for converged security