Podcast Summary: Embracing Digital Transformation
Episode #310: Why IT–OT Convergence Is the Future of Cybersecurity in Critical Infrastructure
Date: December 4, 2025
Host: Dr. Darren Pulsipher
Guest: Santosh Kivetti, CEO of ProArch
Overview of the Episode
In this episode, Dr. Darren Pulsipher delves deep into the critical topic of IT–OT convergence in cybersecurity, particularly within the realm of public sector and critical infrastructure. Featuring OT cybersecurity expert Santosh Kivetti, the conversation demystifies legacy approaches, challenges the efficacy of air gapping, and explores how combining IT (Information Technology) and OT (Operational Technology) is transforming cybersecurity, risk management, and organizational culture in sectors where downtime can have life-and-death consequences.
Key Discussion Points and Insights
1. Santosh Kivetti’s Background & Unique Perspective
- Santosh’s Journey:
- Came from humble beginnings, migrated to the US in 1998, entered programming, then moved into companies serving electric utilities.
- Experienced both IT and OT domains, leading to expertise in convergence.
- “OT is still unfortunately riddled with legacy systems, proprietary softwares, you know, low visibility. It's so data rich, but functionally data poor or information poor, as you would say.” (03:35)
- Superheroes Theme: Santosh thanked Darren for making him feel like a “superhero” and briefly discussed the value of mentorship and community involvement.
2. Legacy OT Environments: Why Are They "Data Rich, Information Poor"?
- Historical Reasons for Air-Gapping:
- Due to fears over security and the prevalence of proprietary, vendor-driven hardware, data has been siloed and often unavailable to drive intelligence or business value.
- Santosh debunks the myth of safety in air-gapped systems, especially after attacks like Stuxnet proved vulnerabilities still exist.
- Quote: “That's the myth, right? Yes. I think everybody assumed that just because I'm not connected to the Internet, you know, I'm not open or susceptible to hacking. That is not true at all.” (05:45)
3. Risks and Visibility in Critical Infrastructure
- Uptime Expectations & Risk Tolerance:
- OT has drastically higher uptime requirements than IT; four-nines (99.99%) is not sufficient in OT—anything less can be catastrophic.
- Impact of outages in OT can involve loss of life and national security threats.
- Darren paints a vivid picture:
- “If the power grid went down worldwide for 18 hours? What would happen? I mean, there'd be wars, mass chaos.” (07:11)
4. The Pressures of Digital Transformation
- Energy Infrastructure Under Strain:
- Surge in demand—especially with AI and data center growth—has underlined the urgency for more efficiency, better cost control, and robust SLAs.
- Financial and reputational penalties for downtime are significant.
5. The Path to Real IT–OT Convergence
- Culture and Process Over Technology:
- Both agree that technology isn’t the barrier—it’s the culture and communication gap between IT and OT teams.
- Quote (Dr. Pulsipher): “Technology was not the impediment at all. It didn't even show up in the research as being a factor...What I found was cultural differences between OT and IT departments in the same companies. They didn't talk, they don't even use the same language.” (13:28)
- Data Governance and Federated Models:
- “Start creating a federated domain centric governance and accountability… Data mesh is essential fabric. Before you really can apply any kind of automation or AI.” (10:28)
- Security as a Foundation:
- “Security first mindset has to be imperative. You can't just come in later and then say I'm going to bolt on security.” (10:51)
6. Achieving Visibility and Risk Awareness
- Trend Toward Observability:
- Giving organizations near real-time visibility into their environments surfaces unexpected risks and assets, and is a prerequisite for effective converged cybersecurity.
- Santosh on First Steps:
- “The first thing we do is give them the visibility of what's on their OT network...they go, 'Oh my God, I didn't realize I had so many devices on my OT network.'” (13:57)
- Fear of Compromise:
- Helping organizations move from fear-driven, reactive security to proactive, intelligence-driven approaches.
- Santosh asks:
- “Which path would you rather choose? A path where you don't know what your risks are...Or you pick a path where you know what your risks are, you know what your security controls are, you can monitor in real time...” (15:34)
7. Data Fusion and the Role of AI
- Bridging IT–OT for Predictive Maintenance and Efficiency:
- Fusion of IT and OT systems enables use cases like natural language queries for troubleshooting and proactive maintenance (e.g., LLMs can answer "What's wrong with this pump and what should I do about it?").
- AI as a Game-Changer:
- AI creates a semantic layer, aids decision-making, offers security recommendations, and processes vast threat intelligence feeds.
- “We can definitely create those parameters where it can give the recommendation, say, look, by the way, based on what I'm seeing right now in the hacking world...We would recommend these things right now for you to do.” (17:19)
8. Modernization Tactics: Digital Twins and Data Diodes
- Digital Twins for Risk-Free Experimentation:
- Rapid advances allow organizations to create digital twins in weeks, offering a safe “proxy gap” to simulate interventions and test outcomes before affecting physical assets.
- Dr. Pulsipher: “In our data center, this hasn't gone down in five days. Way. Yay. You can't do that in OT.” (24:47)
- Data Diodes and Legacy Device Challenges:
- Even with legacy devices, visibility and limited interaction (e.g., outbound data only) help mitigate operational risk without compromising core uptime.
9. The Expanding Role of Robotics and Edge Computing in OT
- Robots as New Attack Surfaces:
- With robotics and drones proliferating in OT spaces (e.g., mining, power), the attack surface grows.
- Santosh:
- “Anytime you introduce a robot or it's another OT device. Just like your SCADA system...You have to understand the vector deeply to say, where are my exposures now?” (28:52)
- Fusion of IT and OT in Modern Devices:
- Many new OT devices (e.g., autonomous drones, robots) now feature embedded edge computing and AI, blurring the IT–OT line.
10. The Future — No More IT vs. OT?
- Blurring Boundaries:
- Both foresee a future (possibly within a decade) where the distinction between IT and OT dissolves as devices and software become inextricably linked.
- Quantum computing and advances in silicon fabrication hasten this trend.
- “I definitely foresee that...At that point...there won’t be any delineation between IT and OT systems. But even now they’re converging very fast.” (29:44)
- Dr. Pulsipher’s Mind-Boggling Chip Size Analogy:
- “1.8 nanometers, that's 18 Angstroms…The coronavirus is 72 nanometers across...I can stack 32 easily...transistors across the diameter of a coronavirus.” (30:41)
11. Persisting Threats and Cybersecurity Hygiene
- Shift in Threat Vectors:
- While hardware hacking is possible, Santosh stresses that lack of “basic hygiene” in software and metadata privacy is the primary concern.
- Recent Example: Despite encrypted chat between humans and AI, analysis of unencrypted metadata revealed over 90% of the topic—spotlighting a new challenge.
Notable Quotes & Memorable Moments
- On Air Gaps:
- “Everyone assumed that just because I'm not connected to Internet, I'm not susceptible to hacking. That is not true at all.” – Santosh Kivetti (05:45)
- On Data Rich, Information Poor:
- “It's so data rich, but functionally data poor or information poor.” – Santosh Kivetti (03:35)
- On Culture vs. Technology:
- “Cultural differences between OT and IT departments...They didn't talk, they don't even use the same language.” – Dr. Darren Pulsipher (13:28)
- On Unlocking Trapped Value:
- “There might be something—I call it trapped value. There's enormous trapped value by just letting these things be silos.” – Santosh Kivetti (20:37)
- On Human vs. AI in the Loop:
- “Instead of human in the loop, why don't we call it AI in loop?...We're still in control, we're just using AI to help us.” – Dr. Darren Pulsipher (25:50)
- On Assessing and Managing New Vectors:
- “The attack surface is growing. Anytime you introduce a robot or it's another OT device...You have to understand the vector deeply.” – Santosh Kivetti (28:52)
- On the Fundamental Change Ahead:
- “I definitely foresee that...there won’t be any delineation between IT and OT systems.” – Santosh Kivetti (29:44)
- On Security Hygiene and Metadata:
- “They were able to look at the metadata and predict...what the topic was and what they were talking about.” – Santosh Kivetti (32:03)
- On Why This Work Matters:
- “There aren't a lot of people in the world that can talk OT and IT. So it's great to find another person that enjoys talking about this stuff.” – Dr. Darren Pulsipher (32:39)
Timestamps for Important Segments
- [01:04] – Guest introduction and superhero origin story
- [03:35] – Santosh defines the challenge: “data rich, information poor”
- [05:45] – The air gap myth and Stuxnet case study
- [07:11] – The real-world risk of OT downtime
- [10:28] – The federated approach to data governance and the importance of security-first
- [13:28] – Cultural barriers, not technology, block convergence
- [15:34] – Moving from reactive to proactive, visibility-driven security
- [17:19] – Real-time security intelligence and AI’s role
- [24:47] – Digital twins and safe experimentation
- [28:52] – The challenge and inevitability of robotic/AI convergence in OT
- [29:44] – “No more IT vs. OT” in the future
- [32:03] – Emerging cybersecurity threats: Metadata and basic hygiene
- [32:39] – The importance of cross-domain expertise
Summary Table: Convergence Drivers and Recommendations
| Challenge | Traditional Practice | New Approach/Recommendation |
|---------------------|-----------------------------------|--------------------------------------------------------------|
| Security | Air gapping | Proactive, real-time monitoring, intelligence-driven defense |
| Data Utilization | Centralized lakes, siloed data | Federated, domain-centric data mesh, digital twins |
| Tech vs. Culture | Tech assumed the barrier | Overcome cultural/language divides in IT–OT groups |
| Risk Visibility | Low visibility | Observability and governance as a foundation |
| Supply Chain Risk | Limited assessment | Inclusion of third-party risk in security posture |
| Robotics/Automation | Minimal or isolated OT automation | Integrated, monitored, converged IT–OT systems |
| Role of AI | Minimal, siloed | AI as a semantic, decision-support and security-enabling tool |
Conclusion
This episode provides a masterclass in the challenges, risks, and transformative potential of IT–OT convergence in critical infrastructure. The key is not technology, but cultural and organizational willingness to break silos, invest in governance and visibility, and adopt a future-facing, security-first mindset—unlocking value and securing the backbone of modern society.
For further exploration, Dr. Pulsipher invites listeners to connect via the show's community and resources at embracingdigital.org.
