“Jaguar Land Rover was breached recently… it was costing them fifty million pounds a week in disruption. And it didn’t just impact them, it impacted their entire supply chain.”
During our recent webinar, cyber risk expert Sandra Taylor from Cyber Critical Solutions Ltd shared this striking example to highlight a growing reality: the line between IT (information systems) and OT (operational technology) has disappeared. With 30+ years of experience managing cyber risk across critical infrastructure sectors (including healthcare, energy, and aviation) and at organizations like Petronas and Shell, Sandra underscored that IT/OT convergence is now one of the biggest concerns for CISOs and boards. Gaps in preparedness and in skilled talent make the risk even more urgent.
In this blog, we unpack why IT–OT convergence is now a critical cyber risk priority, highlight practical strategies from Sandra, and provide a CISO checklist to build stronger OT cyber resilience.
The Jaguar Land Rover breach isn’t an outlier. It’s part of a growing pattern where cyberattacks on IT systems spill into OT environments, halting operations and disrupting economies.
The American Water cyber attack that occurred in February 2024 caused the temporary shutdown of OT systems, forcing operators into manual mode. American Water Works is the largest regulated water and wastewater utility in the U.S., serving more than 14 million customers. In another incident, in January 2024, ransomware shut down parts of the systems of French industrial giant Schneider Electric’s sustainability business division, cutting off OT customer access and delaying operations.
According to PwC’s 2026 Global Digital Trust Insights, OT and IIoT are now among the top concerns for boards and CISOs, with major capability gaps. Critical infrastructure (manufacturing plants, power grids, hospitals, railways, and utilities) now depends on thousands of connected devices that were never designed for cybersecurity.
OT environments in 2025 are facing heightened cyber exposure due to multiple converging factors:
In our webinar, Sandra shared practical strategies for CISOs, risk leaders, and GRC professionals to enhance cyber and operational resilience in critical infrastructure sectors and beyond.
Integrate Governance Frameworks and Unify Risk Assessment for Holistic Cyber Resilience
To achieve a comprehensive cyber risk management function, organizations must integrate IT and OT domains under adaptable governance frameworks such as NIST, ISO 27001, and IEC 62443. Organizations benefit from aligning cyber risk programs with enterprise risk and compliance strategies to maintain a holistic view of risks and regulatory requirements. Using consistent business impact and vulnerability assessments based on enterprise-approved scoring models enables prioritization and a common language that resonates across business units, facilitating informed decision-making.
Deduplicate Controls and Implement Changes in Phases for Effective Risk Reduction
To manage regulatory complexity and audit demands effectively, organizations should deduplicate controls across the multiple standards they adhere to. Allowing a single control to serve multiple compliance requirements, with its evidence maintained centrally, reduces redundant effort and audit fatigue. Adopting a phased approach to control deployment, starting with the highest-risk vulnerabilities, helps avoid overwhelming teams, encourages cultural adoption of security practices, and enables more manageable progress toward full compliance, especially within operational technology environments.
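The deduplication described above boils down to a many-to-many mapping between controls and framework requirements, with evidence attached to the control rather than to each requirement. The following Python example, added here and not code from MetricStream or from the webinar, models a small control library, flags controls that are merge candidates because a broader control already evidences everything they cover, reports requirements no control satisfies (the gaps a phased rollout would prioritize), and answers the auditor’s question “what evidence backs this requirement?” from one central register. The control library and evidence paths are constructed sample data, and the framework requirement references are used illustratively; confirm them against the edition of each standard you are assessed against.

```python
"""Control deduplication across frameworks (added illustration; sample data only)."""
from collections import defaultdict

# Constructed sample control library. Each control points at its central
# evidence artefact and lists the framework requirements it is mapped to.
# Requirement references are illustrative assumptions, not an authoritative mapping.
CONTROLS = [
    {"id": "CTL-01", "name": "Quarterly access review",
     "evidence": "ev/access-review-q3.pdf",
     "satisfies": {"ISO27001:A.5.18", "NIST-CSF:PR.AA-05", "IEC62443:SR-1.3"}},
    {"id": "CTL-02", "name": "Privileged account recertification",
     "evidence": "ev/priv-recert.xlsx",
     "satisfies": {"ISO27001:A.5.18", "NIST-CSF:PR.AA-05"}},
    {"id": "CTL-03", "name": "IT/OT network segmentation (zones and conduits)",
     "evidence": "ev/fw-rules.txt",
     "satisfies": {"IEC62443:SR-5.1", "NIST-CSF:PR.IR-01"}},
    {"id": "CTL-04", "name": "OT asset inventory",
     "evidence": "ev/ot-inventory.csv",
     "satisfies": {"NIST-CSF:ID.AM-01", "IEC62443:SR-7.8"}},
]

# Constructed list of requirements the organization has declared in scope per framework.
REQUIRED = {
    "ISO27001": {"A.5.18"},
    "NIST-CSF": {"PR.AA-05", "PR.IR-01", "ID.AM-01", "DE.CM-01"},
    "IEC62443": {"SR-1.3", "SR-5.1", "SR-7.8"},
}


def requirement_index(controls):
    """Map each framework requirement to the ids of the controls claiming it."""
    idx = defaultdict(list)
    for c in controls:
        for req in c["satisfies"]:
            idx[req].append(c["id"])
    return dict(idx)


def redundant_controls(controls):
    """Return (narrower, broader) pairs where the broader control's requirement
    set already contains everything the narrower one covers. These are merge
    candidates: keeping both means two audits for the same obligations."""
    pairs = []
    for a in controls:
        for b in controls:
            if a is b:
                continue
            strict_subset = a["satisfies"] < b["satisfies"]
            # For identical sets, report only one direction so each pair appears once.
            same_set = a["satisfies"] == b["satisfies"] and a["id"] > b["id"]
            if strict_subset or same_set:
                pairs.append((a["id"], b["id"]))
    return pairs


def coverage_gaps(controls, required):
    """Requirements per framework with no mapped control; the first candidates
    for the highest-risk phase of a staged rollout."""
    idx = requirement_index(controls)
    gaps = {}
    for framework, reqs in required.items():
        missing = sorted(r for r in reqs if f"{framework}:{r}" not in idx)
        if missing:
            gaps[framework] = missing
    return gaps


def evidence_for(controls, requirement):
    """Central evidence lookup: every artefact that supports a given requirement."""
    return sorted(c["evidence"] for c in controls if requirement in c["satisfies"])


if __name__ == "__main__":
    print("merge candidates:", redundant_controls(CONTROLS))
    print("uncovered requirements:", coverage_gaps(CONTROLS, REQUIRED))
    print("evidence for ISO27001:A.5.18:", evidence_for(CONTROLS, "ISO27001:A.5.18"))
```

On the sample data, CTL-02 is reported as a merge candidate into CTL-01 because the quarterly access review already evidences both requirements the recertification control claims, and NIST-CSF DE.CM-01 shows up as the one declared requirement with no control behind it. In a real GRC register the same three queries (who claims this requirement, which controls overlap, what is unevidenced) are what turn a pile of framework checklists into a single control set with one evidence trail.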
Foster Strong Collaboration Across Domains with Clear Project Scoping
Precisely defining the scope of assessments, including systems and their interfaces, is essential to ensuring appropriate coverage without unnecessary complexity. Cyber functions must also coordinate clearly with other organizational functions such as legal compliance, procurement, and physical security to delineate responsibility and assure coverage without duplication. Documenting agreed control boundaries and assurance responsibilities fosters transparency and operational efficiency.
Address Legal, Regulatory, and Geographical Nuances in Cyber Risk Strategies
Cyber risk management must encompass the legal and regulatory environments of all operating regions. Differences like those between GDPR and local privacy laws require tailored approaches, including engaging local legal experts to confirm compliance obligations and integrate these into risk assessments and control requirements. Treating regulations as part of the risk matrix links cyber risk directly with business risks, increasing business stakeholder engagement and relevance.
Manage Third-Party Risks with Robust Contractual Controls
Third-party vendors often possess access to critical data or systems. This requires organizations to embed robust cyber controls into contracts and actively manage the associated risks. Contractual clauses should mandate timely notification of personnel changes and breaches, and gaps between regulatory requirements and third-party capabilities must be tracked and managed through remediation or risk acceptance within the organization’s cyber risk framework.
Build AI Security on a Foundation of Strong Cyber Hygiene Practices
While artificial intelligence introduces new risk dimensions, such as transparency, fairness, and accountability, these cannot be addressed in isolation. A strong foundation of IT and OT cybersecurity hygiene, including confidentiality, integrity, and availability controls, is essential before integrating AI governance. Managing AI-related cyber risks requires maturity in cybersecurity basics.
Leverage Integrated GRC Solutions to Enhance Cyber Resilience Value
Implementing an integrated Governance, Risk, and Compliance (GRC) approach yields long-term efficiency gains. Though the initial setup requires effort (conducting baseline business impact and risk assessments, deduplicating controls, and building centralized evidence repositories), these efforts reduce redundant audit activities and support rapid demonstration of compliance across multiple frameworks. Starting small, even with manual or spreadsheet-based processes, helps embed culture and understanding before scaling to technology-enabled GRC platforms.
Protecting interconnected systems requires visibility, collaboration, and a strong cyber GRC foundation that unites cybersecurity, operational safety, and regulatory oversight under a single governance model. Here’s how CISOs can prepare and strengthen their OT cyber resilience:
| Priority | What to Do |
|---|---|
| Visibility | Map OT/IIoT assets: you can’t protect what you can’t see. |
| Segmentation | Separate IT and OT networks to prevent lateral movement. |
| Risk Alignment | Use one enterprise scoring model for both IT and OT risks. |
| Control Deduplication | Reduce redundant audits and effort across frameworks. |
| Collaboration | Legal, procurement, and physical security must align early. |
| Third-Party Accountability | Enforce contractual controls and breach notification SLAs. |
| Build Talent | Upskill teams in OT-specific cyber scenarios. |
| Continuous Monitoring | Use dashboards and anomaly detection for situational awareness. |
MetricStream’s AI-first Cyber GRC, built as an interconnected, intuitive, and intelligent GRC product set, empowers CISOs to connect cyber risk data from across the enterprise, including third- and fourth-party vendors, and then use the resulting actionable business intelligence to make data-driven decisions that build cyber resilience.
With MetricStream Cyber GRC, you can:
See Cyber GRC in action. Request a personalized demo today.
Want to learn more? Watch the original webinar here: