
Risky business – Why risk assessment in IT/OT setups matters more than ever


October 29, 2025


Risk assessment is the foundation for protecting both digital and physical operations. And now more than ever, being aware of where your risks lie is crucial for business.

Digital transformation has accelerated the convergence of IT and OT systems, blurring the boundaries between them. While this integration drives efficiency, it also exposes critical infrastructure to new and more complex risks. In this blog post, we explore why segmentation between IT and OT remains vital in critical sectors, how the two domains differ in their approach to risk, and what a robust assessment process could look like. 

Laying the groundwork: Understanding risks across IT and OT domains

Conducting a risk assessment enables businesses to identify, analyze, and evaluate potential threats that could disrupt operations. In IT, the focus is often on data confidentiality, integrity, and availability, also known as the CIA triad. Risk in IT is typically measured by potential data loss, system compromise, or reputational damage. 

In OT, the focus shifts. Here, the SRP triad (safety, reliability, productivity) reflects that human safety and process stability are the primary assets to safeguard. Risk is evaluated in terms of physical harm, operational outages, production loss, and compliance failures. 

“Fundamentally, a risk assessment is meant to answer three questions: What could go wrong? How likely is it to happen? And what would the impact be?” explains Brian Dørffler Heilskov, Commercial Director of OT Solutions at Opoura.


Understanding risks across both domains is crucial as IT and OT increasingly overlap. But in critical infrastructure, where downtime or safety failures can have far-reaching impacts, keeping IT and OT segmented is necessary. 

With the rise of digital transformation, OT systems have become increasingly interconnected with corporate IT networks. And while this integration improves efficiency, data flow, and decision-making, it also introduces new vulnerabilities. Cyber threats, including ransomware attacks, now target OT environments directly.  

To mitigate these risks, critical infrastructure operators prioritize network segmentation. By creating defined boundaries between IT and OT systems, organizations can limit lateral movement during an attack and maintain control over operational processes even if the IT environment is compromised. 

Real-world incidents emphasize this point. In 2023, the Littleton Electric Light & Water Department (LELWD) in Massachusetts experienced a 300-day undetected breach. Attackers exploited weak visibility and insufficient separation between IT and OT systems. The incident showed that even smaller utilities with limited resources can become targets, and that segmentation failures can have long-term operational consequences.

Operational convergence: building around safety

When safety is compromised, the entire foundation collapses. Productivity, trust, compliance, and even human life or environmental integrity can all be at risk. That’s why safety must anchor every risk decision. It defines the non-negotiables that guide responsible operations. 

Safety determines: 

  • What can never be risked 
  • What must be preserved at all times 
  • What other objectives must adapt to 

“Safety sets the boundaries; risk appetite sets the speed, and operational flexibility determines the route,” says Brian Dørffler Heilskov, Commercial Director of OT Solutions at Opoura.

Once safety and risk appetite are clearly defined, IT and OT teams can align around a shared framework. 

In critical infrastructure especially, true convergence does not mean merging systems; it means defining a way to collaborate effectively while maintaining segmentation. IT and OT can exchange insights, coordinate incident response, and build unified risk management strategies, but their environments should remain distinct.

The table below shows what a converged approach could look like: 

[Table: comparison of element, IT view, OT view, and converged approach in a risk assessment framework]

In IT, safety often remains an implicit concern. In OT, however, it’s explicit, driving every design, process, and decision. Recognizing and respecting that distinction is essential before any risk assessment can begin. Once safety boundaries are established, the risk assessment process can take shape.  

Designing a robust risk assessment process

A strong risk assessment process provides structure and consistency, ensuring IT and OT risks are addressed in ways that support business continuity, safety, and compliance. Key steps typically include: 

1. Identifying assets and vulnerabilities across IT and OT environments
2. Assessing the likelihood and impact of threats
3. Analyzing both cyber and physical attack vectors
4. Prioritizing risks to focus on the most critical areas
5. Deploying mitigation measures such as segmentation, monitoring, and incident response plans
6. Reviewing and updating assessments regularly

“The processes of mapping out, mitigating, and remediating vulnerabilities are rarely as straightforward as we tend to think. Our systems are interconnected, threats evolve quickly, and blind spots often sit at the intersection of IT and OT. But once it’s done, organizations can make informed decisions that strengthen security, ensure reliability, and protect both people, assets and processes,” concludes Brian Dørffler Heilskov, Commercial Director of OT Solutions at Opoura.

Rather than being a one-time exercise, risk assessment should be an iterative process that continuously adapts to new technologies, emerging threats, and evolving operational realities. This is the most effective way for companies to ensure safe, strengthened, and stable operations. 

Aligning IT and OT risk strategies for strengthened operations

In conclusion, IT and OT risk assessments differ fundamentally in focus, threats, and potential impact. IT focuses on protecting data, networks, and applications against malware, phishing, and data breaches. OT safeguards operations, machines, and humans against sabotage, equipment failures, and environmental hazards.

While mapping IT and OT risks separately helps uncover unique vulnerabilities, assessing them together ensures comprehensive protection. By segmenting networks, maintaining strong governance, and aligning strategies, businesses can strengthen both digital and physical resilience, securing operations in an increasingly connected world. 
