Hey there,

Hope you are doing well.

This is Part 4 of “The Digital Factory” series.

In case you’ve missed first three parts, check them out below:

In this Part 4 - The Digital Factory (4.0) - Industry Debates, we’ll be covering some famous industry debates that we all should be familiar with (Cyber leaders, CISOs/CTOs, practitioners and most importantly newbies):

Am excited, are you Ready?

If so, let’s dig in.

Happy Holidays and Seasons greetings.

Hope you had or having good holidays with family and friends.

Yours truly.

— Yousuf.

Together with:

Tech moves fast, but you're still playing catch-up?

That's exactly why 100K+ engineers working at Google, Meta, and Apple read The Code twice a week.

Here's what you get:

All delivered twice a week in just 2 short emails.

Join 100K+ engineers

But before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care or liked and keep me motivated to publish more. Thanks!

The burning questions every industrial cybersecurity professional comes across and debates - IT and OT Convergence!

Some definitions first:

Convergence Definition - refers to the act or condition of coming together or moving toward a common point. It can apply to various contexts, including:

General Meaning Coming Together: The merging of two or more things, ideas, or interests into a similar state or point.

Technological Convergence: The integration of different technologies, such as combining data processing and telecommunications into a single system.

Integration Definition - refers to the process of combining two or more elements to create a unified whole. This concept can be applied in various contexts, including social, mathematical, and business environments.

Business Integration Definition: The process of combining different systems, applications, or technologies to work together seamlessly.

Now what we have is:

Some experts despise the term IT/OT convergence.

Some experts call it - IT & OT can never converge! (naysayers on convergence)

Some experts call it - IT & OT is converging!

Some experts call it - IT & OT have converged already!

Some experts are calling it - IT & OT integration (naysayers on convergence)

For many and for most, I call it - its confusing ;-p

I am not an expert 😉 - so no pun intended.

But what I believe is; all this mean different things for people from different backgrounds and perspectives.

For marketing → its just a buzz word - just say IT/OT convergence - SEO ranking etc.

For OT folks (in some context of a - cave man) → no it can never be.

For IT folks (in most context) → convergence / integration means the same things.

If we look at it from historical perspective we find:

In around 1990s for industrial control systems - TCP/IP won the protocols war after a lot of industry resistance.

Ethernet and windows were introduced in ICS and benefits outweighed the resistance and concerns, leading to industry wide adaption.

So in that essence → IT technology penetrated into ICS systems, so convergence already started almost two decades ago.

If we look at it from ICS experts perspective we find opinions like - it could and should never converge - linguistically - meaning controls required for physical process.

If we look at it from industry standards perspective we find set of standards like - ISA 95 / IEC/ISA 62264-x that is specifically trying to address the need for integration between business processes (i.e. IT) to manufacturing processes (i.e. OT).

In the early 90s, there was significant interest in integrating business and manufacturing systems.

The goal was to use real-time manufacturing data to improve business decision-making.

However, integrating these systems proved challenging due to their fundamental differences, including varying terminologies, cultures, and timeframes, such as the millisecond response times required by control systems.

IT focuses on data—storage, integrity, business systems. IT prioritizes security and rapid updates.

— while OT demands uptime and stability. OT deals with real-time control, uptime, and physical processes. Their priorities and protocols couldn’t be more different.

These conflicting priorities create organizational friction that technology alone can't solve.

All we’ve been seeing now is more and more adaption of IT type technology solutions into ICS / OT environment (e.g. virtualization, cloud adaption, MQTT, IIOT, PKI / certificates etc.).

Bottom Line: Convergence is happening rapidly, but success requires addressing the people problem first, not just the technology integration.

It’s driven by digital transformation, remote operations, and efficiency demands.

McKinsey calls IT/OT convergence a key enabler of scaling digital factory operations.

Legacy companies worry and for good reasons — and with good reason — but many see this as a push toward modernization, not a retreat.

The Verdict: YES - But It's Messier Than Expected

The convergence is definitely happening, but it's not the smooth integration many predicted.

Why It's Still Struggling:
The biggest barrier isn't technical—it's cultural.

Ask your team: Are we mindfully converging IT and OT — with security baked in —or stumbling toward it by chance?

Here’s an interesting set of conversations on IT/OT Convergence at S4 conference:

Long Conversation: OT and IT - Convergence, Integration, and Separation?

So what position you’ll take?

“Digital transformation isn’t a project / an app. It’s a strategy—and often, a trap.”

When Digital Transformation becomes “just a project,” momentum falters.

Most failures are rooted in poor alignment and approach — not the tech.

The $2.3 Trillion Failure Epidemic - The Shocking Statistics

Digital transformation often gets boiled down to flashy tools—IoT dashboards, cloud, AI.

But real transformation is organizational. Clear strategy, culture change, leadership buy-in—those are the hard parts.

Why it Fails (The Truth):

The Success Formula:

Email your executive team:

Digital transformation is a strategy - not a project.

“Let’s shift from Digital Transformation as a tech project to a business-holistic initiative.” Propose forming a cross-functional committee.

Here’s a 20 mins Masterclass on IT/OT Digital Transformation and Cybersecurity Strategy.

So what position you’ll take?

Over the years, there’s been a great amount of debates and discussions around this topic.

Is The Purdue Model Dead? - Joel Langill and Brad Hegrat join Dale Peterson to answer this question at an S4 event back in 2019.

Brad Hegrat declared it “essentially dead—convergence killed it.”

Opponents like Joel Langill defended its value, saying it still helps us see architectural layers—and why they exist.

Mr. Langill acknowledged that while “the architecture, from a network perspective, is probably dead,” the model was among the first to show “how these pieces are supposed to be layered and interoperate,” and “if we lose sight of that, we’re going to lose sight of why we created hierarchy in the first place.”

Langill contended that while the model was never conceived as a security reference architecture, it nonetheless incorporates some risk ideas that help security practitioners understand how information flows organizationally and thereby helps identify and address potential attack vectors.

The "Dead" Camp Says:

The "Alive" Camp Argues:

But what you might not be aware of that, back in 2023 Gartner changed its more than a decades old position on the Purdue as the reference Model and called it Death of Purdue Model.

Paul DeBeasi published a paper on 31st July 2023 – Reference Architecture for Integrating OT and Modern IT.

Where he declared that Purdue is obsolete (a significant change in Gartner’s decades old position) and this represents the next step in the evolution from the hierarchical Purdue Model toward a distributed, interconnected model.

Note that this was beside the fact that Purdue was never published as a reference architecture to be used for security.

Security was not mentioned in any where of the said publication.

The Majority Verdict: ALIVE - But on Life Support Requiring Major Surgery

Despite Gartner's earlier pronouncements, the Purdue Model isn't dead — it's evolving rapidly.

The Reality: It's not about killing the Purdue Model—it's about layering Zero Trust principles on top of its segmentation framework. The model provides structure; modern security adds intelligence.

Stop debating death. Start planning evolution.

“'The Death of the Purdue Model'—or is it just evolving into something better?”

Today, many cybersecurity leaders echo a balanced view: the model’s pure hierarchical structure may not fit modern, flat, cloud-integrated networks—but its segmentation principles still matter. SANS calls it a useful conceptual tool. See SANS position - here.

Claroty agrees: it's a solid foundation for newcomers or flat networks—but needs adaptation in modern architectures here → Beyond the Purdue Model: ICS Security in Modern, Complex Network Architectures.

Zscalar also points some views → What Is the Purdue Model for ICS Security?

Challenge your planners: Are we clinging to an outdated hierarchy — or reimagining the Purdue Model to fit our digital reality?

Here are few must watch videos that breaks it down:

Review of the Purdue Network Model | SANS ICS Security Brief - by Dean

Which view you are inclined to and why? post in comments below.

📘Many solution architects / System Integrators and other stakeholders that design and implement OT/ICS solutions

Gartner's Stance: EDA is Fundamental for Digital Business

Gartner has been bullish on Event-Driven Architecture since 2018:

The Expert Reality Check:

For IT/OT: EDA becomes critical as operational events (machine failures, production changes) need real-time propagation across enterprise systems.

“Event-driven? More than a buzzword — it’s how real-time IT and OT talk.”

Event-driven architectures enable seamless, responsive communication across IT and OT layers.

Experts advocate them for real-time insights, predictive maintenance, and responsive automation — but they add new cybersecurity demands.

Think sensors triggering operations automatically, dashboards updating live, analytics acting instantly. That’s the power—but also a complex attack surface.

Call to action:
Plan an “event-driven proof of concept.”

Map real events—say a sensor threshold—and track the full event chain end-to-end. Highlight security gaps.

Let’s show stakeholders both promise and risk in action.

Based on Gartner’s 2023 paper Reference Architecture for Integrating OT and Modern IT (31st July 2023 by Paul DeBeasi) here are some:

Key Findings:

and Recommendations:

So what position you’ll take?

There are many debates on social you may have encounter around which of these two leading protocols for broker services is a better choice when it comes to digitally transformation your manufacturing environment to an industry 4.0 or above.

There are die hard fans for both out there. That’ll convince you to choose one over other.

MQTT - its open architecture, light weight, supports report by exception updates, and push/pull or publish or subscribe model and requires less poking holes in the firewall policies.

OPC UA - on the other hand, is protocol, but its not light weight, does not support report by exception updates, is client/server architecture, requires specific firewall policies.

For a slightly more specific comparison checkout - OPC UA vs. MQTT (a comparison of the most important features) by i-flow.

“Stop fighting the MQTT vs OPC UA war. It’s a trap.

Real architecture demands both. OPC UA for machines and MQTT for IIOT/ cloud.

You need both to build a scalable IIOT/Unified Namespace architecture.

In summary, we should know that they both have their specific advantageous places in digital transformation to an event based / UNS / IIOT / 4.0 architecture for specific implementation.

So what position you’ll take?

Together with:

The AI economy is booming, and smart entrepreneurs are already profiting. Subscribe to Mindstream and get instant access to 200+ proven strategies to monetize AI tools like ChatGPT, Midjourney, and more. From content creation to automation services, discover actionable ways to build your AI-powered income. No coding required, just practical strategies that work.

Subscribe to Get Your Free Guide

Here are some topics in OT, that are often discussed, debated and you find contradictory opinions between professionals / experts.

Let me know by hitting reply if you’d like me to cover some of these in future Digital factory editions.

The goal and or idea behind this edition is to not to convince you to make a specific opinion but rather to understand arguments from both camps, consult with experts, explore and understand the concepts behind and draw your own conclusions.

The fact that these debates exits and for a good reason.

More and or more IT CISO’s in industrial environments are also given the task to do something about OT Security or these environments appoints dedicated OT CISOs or OT security leads.

- both needs to be on top of these differing opinions and reasoning.

Overall in 2025, CISOs / CXOs have taken on a more strategic role in OT cybersecurity decision-making.

I’d love to know what opinion / positions you’d take based on:

If you’d like to learn more on this head to:

IT-OT CySEAT Training & join the wait-list soon, before its too late.

In case you’ve missed - here are some of my recent most viewed social posts.

Whenever you are ready - I can help you with:

A - IT & OT Cybersecurity Advisory / Consulting services - for securing your business and or its digital transformation journey.

B - Security Awareness Training & Phishing Awareness Portal - Train your staff and build a Security awareness program through our subscription based service.

C - Securing Things Academy (STA) - Security trainings for IT & OT practitioners.

Visit the newsletter website for Links to above services and or reach out at info[at]securingthings[dot]com or DM me via LinkedIn.

D - Securing Things Newsletter - Sponsor this newsletter to showcase your brand globally, or subscribe to simply Get Smarter at Securing Things.

Reach out at newsletter[at]securingthings[dot]com or DM me via LinkedIn.