Even as information technology (IT) and operational technology (OT) networks move to a greater converged state, it remains imperative to acknowledge that cyber security processes and controls should be managed as distinct approaches for IT and OT. While things like patching for vulnerabilities immediately as a fix is released is common best practice for IT, this does not always apply for OT networks due to a variety of OT-specific constraints such as legally enforced maintenance windows, low-risk appetite for downtime in critical systems such as energy transmission or water distribution, or the total inability to patch due to the age of assets that were acquired on a 20 to 30 year lifecycle.
![[correlate]](/data/avatars/m/79/79653.jpg?1556985072){kind=avatar}
www.dragos.com
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
