Ep. 139: The Vanishing Air Gap: IT vs. Operational Technology

Episode summary: In this episode of My Weird Prompts, Herman and Corn dive into the hidden world of Operational Technology (OT)—the systems that keep our lights on and water flowing. They explore the critical differences between the IT world's focus on data and the OT world's obsession with physical availability and safety. From the legendary "air gap" and the Purdue Model to the risks of connecting legacy hardware to the 2026 cloud, the brothers break down why a software update in a factory is often viewed as a threat rather than a feature. Whether you're curious about the future of industrial cybersecurity or looking to bridge the gap between "graybeard" technicians and modern IT pros, this deep dive reveals the high-stakes reality of the machines that run our world.

Show Notes

In the latest episode of *My Weird Prompts*, hosts Herman and Corn Poppleberry shift their focus from the digital world of browsers and apps to the "nervous system of the physical world": Operational Technology (OT). Prompted by a question from their housemate Daniel, an industry insider, the brothers explore the high-stakes environment where software meets physical matter. While most users are familiar with Information Technology (IT), the systems that govern power grids, water treatment plants, and manufacturing lines operate under a completely different set of rules, priorities, and risks.

### The AIC Triad: Why Availability is King One of the most significant insights Herman shares is the fundamental shift in priorities between IT and OT. In the IT world, professionals live by the "CIA" triad: Confidentiality, Integrity, and Availability. The goal is to keep data secret, ensure its accuracy, and make it accessible. However, in an industrial setting, this hierarchy is flipped into the "AIC" triad.

Herman explains that in OT, **Availability** is the absolute priority. If a cooling pump in a nuclear reactor or a city's water pressure system fails due to a software glitch, the results are catastrophic. **Integrity** follows closely, as sensors must provide accurate data to prevent physical accidents. **Confidentiality**, the cornerstone of the corporate world, often takes a backseat. As Herman points out, it matters less if someone sneaks a peek at a temperature log than if that temperature log stops reporting altogether.

### The Myth of the Air Gap A central theme of the discussion is the "air gap"—the legendary physical separation between industrial networks and the public internet. Historically, OT systems were isolated, using proprietary protocols like Modbus (dating back to 1979) or BacNet. These systems were designed for speed and simplicity, not security, because the only way to access them was to be physically present at the machine.

However, the brothers note that as we move into 2026, the air gap is becoming a "screen door." With the rise of the Industrial Internet of Things (IIoT), companies are increasingly connecting their factory floors to the cloud to leverage AI for predictive maintenance and efficiency. This connectivity introduces a "clash of cultures." IT departments are accustomed to frequent patching and updates, whereas OT managers view a firmware update as a potential threat to a system that has run perfectly for twenty years. To an OT professional, "new" often means "untested" and "dangerous."

### The Purdue Model and the HMI To explain how these systems are structured, Herman introduces the Purdue Model. This framework divides industrial networks into levels, from Level 0 (the physical motors and sensors) to Level 4 or 5 (the corporate office). Between these levels sits a DMZ (Demilitarized Zone) or a strict firewall.

Corn raises the question of whether an operator at a Human-Machine Interface (HMI)—the touchscreen used to monitor a plant—could browse the web. Herman clarifies that while modern HMIs might look like websites, they are typically hosted on local servers. In a properly secured environment, any attempt to reach the public internet would be dropped by a firewall. The danger arises when these boundaries are blurred to accommodate cloud-based data analytics.

### The Career Gap: Graybeards vs. IT Pros The discussion also touches on the unique career path within OT. Unlike standard Computer Science roles, OT requires a deep understanding of physics. Herman emphasizes that breaking code in OT doesn't just crash a program; it could cause a crane to drop a five-ton load or a motor to explode. Consequently, the field favors those with backgrounds in Electrical or Mechanical Engineering.

There is currently a significant generational gap in the industry. On one side are the "graybeards"—technicians who understand the physical machinery perfectly but may struggle with modern IP networking. On the other side are young IT professionals who understand cybersecurity but don't know the difference between a solenoid and a relay. The "superstars" of the future, Herman argues, are the individuals who can bridge this gap, speaking the language of both firewall rules and physical logic.

### The Language of the Factory: Ladder Logic A fascinating technical detail mentioned is "Ladder Logic." Developed to be intuitive for 1970s-era electricians, this visual programming language mimics electrical circuit diagrams. Despite the existence of more advanced languages like Structured Text, Ladder Logic remains the "king of the factory floor" because it allows for real-time troubleshooting. An operator can look at a screen and see exactly which virtual "switch" is failing to close, making it indispensable for maintaining the high uptime required by the AIC triad.

### Looking Ahead: AI and Zero Trust As the episode concludes, the brothers look toward the future of 2026. The integration of AI into OT networks is the next big frontier. Herman envisions AI systems that can "feel" microscopic vibrations in a turbine and shut it down before a human even notices a problem. However, this level of automation requires a shift toward "Zero Trust" architecture, where every sensor reading and command must be verified, moving away from the old model where everything inside the factory walls was inherently trusted.

The overarching takeaway from Herman and Corn's discussion is that infrastructure is often invisible until it fails. The engineers who keep the streetlights timed and the water flowing are the unsung heroes of the modern world, operating in a high-stakes environment where the "internet" is a physical, powerful, and potentially volatile force.

Listen online: https://myweirdprompts.com/episode/industrial-ot-vs-it-security