Every industrial enterprise now operates across a boundary its governance was never built to hold: the points where enterprise IT, operational technology, and persistent vendor connections meet the systems that drive physical equipment.
Every digital instruction that reaches a physical actuator crosses it; every reading that leaves the plant passes through it.
Why is IT/OT convergence so hard to accomplish? A short, diagnostic paper on the structural reasons IT/OT convergence has resisted resolution for two decades.
This site addresses the structural governance problem that IT/OT convergence creates. The diagnosis leads to a governance mandate, the mandate to an architectural specification, the specification to measurable outcomes, and the outcomes to engagement tracks that carry the work into the enterprise.
Why the governance problem exists – and why no existing framework resolves it.
The governance framework the Operator must install – derived from the diagnosis.
The TGB – the architecture that makes governance operational at the boundary.
What a governed condition produces for each of the three actors.
Four tracks that translate the work into practice.
Two disciplines with fundamentally different purposes, different governance logics, and different relationships to physical consequence have been forced to share infrastructure, data, and decision space. The connectivity is real. The consequences are physical. The governance, overwhelmingly, is absent.
The Operator carries consequence-ownership. Corporate IT carries enterprise digital governance. The Vendor ecosystem carries product-boundary governance. Each logic works within its own domain. None encompasses the boundary where all three meet. That boundary is the governance void – and the TGB is the architectural mechanism through which it is structurally resolved.
Structural Diagnosis diagnoses the void. Governance Mandate derives the mandate. Governed Boundary specifies the architecture. Together, they describe what governance looks like once it has been architected into existence.
Four cases. Each card shows which of the TGB's three functions – traffic mediation, governance translation, semantic translation – were absent when the failure occurred. The three functions operate as a stack, and the cases trace the stack upward: from traffic mediation alone, to traffic plus governance, to the full collapse where all three are absent.
IT pivot forces OT shutdown – absent demarcation
Ransomware entered via a legacy VPN account without multi-factor authentication and encrypted Colonial's IT environment. The OT pipeline network itself was not encrypted, yet 5,500 miles of pipeline were taken offline as a precaution. The shutdown was a direct consequence of absent IT/OT demarcation and governance. The TSA issued the first mandatory OT cybersecurity directives ever imposed on the U.S. pipeline sector in response.
IT to OT lateral spread via Active Directory
LockerGoga ransomware entered via a spear-phishing attachment and propagated through Windows Active Directory to reach 160 sites and 20,000+ systems. OT plants were switched to manual operation to contain the threat before it could reach industrial control systems. Hydro refused to pay and rebuilt from clean backups, incurring months of reduced output in the process.
Safety system targeted after 90-day IT dwell
Attackers entered the corporate IT network at least 90 days before deploying TRITON against Schneider Electric Triconex Safety Instrumented Systems – the first malware ever engineered specifically to disable industrial safety backstops. An accidental safe-state shutdown revealed the intrusion. Had the safety systems been successfully disabled and process equipment manipulated, the potential consequence was toxic gas release and explosion.
Flat network cascade – undifferentiated IT/OT architecture
NotPetya entered via a single MeDoc-infected machine in Odessa. Flat enterprise IT networks with no segmentation allowed it to reach all nine business units within hours. Port operations globally – including the loading systems used to balance container ships – were halted, stranding vessels for weeks. Maersk reinstalled 45,000 PCs and 4,000 servers. The defining case study of what undifferentiated IT/OT network architecture costs at scale.
The same NotPetya wiper struck Merck, Mondelēz, and Saint-Gobain in June 2017 – a single enterprise blast radius across four otherwise unrelated industries, with combined acknowledged losses above $1.5 billion. Each case maps to the three functions the governed boundary would have exercised: traffic mediation, governance translation, and semantic translation.
This three-book series diagnoses the structural condition in depth, derives the governance mandate it demands, and specifies – in architectural detail – the mechanism that makes governance operational at the place where it has to act.
The Introduction to the Series sets out the central argument, the three governance mandates, the TGB as the architectural mechanism, and the structure of the three-book series. Concise, complete, and designed to stand alone.
Industrial organisations have spent two decades connecting operational technology to enterprise networks. The connectivity is real, the consequences are physical, and the governance – overwhelmingly – is absent.
From there, the Introduction traces the central argument, names the three actors and their governance logics, sets out the three mandates – fidelity of representation, safety of action, integrity of their interaction – and introduces the TGB as the architectural mechanism through which the void is structurally resolved.
The Structural Diagnosis, The Governance Mandate, and The Governed Boundary are in final editing before publication. Register to be notified when each volume becomes available.