Security · March 3, 2026 · 7 min read

OT/IT Convergence Is Creating Security Debt Faster Than Anyone Is Paying It Down

Every time an OT network gets connected to an IT network for operational convenience — cloud dashboards, remote access, data analytics integration — the attack surface of the OT network expands. This has been happening for twenty years. The convergence is accelerating now because distributed energy systems are designed from the outset to be cloud-connected, and the teams building those connections are often IT and software teams who do not have OT security backgrounds.

The failure mode is predictable. An IT team builds a cloud integration for a microgrid management platform. They use standard IT security practices: TLS, API keys, role-based access control. These are reasonable controls in an IT context. In an OT context, they miss the critical question: what happens when the cloud integration is compromised? In an IT system, a compromised API key means a data breach. In an OT system, it means an attacker has a path to physical assets.

The Purdue Model — the classic OT network segmentation framework — was designed to prevent exactly this failure. Air-gapped operational networks, with narrow, monitored interfaces to business networks, and no direct Internet exposure for control-layer assets. The model worked when OT networks were genuinely isolated. It does not work when operators are running remote access VPNs directly into their control networks for convenience.

The practical problem is that the Purdue Model imposes operational costs that modern distributed energy operations cannot absorb. An operator managing assets across 30 sites cannot physically dispatch to each site for every operational decision. Remote access is a real operational requirement. The question is not whether to allow remote connectivity — it is how to do it without collapsing the security boundary.

The answer is a purpose-built connectivity layer that provides the operational visibility and remote access operators need while maintaining strict segmentation between the control path and the data path. Read access to telemetry should not grant write access to control commands. Cloud analytics should not have a direct network path to inverter control interfaces. Every connection should be authenticated, every command should be authorized, every action should be audited.

This is the architecture GridWatch implements. The platform provides full operational visibility and event-driven control, but with explicit trust boundaries at every layer. The cloud cannot talk directly to the edge; it publishes authorized events that the edge adapter validates before dispatching to local devices. The operational convenience is preserved. The security boundary is maintained.
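To make the trust boundary described in the two paragraphs above concrete, here is an added example (not GridWatch code; the key, roles, device name and limits are constructed) of an edge-side gate that validates a cloud-published event before anything is dispatched to a device: the signature proves origin, a freshness window and an id set refuse replays, the role table keeps telemetry readers from issuing control writes, per-device bounds reject an authorized but unsafe value, and every decision is audited.

```python
import hashlib
import hmac
import json
# Constructed shared secret for this example; a real edge adapter would hold a per-site key in a secure element.
EDGE_KEY = b"example-edge-key-not-for-production"

# Role -> permitted operations. Telemetry readers never receive control writes.
ROLE_PERMISSIONS = {
    "analytics": {"read_telemetry"},
    "operator": {"read_telemetry", "set_setpoint"},
}
# Per-device control operations and the value range the site allows (constructed, kW).
DEVICE_LIMITS = {"inverter-07": {"set_setpoint": (0.0, 250.0)}}
MAX_SKEW_S = 30          # reject events older or newer than this
AUDIT_LOG = []           # every decision, accepted or not, is recorded here
_SEEN_IDS = set()        # accepted event ids, to refuse replays

def sign_event(event: dict, key: bytes = EDGE_KEY) -> str:
    """Canonical JSON + HMAC-SHA256, as the cloud publisher would sign it."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def validate_event(event: dict, signature: str, now: float, key: bytes = EDGE_KEY):
    """Edge-side gate: returns (accepted, reason) and audits the decision.
    Only an accepted control event may be dispatched to a local device."""
    accepted, reason = _check(event, signature, now, key)
    if accepted:
        _SEEN_IDS.add(event["id"])
    AUDIT_LOG.append({"ts": now, "event": event, "accepted": accepted, "reason": reason})
    return accepted, reason

def _check(event, signature, now, key):
    if not hmac.compare_digest(sign_event(event, key), signature):
        return False, "bad signature"              # tampered or unsigned
    if abs(now - event.get("issued_at", 0)) > MAX_SKEW_S:
        return False, "stale event"                # outside freshness window
    if event.get("id") in _SEEN_IDS:
        return False, "replayed event"             # same id already acted on
    op = event.get("op")
    if op not in ROLE_PERMISSIONS.get(event.get("role"), set()):
        return False, "role not authorized for op" # read role asking to write
    if op == "read_telemetry":
        return True, "telemetry read"              # data path, no device write
    limits = DEVICE_LIMITS.get(event.get("device"), {})
    if op not in limits:
        return False, "op not permitted for device"
    lo, hi = limits[op]
    value = event.get("value")
    if not isinstance(value, (int, float)) or not (lo <= value <= hi):
        return False, "value out of bounds"        # authorized role, unsafe value
    return True, "dispatch to device"
```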

The security debt from OT/IT convergence is real and growing. The operators who will manage it successfully are the ones who treat connectivity as an architecture problem, not a configuration problem.

GridWatch is currently invite-only.

We are onboarding a select group of operators ahead of our late 2026 launch.
