Integrating OT/IT Cyber Incident Response Capabilities

Threats Targeting OT Will Test Your Response Capabilities—and Resilience

OT-related cyber incident response efforts often need to be coordinated with the physical safety and plant operation teams. 

Legacy OT was designed to maximize production response and uptime—not to enable security practices like active probing or terminating active processes based on cyber threat heuristic analysis. 

OT staff are often unfamiliar with cyber tools—and IT staff are often unfamiliar with OT systems. This can contribute to risks that disrupt business and jeopardize safety. 

Threat detection and response metrics differ between IT and OT. IT focuses more on remediating cyber threats, while OT is more focused on mitigation controls that maximize production uptime.

CISOs need cyber protections spanning enterprise and manufacturing environments

To enhance threat detection and response capabilities across IT and OT, organizations can create a cyber fusion center (CFC). This comprehensive approach integrates core cybersecurity capabilities into a single entity.  

A CFC can provide the following integrated capabilities:

Four Steps for Integrating OT Into an IT SOC

A four-step approach to building an OT threat detection and response program involves creating a strategy, expanding visibility into the networks (including gaining an understanding of what normal looks like in your environment), enabling continuous detection and response functions, and facilitating effective response operations.

1. Establish a Strategy

  • Form a shared governance body with representation from both enterprise IT and manufacturing. 
  • Plan the journey to integrate individual CFC capabilities (cyber threat intelligence, threat defense operations, detection and response, attack surface reduction, and metrics and reporting) into an existing SOC, while taking OT priorities for safety and uptime into consideration. A well-thought-out strategy contains an initial list of targeted use cases, a rollout plan with a proof-of-concept phase, the skill sets needed to perform the work, the staff required to enable it, and a basic timeline.

2. Enable Visibility

  • Implement OT passive monitoring: Deploy monitoring tools to capture and analyze network traffic from OT environments. These tools should be capable of handling proprietary protocols and systems used in OT. 
  • Implement a network-segmentation strategy: Segregate OT networks from the IT network to minimize online exposure and to compartmentalize the network traffic analyzed by the OT passive-monitoring sensors.

3. Enable Action

  • Integrate OT alerts into the security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms: Configure the SIEM to ingest and correlate logs and alerts from OT devices. This integration allows centralized monitoring and correlation of security events across IT and OT environments, and SOAR playbooks automate repetitive tasks.
  • Develop OT threat-detection use cases: Create use cases and detection rules that focus on identifying OT-specific threats and anomalies. These use cases should focus on behaviors, protocols, and communication patterns of systems in OT environments. 
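As an added example (not code from the original page), the snippet below ties the step-2 baseline of "what normal looks like" to a step-3 detection use case: it learns the set of OT conversations seen during a learning window of passive-sensor flow records, then emits one JSON alert per conversation that falls outside that baseline, rating state-changing functions higher than reads. The record format, host names and Modbus function names are constructed for illustration.

```python
"""Baseline-and-deviation detection over OT passive-monitoring records.

Added example, not from the original page. Host names, record layout and
function names are constructed; a real sensor export would differ.
"""
import json

# Constructed sample: one flow record per line as a passive sensor might
# export it: time,src,dst,protocol,function
BASELINE = """\
08:00:01,hmi-01,plc-line1,modbus,read_holding_registers
08:00:02,hmi-01,plc-line1,modbus,write_single_register
08:00:03,historian,plc-line1,modbus,read_holding_registers
08:00:04,hmi-02,plc-line2,modbus,read_coils
"""
LIVE = """\
09:15:01,hmi-01,plc-line1,modbus,read_holding_registers
09:15:02,eng-laptop-7,plc-line1,modbus,write_single_register
09:15:03,historian,plc-line2,modbus,read_holding_registers
09:15:04,hmi-01,plc-line1,modbus,write_single_register
"""

# Functions that change process state: a new talker using one of these is a
# higher-priority event than a new talker that only reads.
STATE_CHANGING = {"write_single_register", "write_multiple_registers",
                  "write_single_coil", "write_multiple_coils"}

def parse(records: str):
    for line in records.strip().splitlines():
        t, src, dst, proto, func = line.split(",")
        yield {"time": t, "src": src, "dst": dst, "proto": proto, "func": func}

def learn_baseline(records: str) -> set:
    """Allowlist of (src, dst, proto, func) tuples seen in the learning window."""
    return {(r["src"], r["dst"], r["proto"], r["func"]) for r in parse(records)}

def detect(records: str, baseline: set) -> list:
    """Return SIEM-ready alerts for conversations absent from the baseline."""
    alerts = []
    for r in parse(records):
        if (r["src"], r["dst"], r["proto"], r["func"]) in baseline:
            continue  # known-good conversation, no event
        severity = "high" if r["func"] in STATE_CHANGING else "medium"
        alerts.append({**r, "rule": "ot_new_conversation", "severity": severity,
                       "summary": f"{r['src']} -> {r['dst']} {r['proto']}/{r['func']} not in baseline"})
    return alerts

if __name__ == "__main__":
    for alert in detect(LIVE, learn_baseline(BASELINE)):
        print(json.dumps(alert))  # one JSON event per line for SIEM ingestion
```

In practice the learning window would run for days and be reviewed with site staff before enforcement, since a baseline captured during an abnormal period is itself a false negative.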

4. Facilitate Response

  • Strengthen ties with site stakeholders: Build a strong partnership with site staff and ensure each site’s single point of contact for information security (SPOC) understands the OT threat detection and response program and their role in the event of an OT cyber incident. 
  • Train staff for their role in incident response: Provide introductory training that shows how SOC analysts and site staff will work together to remediate an incident, so that site staff are at ease in their roles.
  • Enable a dedicated role or function in the CFC to maintain familiarity with manufacturing site operational context and associated cyber alerts. 
