Operational Technology (OT) Security

We secure industrial networks and safety-critical systems (ICS/SCADA, PLCs, DCS, IIoT). Our approach blends the Purdue model, IEC 62443, and NIS2 with practical engineering and 24×7 monitoring.

What we do

OT Risk & Architecture

  • Site surveys, asset discovery (passive, plus safe active scanning during maintenance windows).
  • Purdue zoning/conduits, data-diode and DMZ design.
  • Reference architectures for plants, substations, water, pharma, oil & gas.

Controls Implementation

  • Network segmentation, L2/L3 ACLs, firewall/IPS policies, allow-listing.
  • Cisco Firepower installation and security configuration.
  • Secure remote access (PAM jump hosts, VPN with MFA, session recording).
  • Hardening of PLC/HMI/Historians, backup & golden-image management.

Detection & Response

  • OT NDR (e.g., Claroty/Nozomi/Dragos) with SPAN/TAP visibility.
  • SIEM content for ICS protocols (Modbus, DNP3, S7, OPC UA).
  • IR playbooks for safety-first triage, containment and recovery.

Managed OT Security (MDR for ICS)

What we run for you

Service Levels & Deliverables

Item         Details
Onboarding   Site survey, SPAN design, asset baseline, runbook sign-off (2–6 weeks per site).
Alerts       P1: 15-minute triage; P2: 1-hour; vendor engagement if PLC logic is touched.
Reporting    Weekly KPIs, monthly risk updates, quarterly tabletop exercise.

Low-Level OT Security Solutions

Asset Inventory & Baseline

  • Passive discovery from core switch SPAN/TAP; parse ICS protocols to enumerate PLCs (make/model/fw), HMIs, historians, engineering workstations.
  • Supplement with safe active scans during outage windows (vendor-approved scripts, limited ARP/ICMP, no broadcast storms).
  • Normalize to CMDB with fields: tag, zone, conduit, vendor, firmware, criticality, maintenance_window.

Purdue Zoning & Conduits

  • Define L0/L1 (sensors/actuators), L2 (cell/area), L3 (site operations), L3.5 (OT DMZ), L4 (IT), L5 (external).
  • Implement conduits via firewalled VLANs; default-deny at L2↔L3; allow only protocol+port+endpoint tuples.
  • Data-diode or one-way replication from L3→L4 historians when possible.
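The conduit model above (zones by address range, default-deny between them, explicit protocol+port+endpoint tuples) can be checked offline before it is pushed to a firewall. The following is an added example, not the page's own rulebook or any vendor's policy format; the zone CIDRs, host addresses and conduit names are constructed for the demo. Conduits describe who may open a session; return traffic is assumed to be handled by stateful inspection, so the reverse direction deliberately has no rule.

```python
"""Evaluate flows against a Purdue-style conduit allow-list (constructed demo)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed zone address plan; a real plant would load this from the CMDB.
ZONES = {
    "L1": ipaddress.ip_network("10.20.1.0/24"),     # controllers (PLC/RTU)
    "L2": ipaddress.ip_network("10.20.2.0/24"),     # HMIs, cell/area supervision
    "L3": ipaddress.ip_network("10.20.3.0/24"),     # site operations, engineering
    "L3.5": ipaddress.ip_network("10.20.35.0/24"),  # OT DMZ (jump host, DMZ historian)
    "L4": ipaddress.ip_network("10.10.0.0/16"),     # enterprise IT
}


def zone_of(ip: str) -> str:
    """Map an address to its Purdue zone, or 'unknown' if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


@dataclass(frozen=True)
class Conduit:
    """One allow-list tuple: zone pair + protocol/port, optionally pinned to hosts."""
    name: str
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    src_hosts: Optional[FrozenSet[str]] = None  # None = any host in src_zone
    dst_hosts: Optional[FrozenSet[str]] = None  # None = any host in dst_zone

    def matches(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        return (zone_of(src_ip) == self.src_zone
                and zone_of(dst_ip) == self.dst_zone
                and proto == self.proto and port == self.port
                and (self.src_hosts is None or src_ip in self.src_hosts)
                and (self.dst_hosts is None or dst_ip in self.dst_hosts))


# Constructed rulebook. Note what is absent: nothing from L4 into L3 or below,
# and nothing from L1 upward, so those flows fall through to the default deny.
CONDUITS: List[Conduit] = [
    Conduit("hmi-to-plc-modbus", "L2", "L1", "tcp", 502),
    Conduit("eng-ws-to-plc-program", "L3", "L1", "tcp", 102,
            src_hosts=frozenset({"10.20.3.50"})),
    Conduit("site-hist-to-dmz-hist", "L3", "L3.5", "tcp", 5432,
            src_hosts=frozenset({"10.20.3.10"}), dst_hosts=frozenset({"10.20.35.10"})),
    Conduit("dmz-hist-to-it-hist", "L3.5", "L4", "tcp", 5432,
            src_hosts=frozenset({"10.20.35.10"}), dst_hosts=frozenset({"10.10.7.20"})),
    Conduit("jump-host-to-eng-ws", "L3.5", "L3", "tcp", 3389,
            src_hosts=frozenset({"10.20.35.5"}), dst_hosts=frozenset({"10.20.3.50"})),
]


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
    """Return ('allow', conduit name) for the first matching conduit, else ('deny', reason)."""
    for conduit in CONDUITS:
        if conduit.matches(src_ip, dst_ip, proto, port):
            return "allow", conduit.name
    return "deny", f"no conduit {zone_of(src_ip)}->{zone_of(dst_ip)} {proto}/{port}"


# Constructed flow log (src, dst, proto, port) as a firewall or NDR might export it.
SAMPLE_FLOWS = [
    ("10.20.2.20", "10.20.1.10", "tcp", 502),   # HMI polling a PLC: allowed
    ("10.20.3.50", "10.20.1.10", "tcp", 102),   # engineering workstation to PLC: allowed
    ("10.20.3.99", "10.20.1.10", "tcp", 102),   # other L3 host, same port: denied
    ("10.10.5.5", "10.20.1.10", "tcp", 502),    # IT host straight to a PLC: denied
    ("10.20.1.10", "10.20.2.20", "tcp", 502),   # PLC initiating upward: denied
    ("10.20.35.10", "10.10.7.20", "tcp", 5432), # DMZ historian pushing to IT: allowed
    ("10.10.7.20", "10.20.35.10", "tcp", 5432), # IT pulling from DMZ: denied (one-way)
]


def audit(flows=SAMPLE_FLOWS) -> List[Tuple[Tuple[str, str, str, int], str, str]]:
    """Evaluate every flow; the denied entries are the candidates for review."""
    return [(flow, *evaluate(*flow)) for flow in flows]


if __name__ == "__main__":
    for flow, decision, reason in audit():
        print(f"{decision:5} {flow[0]:>12} -> {flow[1]:<12} {flow[2]}/{flow[3]}  ({reason})")
```

Running the block prints the decision for each constructed flow; feeding it a real export of accepted sessions and looking only at the `deny` rows is a quick way to find traffic that a firewall permits but the conduit diagram does not.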

Network Controls

  • Access switches: 802.1X (multi-auth for panels), MAC-pinning for legacy, BPDU guard, storm control.
  • Layer-3: ACLs per VLAN; QoS priority for deterministic control traffic; NTP/PTP secured sources.
  • Firewalls: explicit rules per conduit; app-ID/IPS tuned to ICS signatures; schedule-based rules for vendor access.

Identity & Access in OT

  • Break-glass local accounts rotated via PAM; engineer access via jump host with MFA + session capture.
  • Vendor access: ephemeral accounts, time-bound, limited to L3.5 tools; approve via change tickets.
  • HMI/PLC: strong passwords where supported; RBAC on HMIs; disable unused services (FTP/Telnet).

Endpoint & PLC/Device Hardening

  • Golden images for engineering workstations; application allow-listing; USB control + media scanning (sheep-dip station).
  • PLC firmware pinned & checksummed; disable programming mode except during maintenance; block broadcast write opcodes.
  • Backups: config & logic offloaded to secured repository with immutability (WORM) and quarterly restore tests.

Monitoring & Telemetry

  • OT NDR platform via SPAN/TAP on core/distribution; parse Modbus/DNP3/S7/IEC-104/PROFINET/OPC UA.
  • Syslog/OPC UA audit logs to SIEM; time sync via secured NTP hierarchy.
  • Detect: unauthorized program uploads, set-point changes, PLC mode changes, unexpected write coils/registers.
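The two passive tasks described on this page, enumerating controllers from protocol traffic (Asset Inventory & Baseline) and alerting on unexpected writes (the Detect bullet above), share one ingredient: a Modbus/TCP frame parser. The block below is an added example, not code from any NDR product or from this page; it shows both on a handful of constructed frames. Host addresses, the register limit, the authorized-writer list and the frames themselves are all constructed; the frame layout follows the public Modbus/TCP specification (MBAP header, function code 43 / MEI type 14 for Read Device Identification, function codes 5/6/15/16 for writes). It does not capture packets itself: a real deployment would feed it TCP payloads from a SPAN/TAP capture.

```python
"""Passive Modbus/TCP observer: inventory from device-identification replies,
alerts on unexpected writes. Constructed demo data throughout."""
import struct
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Function codes that change process state (coils / holding registers).
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers"}
# Object ids in the "basic" device-identification block (FC 43, MEI type 14).
DEVICE_ID_OBJECTS = {0: "vendor", 1: "product_code", 2: "firmware"}


@dataclass
class ModbusMsg:
    src: str        # source IP, supplied by the capture layer
    dst: str
    unit: int       # MBAP unit identifier
    function: int   # Modbus function code
    payload: bytes  # PDU bytes after the function code


def parse_modbus_tcp(src: str, dst: str, data: bytes) -> ModbusMsg:
    """Split MBAP header + PDU into a ModbusMsg; reject frames that are not Modbus."""
    if len(data) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(data) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusMsg(src, dst, unit, data[7], data[8:])


def parse_device_id_response(msg: ModbusMsg) -> Optional[Dict[str, str]]:
    """Decode a Read Device Identification reply into vendor/product/firmware fields."""
    if msg.function != 43 or len(msg.payload) < 6 or msg.payload[0] != 14:
        return None
    count = msg.payload[5]  # number of objects carried in this reply
    pos, objects = 6, {}
    for _ in range(count):
        oid, ln = msg.payload[pos], msg.payload[pos + 1]
        value = msg.payload[pos + 2:pos + 2 + ln].decode("ascii", "replace")
        objects[DEVICE_ID_OBJECTS.get(oid, f"object_{oid}")] = value
        pos += 2 + ln
    return objects


def register_writes(msg: ModbusMsg) -> Iterator[Tuple[int, int]]:
    """Yield (register, value) pairs for single (FC 6) and multiple (FC 16) register writes."""
    if msg.function == 6:
        yield struct.unpack(">HH", msg.payload[:4])
    elif msg.function == 16:
        start, qty, _nbytes = struct.unpack(">HHB", msg.payload[:5])
        for i in range(qty):
            yield start + i, struct.unpack(">H", msg.payload[5 + 2 * i:7 + 2 * i])[0]


def check_write(msg: ModbusMsg, authorized_writers: set,
                setpoint_limits: Dict[int, Tuple[int, int]]) -> Optional[str]:
    """Alert on writes from unlisted hosts or set-points outside the engineered range."""
    name = WRITE_FUNCTIONS.get(msg.function)
    if name is None:
        return None  # reads and diagnostics are not write events
    if msg.src not in authorized_writers:
        return f"unauthorized {name} from {msg.src} to {msg.dst} unit {msg.unit}"
    for reg, value in register_writes(msg):
        lo, hi = setpoint_limits.get(reg, (None, None))
        if lo is not None and not lo <= value <= hi:
            return f"out-of-range set-point {value} for register {reg} from {msg.src}"
    return None


def mbap_frame(unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header (used here only to construct sample traffic)."""
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu


# Constructed hosts and traffic.
PLC, HMI, ENG_WS, ROGUE = "10.20.1.10", "10.20.2.20", "10.20.3.50", "10.20.3.99"
SAMPLE_TRAFFIC = [
    # PLC answering a device-identification query: vendor ACME, product PLC-1, fw 2.1
    (PLC, ENG_WS, mbap_frame(1, bytes([43, 14, 1, 1, 0, 0, 3])
                             + b"\x00\x04ACME" + b"\x01\x05PLC-1" + b"\x02\x032.1")),
    (HMI, PLC, mbap_frame(1, bytes([6]) + struct.pack(">HH", 100, 500))),    # in range
    (HMI, PLC, mbap_frame(1, bytes([6]) + struct.pack(">HH", 100, 2000))),   # out of range
    (ROGUE, PLC, mbap_frame(1, bytes([5]) + struct.pack(">HH", 7, 0xFF00))), # unlisted host
    (ENG_WS, PLC, mbap_frame(1, bytes([16]) + struct.pack(">HHB", 100, 2, 4)
                             + struct.pack(">HH", 800, 300))),               # FC 16, in range
    (HMI, PLC, mbap_frame(1, bytes([3]) + struct.pack(">HH", 0, 10))),       # plain read
]
AUTHORIZED_WRITERS = {HMI, ENG_WS}
SETPOINT_LIMITS = {100: (0, 1000)}  # register -> (min, max), from the process engineers


def run(traffic=SAMPLE_TRAFFIC) -> Tuple[Dict[str, dict], List[str]]:
    """Build the inventory and the alert list from a sequence of (src, dst, frame)."""
    inventory, alerts = {}, []
    for src, dst, raw in traffic:
        msg = parse_modbus_tcp(src, dst, raw)
        ident = parse_device_id_response(msg)
        if ident:
            inventory[src] = {"unit": msg.unit, **ident}
        alert = check_write(msg, AUTHORIZED_WRITERS, SETPOINT_LIMITS)
        if alert:
            alerts.append(alert)
    return inventory, alerts


if __name__ == "__main__":
    inv, found = run()
    print("inventory:", inv)
    for line in found:
        print("ALERT:", line)
```

The inventory dictionary maps straight onto the CMDB fields listed earlier (vendor, firmware); zone and conduit would be filled from the address plan. The two alert types correspond to the "unexpected write coils/registers" and "set-point changes" items in the Detect bullet; program uploads and mode changes use vendor-specific functions (S7, for instance) and need their own parser.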

Incident Response (Safety-First)

  • Runbooks per zone: isolate conduit at firewall; fall back to manual/SAFE state; engage vendor when PLC safety trips.
  • Forensics staging in L3.5; capture pcap, configs, images; never hard-power critical controllers without process approval.

Patch & Vulnerability Management

  • Vendor BOM & patch matrices; test in digital twin/QA cell; deploy in maintenance windows only.
  • Mitigate when patching is impossible: ACLs, IPS virtual patching, account rotations, disable services.

Secure Remote Access

  • OT jump server in L3.5 with PAM; TLS VPN with MFA; session proxy/recording; no direct L4→L2 routable paths.
  • One-time access tokens with auto-expiry; all sessions ticket-bound.

Governance, Compliance & Change

  • IEC 62443-2-1 policies; change control with plant manager approval; MoC records mapped to conduits/assets.
  • NIS/NIS2 risk register tying threats→controls→evidence; quarterly exercises.

Standards & Compliance Mapping

Evidence we produce

Zone & conduit diagrams, rulebooks (allow-lists), hardening baselines per vendor/asset.

IR playbooks, exercise reports, configuration backup attestations.

Risk register linking threats → controls → residual risk.

FAQs

By default, no. We use passive monitoring. Safe active checks are restricted to vendor-approved commands in maintenance windows.

Through an OT jump host in the DMZ with PAM, MFA, time-bound accounts, and session recording. No direct vendor access to L2/L1.

Get a Quote

Contact us today to discuss how we can help you unlock the full potential of technology and achieve your business goals.
