IT vs. OT: The basics
When we talk about cyber security, our minds often jump to IT—the realm of computers, servers, and networks that handle data and communications.
However, there's another critical domain that's just as important, especially in industries like manufacturing, energy, and utilities: OT, or Operational Technology.
Similar but different – The nuances of IT and OT
IT is all about managing and processing information. Think emails, databases, and software applications. OT, on the other hand, focuses on controlling and monitoring physical processes. This includes machinery and industrial control systems as well as the aggregating control centres and the software running on them (what we typically call the “IT in OT”).
- Environment: IT systems typically operate in controlled, relatively homogeneous environments such as offices and data centres. OT, on the other hand, can be found in a wide variety of settings, from rugged industrial sites with harsh and unpredictable conditions to hyper-controlled clean rooms and assembly lines. This heterogeneity means OT applications, and the constraints on securing them, are far more diverse than their IT counterparts.
- Evolution: IT systems are known for their rapid evolution, with new software updates and hardware upgrades constantly being rolled out. In contrast, OT is designed for longevity and reliability, often remaining in use for decades with minimal changes.
- IT-OT Convergence: As IT and OT become more integrated, so do their associated risks. An attack on an IT system can potentially spread to OT, and vice versa. This interconnectivity requires a holistic approach to cyber security that protects both domains. As OT becomes more connected to IT networks, new capabilities are unlocked, but new risks to OT are introduced as well.
“When we look at some of the real-world OT/Industrial incidents, a lot of them start over in the IT side of the house.”
Josh Kolleda | NCC Group Transport Director
Current trends and threats in the IT/OT landscape
Significant cyber security threats in OT
Despite their differences, OT and IT face many of the same cyber security threats. Here are a few key challenges they share:
Complex threat landscape:
Supply chain attacks pose significant risks to IT and OT systems alike. Malware can wreak havoc on either environment, and OT-specific malware is becoming more common. While an IT breach might compromise data, an OT breach could disrupt critical infrastructure, leading to physical damage or safety risks.
Threat actors targeting OT:
APTs (Advanced Persistent Threats) are sophisticated, long-term infiltrators often backed by state actors, aiming to steal sensitive data or control critical systems, leveraging custom-built malware that specifically infects OT environments.
OT environments tend to rely on outdated remote access policies rather than segmented access control, making third-party supply chains a huge blind spot. Trusted third-party relationships have been exploited by APTs in the past.
Financially motivated criminal groups increasingly target OT, specifically engineering workstations, with an increase of more than 87% in ransomware activity against industrial organisations reported in 2024. Last year also saw a 60% rise in the number of ransomware groups affecting OT/ICS. Overall, these attacks cause partial or full disruption of OT operations to pressure victims into paying the ransom.
Vulnerabilities:
Both IT and OT domains face vulnerabilities, but the nature and scale of these vulnerabilities differ significantly. In IT, parts of the infrastructure may go unpatched or outdated due to insufficient vulnerability management.
However, in OT environments, systems habitually run on unpatched, outdated, or even out-of-support operating systems, often within flat networks. This necessitates a drastic change in the approach to vulnerability management, as traditional patch-centric methods alone are insufficient. Where a host cannot be patched, the burden shifts to network design and segmentation, and to detection and response capabilities, which underscores the unique challenges faced in OT environments.
“Keeping IT segregated from OT is a crucial protective measure to prevent the spread of attacks from IT into OT”
Ali Dyer | CISO Associated British Foods
Evolution of Threats
Leveraging the supply chain:
It is very common for an OT landscape to incorporate hardware from multiple suppliers, who conduct remote management and maintenance. Even if an OT network is otherwise inaccessible, such supplier access remains a valid entry point and can therefore be leveraged by an attacker.
Successfully infecting a supplier yields potentially huge outcomes in terms of access to further victims, making it an attractive attack path for skilled attack groups.
Migration to Cloud:
Cloud-based control centres offer benefits of enhanced scalability, remote access, and centralised management, as well as overall optimisations and further IT integrations.
While this infrastructure flexibility might eliminate the need for costly on-premises hardware and reduce maintenance overhead, it comes at the cost of sacrificing the ability to run OT in island mode (i.e., as standalone systems unconnected to the internet).
Rise of IoT:
The increasing number of connected devices in both IT and OT environments presents more potential entry points for attackers.
For instance, a state-affiliated group, CyberAv3ngers, developed custom malware, IOCONTROL, specifically targeting IoT, ICS, and other OT devices, including SCADA systems and PLCs. This malware is based on a generic IoT/OT malware framework that targets embedded Linux-based devices.
The growing adoption of IoT devices means organisations need to prioritise the security of these devices, with robust controls to protect against unauthorised access and malicious activity, since every additional connected device widens the attack surface.
Best practices for enhancing cyber security posture
Key strategies
Document a strategy: Businesses should have a conscious, documented strategy to safeguard both OT and IT. Key questions to ask oneself in drafting the strategy are:
1. What have I got?
2. What is its criticality?
3. How do I retain control?
Implement critical controls: For OT, NCC Group takes the Five Critical Controls set out by SANS as a guide, which are:
1. Develop a comprehensive ICS Incident Response Plan.
2. Construct a defensible architecture.
3. Achieve continuous monitoring of ICS networks.
4. Implement secure methods for remote access to ICS networks.
5. Provide ongoing security awareness and training.
Common mistakes
- Unclear asset visibility: Not having a clear view of all assets and their vulnerabilities.
- Overlooking basics: Neglecting steps such as strong passwords and a patch management strategy that accounts for the intricacies of OT environments, where direct patching might not always be possible.
- Unprepared incident response: Failing to plan for and respond to security incidents effectively.
- Relaxed vendor security: Not assessing the security posture of vendors and partners.
Technological advancements in OT cyber security
NDR sensors: Network Detection and Response (NDR) sensors monitor IT and OT environments alike, offering tailored response capabilities fitting the environment.
AI and Machine Learning: Changing both the capabilities and the cost of an attack from a threat actor's perspective, while also informing anomaly-based detection logic on the defensive side.
Zero Trust architecture: Ensuring that no entity is trusted by default, regardless of whether it is inside or outside the network.
Affordable data storage: Making full PCAP (Packet Capture) storage a realistic option. This is especially important in an era where APTs employ pre-positioning, meaning they dwell in environments until it is time to strike.
Leveraging Network Detection and Response (NDR) for OT
On our recent OT webinar series, we asked attendees the following question: Have you successfully deployed real-time monitoring in your OT environments?
Yes: 24%
No: 43%
In progress: 33%
How does NDR work?
Most attacks involve some form of communication, typically starting in IT and propagating towards OT, making network monitoring crucial. NDR for OT extends network detection capabilities to OT environments, using deep traffic analysis to detect threats across IT, OT, and DMZ (Demilitarized Zone) networks.
The solution is fully agentless and passive, allowing critical networks to continue functioning undisturbed. Sensors are available as physical appliances and as virtual sensors for cloud platforms.
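To make the "deep traffic analysis" concrete, and to illustrate the segmentation point made earlier about flat OT networks, here is a worked example of the kind of logic a passive sensor runs over mirrored traffic. It is an added example written for this article, not NCC Group's product code. The zone address ranges, the engineering workstation address, and the sample packets are all hypothetical and constructed here; the Modbus/TCP framing (7-byte MBAP header followed by the PDU) is the real protocol layout.

```python
"""
Added example: a minimal, passive, zone-aware detector over Modbus/TCP traffic,
in the spirit of what an NDR sensor does on a SPAN/TAP feed. Not product code.
Zones, hosts and sample packets are hypothetical and constructed for the example.
"""
import ipaddress
import struct
from dataclasses import dataclass

# Hypothetical Purdue-style zone plan (constructed for this example).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("192.168.100.0/24"),
}
# Hypothetical: the only host permitted to write to PLCs.
ENGINEERING_WORKSTATIONS = {"192.168.100.10"}
MODBUS_PORT = 502
# Modbus function codes that change process state.
MODBUS_WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
                      15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or UNKNOWN if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_modbus(payload: bytes):
    """Parse a Modbus/TCP ADU: 7-byte MBAP header (tid, pid, length, unit id)
    followed by the PDU (function code + data). Returns None if malformed."""
    if len(payload) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0; length counts the unit id byte plus the PDU.
    if pid != 0 or length != len(payload) - 6:
        return None
    return {"transaction_id": tid, "unit_id": uid,
            "function": payload[7], "data": payload[8:]}


def analyse(packets):
    """Apply two rules passively: no direct IT->OT traffic, and PLC writes
    only from approved engineering workstations. Returns a list of alerts."""
    alerts = []
    for p in packets:
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        # Rule 1: IT hosts must reach OT via the DMZ, never directly.
        if src_zone == "IT" and dst_zone == "OT":
            alerts.append(("SEGMENTATION", p.src, p.dst, "direct IT->OT connection"))
        if p.dport != MODBUS_PORT:
            continue
        mb = parse_modbus(p.payload)
        if mb is None:
            alerts.append(("MALFORMED", p.src, p.dst, "invalid Modbus/TCP frame on tcp/502"))
            continue
        # Rule 2: state-changing function codes only from approved sources.
        if mb["function"] in MODBUS_WRITE_FUNCS and p.src not in ENGINEERING_WORKSTATIONS:
            alerts.append(("UNAUTHORISED_WRITE", p.src, p.dst,
                           f"{MODBUS_WRITE_FUNCS[mb['function']]} (fc {mb['function']}) "
                           f"unit {mb['unit_id']}"))
    return alerts


def modbus_frame(tid: int, unit: int, func: int, data: bytes) -> bytes:
    """Build a well-formed Modbus/TCP ADU for the constructed sample traffic."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic (hypothetical hosts).
SAMPLE = [
    # Engineering workstation reads holding registers (fc 3): benign.
    Packet("192.168.100.10", "192.168.100.50", 502, modbus_frame(1, 1, 3, b"\x00\x00\x00\x0a")),
    # Engineering workstation writes a register (fc 6): permitted.
    Packet("192.168.100.10", "192.168.100.50", 502, modbus_frame(2, 1, 6, b"\x00\x01\x00\xff")),
    # Another OT host writes multiple registers (fc 16): not permitted.
    Packet("192.168.100.20", "192.168.100.50", 502, modbus_frame(3, 1, 16, b"\x00\x00\x00\x01\x02\x00\x00")),
    # IT workstation talks straight to a PLC: segmentation breach.
    Packet("10.10.5.23", "192.168.100.50", 502, modbus_frame(4, 1, 3, b"\x00\x00\x00\x01")),
    # Truncated junk on tcp/502 from the DMZ: malformed frame.
    Packet("10.20.0.5", "192.168.100.50", 502, b"\x00\x01\x00\x05"),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

Run stand-alone, the script emits three alerts (an unauthorised write, a segmentation breach and a malformed frame) and stays silent on the two benign packets. The point of the example is that both rules are evaluated from a mirror of the traffic alone; nothing is injected into the OT network, which is why a passive sensor is acceptable on networks where active scanning or agents are not.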
What are the benefits of NDR?
- Provides visibility into both IT and OT networks, ensuring comprehensive threat detection.
- Full PCAP storage and flight recorder capabilities enable detailed forensic analysis and threat hunting, as well as better root-cause analysis in day-to-day Security Operations Centre (SOC) operations.
- Helps meet requirements set out in regulations and compliance frameworks (e.g., NIST, NIS2, IEC 62443) by providing a clear overview of OT assets and a means to control risk through 24/7 monitoring.
- The passive nature of the sensor allows seamless integration into existing IT and OT infrastructures without impact on the monitored systems. NCC Group offers a consultative approach to implementation, ensuring proper deployment and time for fine-tuning.
- Provides an overview of assets in both IT and OT spaces, helping organisations understand their risks for compliance and security purposes.
- Offers effective control for many identified risks.
Future outlook
The convergence of IT and OT is being propelled by innovative technologies and strategies, creating a more integrated and efficient operational environment. How this convergence is managed will be crucial for regulatory compliance, optimising security, and ensuring that downtime becomes a thing of the past.
As we look ahead, preparing for cyber security challenges is paramount. Here are three key tips to future-proof your OT cyber security strategy:
1. Stay Informed: Continuously monitor emerging threats and advancements in the OT space to stay ahead of potential risks.
2. Invest in integrated solutions: Allocate resources towards comprehensive IT/OT security solutions that address the evolving threat landscape.
3. Take proactive measures: Implement proactive security measures to mitigate potential threats before they become issues.
Security that meets the demands of tomorrow
To learn more about our NDR for OT solution, contact us to discuss your requirements with one of our experts.