Threat intelligence for operational technology (OT) environments differs from traditional IT threat intelligence. OT threat intelligence requires contextual, situational awareness: not only which vulnerabilities and anomalies exist, but which assets, in what part of the process, are exposed, and what the safety and operational consequences would be if they were exploited. This context lets security teams prioritize risk mitigation by real-world impact rather than theoretical severity.
Vulnerability Management
Risk Management
Operational Technology
Operational Resilience
Cyber Resilience

Why Traditional Threat Intelligence Falls Short For Operational Technology

George V. Hulme
Aug 13, 2025

The Russian-Ukrainian war has put the security of operational technology (OT) and industrial control systems (ICS) front and center. Examples include the FrostyGoop malware attack that disrupted heating to more than 600 apartment buildings in Lviv during sub-zero temperatures, and the Fuxnet malware campaign that disabled thousands of sensors in Russia's municipal gas, water, and sewage networks, destroying gateway devices and crippling communications.

Such OT attacks were once rare. Notable cases such as Stuxnet, which targeted Iranian uranium-enrichment centrifuges, existed but remained outliers. Today they are becoming a standard tool in the arsenals of threat actors and nation-states, and asset operators must develop focused threat intelligence to ensure the resilience of their infrastructure.

The Shortcomings of Traditional Threat Intelligence

Standard threat intelligence feeds, while invaluable for defending corporate networks, are often insufficient for OT. Tools built around conventional malware signatures, botnet infrastructure, or phishing lures simply do not understand the specialized and often decades-old protocols, such as Modbus and DNP3 (Distributed Network Protocol 3, widely used by utilities), or the proprietary vendor software that dominate OT environments. An indicator feed with no concept of a Modbus write or a DNP3 control command cannot tell a routine setpoint change from sabotage.

"The big difference is that in [traditional] threat intelligence, it is centered around protecting one's data and protecting networks from threats. The thing you have to realize with OT is that the stakes are physical. A compromised OT network can cause safety issues. It can cause downtime in production, and could even bring down critical infrastructure," says Andrew Clopton, senior security engineer, operational technology at GuidePoint Security.

Legacy OT assets often cannot be scanned or patched on a regular cadence; what is routine in IT is sometimes dangerous or impossible in OT. Many systems receive updates only during rare, tightly scheduled outages, and even then a change can break compatibility or interrupt a continuous process. Applying generic IT threat intelligence that is not contextually relevant to these mission-critical assets can lead to missed threats or, worse, to outages caused by the response itself (an ill-timed active scan of a fragile controller is the classic example).

Moreover, recent years have seen a marked rise in OT-specific malware: tools such as Triton (also known as Trisis), which targeted safety instrumented systems, Industroyer, which spoke grid protocols directly, and a newer wave of custom malware aimed at industrial protocols and devices. These threats are engineered to manipulate or sabotage physical processes, and their techniques fly below the radar of IT-centric security tools.

Modern OT Threat Intelligence: What's Needed

Clopton said that practical threat intelligence for OT environments differs in essential ways from threat intelligence for traditional IT. OT-oriented threat intelligence must focus on the operational and safety context of threats. "It's about stopping process disruption, equipment damage, and loss of a safe state," Clopton said.

Yet, similarities do remain. "When it comes to threat intelligence, you're using a lot of the same tools to gather and manage threat intelligence for both environments, but you must apply it smartly, because you have to protect the most critical parts of your environment," Clopton said.

That means OT threat intelligence must provide situational awareness: vulnerability alerts that identify not only whether a critical bug exists, but which assets, and in what part of the process, are exposed—and what the operational consequences would be if exploited. This context enables security teams to prioritize risk mitigation according to real-world impact rather than theoretical severity.

To be effective, organizations need clear visibility into and an understanding of their assets, the security controls in place, and actionable intelligence on who may be targeting those assets and why. Frameworks such as MITRE ATT&CK for ICS give security teams mappings of the specific adversary tactics, techniques, and procedures (TTPs) used against industrial devices. Coupled with the context of existing assets and security posture, MITRE ATT&CK for ICS lets defenders see which devices are likely targets, how threat actors might move within the OT environment, and which mitigations are necessary and feasible.

Here's how to put OT threat intelligence to practical use:

  • Baseline assets: Start by conducting a comprehensive asset discovery and inventory of all OT devices, systems, and network boundaries to understand your environment before applying threat intelligence.

  • Map to MITRE ATT&CK for ICS: Use the ICS-specific framework to categorize threats according to industrial control system tactics, techniques, and procedures rather than generic IT frameworks.

  • Contextual analysis: Apply threat intelligence with operational context and understand how threats specifically impact industrial processes, safety systems, and physical operations rather than just digital assets.

  • Risk-based prioritization: Focus on threats that could disrupt critical processes, cause safety incidents, or impact production operations rather than generic cyber threats.

  • Operational integration: Involve plant engineers and operators in threat assessment workshops since they understand system vulnerabilities and attack pathways better than IT teams alone.

  • Continuous monitoring: Implement passive, real-time network monitoring (from a tap or SPAN port, not by actively probing controllers) that understands OT protocols (Modbus, DNP3, EtherNet/IP) and industrial communication patterns.

  • Threat hunting: Conduct proactive hunting using OT-specific indicators and behavioral baselines rather than traditional IT-focused hunt methodologies.
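The steps above, worked through on constructed Modbus/TCP traffic as an added example (illustrative code written for this page, not code from the article, GuidePoint Security, or any vendor): a small asset inventory that carries process context, a per-conversation baseline of the function codes normally seen, a minimal MBAP parser, and a scorer that rates each request both by whether it deviates from baseline and by what the target asset controls. The addresses, asset names, baseline, and packets are all hypothetical; the MBAP layout and function codes follow the public Modbus specification, and the two ATT&CK for ICS technique IDs are the mapping a practitioner would assign to the behaviours detected, not something taken from the article.

```python
"""Context-aware detection over Modbus/TCP: baseline deviation scored by consequence.

Constructed, hypothetical inventory, baseline and packets (not from the article).
MBAP layout and function codes follow the public Modbus/TCP specification.
"""
import struct

# Modbus function codes (public Modbus spec)
READ_FUNCS = {1, 2, 3, 4}            # read coils / discrete inputs / holding / input registers
WRITE_FUNCS = {5, 6, 15, 16, 23}     # write coil(s) / register(s), read-write registers
DIAG_FC = 8                          # Diagnostics
FORCE_LISTEN_ONLY = 0x0004           # Diagnostics sub-function: Force Listen Only Mode

# Constructed asset inventory carrying process context (hypothetical plant).
ASSETS = {
    "10.1.5.20": {"name": "PLC-BOILER-01", "zone": "boiler control",
                  "safety_critical": True,
                  "consequence": "loss of heating; burner interlock bypass"},
    "10.1.5.30": {"name": "PLC-PUMP-02", "zone": "condensate pump skid",
                  "safety_critical": False,
                  "consequence": "pump stoppage, recoverable"},
}

# Behavioural baseline learned from a quiet observation window (constructed):
# (master, outstation) -> function codes normally seen on that conversation.
BASELINE = {
    ("10.1.5.10", "10.1.5.20"): {3, 16},   # HMI polls and writes setpoints
    ("10.1.5.10", "10.1.5.30"): {3},       # HMI only reads the pump skid
}


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP request: MBAP header (tid, proto=0, length, unit) + PDU."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(frame: bytes):
    """Decode the MBAP header and function code; return None for malformed frames."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:   # length field covers unit id + PDU
        return None
    data = frame[8:]
    msg = {"tid": tid, "unit": unit, "fc": frame[7], "data": data}
    if msg["fc"] in WRITE_FUNCS and len(data) >= 2:
        msg["address"] = struct.unpack(">H", data[:2])[0]      # target coil/register
    if msg["fc"] == DIAG_FC and len(data) >= 2:
        msg["subfunction"] = struct.unpack(">H", data[:2])[0]
    return msg


def assess(src: str, dst: str, frame: bytes) -> dict:
    """Score one request by baseline deviation *and* the consequence for the target asset."""
    asset = ASSETS.get(dst, {"name": dst, "zone": "unknown", "safety_critical": False,
                             "consequence": "unknown asset; inventory gap"})
    msg = parse_frame(frame)
    if msg is None:
        return {"asset": asset["name"], "zone": asset["zone"], "severity": "medium",
                "technique": None, "reason": "malformed Modbus/TCP frame",
                "consequence": asset["consequence"]}

    allowed = BASELINE.get((src, dst))
    new_master = allowed is None
    off_baseline = new_master or msg["fc"] not in allowed
    is_write = msg["fc"] in WRITE_FUNCS
    listen_only = msg["fc"] == DIAG_FC and msg.get("subfunction") == FORCE_LISTEN_ONLY

    technique, reason = None, "within baseline"
    if listen_only:
        technique = "T0814 Denial of Service"
        reason = "Force Listen Only Mode would silence the outstation"
    elif is_write and off_baseline:
        technique = "T0855 Unauthorized Command Message"
        reason = f"write FC {msg['fc']} to address {msg.get('address')} outside baseline"
    elif off_baseline:
        reason = "unexpected master" if new_master else f"FC {msg['fc']} outside baseline"

    # Severity follows consequence, not the anomaly alone: the same write to a
    # non-safety pump skid and to a boiler controller are not equal.
    if technique and asset["safety_critical"]:
        severity = "critical"
    elif technique:
        severity = "high"
    elif off_baseline:
        severity = "medium"
    else:
        severity = "low"
    return {"asset": asset["name"], "zone": asset["zone"], "severity": severity,
            "technique": technique, "reason": reason, "consequence": asset["consequence"]}


# Constructed traffic sample: (source, destination, frame).
SAMPLE = [
    ("10.1.5.10", "10.1.5.20", build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),             # routine poll
    ("10.1.5.10", "10.1.5.30", build_frame(2, 1, 16, b"\x00\x10\x00\x01\x02\x00\x00")),  # HMI writes to pump skid
    ("10.1.7.99", "10.1.5.20", build_frame(3, 1, 6, b"\x00\x20\x00\x00")),             # unknown host writes setpoint
    ("10.1.7.99", "10.1.5.20", build_frame(4, 1, 8, b"\x00\x04\x00\x00")),             # Force Listen Only Mode
    ("10.1.7.99", "10.1.5.20", b"\x00\x05\x00\x01\x00\x02\x01"),                       # truncated frame
]


def run(sample=SAMPLE):
    return [assess(src, dst, frame) for src, dst, frame in sample]


if __name__ == "__main__":
    for r in run():
        print(f"{r['severity']:8} {r['asset']:14} {r['technique'] or '-':34} {r['reason']}")
```

Note the second and third packets: both are writes outside the baseline, yet the one aimed at the pump skid rates high while the one aimed at the boiler controller rates critical, because the inventory says what each device controls. That is the difference between a generic anomaly alert and OT threat intelligence. In production the baseline would be learned from a tap or SPAN feed over a representative window, never by probing the controllers.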

The Integration Imperative: Bridging IT and OT Security Teams

Due to the deepening convergence of IT and OT environments, the biggest hurdle to success often isn't processes or tool deployment: it's organizational. That's because, traditionally, IT and OT teams have worked in silos, with different tools, expertise, and goals. With all of this fragmentation, critical intelligence easily falls through the cracks.

Nigel Gibbons, director and senior adviser, global cloud security services at NCC Group, noted that direct device monitoring can be difficult in OT environments. He stressed the importance of using cloud-based threat intelligence and customizing monitoring for OT, as well as the need for indirect monitoring approaches where direct device monitoring isn't feasible.

"In OT environments, because network segmentation is the key order of the day, you segment and you monitor those networks, and where you can't directly monitor the OT devices, there are ways of monitoring the environment to get proper feedback about what's happening, what the threat tolerances are of those devices, if there's an attack underway or anything suspicious that may be worth investigating," said Gibbons.

Many of these trends are why organizations are now developing unified security operations centers (SOCs) that blend both IT and OT visibility. Their teams include both digital security experts and OT engineers, enabling them to assess threats in terms of both cyber and operational risk. In these converged SOCs, threat intelligence isn't just collected—it's translated into concrete risk reduction for both environments.

Integration extends beyond technology. Security teams must create joint playbooks that reflect both incident response best practices and the operational constraints of industrial environments. Regular cross-training and "tabletop" exercises help foster understanding: IT professionals learn about operational dependencies and physical consequences, while OT engineers gain exposure to modern threat indicators and response workflows.

Communication and trust are essential. Sharing intelligence between teams requires a common language, not only for technical terms but also for risk and impact. Shared metrics, such as mean time to recovery for operational incidents alongside traditional IT detection metrics, can help align incentives. Here's how to integrate IT and OT threat intelligence:

  • Find convergence points: Integrate when IT and OT networks are connected, during digital transformation initiatives, or when implementing Industrial IoT devices.

  • Unify SOC development: Create converged security operations centers that blend IT and OT visibility for comprehensive threat detection and response.

  • Cross-training programs: Establish joint training where IT teams learn industrial processes and OT teams understand cyber threats and security frameworks.

  • Shared threat models: Develop unified threat models that account for attack paths moving from IT to OT networks and vice versa.

  • Common communication protocols: Use standardized threat intelligence formats (STIX/TAXII) that both IT and OT teams can consume and share.

  • Incident response coordination: Create joint playbooks that address incidents affecting both environments, with clear escalation procedures and communication channels.

  • Risk assessment alignment: Conduct integrated risk assessments that consider both cyber and operational/safety risks in a unified framework.

  • Regular joint exercises: Perform tabletop exercises and simulations that test both IT and OT response capabilities simultaneously.
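The STIX/TAXII item above, worked through as an added example that is not from the article or from NCC Group: the IT SOC packages a sighting as a STIX 2.1 indicator linked by an "indicates" relationship to an attack-pattern object that references an ATT&CK for ICS technique, attaching the plant context in custom properties, and the OT team validates the bundle structurally and reduces it to a ticket whose priority depends on whether the named asset exists in its own inventory and is safety-critical. All addresses, names, and timestamps are constructed; the x_ot_* property names are a hypothetical convention for this example (STIX 2.1 only reserves the x_ prefix for custom properties), and the bundle is built with the standard library rather than the stix2 package so it runs anywhere.

```python
"""STIX 2.1 bundle carrying OT context, plus the consumer-side checks an OT team runs.

Constructed example: all addresses, names and timestamps are hypothetical, and the
x_ot_* custom properties are a convention invented for this page, not part of STIX.
"""
import json
import re
import uuid

STIX_TS = "2025-08-13T12:00:00.000Z"   # constructed timestamp

# Constructed OT asset record (hypothetical plant); the OT inventory is keyed by name.
SAMPLE_ASSET = {"name": "PLC-BOILER-01", "zone": "boiler control",
                "safety_critical": True,
                "consequence": "loss of heating; burner interlock bypass"}

# STIX identifier shape: <type>--<UUID>
ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def stix_id(stix_type: str) -> str:
    return f"{stix_type}--{uuid.uuid4()}"


def make_bundle(src_ip, dst_ip, technique_id, technique_name, asset):
    """Producer side (IT SOC): indicator --indicates--> attack-pattern, with OT context."""
    common = {"spec_version": "2.1", "created": STIX_TS, "modified": STIX_TS}
    indicator = {
        "type": "indicator", "id": stix_id("indicator"), **common,
        "name": f"Unexpected Modbus/TCP client talking to {asset['name']}",
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix", "valid_from": STIX_TS,
        "pattern": (f"[network-traffic:src_ref.value = '{src_ip}' AND "
                    f"network-traffic:dst_ref.value = '{dst_ip}' AND "
                    f"network-traffic:dst_port = 502]"),
        # Custom properties (x_ prefix, per STIX 2.1) carry what the OT team needs.
        "x_ot_asset": asset["name"],
        "x_ot_zone": asset["zone"],
        "x_ot_consequence": asset["consequence"],
    }
    attack_pattern = {
        "type": "attack-pattern", "id": stix_id("attack-pattern"), **common,
        "name": technique_name,
        "external_references": [{"source_name": "mitre-ics-attack",
                                 "external_id": technique_id}],
    }
    relationship = {
        "type": "relationship", "id": stix_id("relationship"), **common,
        "relationship_type": "indicates",
        "source_ref": indicator["id"], "target_ref": attack_pattern["id"],
    }
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [indicator, attack_pattern, relationship]}


def validate(bundle):
    """Structural checks to run before trusting a bundle; returns a list of problems."""
    problems = []
    objects = bundle.get("objects", [])
    ids = {o["id"] for o in objects if "id" in o}
    for o in objects:
        label = o.get("id", "?")
        for key in ("type", "spec_version", "id", "created", "modified"):
            if key not in o:
                problems.append(f"{label}: missing {key}")
        if "id" in o and not ID_RE.match(o["id"]):
            problems.append(f"{label}: malformed id")
        if o.get("type") == "indicator":
            for key in ("pattern", "pattern_type", "valid_from"):
                if key not in o:
                    problems.append(f"{label}: indicator missing {key}")
        if o.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if o.get(ref) not in ids:
                    problems.append(f"{label}: dangling {ref}")
    return problems


def to_ot_ticket(bundle, inventory):
    """Consumer side (OT team): reduce the bundle to technique, asset, consequence, priority."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    ticket = {"techniques": [], "asset": None, "consequence": None, "priority": "triage"}
    for o in bundle["objects"]:
        if o["type"] != "relationship" or o.get("relationship_type") != "indicates":
            continue
        indicator, attack = by_id[o["source_ref"]], by_id[o["target_ref"]]
        ticket["techniques"] += [r["external_id"] for r in attack.get("external_references", [])
                                 if r.get("source_name") == "mitre-ics-attack"]
        ticket["pattern"] = indicator["pattern"]
        name = indicator.get("x_ot_asset")
        ticket["asset"], ticket["consequence"] = name, indicator.get("x_ot_consequence")
        if name not in inventory:
            ticket["priority"] = "verify inventory first"   # never act on a device you cannot place in the process
        elif inventory[name]["safety_critical"]:
            ticket["priority"] = "critical"
        else:
            ticket["priority"] = "high"
    return ticket


if __name__ == "__main__":
    bundle = make_bundle("10.1.7.99", "10.1.5.20", "T0855",
                         "Unauthorized Command Message", SAMPLE_ASSET)
    print(json.dumps(bundle, indent=2))
    print(validate(bundle))
    print(to_ot_ticket(bundle, {SAMPLE_ASSET["name"]: SAMPLE_ASSET}))
```

The "verify inventory first" branch is the practical caveat: a bundle that names an asset the OT team cannot find in its own inventory is a signal that the asset baseline (the first step in the previous section) is incomplete, and that gap gets closed before anyone touches a controller on the strength of a feed entry.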

As critical infrastructure becomes increasingly digitized and interconnected, robust, operationally relevant threat intelligence is becoming non-negotiable. "It comes down to examining your environment and then using targeted threat intel to identify threat actors that are actively exploiting other organizations in your industry. You have to be on top of that. That has to be one of the most proactive things you can do to stay on top of a threat environment that's constantly changing," concluded Clopton.

George V. Hulme

George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
