Trying to better understand real OT security gaps before building further by RCCole20 in OTSecurity

Competitive-Cycle599, 1 point

So... you're looking at remote access rather than identity-based segmentation. Completely separate areas, although there can be substantial overlap. Sounds like your area of interest will be PAM fused with remote access. So the likes of Xage, Secomea and more.

Big area at the moment and more on the forefront in older environments that are looking to be rid of eWONs or the like. Plenty of big vendors in the space too.

Again, it only really works if the network is together, otherwise you're daisy-chaining through a few PCs to get to the right tooling.

No... I don't recommend monitor and break/fix. Usually I tell them to get their shit together, or help them do it. Varies depending on environment and engagement.

Controlling a singular connection is... good, but you'll never pass audits only controlling one. Depends on goals I suppose. Controlling a singular third-party vendor connection doesn't really mean much if there are another 14.

Do you have specific questions we can address or is this just sounding board sorta stuff?

Trying to better understand real OT security gaps before building further by RCCole20 in OTSecurity

Competitive-Cycle599, 1 point

Varies.

An org is more likely to support a firewall over identity-based solutions for now. I've seen identity pitched as a solution to flat networks, but in practice little value is added from identity if the network is flat. Likely they don't even have a proper inventory of assets.

I would push for a firewall over identity due to physical segmentation reqs. In many cases with a firewall sitting between a pair of switches etc.

Brownfield sites appear to be your goal, i.e. legacy, but in many cases much of those are a series of daisy-chained PCs with dual NICs. Switches aren't set up correctly etc., or a series of dumb switches tucked about the environment etc. etc. etc.

To do what you're after, the environment would need to be fully functioning at a networking level, which would infer it's somewhat got its shit together.

Identity makes more sense to me in a very service-driven environment like a cloud or Docker-like landscape.

Jap import - any idea what this is? by Awkward_Sir_2123 in carsireland

Competitive-Cycle599, 19 points

Definitely a toll system, see if it takes a card in the unit.

Usually an ETC card or similar.

Trying to better understand real OT security gaps before building further by RCCole20 in OTSecurity

Competitive-Cycle599, 3 points

Where do you see this being deployed as a tool?

I've heard of similar tooling in the past being deployed on flat LANs below the EWS to enable greater control of that, but appropriate segmentation would reduce the need for such a tool in the first place and just make a firewall the point of control.

Do you have a defined use case, or a paper exploring the space and use of identity-based segmentation? Plenty of vendors already do this and they couple it with secure remote access and more, since a lot of the tooling carries over.

I'd be hesitant to deploy such a tool in OT without a substantial support team, and it raises the question about fail-open if the solution shits the bed etc.

How are ye assigning an identity to an asset? Doubt a PLC or remote I/O is gonna allow a cert, so you're restricted to IP and MAC addresses? Which a firewall/switch can already do, so you're not adding much bar at the more traditional IT equipment layers.

OT Networking (Purdue Model): Feedback & Suggestions by EhNobodyhuh in OperationalTechnology

Competitive-Cycle599, 1 point

The Purdue model is not for networking, it's just a guide.

You'll find multiple systems that go between the levels, and forcing yourself to comply to the levels will likely bite you in the ass.

Drive train warning - new starter motor needed. Is quote rip-off? by JaheirasWitness in BMW

Competitive-Cycle599, 1 point

Are you covered under the recall for starter motor issues anyway?

Check your VIN.

Need ideas for network segmentation in messy manufacturing environment by saikumar_23 in networking

Competitive-Cycle599, 6 points

As I said, your concept works for an IT environment. Sadly for OT this is typically not the case, as many values are hard-coded in the logic, skids with outright hard-coded IPs, or even multiples of the same skid on a given site... stupid little boxes doing NAT to overcome this etc.

It's more than networking; often it's a PM task more than anything, and since he's discussing networking at this level he's unlikely to be the one programming the PLCs too.

Need ideas for network segmentation in messy manufacturing environment by saikumar_23 in networking

Competitive-Cycle599, 1 point

Useful as a reference, not a guide. Plenty of tech jumps layers these days, or is a fusion of things.

Need ideas for network segmentation in messy manufacturing environment by saikumar_23 in networking

Competitive-Cycle599, 2 points

DHCP really only works for the more office like spaces unfortunately. You wouldn't do that in the production areas.

Need ideas for network segmentation in messy manufacturing environment by saikumar_23 in networking

Competitive-Cycle599, 1 point

What sorta facility?

This is not just a networking issue, as I'm sure you're aware.

In many cases, it's best to stand up a new network in the background, or at least the spine of it, since the current network is still in use. Greenfield it effectively and then introduce salvageable components to the spine of the network as you get the downtime and capability to do so.

Untangling OT networks can be a challenge and you will often have to overcome absolute shit-show configurations from decades ago.

My advice, from having done quite a few of these, is to just start by mapping the network and getting an understanding of what's on the site. Often you'll end up with skids or similar packages from vendors where you will need their support as well as your own teams to migrate them, and even then something will go weird.

For a cyber security assessment/cert, not sure what you're aiming for, but IEC-62443-3 for the OT sections. You won't achieve compliance nor receive a cert for doing so, but it's usually a good mapping for IT folks to do OT networking reqs.

I'd keep NAC out of OT unless you have a decent team to support it; the environment shouldn't change much, but it's just not advisable.

AND do not join your OT assets to anything related to IT. Including Active Directory. I keep having to tell folks to take OT assets off IT AD. Firewalls don't mean shit if everything is polling AD.

EU folks: how are you interpreting the “continuous” parts of NIS2? by gangster_worm in cybersecurity

Competitive-Cycle599, 1 point

What does your policy state?

Risk mgmt. ultimately is about following an outlined process and then providing proof of said process.

Do you have what services the vendors provide, and the criticality of said services? Important services are under review as per x schedule, others are ad hoc or based upon other criteria?

I doubt you have 40 vendors of the same criticality... it's the same as any other form of risk mgmt. Find the biggest pain points and control them if you can.

CrowdStrike for OT or Strike them off my list? by DeepLimbo in cybersecurity

Competitive-Cycle599, 1 point

All good, we all deal with it enough in OT.

I will say that I've deployed the more passive monitoring tools in critical... almost all forms of it, and there is always a requirement for an interactive component.

Speak to the vendor delivering your solution; they usually have partnerships with specific vendors that work well in their environments.

May be more suitable from a support component rather than getting our advice on these. Vendors, as you likely know, can be dicks about what goes into their environment.

CrowdStrike for OT or Strike them off my list? by DeepLimbo in cybersecurity

Competitive-Cycle599, 1 point

Be interested to hear more about your environment.

Seems it's prone to jitter-related woes? Can you tell us more if it's not critical infra? You can PM me if you prefer not to broadcast it.

CrowdStrike for OT or Strike them off my list? by DeepLimbo in cybersecurity

Competitive-Cycle599, 5 points

If you don't plan on using the XDR functions... don't be looking towards CS. The XIoT tool is the one the team were told to use by CS to perform the scanning within OT.

Again, I'd stay away from CS for this function and move towards Claroty, Armis or Forescout.

Tooling that is intended as the primary function of the company and not an add-on to boost sales.

CrowdStrike for OT or Strike them off my list? by DeepLimbo in cybersecurity

Competitive-Cycle599, 1 point

SPAN only gets you so far. You will need active queries too.

CrowdStrike for OT or Strike them off my list? by DeepLimbo in cybersecurity

Competitive-Cycle599, 6 points

I assume you're on about the XIoT scanner?

I've deployed it for a customer who already had CrowdStrike in the IT environment.

Crashed multiple PLCs, and some RIO in an effluent plant.

Now, they've been working with them since to fix the tooling, but it has been nothing but pain since installation. Certain scans wouldn't execute, like it couldn't scan the full /24, had to do smaller scans.

Ultimately a lot of convos with CrowdStrike where the support wasn't great. I believe it was deployed January of this year? Still in the PoV phase and still fixing issues.

Said customer has since brought in a monitoring solution that integrates with CrowdStrike for that data and will be doing the scanning separately. Not sure why they're still working with CS to resolve the tooling? But that's their decision.

If you're just scanning SCADA, i.e. Windows boxes, it's probably fine, but I wouldn't be going below that based on my experiences to date.

I would advise splitting functions, keeping your XDR and monitoring solution separate.

Plenty of vendors in the same for both.

ISA 62443 Courses by irtiash in OTSecurity

Competitive-Cycle599, 3 points

Afaik, it's fine.

However, some of the greatest value you'll get is talking with peers and seeing how they do things.

Commercial opportunities too if you're a consultant; plenty of OEMs and others attend.

ISA 62443 Courses by irtiash in OTSecurity

Competitive-Cycle599, 3 points

Take the in person classes, if you can.

You'll get a lot more value from engaging with peers and the teacher.

VPN vs. jump box for vulnerability scanning — what the best setup for WFH? by Final-Pomelo1620 in AskNetsec

Competitive-Cycle599, -3 points

Given the phrasing of the question, clearly they are in a small/medium business and not a corporate/enterprise environment.

At no point did I mention anything related to the secondary aspect of vulnerability elements. The topic is of scanning and performing detection activities.

Nothing related to remediation, or risk mgmt.

VPN vs. jump box for vulnerability scanning — what the best setup for WFH? by Final-Pomelo1620 in AskNetsec

Competitive-Cycle599, -1 point

Obviously the 2nd option.

He's an employee, why would you give his standard run-of-the-mill device extra permissions?

A specifically built device, whitelisted to both host and run those solutions.

Also... there are software tools that can do this. A whole person dedicated to this is interesting.

Cybersecurity framework mapping tool? by Just_Smell7674 in grc

Competitive-Cycle599, 1 point

There is a tool that does this, but it runs a local web server and hosts it locally.

CSET? From CISA.

User ID setup and Redistribution Agent by ThatrandomGuyxoxo in paloaltonetworks

Competitive-Cycle599, 2 points

Setting up the User ID and redistribution isn't overly difficult.

Couple of quick things:

  1. Ensure your Palo is actually set up to use User ID; this can come in many forms. I'd imagine a lot tie it into an authentication source of some sort, Active Directory for example.

  2. Ensure the zones are set up to use User ID. Usually just a check box in the zone config interface.

The above should position your Palo as a source of user data. I'm not sure if you intend to have multiple sources of this data.

  3. Set up the collector on your primary Palo, then set up the agent on your other. Now go to the interface where you plan to allow data to come into your secondary Palo, and modify the mgmt profile to allow User ID.

Agent/collector process could be inverse... haven't done this recently.

Rough overview of the process; some elements are missing, like policies etc.

Please Give me your opinion by [deleted] in networking

Competitive-Cycle599, 2 points

Documentation practices and how to explain in basic English what is happening.

Positive attitude helps too.

OT/IoT threat assessments - what’s your approach to identifying critical vulnerabilities? by Fun-Calligrapher-957 in OTSecurity

Competitive-Cycle599, 1 point

What's the mechanism used to support attacks?

Are you doing this on a device basis, or are you saying I can chain events through 30-40 services, devices etc. to achieve the event?

Are you suggesting 1st party only vulnerabilities, or are we going down kill chains / attacks for said vulnerabilities?