Visibility is the Foundation of OT Security


November 18, 2025

From Blind Spots to Resilience: Why Visibility Is the Foundation of OT Security

This article has been authored by Sumit Janmejai, Sr. Manager OT Security, Kroll

In today’s industrial environments, the single biggest barrier to securing operations is not technology, not budget, not even talent: it’s visibility. You cannot protect what you cannot see.

In Operational Technology (OT), visibility has two dimensions:

  • Asset Visibility: Knowing what devices exist, their vendor and make, firmware or patch level, configuration state and known vulnerabilities. This is the baseline for asset inventory, vulnerability management and configuration control.
  • Communication Visibility: Understanding how those assets connect to each other, which protocols they use, how often they communicate and the dependencies between them. This is what makes segmentation and segregation possible, arguably the most important control in OT security.

Without this combined view, organizations are left guessing where their crown jewels sit, how traffic flows across the environment and where vulnerabilities or attack paths may hide.

Our recent field work reinforces this: across energy, manufacturing and utilities, limited visibility into assets and networks was consistently cited as the number one deterrent to effective OT security. This is not just a technical gap; it’s a business risk. Blind spots create unmitigated vulnerabilities, regulatory pressure and exposure to threats that can disrupt safety and reliability.


Real-World Case Example: Lessons From the Energy Sector

Earlier this year, Kroll led a risk assessment for a renewable energy operator managing more than 30 solar farms in North America. The findings mirror challenges we frequently observe across industrial sectors.

The organization had made some sound design choices:

  • Each farm’s network was isolated from the others, reducing the risk of a single compromise cascading across multiple farms. These farms were unmanned and standalone, with no direct corporate IT connection into the OT network, limiting enterprise-to-OT attack paths.
  • Remote employees and vendor staff used a privileged access solution rather than a traditional VPN, with benefits including:
    1. Certificate-based authentication instead of passwords
    2. Authentication logging and session recording for accountability
    3. Just-enough access: connectivity bound to specific target systems, not broad networks

However, despite these strengths, the assessment uncovered serious weaknesses:

  • Visibility Gaps: There was no centralised inventory or telemetry. Operators couldn’t easily identify all devices, their patch levels or configurations. Communication patterns between critical assets like Real-Time Automation Controllers (RTACs), inverters and MET stations were undocumented, making segmentation/tiered zoning difficult.
  • Weak Monitoring: Without deep packet inspection, protocol-aware analysis or behavioural baselining, the SOC was effectively blind to lateral movement, rogue commands or misconfigurations.
  • Under-Leveraged Controls: Strong technologies for access control existed, but they weren’t integrated into incident response or monitoring workflows, limiting their effectiveness.

Segmentation/Tiered Zoning

Segmentation/tiered zoning is where monitoring-only devices, low-impact sensors and peripheral equipment are logically isolated from core control systems. Such a zoned architecture prevents attackers from using less-protected assets as stepping stones towards ‘crown jewel’ systems, which in this case were the RTAC and inverter controllers. Access between zones should be strictly filtered and monitored: for example, telemetry may flow from low-value devices into a historian, but direct peer-to-peer access into control zones should be denied.
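As an added illustration (not part of the original article), here is the zoning rule above expressed as a check over observed flows, which is exactly the data that communication visibility provides: the zone ranges, the allowed-flow table and the sample flows are all constructed for the example.

```python
import ipaddress

# Zones modelled on the article's tiered design: peripheral/monitoring-only
# devices, a historian that collects telemetry, and the control zone holding
# the RTACs and inverter controllers. All address ranges are constructed.
ZONES = {
    "peripheral": ipaddress.ip_network("10.10.1.0/24"),  # MET stations, sensors
    "historian": ipaddress.ip_network("10.10.2.0/24"),
    "control": ipaddress.ip_network("10.10.3.0/24"),     # RTACs, inverter controllers
}

# Permitted inter-zone flows as (source zone, destination zone, TCP port).
# Anything not listed is a violation: the policy defaults to deny, so a
# peripheral device talking straight into the control zone is flagged.
ALLOWED = {
    ("peripheral", "historian", 502),  # telemetry (Modbus/TCP) into the historian
    ("control", "historian", 502),     # controller telemetry into the historian
}

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def audit_flows(flows):
    """Return observed (src, dst, port) flows that break the zoning policy.

    Traffic staying inside one known zone is accepted; cross-zone traffic must
    appear in ALLOWED; an endpoint outside every zone is a visibility gap."""
    violations = []
    for src, dst, port in flows:
        s, d = zone_of(src), zone_of(dst)
        if "unknown" in (s, d) or (s != d and (s, d, port) not in ALLOWED):
            violations.append((src, dst, port, s, d))
    return violations

# Constructed sample flows, as a passive sensor might report them.
SAMPLE_FLOWS = [
    ("10.10.1.15", "10.10.2.10", 502),    # MET station -> historian: allowed
    ("10.10.1.15", "10.10.3.5", 502),     # MET station -> RTAC: peer-to-peer into control
    ("10.10.3.5", "10.10.3.6", 20000),    # RTAC -> inverter controller, same zone
    ("10.10.2.10", "10.10.3.5", 22),      # historian -> RTAC over SSH: not in policy
    ("10.10.9.40", "10.10.3.5", 502),     # device not in any known zone
]

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print("policy violation:", v)
```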

Another important finding came when an industrial intrusion detection system (IDS) was deployed. Within hours it flagged repeated connection attempts from known malicious IP addresses scanning for open services. In this case, the OT environment had SSH exposed to the internet. Bots were actively attempting to establish connections.

Fortunately, SSH was configured to use certificate-based authentication rather than passwords, so the brute-force attempts failed. But the exposure still represented unnecessary risk. Restricting SSH to trusted, whitelisted IP addresses would have eliminated this attack surface altogether.

This observation underlined a critical point: adversaries are always probing for entry points and exploiting weak gates. Even when strong authentication is in place, unnecessary exposure expands the attack surface and creates opportunities for compromise.
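As an added example (not from the article or the engagement it describes), this is what the IDS finding looks like in a defender's own log review: it parses constructed OpenSSH log lines and reports every source that reached authentication but sits outside a trusted-source allowlist, i.e. the connections a perimeter allowlist would have dropped before sshd ever saw them. The addresses, hostname and log-line pattern are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Sources that legitimately reach the SSH host: the privileged-access broker's
# egress address and an operator management range. Both are constructed.
TRUSTED_SOURCES = [
    ipaddress.ip_network("203.0.113.10/32"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Pulls the peer address out of OpenSSH auth-log lines for failed and
# successful attempts. The line shapes below are typical of OpenSSH but the
# pattern is an assumption; adjust it to the deployed sshd version's wording.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Connection closed by authenticating user|Invalid user|"
    r"Accepted publickey for) \S+ (?:from )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log: a bot cycling usernames from two internet sources,
# plus one legitimate key-based login from the access broker.
SAMPLE_LOG = """\
Nov 18 02:11:03 jump sshd[4121]: Connection closed by authenticating user root 198.51.100.23 port 51122 [preauth]
Nov 18 02:11:05 jump sshd[4123]: Connection closed by authenticating user admin 198.51.100.23 port 51130 [preauth]
Nov 18 02:11:09 jump sshd[4130]: Invalid user pi from 198.51.100.77 port 40012
Nov 18 02:12:40 jump sshd[4140]: Accepted publickey for ops from 203.0.113.10 port 61000 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Nov 18 02:13:01 jump sshd[4150]: Connection closed by authenticating user root 198.51.100.23 port 51140 [preauth]
"""

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SOURCES)

def untrusted_ssh_sources(log_text):
    """Return {source_ip: attempts} for peers outside the allowlist.

    Every entry reached authentication at all; with a perimeter allowlist in
    front of sshd these sources would never get that far."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and not is_trusted(m.group("ip")):
            hits[m.group("ip")] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, n in untrusted_ssh_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} attempt(s) from outside the allowlist")
```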

The outcome was clear: the operator was running critical renewable energy assets with some sound design foundations but without the visibility and monitoring needed to assure resilience. In practice, this meant that while remote access was well controlled, the day-to-day state of assets and their interconnections, and their exposure to the outside world, remained opaque.


Industry Trends and Perceptions

Last month Kroll gathered responses from security and operations leaders across multiple sectors, giving us a cross-industry view of how visibility, or the lack of it, continues to shape OT security maturity. We learnt that:

  • Limited visibility remains the top challenge across sectors.
  • Vulnerability management is fragmented: patching is often left to vendors or handled inconsistently.
  • Monitoring is underdeveloped: SOC teams strong in IT often lack the tools or baselines for OT.
  • Segregation and segmentation are recognised as vital, but without communication visibility, they are difficult to implement.

The Four Building Blocks of OT Cyber Resilience

True OT resilience rests on four interconnected building blocks:

Asset Visibility and Network Mapping

Resilience begins with knowing what you have, and how it behaves. Without it, segmentation and vulnerability management become guesswork. In the solar farm case, the absence of this clarity meant operators couldn’t confidently design controls or prioritize risks.

Vulnerability Identification and Prioritization

Not every vulnerability matters equally in OT, and honestly, not much could be done about many of the discovered vulnerabilities. The key is prioritization:

  • Combine exploitability, asset criticality and operational impact to decide what gets fixed first.
  • Informal patching, as seen in the energy case, left high-risk exposures mixed with low-impact technical debt. Structured vulnerability management ensures limited resources are focused where they have the greatest effect.

Continuous Monitoring and Threat Detection

Point-in-time assessments are no match for today’s dynamic OT networks.

  • Deep packet inspection, protocol-aware analysis and behavioural baselining provide the early-warning system to spot lateral movement or rogue commands.
  • Integration with SOC workflows ensures anomalies are acted on in time. In our case study, secure entry points existed, but without monitoring inside the network, assurance was incomplete.

Governance and Integration of Controls

Technology alone cannot deliver resilience. Strong foundations like certificate-based authentication and session recording become far more effective when embedded in broader governance.

  • Policies must guide asset onboarding, patching and monitoring.
  • Access controls must be tied into incident response.
  • Change management must be systematic, not ad hoc.

Together, these four building blocks create a layered defence. Weakness in one undermines the others.


From Visibility to Resilience: A Path Forward

The path forward is clear: visibility must evolve from a static inventory into a continuous capability that drives resilience, which essentially means:

  • Hybrid Asset Discovery: Combine passive monitoring with OT-safe polling and selective endpoint insights for the most complete and accurate picture.
  • Risk-Based Vulnerability Management: Focus scarce resources on vulnerabilities that are exploitable and critical to operations.
  • Continuous Monitoring: Build the early-warning system through protocol-aware inspection and behavioural baselining.
  • Integrated Governance: Ensure policies and workflows connect controls, so investments reinforce one another.

Resilient OT security is not built on isolated technologies. It’s built on the ability to see clearly across the environment – what assets exist, how they connect and how they change over time. When visibility becomes a baseline expectation, resilience follows.
