Cyber Intelligence in OT: staying ahead of the attack

November 20, 2025

This article is part of the series "Evolving OT Cyber Security: from diagnostics to risk anticipation", where we explore how organisations can move from assessment to action in the field of industrial cyber security.

In previous instalments we examined the importance of conducting a comprehensive assessment of the OT cyber security landscape as a necessary step to define a strategy aligned with the risks specific to each industrial environment. In this new article, we focus on cyber intelligence applied to OT and how to anticipate threats, addressing the transition from a reactive to a preventive and strategic approach to protecting critical infrastructure.

______

The recent acceleration of industrial digitalisation and the convergence of IT and OT environments have transformed the way industrial infrastructure is managed. However, these changes have also significantly expanded the attack surface, exposing industrial systems, designed primarily for availability rather than for security, to a greater number of threats. That is why anticipating an industrial cyberattack has become a strategic imperative. Applying cyber intelligence to OT environments enables the shift from a traditionally reactive model to a preventive one.

Why anticipation is critical in industrial environments

It is well known that cyberattacks targeting industrial control systems can not only disrupt production but also cause physical harm to people, economic loss and reputational damage.

Anticipating cyberattacks in these environments is also driven by regulation and by standards such as ISA/IEC 62443 and NIST SP 800-82.

The former establishes a comprehensive framework for protecting industrial automation and control systems (IACS), defining technical and organisational requirements across the full lifecycle, from secure design to incident management. Complying with IEC 62443 not only helps reduce the likelihood of a successful attack, but also builds resilience against persistent threats.

NIST SP 800-82 complements this framework with a strong focus on the operational constraints of ICS, SCADA and PLC systems: high availability, minimal tolerance for downtime, and physical safety.

To achieve this level of anticipation, the following must be considered:

  • Early detection of adversary TTPs (tactics, techniques and procedures) before an intrusion reaches operational systems.
  • Predictive analysis to identify campaigns targeting specific sectors.
  • Integration of intelligence into platforms such as SIEM, SOAR and TIP to automate the response to security incidents.

Adopting these practices, together with recommendations from industry standards, enables organisations to achieve early identification of vulnerabilities and implement preventive measures across critical processes.


Cyber intelligence beyond monitoring

Traditionally, we have been accustomed to a SOC that detects an alert and responds to it. To stay ahead, a dedicated cyber intelligence unit must go further, anticipating such alerts before the attack unfolds. This requires:

  • Data collection from sources such as OSINT and the dark web to identify mentions of the organisation, data leaks and emerging threats.
  • Threat modelling using frameworks such as MITRE ATT&CK (including its ICS matrix) and the Cyber Kill Chain.
  • Use of threat feeds to improve proactive detection in SIEM and XDR.
  • Risk scoring to prioritise threats by technical and financial impact.

It is important to note that this kind of anticipation is not achieved through processes and procedures alone; it also requires purpose-built tools for OT environments, under what is known as Deception Technology:

  • Aristeo, a network of decoy probes developed by Telefónica Tech, and the Deception as a Service (DaaS) offering use decoys based on real industrial hardware or virtualised components. Exposed to the internet, these decoys imitate industrial devices such as PLCs, SCADA servers and HMIs to attract attackers and capture their activity.

    The information collected is then processed and shared in standard formats with TIPs (Threat Intelligence Platforms), SIEMs, SOARs and SOCs, as well as with security controls such as firewalls, to automate responses and block malicious interactions.
  • IoC feeds and TIP orchestration: Indicators of Compromise (IoCs) such as malicious domains, IP addresses and file hashes can be blocked directly. Feeding them into a TIP enables correlation of data from multiple sources, enriching incident response and reducing Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).

The key to anticipating threats lies in the intelligent automation of the response. When IoCs generated by Aristeo or the Deception as a Service platform are integrated into a TIP, each resulting alert triggers a coordinated action: from updating firewall blocklists to activating playbooks in SOAR platforms.

This orchestration drastically reduces exposure time to attacks, preventing threat actors from exploiting windows of opportunity—and turning every intrusion attempt into a source of insight. In this way, anticipation becomes a tangible practice that reinforces resilience in OT environments.
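As an added example of the pipeline described in this section, and of the risk scoring and ATT&CK mapping listed earlier, the following Python (standard library only) is not Aristeo's or Telefónica Tech's code and does not use their real export format. The decoy interaction records are constructed inline; the mapping of Modbus function codes to MITRE ATT&CK for ICS techniques and the scoring weights are assumptions made for illustration; the STIX 2.1 Indicator objects stand in for the "standard format" a TIP would ingest; and the nftables table and set names in the generated rules are hypothetical.

```python
"""Decoy events -> ATT&CK for ICS mapping -> risk score -> STIX 2.1 indicators -> firewall blocklist.

Added illustration, not Aristeo/Telefónica Tech code. Event format, technique mapping,
scoring weights and firewall object names are assumptions.
"""
import json
import uuid
from collections import defaultdict
from datetime import datetime, timezone

# Standard Modbus function codes: 1-4 are reads, 43 is device identification, 5/6/15/16 are writes.
MODBUS_READ_FCS = {1, 2, 3, 4, 43}
MODBUS_WRITE_FCS = {5, 6, 15, 16}

# Assumed base severity per ATT&CK for ICS technique:
# T0846 Remote System Discovery, T0855 Unauthorized Command Message.
SEVERITY = {"T0846": 20, "T0855": 80}

# Constructed sample of decoy interactions (not real Aristeo output). Two sources:
# one only scans/reads, the other issues Modbus writes to the decoy PLC.
SAMPLE_EVENTS = [
    {"ts": "2025-11-20T08:00:01Z", "decoy": "plc-01", "src_ip": "198.51.100.7", "dst_port": 502, "fc": 43},
    {"ts": "2025-11-20T08:00:02Z", "decoy": "plc-02", "src_ip": "198.51.100.7", "dst_port": 502, "fc": 3},
    {"ts": "2025-11-20T09:15:40Z", "decoy": "plc-01", "src_ip": "203.0.113.9", "dst_port": 502, "fc": 3},
    {"ts": "2025-11-20T09:15:41Z", "decoy": "plc-01", "src_ip": "203.0.113.9", "dst_port": 502, "fc": 6},
    {"ts": "2025-11-20T09:15:43Z", "decoy": "plc-01", "src_ip": "203.0.113.9", "dst_port": 502, "fc": 16},
]


def classify(event):
    """Map one Modbus decoy interaction to an ATT&CK for ICS technique id (None if unrecognised)."""
    fc = event["fc"]
    if fc in MODBUS_WRITE_FCS:
        return "T0855"  # writing coils/registers on a device the actor has no business controlling
    if fc in MODBUS_READ_FCS:
        return "T0846"  # reads and identification against an internet-exposed decoy: discovery
    return None


def score_sources(events):
    """Aggregate per source IP: techniques seen, interaction count, decoys touched, 0-100 risk score."""
    agg = defaultdict(lambda: {"techniques": set(), "count": 0, "decoys": set()})
    for ev in events:
        a = agg[ev["src_ip"]]
        a["count"] += 1
        a["decoys"].add(ev["decoy"])
        technique = classify(ev)
        if technique:
            a["techniques"].add(technique)
    result = {}
    for ip, a in agg.items():
        base = max((SEVERITY[t] for t in a["techniques"]), default=0)
        # Assumed weighting: +5 per extra interaction, +10 per extra decoy touched, capped at 100.
        score = min(100, base + 5 * (a["count"] - 1) + 10 * (len(a["decoys"]) - 1))
        result[ip] = {"score": score, "techniques": sorted(a["techniques"]), "count": a["count"]}
    return result


def stix_indicator(ip, info, now):
    """Build a STIX 2.1 Indicator for one source address; the id is deterministic so re-exports update, not duplicate."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, "decoy-src/" + ip)),
        "created": now,
        "modified": now,
        "valid_from": now,
        "name": f"Decoy interaction from {ip}",
        "pattern": f"[ipv4-addr:value = '{ip}']",
        "pattern_type": "stix",
        "indicator_types": ["malicious-activity"],
        "labels": ["deception"] + [f"attack-ics:{t}" for t in info["techniques"]],
        "confidence": info["score"],
    }


def stix_bundle(scores, now=None):
    """Wrap all indicators in a STIX 2.1 Bundle, the unit a TIP or TAXII server would ingest."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = [stix_indicator(ip, info, now) for ip, info in sorted(scores.items())]
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


def blocklist_rules(scores, threshold=70):
    """Sources at or above the threshold become firewall block rules; lower scores stay watch-only.
    Table 'inet filter' and set 'decoy_block' are hypothetical names."""
    return [f"nft add element inet filter decoy_block {{ {ip} }}"
            for ip, info in sorted(scores.items()) if info["score"] >= threshold]


if __name__ == "__main__":
    scores = score_sources(SAMPLE_EVENTS)
    print(json.dumps(stix_bundle(scores), indent=2))
    print("\n".join(blocklist_rules(scores)))
```

The threshold is what separates "turn every intrusion attempt into insight" from "block": the scanning source is exported to the TIP with low confidence for correlation only, while the source that attempted Modbus writes both enters the TIP and produces a firewall rule.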


Proactive strategies to stay ahead of the attack

As outlined above, Deception Technology delivers distinct advantages: proactive detection (decoys intercept attacks before they reach real assets), disruption of the Kill Chain (diverting attackers into false environments), intelligence gathering (insight into TTPs for fine-tuning defences) and automated response (integration with SIEM/SOAR to isolate devices and block malicious flows).

However, beyond using these technologies and services, anticipation also requires a comprehensive approach. The following proactive recommendations should be considered:

  • IT/OT network segmentation, using firewalls and secure zones such as an industrial DMZ (iDMZ), to limit lateral movement.
  • Continuous monitoring and traffic analysis to detect anomalies in real time and identify early indicators of attack.
  • Staff training to raise awareness of social engineering and promote secure industrial operations.
  • Ongoing risk and vulnerability assessments, aligned with standards such as IEC 62443 and NIST SP 800-82, to detect misconfigurations and anomalies.

Staying ahead of attacks in industrial environments should no longer be optional: it is the most effective way to ensure operational continuity and the physical safety of personnel. Combining platforms such as Aristeo and the Deception as a Service solution with internal and external IoC feeds and TIPs enables the shift to a proactive and preventive approach.

Today, cyberattacks on industrial environments are inevitable, which is why the best defence is always to stay one step ahead.
