SOC for IT & OT - Why networked cyber security is indispensable in industry

Two technologies, two cultures. One threat situation.

Industrial companies today operate in two parallel technological realities: the classic IT world and the industrial OT (operational technology) world. Both pursue different goals, are based on different systems and each bring their own challenges. When it comes to cyber security, however, they have long since become inseparable. While IT systems work with regular security updates, centralised user management and established protective measures, many OT environments are still characterised by decades-old machines and proprietary control systems. These so-called legacy systems have often been running stably for many years, but were never developed for a connection to the internet or for modern security standards.

The big difference: in IT, security measures can be implemented relatively quickly. A client can be disconnected from the network, patched or protected by an endpoint security system. In OT, on the other hand, there are machines that have to produce continuously. Every planned or unplanned downtime costs money. Not to mention safety-critical processes where a malfunction could jeopardise people or the environment. This is why even basic protective measures in OT environments can often only be implemented to a limited extent.

The challenge: security without interfering with operations

Another problem is the lack of transparency. Many companies do not know exactly which systems are actually in their OT network - especially if machines have been added, replaced or customised over the years. Up-to-date asset management is also the exception rather than the rule. If a security incident occurs, there is no basis for a quick and targeted response.

At the same time, the risks are increasing. Cyberattacks on production environments are no longer a rarity. Whether through targeted attacks or accidental hits - for example via phishing campaigns, infected USB sticks or compromised maintenance access from third-party providers. Many systems cannot be patched, segmented or comprehensively monitored. Traditional IT solutions are ineffective here or entail additional risks.

This is why cyber security in the industry needs to be rethought. The solution does not lie in protecting individual systems, but in a holistic approach that considers IT and OT together.

SOC as a bridge between IT and OT

A Security Operations Centre (SOC) that can process both IT and OT data offers precisely this comprehensive view. The first step is to create visibility. Special sensors are used to analyse network traffic without changing existing machine controls. This creates a digital image of the OT landscape. Communication patterns, devices, weak points and potential attack surfaces become visible. The sensors work passively at network level. Ongoing operations remain unaffected.

The information obtained flows into the SOC, which is ideally connected to the IT infrastructure. Suspicious activities can be recognised there - both within OT and at transitions to IT, for example via the supply chain or interfaces to ERP systems. An integrated platform makes it possible to evaluate alarms in context, analyse attack vectors and initiate suitable measures. The aim is not to react automatically. That would be too risky, especially in OT. Instead, the focus is on targeted and well-founded alerting of the right people in the company.

Detection, analysis, context. No more flying blind.

A major advantage of modern SOCs lies in their ability to not only process raw data, but also utilise contextual information. This includes data from existing OT security systems or interfaces to suppliers. This also makes it easier to recognise supply chain attacks - i.e. threats that enter the company via third parties. The prerequisite is that the relevant systems deliver logs or provide interfaces that can be used to record data.

In contrast to IT, there is no universal detection rule library for OT environments. The systems and production processes used are too different. The rules for attack detection must be customised to the respective environment - often in close cooperation with the customer. Standards can still be used, for example for OT devices with known operating systems or for existing security solutions whose data the SOC can already process.

Humans remain crucial, even with AI support

With the increasing use of artificial intelligence and automated analytics, SOCs are becoming more efficient. AI can help to correlate alarms, create playbooks or suggest detection rules. But it does not replace human expertise. Especially in OT, where every action can have a major impact, a deep understanding of the context is essential. AI helps to make faster and more informed decisions. However, the final assessment should always be made by experienced analysts.

Conclusion: No protection without integration

Industrial production has long been digitalised. Its security must not lag behind. An integrated SOC that considers IT and OT together creates the necessary transparency. It enables threats to be recognised at an early stage and supports targeted responses. The special requirements of OT must be taken into account: long-lasting systems, continuous availability and often a lack of standards. Modern SOCs combine these worlds with passive sensor technology, customisable detection, intelligent alerting and the understanding that cyber security is always also an organisational task.

For more information on our SOC for IT & OT, download our secure mag: