Build a SOC capable of defending your OT network.

Choose the right SOC model for your OT needs

Cybersecurity monitoring has traditionally focused on internet-facing enterprise networks, with very little consideration of control system environments. Today, the rise in malware focused on control systems, such as Havex, BlackEnergy, CRASHOVERRIDE, and TRISIS, has forced companies to expand their cybersecurity visibility to include their control system networks.

What are your SOC options?

When considering your OT monitoring needs, it is important to adopt the right operational security model. Improving your SOC with the right people, processes, and technology serves the business, reduces risk, increases safety, and ensures properly maintained processes. Three common operational build models are an integrated IT/OT SOC, a dedicated OT SOC, and a hybrid model. Each model has certain advantages and challenges, and the decision is ultimately determined by your needs, capabilities, and expectations.

Compare operational build models:

Integrated IT/OT SOC

  • Combined IT/OT SOC (shared physical space)
  • Shared dashboards for both IT and OT technologies
  • Cross-trained analysts
  • Processes tailored for both IT and OT incident response

  • Finding cybersecurity analysts with OT or control system environment knowledge
  • Creating detailed processes for both IT and OT incident response
  • Information overload with combined IT and OT logging aggregation

  1. Hire OT talent and invest time and resources to train up analysts’ cyber investigation skill set.
  2. Consider compliance restrictions and control system environment requirements when creating runbooks.
  3. Clearly document data sources and traffic flow, and fine-tune security appliances for reduced false-positive rates.

Dedicated OT SOC

  • Dedicated OT SOC physically and operationally separate from IT enterprise SOC
  • Separate dashboards, analysts, skill sets, tools, processes, etc.

  • Disparity in situational environment knowledge across IT and OT
  • Culture integration and delays in response times when an incident crosses from the IT infrastructure over to the OT environment

  1. Create and host brown bag learning sessions to address the gap in IT/OT domain knowledge.
  2. Design an analyst shadowing program.
  3. Include the other SOC in daily incident overviews, growth strategy sessions, and joint tabletop exercises.

Hybrid model

  • Combines certain monitoring and response functions based on client constraints
  • Analysts shadowing in the other SOC

  • Not a comprehensive approach to ensure holistic detection capabilities
  • Culture integration

  1. Note that if your organization can’t fully commit to the integrated or dedicated model, this combined approach might be the best option.