Let’s be honest – many of us are being asked to defend operational technology (OT) environments without the dedicated tools, budget, or specialized staff typically needed for the job. Yet the threats are real and growing. Dragos’ 2025 OT Cybersecurity Year in Review makes that clear: adversaries are no longer just nation-state actors targeting electric grids. Hacktivists, ransomware crews, and opportunistic attackers are increasingly leveraging basic techniques to disrupt industrial operations, often with a chilling level of success.
At Edgewater, we frequently encounter security leaders at organizations ranging from large to small who share this same struggle. While it’s easy to offer a textbook solution, supported by expensive technologies and hard-to-find talent that can cover every radical edge case, we found our clients benefit most from practical solutions that reliably address the bulk of most likely scenarios – without the extra spend. Whether it’s building automation systems, industrial manufacturing environments, or bespoke research labs, at Edgewater we have helped our clients optimize their IT cybersecurity programs to address common real-world OT threats like those highlighted by Dragos. Now, we would like to share some of our insights with the community to help those who are fighting the good fight without the necessary resources.
So, what do you do when you’re responsible for OT security… but only have IT security tools, IT processes, and an already-stretched IT security team?
You adapt.
In this article series, our team of seasoned and resourceful cyber experts will break down how scrappy security leaders can pragmatically defend OT environments using existing IT cybersecurity resources. This is not a pitch for a magic solution… It’s a survival guide for leaders doing the best they can with what they have – and a roadmap for how to incrementally build better OT visibility and resilience using proven IT practices.
The Problem: OT as a Soft Target
OT networks have long flown under the radar, but that’s quickly changing. As the Dragos report highlights, adversaries are increasingly targeting OT not for its technical complexity, but for its vulnerability and disruptive potential:
– Many OT assets are still exposed to the internet through insecure remote access.
– Default credentials, unpatched systems, and poorly segmented networks are common.
– Even unsophisticated attackers can now cause real-world impacts with minimal effort.
It’s not that defenders don’t care; it’s that most were never given the tools, staff, or mandate to protect OT properly.
The Strategy: Leverage What You Have, Layer Defenses, and Hunt Aggressively
You don’t need an OT SOC to start protecting OT. You need a mindset shift and a plan.
Here’s the high-level strategy this series will explore:
– Understand your exposure. Start by mapping what’s accessible from your business network and the internet.
– Use IT tools for OT visibility. Endpoint detection, SIEMs, and NetFlow monitoring can offer surprising insight into OT activity – even if imperfect.
– Extend detection engineering. Write detections that cover suspicious behaviors in the OT/DMZ layers using IT telemetry.
– Harden access paths. Lock down remote access to OT, audit VPNs, and eliminate legacy connections. This alone can stop many opportunistic attacks.
– Train your SOC to triage OT alerts. They may not be OT experts, but they know how to respond to suspicious behaviors. Equip them with context and playbooks.
– Hunt with intent. Hypothesize adversary actions using real-world case studies, like KAMACITE’s PowerShell TTPs or VOLTZITE’s VPN exploitation, and look for them in your logs.
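As an added illustration (not code from the article or from Edgewater) of how the exposure-mapping and detection-engineering items above can be built from telemetry an IT SIEM already holds, the following check classifies NetFlow-style records by zone and flags traffic that reaches OT from the internet, from the business network without passing the sanctioned jump host, or on remote-admin and industrial-protocol ports. The zone ranges, jump host, port lists and flow records are constructed assumptions.

```python
import ipaddress
# Constructed zone layout and allowlist (assumptions for this example, not from the article).
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot": ipaddress.ip_network("192.168.100.0/24"),
}
APPROVED_JUMP_HOSTS = {"10.20.0.5"}          # the only sanctioned path into OT (assumed)
ADMIN_PORTS = {22, 3389, 5985, 5986}         # SSH, RDP, WinRM: interactive/remote admin
OT_PROTOCOL_PORTS = {502, 44818, 20000}      # Modbus/TCP, EtherNet/IP, DNP3

def zone_of(ip: str) -> str:
    """Map an address to a zone name; anything outside the defined zones is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def evaluate_flow(flow: dict) -> list:
    """Return findings for one NetFlow-style record {src, dst, dport}; empty means benign."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    if zone_of(dst) != "ot":
        return []                                 # only flows that reach OT are in scope
    src_zone, approved = zone_of(src), src in APPROVED_JUMP_HOSTS
    findings = []
    if src_zone == "internet":
        findings.append("internet-to-OT")        # direct internet exposure of an OT asset
    elif src_zone != "ot" and not approved:
        findings.append(f"{src_zone}-to-OT bypassing jump host")
    if dport in ADMIN_PORTS and not approved:
        findings.append(f"remote-admin port {dport} into OT")
    if dport in OT_PROTOCOL_PORTS and src_zone != "ot":
        findings.append(f"industrial protocol port {dport} from {src_zone}")
    return findings

def flagged(flows: list) -> list:
    # Keep only the records that produced at least one finding.
    return [(f["src"], f["dst"], f["dport"], evaluate_flow(f)) for f in flows if evaluate_flow(f)]

# Constructed sample records, as a SIEM or NetFlow collector might export them.
SAMPLE_FLOWS = [
    {"src": "10.10.5.7", "dst": "192.168.100.10", "dport": 502},      # business host talking Modbus
    {"src": "10.20.0.5", "dst": "192.168.100.10", "dport": 3389},     # jump host RDP: sanctioned
    {"src": "203.0.113.9", "dst": "192.168.100.20", "dport": 5985},   # internet WinRM into OT
    {"src": "192.168.100.10", "dst": "192.168.100.11", "dport": 502}, # OT-to-OT Modbus
    {"src": "10.10.5.7", "dst": "10.10.9.9", "dport": 445},           # business-to-business, out of scope
]
if __name__ == "__main__":
    for src, dst, dport, findings in flagged(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}  {'; '.join(findings)}")
```

Feeding real flow exports through `flagged` gives a first cut at the exposure map from the first bullet and a detection rule for the third, with the approved jump host acting as the baseline that the access-hardening bullet is meant to enforce.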
Coming Up in This Series
Over the next several posts, we will dive deeper into actionable approaches for defending OT using existing IT capabilities:
– Cyber Threat Intelligence for OT (Part 2): Prioritizing threats with limited resources
– Attack Surface Reduction for OT (Part 3): Limiting attack vectors and opportunities
– Detection Engineering for OT (Part 4): Writing detections with real code examples
– SOC Monitoring & IR for OT (Part 5): Playbooks to triage OT threats with IT tools
– OT Threat Hunting (Part 6): Hypothesis-driven approaches based on real campaigns
Each article will focus on practical recommendations, grounded in the threats highlighted by Dragos and applicable to real-world, resource-constrained environments.
Final Thought
You don’t need to be perfect. You need to be proactive.
The Dragos report reminds us that many OT attacks are successful not because they’re sophisticated, but because defenders didn’t see them coming – or didn’t know they could. By adapting your IT cybersecurity capabilities, you can raise the bar, reduce exposure, and buy your organization time and resilience.
Follow along for more. Let’s build better OT defense, one step at a time.