Operational Technology (OT) refers to the hardware and software that detects or causes a change through the direct monitoring and control of physical equipment and processes. Think power grids, factory robot arms, and water treatment plants.
CTI for OT is fundamentally different from IT security. In IT, confidentiality is king. In OT, availability and safety are king: an unplanned shutdown halts production and a wrong actuator command can injure people. You cannot simply "patch" a generator while it is running; changes wait for a maintenance window, so intelligence has to inform compensating controls and detection, not just patch priority.
The Purdue Model
To understand OT threats, you must understand the architecture:
- Level 4/5 (Enterprise): Standard IT network (ERP, email).
- Level 3.5 (DMZ): The critical barrier between IT and OT. Nothing should connect from Level 4 to Level 3 or below except through brokered services here.
- Level 3 (Site Operations): Historians, engineering workstations, and OT-side domain and patch servers.
- Level 2 (Supervisory Control): SCADA servers and HMIs (Human Machine Interfaces).
- Level 1 (Basic Control): PLCs (Programmable Logic Controllers) and RTUs that execute the control logic.
- Level 0 (Process): Sensors and actuators on the physical equipment.
Unique Indicators in OT
Standard IOCs such as malicious IPs and file hashes still apply, but OT CTI requires looking deeper:
- Protocol Anomalies: Attackers often abuse valid industrial protocols (Modbus, DNP3, BACnet, S7comm) rather than exploiting bugs. The packets are well-formed, and most of these protocols carry no authentication, so a "Stop CPU" (PLC stop) or a register/coil write is accepted from whoever sends it. Look for state-changing commands from an unexpected source, or during production hours when no maintenance is scheduled.
- HMI Screenshots: Adversaries capturing screenshots of the HMI screens to learn how the plant operates and which tags matter (reconnaissance) before they touch the process.
- Lateral Movement: Movement from the IT network (Level 4) into the OT network (Level 3 and below) is the most critical TTP to detect. Legitimate traffic only ever passes through the Level 3.5 DMZ, so any direct IT-to-OT connection is itself an indicator.
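The two detections above, a protocol anomaly and a direct IT-to-OT connection, can be expressed as simple rules over flow records. The following is an added example (it is not code from the original page, and not any vendor's product): a minimal Modbus/TCP inspector that parses the MBAP header, flags write function codes from hosts that are not allowed to write, flags engineering-workstation writes inside the production window, and flags any enterprise-subnet host talking straight into the control network. The subnets, the writer policy, the production hours and the sample traffic are all constructed assumptions for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass
from datetime import datetime

# Assumed (hypothetical) site addressing per Purdue level.
ENTERPRISE_NET = ipaddress.ip_network("10.4.0.0/16")   # Level 4
DMZ_NET = ipaddress.ip_network("10.35.0.0/16")         # Level 3.5
CONTROL_NET = ipaddress.ip_network("10.1.0.0/16")      # Levels 2/1

# Assumed write policy: the SCADA server may write at any time, the engineering
# workstation only outside the production window. Everything else is unauthorized.
WRITER_POLICY = {"10.1.0.10": "always", "10.1.0.11": "maintenance_only"}
PRODUCTION_HOURS = range(6, 22)   # 06:00-21:59, assumed

# Modbus function codes that change process state (coils and holding registers).
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}
MODBUS_PORT = 502


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_mbap(payload: bytes):
    """Parse the 7-byte MBAP header and the function code that follows it."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    return {"tid": tid, "proto": proto, "length": length, "unit": unit, "fc": payload[7]}


def purdue_level(ip: str):
    addr = ipaddress.ip_address(ip)
    if addr in ENTERPRISE_NET:
        return 4
    if addr in DMZ_NET:
        return 3.5
    if addr in CONTROL_NET:
        return 1
    return None


def inspect(flow: Flow):
    """Return the list of alert names raised for one flow record."""
    alerts = []
    # Lateral movement: a Level 4 host talking directly into the control network
    # bypasses the Level 3.5 DMZ and should never happen.
    if purdue_level(flow.src) == 4 and purdue_level(flow.dst) == 1:
        alerts.append("IT_TO_OT_DIRECT")
    if flow.dport != MODBUS_PORT:
        return alerts
    hdr = parse_mbap(flow.payload)
    # The MBAP protocol identifier is always 0 for Modbus, and the length field
    # counts every byte after itself; anything else is malformed or not Modbus.
    if hdr is None or hdr["proto"] != 0 or hdr["length"] != len(flow.payload) - 6:
        alerts.append("MODBUS_MALFORMED")
        return alerts
    if hdr["fc"] in MODBUS_WRITE_FCS:
        policy = WRITER_POLICY.get(flow.src)
        if policy is None:
            alerts.append("MODBUS_WRITE_UNAUTHORIZED_MASTER")
        elif policy == "maintenance_only" and flow.ts.hour in PRODUCTION_HOURS:
            alerts.append("MODBUS_WRITE_DURING_PRODUCTION")
    return alerts


def modbus_frame(fc: int, pdu_data: bytes, unit: int = 1, tid: int = 1) -> bytes:
    """Build a Modbus/TCP request: MBAP header + function code + PDU data."""
    length = 2 + len(pdu_data)   # unit id + function code + data
    return struct.pack(">HHHBB", tid, 0, length, unit, fc) + pdu_data


# Constructed sample traffic (not captured from any real plant).
SAMPLE_FLOWS = [
    # SCADA server writes a holding register during production: expected.
    Flow(datetime(2024, 5, 1, 10, 0), "10.1.0.10", "10.1.0.50", 502,
         modbus_frame(6, struct.pack(">HH", 0x0010, 0x0001))),
    # Unknown control-network host forces a coil: unauthorized master.
    Flow(datetime(2024, 5, 1, 10, 5), "10.1.0.99", "10.1.0.50", 502,
         modbus_frame(5, struct.pack(">HH", 0x0003, 0xFF00))),
    # Engineering workstation writes multiple registers mid-shift.
    Flow(datetime(2024, 5, 1, 14, 0), "10.1.0.11", "10.1.0.50", 502,
         modbus_frame(16, struct.pack(">HHB", 0x0000, 1, 2) + b"\x00\x01")),
    # Enterprise host reaches the PLC directly and sends a non-Modbus payload on 502.
    Flow(datetime(2024, 5, 1, 3, 0), "10.4.2.7", "10.1.0.50", 502,
         struct.pack(">HHHBB", 1, 1, 2, 1, 3)),
    # Enterprise host reaches the PLC directly with a well-formed write.
    Flow(datetime(2024, 5, 1, 3, 1), "10.4.2.7", "10.1.0.50", 502,
         modbus_frame(16, struct.pack(">HHB", 0x0000, 1, 2) + b"\x00\x01")),
]


def run_samples():
    return [inspect(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, alerts in zip(SAMPLE_FLOWS, run_samples()):
        print(flow.ts.time(), flow.src, "->", flow.dst, alerts or "ok")
```

The point of the policy table is that in OT the same packet is benign or hostile depending only on who sent it and when; a signature on the bytes alone cannot tell the two apart. In a real deployment the allowlist and the production calendar come from the plant's asset inventory and shift schedule, and the rules would run over a passive span-port capture rather than inline, since dropping a legitimate command is itself a safety risk.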
Specific Threat Groups
- XENOTIME (TRISIS/TRITON): Known for targeting Safety Instrumented Systems (SIS), specifically Triconex safety controllers, in 2017. The SIS is the layer whose only job is to bring the process to a safe state, so tampering with it is an attack on safety itself rather than on availability.
- SANDWORM: Known for the Ukraine power grid attacks. The 2016 attack used Industroyer (CrashOverride), which spoke IEC 60870-5-104, IEC 61850 and OPC DA directly to substation equipment; Industroyer2 in 2022 reused the IEC 104 capability.
Strategy: Effective OT intelligence requires mapping threats specifically to the MITRE ATT&CK for ICS matrix, which is distinct from the Enterprise matrix. Its tactics include Inhibit Response Function and Impair Process Control, which describe what the groups above actually did to the process and have no IT equivalent.