Field Note, November 2025, 7 min read

IT/OT SOC Models: Integrated vs Federated—What Fits Your Org

Choosing between a combined security operations center and separate IT and OT teams has major implications for incident response and threat hunting.


Cascadia OT Security

Compliance Readiness

[Figure: Zone model with 4 boundaries. Rings from outside in: Corporate IT, DMZ, OT Supervisory, OT Control. Caption: Defense in depth. Each ring is an enforceable boundary with its own controls.]

Every industrial organization we work with wrestles with the same structural question: should we run a single security operations center monitoring both IT and OT, or should we maintain separate teams? There's no one right answer, but the choice has major consequences for incident response speed, threat hunting capability, and your compliance posture.

An integrated SOC can correlate attacks that span IT and OT—a phishing email to an engineer that leads to lateral movement toward control networks, for instance. A federated model with separate IT and OT teams prevents that correlation unless the teams actively communicate. But an integrated SOC requires OT expertise that many organizations lack, and mixing IT and OT tools can introduce unintended risks.

The Integrated Model: When It Works

A single SOC makes sense if you have sufficient OT expertise on staff, if your IT and OT networks have managed boundaries where they interact, and if you have the infrastructure to monitor both domains with appropriate isolation. The benefits are clear: a single team with unified visibility sees the full attack surface, can correlate incidents, and avoids blind spots where IT and OT teams aren't communicating.

However, integrated SOCs must maintain strict tool and personnel separation. Your OT-monitoring tools should be isolated from your IT-monitoring tools. Your OT analysts should not have credentials to IT systems and vice versa. An integrated SOC doesn't mean mixing SIEM platforms or blending your IT and OT networks. It means one coordinated team with segregated monitoring infrastructure. This is harder to build than it sounds, and many organizations fail because they try to shortcut the segregation.

The Federated Model: When It Works

Separate IT and OT SOCs make sense if your organization has strong OT expertise, if IT and OT report to separate business units, or if regulatory requirements (NERC CIP, for instance) demand operational independence. The OT SOC can be highly specialized, can focus on industrial protocols and behaviors, and can avoid the risk of IT tools or processes accidentally affecting control systems.

The challenge with federated models is correlation and handoff. When an intrusion spans IT and OT, the two teams must coordinate seamlessly. You need clear escalation paths, regular communication, and playbooks that address cross-domain incidents. Many organizations deploy federated models and then struggle with gaps: phishing emails go to the IT SOC, but the lateral movement indicators that would interest the OT SOC get lost.

Decision Factors

A Hybrid Approach

Many mature organizations run a hybrid model: a central security team handles cross-domain correlation and strategic threat hunting, while separate IT and OT operations teams manage day-to-day monitoring of their respective domains. This leverages expertise, maintains separation where needed, and enables the correlation that integrated monitoring provides. It's more complex to coordinate but often the best fit for large industrial organizations.
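The cross-domain gap described above (a phishing alert that lands in the IT queue while the matching lateral-movement indicators sit unseen in the OT queue) is exactly what the central team in a hybrid model exists to close. The following Python is an added example, not code from this field note or from the Cascadia practice: it takes alerts from two segregated queues (one IT, one OT), pivots on the host or account they share, and only opens a joint incident when an OT indicator follows an IT indicator within a time window. Every alert, hostname, account and detection name in it is constructed for the example.

```python
"""Cross-domain alert correlation for a hybrid IT/OT SOC (added example).

Two segregated sensor pipelines produce alerts independently. This
correlator sits in the central team's tier and asks one question: did an
OT-side indicator fire on a host or account that the IT side already
flagged shortly before? If so, the two queues are joined into one
incident and routed to the cross-domain playbook.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Alert:
    ts: datetime
    domain: str              # "IT" or "OT": which segregated pipeline produced it
    kind: str                # detection type, names are constructed for this example
    host: Optional[str]      # hostname seen by the sensor (None if unknown)
    user: Optional[str]      # account seen by the sensor (None if unknown)
    detail: str


@dataclass
class Incident:
    key: str                                   # the pivot (host or user) that tied the alerts
    it_events: List[Alert] = field(default_factory=list)
    ot_events: List[Alert] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A controller write following an IT compromise is the worst case here.
        if any(a.kind == "modbus_write" for a in self.ot_events):
            return "critical"
        return "high"


# Constructed sample alerts. The IT queue sees a phishing click and an EDR
# block on an engineering workstation; the OT queue later sees that same
# workstation open a first-seen session into the control zone and write to
# a PLC. A second phishing click (kchen) and an unrelated OT event (HMI-02)
# are included to show that uncorrelated alerts stay in their own queues.
IT_ALERTS = [
    Alert(datetime(2025, 11, 3, 9, 12), "IT", "phishing_click", "ENG-WS-07", "jsmith",
          "user followed link in a quarantined message"),
    Alert(datetime(2025, 11, 3, 9, 40), "IT", "edr_block", "ENG-WS-07", "jsmith",
          "EDR blocked a loader dropped by the browser"),
    Alert(datetime(2025, 11, 3, 11, 0), "IT", "phishing_click", "FIN-WS-12", "kchen",
          "user followed link in a quarantined message"),
]
OT_ALERTS = [
    Alert(datetime(2025, 11, 3, 10, 5), "OT", "new_conn_to_control_zone", "ENG-WS-07", None,
          "first-seen TCP/502 session from supervisory zone to PLC-04"),
    Alert(datetime(2025, 11, 3, 10, 7), "OT", "modbus_write", "ENG-WS-07", None,
          "Modbus function 16 write to PLC-04 holding registers"),
    Alert(datetime(2025, 11, 4, 2, 0), "OT", "new_conn_to_control_zone", "HMI-02", None,
          "first-seen TCP/502 session from HMI-02 to PLC-09"),
]


def correlate(it_alerts: List[Alert], ot_alerts: List[Alert],
              window: timedelta = timedelta(hours=4)) -> Dict[str, Incident]:
    """Pair each OT alert with IT alerts on the same host or account that fired
    within `window` before it. Returns joint incidents keyed by the pivot value.
    OT alerts with no IT precursor are left untouched for the OT team's queue."""
    incidents: Dict[str, Incident] = {}
    for ot in sorted(ot_alerts, key=lambda a: a.ts):
        precursors = [
            it for it in it_alerts
            if timedelta(0) <= ot.ts - it.ts <= window
            and ((ot.host is not None and it.host == ot.host)
                 or (ot.user is not None and it.user == ot.user))
        ]
        if not precursors:
            continue
        key = ot.host or ot.user
        inc = incidents.setdefault(key, Incident(key=key))
        inc.ot_events.append(ot)
        for it in sorted(precursors, key=lambda a: a.ts):
            if it not in inc.it_events:
                inc.it_events.append(it)
    return incidents


def summarize(incidents: Dict[str, Incident]) -> List[str]:
    """One line per joint incident, in the form the central team would escalate."""
    return [
        f"{inc.severity.upper()} cross-domain incident on {key}: "
        f"{len(inc.it_events)} IT precursor(s), {len(inc.ot_events)} OT indicator(s), "
        f"route to cross-domain playbook"
        for key, inc in incidents.items()
    ]


if __name__ == "__main__":
    for line in summarize(correlate(IT_ALERTS, OT_ALERTS)):
        print(line)
```

The pivot is deliberately narrow (same host or same account, OT event after the IT event, inside a window) because a looser join is what produces the alert noise that makes central teams distrust the feed. In practice the two queues would arrive over one-way exports from each segregated SIEM rather than as in-memory lists, which keeps the monitoring infrastructure separation the Integrated Model section insists on while still giving the central team the correlation it needs.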

Your SOC model should reflect your organization's structure, expertise, and regulatory obligations. We help industrial companies evaluate these models, design their monitoring infrastructure, and build playbooks that work within their chosen structure. Let's discuss what model fits your organization.

About the author

This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.
