Every OT security leader claims they have visibility into their industrial networks. Most do not. Visibility in operational technology is not the same as having a few network taps and a SIEM. True visibility means understanding what every control system is doing, detecting anomalies in process behavior, and knowing when something deviates from normal before it becomes a safety or production problem.
The challenge is that OT networks were not designed with security monitoring in mind. Many legacy PLCs don't log their actions. Air gaps and serial connections mean you can't tap the network like you would in IT. Brownfield environments mix decades-old equipment with modern systems, each with different sensing capabilities and communication protocols. Building real visibility requires a different approach than IT security teams are accustomed to.
The Visibility Pyramid: What You Need at Each Level
Visibility doesn't happen uniformly across your operation. You need it deepest at Purdue Levels 1 and 2—where your PLCs, RTUs, and safety systems live. This is where compromise is most dangerous. You need it at Level 3, your supervisory systems and historians, because that's often where remote access is granted and where attackers establish persistence. You need it at Levels 4 and 5, your engineering networks and corporate IT, because that's where intrusions often originate before they pivot to control systems.
But the sensors and techniques differ at each layer. At Level 1, you may need industrial protocol analyzers that understand Modbus or Profibus, not just Ethernet packets. At Level 3, you need monitoring of historian access patterns and lookups, not just network IDS signatures. At Levels 4–5, IT security tools help, but you must tune them to understand OT-relevant behaviors—lateral movement toward control networks, connections to engineering tools, unusual access to process documentation.
Where Most Organizations Fall Short
- No process-context monitoring: Most security tools monitor network and host metrics. They don't understand whether the data your PLCs are exchanging is consistent with normal process behavior. You can have perfect network visibility and still miss a process anomaly that indicates compromise.
- Air gaps break the chain: If your Level 1 systems are isolated by design—no Ethernet, serial connections only—then you cannot deploy conventional network monitoring without potentially disrupting operations. You need specialized sensors that live inside the control network or methods to safely capture data without inline taps.
- Legacy systems don't log: A PLC commissioned in 2006 may have no audit trail. You cannot monitor what you cannot see. At some point you must accept that certain assets are dark and focus visibility where it's possible.
- Visibility creates blind alleys: Too many sensors and logs create noise. If you're collecting terabytes of data but your team can't interpret it or correlate it, you don't have visibility—you have data that prevents you from seeing signals. Focus on signals that matter to your process and business.
Building Visibility Incrementally
Start by mapping your control systems: what they do, which are critical, how they connect. Instrument the most critical systems first with whatever monitoring methods are available and safe. Deploy network monitoring at the boundaries between Purdue levels and at the edge of your plant network. Establish baseline behavior for normal operations. Gradually add sensors and refine detection over time. Real visibility builds in layers, not as a big-bang deployment.
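The process-context gap described above (network tools that see Modbus frames but not whether the values make sense) and the baseline step just mentioned are easier to picture with a concrete detector. The following is an added illustration, not code from the article or from the Cascadia practice: it parses Modbus/TCP write requests captured at a Purdue Level 2/3 boundary, learns a per-register value range and the set of expected writers during a baseline window, and then flags later writes that come from an unexpected host, target a register never written before, or carry a value outside the learned range. The host addresses, register numbers and frames are constructed for the example; the Modbus function codes and MBAP layout are the standard ones.

```python
import struct
from dataclasses import dataclass, field

# Modbus function codes used below (standard values from the Modbus specification).
FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06
FC_WRITE_MULTIPLE = 0x10


@dataclass
class ModbusWrite:
    src: str         # IP of the TCP client that sent the request (taken from the capture)
    unit: int        # Modbus unit identifier addressed by the request
    registers: dict  # holding-register address -> value written


def parse_modbus_tcp(src, frame):
    """Parse one Modbus/TCP ADU (MBAP header + PDU).

    Returns a ModbusWrite for write requests and None for reads and other
    functions; raises ValueError on a malformed frame so bad data is not
    silently dropped by the monitor.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[8:]
    if fc == FC_WRITE_SINGLE:
        addr, value = struct.unpack(">HH", pdu[:4])
        return ModbusWrite(src, unit, {addr: value})
    if fc == FC_WRITE_MULTIPLE:
        start, qty, bytecount = struct.unpack(">HHB", pdu[:5])
        if bytecount != 2 * qty or len(pdu) < 5 + bytecount:
            raise ValueError("malformed Write Multiple Registers request")
        values = struct.unpack(">%dH" % qty, pdu[5:5 + bytecount])
        return ModbusWrite(src, unit, {start + i: v for i, v in enumerate(values)})
    return None  # reads and other functions carry no process-changing write


@dataclass
class ProcessBaseline:
    """Allowed writers and per-register value ranges learned during normal operation."""
    writers: set                                # hosts expected to write to controllers
    limits: dict = field(default_factory=dict)  # (unit, addr) -> (lo, hi) seen in baseline

    def learn(self, w):
        for addr, v in w.registers.items():
            lo, hi = self.limits.get((w.unit, addr), (v, v))
            self.limits[(w.unit, addr)] = (min(lo, v), max(hi, v))

    def check(self, w):
        """Return alert strings; an empty list means the write matches baseline behaviour."""
        alerts = []
        if w.src not in self.writers:
            alerts.append("write from unexpected host %s to unit %d" % (w.src, w.unit))
        for addr, v in w.registers.items():
            lim = self.limits.get((w.unit, addr))
            if lim is None:
                alerts.append("write to register %d never seen during baseline" % addr)
            elif not lim[0] <= v <= lim[1]:
                alerts.append("register %d value %d outside baseline range %s" % (addr, v, lim))
        return alerts


def write_single_frame(tid, unit, addr, value):
    """Build a Write Single Register request; used only to construct sample traffic."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_holding_frame(tid, unit, addr, qty):
    """Build a Read Holding Registers request; used only to construct sample traffic."""
    pdu = struct.pack(">BHH", FC_READ_HOLDING, addr, qty)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed addresses: an HMI that normally adjusts setpoints, and an engineering workstation.
HMI, EWS = "10.1.2.10", "10.1.4.7"


def run_demo():
    """Learn a baseline from constructed HMI traffic, then check four later frames."""
    baseline = ProcessBaseline(writers={HMI})
    # Baseline window: the HMI moves setpoint register 40 on unit 1 between 50 and 60.
    for tid, value in enumerate((50, 55, 60, 52), start=1):
        baseline.learn(parse_modbus_tcp(HMI, write_single_frame(tid, 1, 40, value)))

    monitored = [
        (HMI, write_single_frame(10, 1, 40, 58)),   # normal setpoint change
        (HMI, read_holding_frame(11, 1, 40, 2)),    # a read: nothing to check
        (EWS, write_single_frame(12, 1, 40, 200)),  # unexpected writer and value far out of range
        (HMI, write_single_frame(13, 1, 41, 1)),    # expected host, but a never-written register
    ]
    results = []
    for src, frame in monitored:
        w = parse_modbus_tcp(src, frame)
        results.append(baseline.check(w) if w else [])
    return results


if __name__ == "__main__":
    for alerts in run_demo():
        print(alerts or "ok")
```

The point of the example is that the third and fourth frames are perfectly well-formed Modbus and would pass a signature-based IDS; they only stand out because the detector carries process context (who writes, which registers, within what range). In a real deployment the baseline would be learned from a capture taken at the Purdue boundary over a representative production period and the ranges reviewed with the process engineers, rather than from four frames.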
Visibility is the foundation of incident response and threat hunting. We help industrial organizations assess what they can monitor, plan a phased approach to instrumentation, and deploy sensors and analytics that matter. Let's talk about what true visibility looks like for your operation.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.