Executive summary from Episode 2, Detecting OT Risks, of the 4-part OT Resilience Webinar Series

You cannot respond to what you cannot detect. And in operational technology environments, the gap between what is happening on your network and what your security team can actually see is far wider than most organisations realise. Episode 2 of the OT Resilience Blueprint 2026 series tackles one of the most consequential challenges in industrial cybersecurity: building a detection capability that is calibrated for the specific characteristics, constraints, and risk priorities of OT environments. Hosted by Dominic Carroll, Director of Portfolio Marketing at e2e assure, this session draws on the experience of Ian Henderson, formerly VP of OT Security at BP, where he spent over two decades building and leading the global OT security function from its inception.

Detection Is Not a Technology Problem. It Is a Maturity Problem. 

The majority of OT environments are not being actively exploited because attackers cannot get in. They are being compromised (and in many cases, remain compromised) because the monitoring capability needed to surface adversarial activity simply does not exist below the enterprise perimeter. The Pyramid of Pain framework illustrates this clearly: organisations that rely exclusively on hash values, IP addresses, and simple signature-based detection are giving attackers the easiest possible environment in which to operate. Shifting detection to the level of tactics, techniques, and procedures (TTPs) forces attackers to fundamentally change their approach, making operations exponentially more difficult and costly.

In OT, the implications are more pronounced. Threat actors targeting industrial environments, including nation state groups such as VOLTZITE and BAUXITE, are not seeking quick wins. They are establishing persistent footholds, learning environment baselines, and waiting for a strategically opportune moment to act. An organisation without TTP-level detection capability may have no indication of compromise for months.

“Regulatory and compliance directives as a boardroom topic – that is super important. And I think it is sort of helping drive up the security posture of OT systems.” 

— Ian Henderson, Former VP of OT Security, BP 


The OT Detection Maturity Model: Where Are You, and Where Do You Need to Be? 

e2e assure’s OT Detection Maturity Model maps detection capability across five levels, from minimal (15%) through to advanced (90%), and aligns each level to the NCSC Cyber Assessment Framework 4.0 Objective C.

At the minimal end, organisations have perimeter-only detection at the enterprise zone (Purdue Level 4), relying on firewall logs and manual review. Time to detect a compromise is measured in months. This is assessed as “Not Achieved” under CAF 4.0. Moving through the basic and developing levels introduces network detection and response, east-west traffic visibility, and automated escalation, reducing response time from days to hours. The maturing level introduces agentless OT-specific anomaly detection with behavioural baselining at the supervisory control layer. The advanced level, assessed as “Achieved”, reaches into the process control zone with AI- and ML-driven analytics, proactive threat hunting, and TTP-level detections, reducing time to act to seconds.

The CERT Polska Static Tundra incident of 29 December 2025 illustrates what failure at the basic level looks like in practice. Over 30 wind and solar farms in Poland were compromised through default credentials on Hitachi RTU560 devices and the absence of MFA on FortiGate VPN, with zero OT device monitoring in place to surface the intrusion until operational disruption occurred.

“Not all PLCs are equally important. Not all HMIs and SCADA systems are equally important. There is a tendency for us in the OT security world to treat them as if they are.” 

— Ian Henderson, Former VP of OT Security, BP 


IT and OT Detection Are Fundamentally Different Disciplines 

One of the most instructive themes of this session is the candid account of how even experienced security leaders can arrive at OT security with the wrong mental model. The IT security world generates enormous volumes of log data from rapidly changing, cloud-scale environments. Automation is the primary efficiency lever, and the objective is to process high-volume, high-velocity alert data as quickly as possible.

OT is the inverse. Environments are stable. Change is rare. Alert volumes are low. And the response calculus is entirely different. Every containment action must be weighed against the risk of disrupting physical processes, triggering safety systems, or causing operational downtime that can cost millions of pounds per hour. This is why the default IT response playbook (automated containment, aggressive isolation) is not simply inappropriate in OT. It can be actively dangerous.

Regulatory frameworks reflect this nuance. CAF 4.0 Objective C requires organisations to demonstrate structured logging source selection, alert triage processes, behavioural baselining, and threat intelligence integration, all calibrated to the specific risk context of each OT environment.

“IT people do know what they are doing — they just have different business priorities. It took me a long time to have that epiphany, but once I did, it changed how I approached the whole conversation.” 

— Ian Henderson, Former VP of OT Security, BP 


A Practical Framework for Improving Detection Maturity 

For CISOs and heads of OT security reviewing their current position, the episode offers a structured framework for progression. The starting point is always honest self-assessment: at which Purdue level does your current monitoring capability reach, and what visibility exists below that level? For most organisations, monitoring stops at the enterprise perimeter or the DMZ.

The next step is extending passive monitoring into operations and control zones without disrupting production, using network detection and response tools designed for OT protocol analysis, combined with behavioural baselining that establishes what normal communication patterns look like at each level of the Purdue model. From there, the path to advanced detection maturity runs through custom detection engineering, threat intelligence integration, and ultimately the development of threat hunting capability, a proactive discipline that does not wait for alerts to fire.
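To make the behavioural baselining step concrete, here is an added example (not code from the webinar, e2e assure, or the CUMULO platform) that learns the set of normal (source, destination, service) conversations from a passive sensor's learning window and then flags live flows that fall outside it, enriched with a Purdue-level check. The asset inventory, IP addresses and flow records are all constructed for illustration.

```python
# Constructed asset inventory mapping host IPs to Purdue levels (hypothetical).
ASSET_LEVEL = {
    "10.4.0.10": 4,  # enterprise ERP server (Level 4)
    "10.3.0.20": 3,  # site historian (Level 3)
    "10.2.0.30": 2,  # HMI / SCADA server (Level 2)
    "10.1.0.40": 1,  # PLC (Level 1)
}

# Constructed flow records (src, dst, service) as a passive sensor might emit.
# "modbus/3" = read holding registers, "modbus/6" = write single register.
BASELINE_FLOWS = [  # learning window: what normal looks like
    ("10.4.0.10", "10.3.0.20", "https"),
    ("10.3.0.20", "10.2.0.30", "opc-ua"),
    ("10.2.0.30", "10.1.0.40", "modbus/3"),
    ("10.2.0.30", "10.1.0.40", "modbus/3"),
]
LIVE_FLOWS = [  # observation window
    ("10.2.0.30", "10.1.0.40", "modbus/3"),  # routine HMI polling of the PLC
    ("10.2.0.30", "10.1.0.40", "modbus/6"),  # known pair, but a new write function
    ("10.4.0.10", "10.1.0.40", "modbus/6"),  # enterprise host talking straight to a PLC
]


def learn_baseline(flows):
    """Learning window: the set of (src, dst, service) triples seen as normal."""
    return set(flows)


def detect(flows, baseline, levels=ASSET_LEVEL):
    """Return (src, dst, service, reasons) for each live flow outside the baseline."""
    alerts = []
    for src, dst, service in flows:
        if (src, dst, service) in baseline:
            continue  # exactly matches learned behaviour; no alert
        reasons = ["not in baseline"]
        src_lvl, dst_lvl = levels.get(src), levels.get(dst)
        if src_lvl is None or dst_lvl is None:
            reasons.append("unknown asset")  # inventory gap is itself a finding
        elif abs(src_lvl - dst_lvl) > 1:
            reasons.append(f"skips Purdue levels ({src_lvl} -> {dst_lvl})")
        if service == "modbus/6" and dst_lvl == 1:
            reasons.append("write to controller")  # writes to Level 1 are high impact
        alerts.append((src, dst, service, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(alert)
```

Because the logic only reads flow metadata and never sends traffic to OT devices, it is safe to run against data from a passive tap or SPAN port; the alerts are inputs to triage, not automated containment.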


Watch the Full Episode 

Episode 2 includes a live walkthrough of the CUMULO platform demonstrating OT-specific detection and alert triage, an in-depth analysis of the Static Tundra incident, and a detailed review of CAF 4.0 Principle C requirements for OT monitoring. If you are assessing your current detection maturity or building the case for investment in OT-specific monitoring capability, this session is essential viewing. 

► Watch Episode 2 on demand (YouTube): OT Detection Explained: How to Detect Invisible Attacks in Operational Technology