Q&A Follow-Up: (CS)²AI Fellow Fireside Chat: Building OT Capacity for IR and Pentesting
- (CS)²AI

- Oct 3, 2025
Updated: Oct 20, 2025
By Chris Sistrunk, Technical Leader of Mandiant, Google Cloud Security, & (CS)²AI Fellow
September 29, 2025

We hosted a (CS)²AI Fellow Fireside Chat on September 10, 2025 that focused on Building OT Capacity for IR and Pentesting with (CS)²AI Fellows Chris Sistrunk, Technical Leader of Mandiant (Google Cloud Security) and Danielle Jablanski, Cybersecurity Consulting Program Lead of STV.
Here is a bit about the event:
Operational Technology (OT) environments face unique challenges when it comes to incident response (IR) and penetration testing. As cyber threats continue to evolve, organizations must strengthen their capacity to prepare, detect, and respond effectively to incidents—while also proactively testing defenses to uncover vulnerabilities before adversaries do.
Leading experts explored strategies, best practices, and lessons learned for building OT-specific capabilities in both IR and pentesting. Participants gained actionable insights into:
Tailoring IR processes for OT systems
Overcoming common pitfalls in OT pentesting
Strengthening team skills and capacity to meet today’s threat landscape
Leveraging industry tools and frameworks to build resilience
This session equipped practitioners, defenders, and decision-makers with the knowledge needed to enhance security postures across critical infrastructure.
Do you want to have access to more content like this? Register for our next (CS)²AI Online™ seminar or symposium here, or consider becoming a member of (CS)²AI to access our entire library of recorded sessions.
The Q&A portion below represents selected overflow questions and commentary from the event, and has been answered in detail by Chris Sistrunk.
******************************
On topic questions:
QUESTION No.1: When does hardening systems really become crucial in OT/ICS?
ANSWER: Hardening OT systems should be a continuous process, from installation, to maintenance windows, and throughout the lifecycle of the components, especially if there are any architecture or software/update changes. Hardening should include software, hardware, network components, and physical security/access. For software hardening best practices, follow OT vendor best practices as well as Center for Internet Security (CIS) hardening benchmarks (which are free). Don't forget about simple solutions such as USB and Ethernet port blockers, with a procedure around managing the blockers.
QUESTION No.2: In your opinion, would integrating threat intelligence with specific industry-based business context help prioritize vulnerabilities based on their impact specific to critical infrastructure and ICS/OT operations?
ANSWER: If your OT security program is rather mature with the basics covered very well, then you may be ready to incorporate threat intelligence. If you have the ability to ingest threat intelligence and act upon it (threat hunting, TTP specific use-cases and playbooks) then industry-specific threat intelligence will be a good tool in your OT security program.
QUESTION No.3: How valuable do you find E/W network traffic based analysis, i.e. DarkTrace, et al?
ANSWER: Monitoring East/West traffic is important for detecting lateral movement, especially for your OT crown jewel assets. Network security monitoring is important to consider if you don't have good enough OT endpoint visibility coverage and should include all North/South, Ingress/Egress points for your OT network as well.
QUESTION No.4: How is the Purdue Model applied to segment and secure OT networks during incident response?
ANSWER: The Purdue Model is a good discussion starting point for network classification, but I recommend following ISA/IEC 62443 or NIST SP800-82 Rev 3 for security segmentation best practices (IT/OT DMZ, OT zone specific firewalls, etc.). Segmentation should be designed BEFORE incident response and not DURING. If your IT and OT networks are not segmented during an incident response, you will likely have to manually segment the OT network to protect it and then during IR remediation, design an IT/OT DMZ based on the standard guidance above along with your OT Vendor/OEM secure architecture designs.
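Added example, not from the event or from the answers above: the two answers on East/West monitoring (Question No.3) and on designing segmentation before an incident (Question No.4) both come down to comparing observed traffic against an explicit zone-and-conduit policy. The script below does that for a constructed set of flow records. The zone address ranges, the permitted conduits, the crown-jewel hosts and their allowlisted peers are all assumptions made up for the illustration; in practice they come from the site's own ISA/IEC 62443 zone model and the OT vendor's secure architecture guidance.

```python
"""Audit flow records against an assumed zone/conduit policy (added example)."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Assumed zone plan for a small plant (constructed for this example):
# enterprise -> IT/OT DMZ -> OT supervisory (levels 2/3) -> OT control (level 1).
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "ot_dmz": ip_network("172.16.0.0/24"),
    "ot_supervisory": ip_network("192.168.10.0/24"),
    "ot_control": ip_network("192.168.20.0/24"),
}

# Permitted conduits: (src_zone, dst_zone) -> allowed TCP destination ports.
# None means the conduit carries any port (intra-zone East/West traffic is not
# filtered by the zone firewall, which is exactly why it needs monitoring).
CONDUITS: dict[tuple[str, str], Optional[set[int]]] = {
    ("enterprise", "ot_dmz"): {443, 3389},          # users reach the DMZ jump host / mirrored historian
    ("ot_dmz", "ot_supervisory"): {443, 3389},      # jump host into the supervisory zone
    ("ot_supervisory", "ot_control"): {502, 44818}, # Modbus/TCP and EtherNet/IP to controllers
    ("ot_supervisory", "ot_supervisory"): None,
    ("ot_control", "ot_control"): None,
}

# Crown-jewel assets and the only sources allowed to talk to them (assumed).
CROWN_JEWELS = {
    "192.168.20.10": {"192.168.10.5"},   # PLC-1: only the engineering workstation
    "192.168.10.5": {"172.16.0.10"},     # engineering workstation: only the DMZ jump host
}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(flow: Flow) -> list[str]:
    """Return policy findings for one flow; an empty list means compliant."""
    findings = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if (src_zone, dst_zone) not in CONDUITS:
        findings.append(f"no conduit defined {src_zone}->{dst_zone}")
    else:
        ports = CONDUITS[(src_zone, dst_zone)]
        if ports is not None and flow.dport not in ports:
            findings.append(f"port {flow.dport} not permitted on conduit {src_zone}->{dst_zone}")
    allowed_peers = CROWN_JEWELS.get(flow.dst)
    if allowed_peers is not None and flow.src not in allowed_peers:
        findings.append(f"crown jewel {flow.dst} contacted by non-allowlisted {flow.src}")
    return findings


def audit(flows) -> dict:
    """Map each non-compliant flow to its findings."""
    result = {}
    for flow in flows:
        findings = check_flow(flow)
        if findings:
            result[flow] = findings
    return result


# Constructed flow records (not from a real capture).
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "172.16.0.10", 443),       # enterprise user -> DMZ jump host: OK
    Flow("172.16.0.10", "192.168.10.5", 3389),   # jump host -> EWS over RDP: OK
    Flow("192.168.10.5", "192.168.20.10", 502),  # EWS -> PLC-1 Modbus: OK
    Flow("10.0.5.20", "192.168.20.10", 502),     # enterprise host straight to the PLC: DMZ bypassed
    Flow("192.168.10.30", "192.168.10.5", 445),  # HMI -> EWS over SMB: East/West lateral movement
    Flow("172.16.0.10", "192.168.10.5", 22),     # jump host -> EWS over SSH: port not on the conduit
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS).items():
        print(flow, findings)
```

The fourth flow is the "not segmented during an incident" case from the answer: a direct enterprise-to-control connection has no conduit at all. The fifth flow is the East/West case: the zone firewall never sees it, so only network security monitoring inside the supervisory zone (or endpoint visibility on the workstation) catches it.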
QUESTION No.5: What are the key differences in incident response planning between IT and OT environments?
ANSWER: You still follow the standard DFIR process (NIST SP 800-61r3 and NIST SP 800-86), but keep safety first and OT/ICS operations & constraints in mind (covered in NIST SP 800-82r3, section 6.4). I recommend you review my Blackhat 2016 talk on this exact subject (on YouTube) and my slides (https://www.slideshare.net/slideshow/blackhat-usa-2016-whats-the-dfirence-for-ics/64706579) to see the key differences. Also, please review the DFIR Framework for Embedded OT devices here (https://cloud.google.com/blog/topics/threat-intelligence/mandiant-dfir-framework-ot/?e=4875480).
QUESTION No.6: What networking tools would you use to answer all of the questions?
ANSWER: There is no perfect network tool to rule them all, and likely you will have to find the tools that your network folks and OT/engineering folks regularly use (especially OT Vendor/OEM tools such as Rockwell FactoryTalk AssetCentre, etc.) to start with. What gaps do those tools have? There are many free and professional/enterprise tools for monitoring OT networks out there (too many to list here). Several free network security monitoring tools that have both IT and OT capabilities are: Wireshark, NetworkMiner, Zeek, Suricata, and Snort. For a bigger list check this OT crowdsourced GitHub: https://github.com/ITI/ICS-Security-Tools/tree/master/tools/analysis.
QUESTION No.7: Is 'Wireshark' a popular tool for OT (environments)?
ANSWER: Wireshark has over 20 OT protocol parsers, so it is a fantastic free tool for analyzing network traffic, troubleshooting network issues, and forensics for both IT and OT networks.
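Added example, not from the event or from the answers above: Questions No.6 and No.7 point at protocol dissectors (Wireshark's Modbus/TCP parser among them) as the basis for OT network monitoring and forensics. The script below implements a minimal Modbus/TCP dissector of the same kind and then applies one detection rule to the parsed messages: writes from hosts that are not allowed to write, and diagnostic function codes from anyone. The frames, the host addresses and the write allowlist are constructed for the illustration; the MBAP header layout and the public function codes follow the Modbus application protocol specification.

```python
"""Minimal Modbus/TCP dissector plus a write/diagnostic triage rule (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

# Public function codes from the Modbus application protocol specification.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
DIAG_FUNCTIONS = {8: "Diagnostics", 43: "Encapsulated Interface Transport"}


@dataclass
class ModbusMessage:
    transaction_id: int
    unit_id: int
    function_code: int           # exception bit (0x80) already stripped
    is_exception: bool
    exception_code: Optional[int]
    data: bytes                  # PDU bytes following the function code


def parse_modbus_tcp(frame: bytes) -> ModbusMessage:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    # The length field counts the bytes after itself: unit id plus PDU.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(frame) - 6} bytes present")
    raw_fc = frame[7]
    data = frame[8:]
    if raw_fc & 0x80:  # exception response: one byte of exception code follows
        return ModbusMessage(transaction_id, unit_id, raw_fc & 0x7F, True,
                             data[0] if data else None, data)
    return ModbusMessage(transaction_id, unit_id, raw_fc, False, None, data)


def describe_request(msg: ModbusMessage) -> str:
    """Decode the request fields a dissector displays: address, quantity, value."""
    fc, d = msg.function_code, msg.data
    if fc in READ_FUNCTIONS or fc in (15, 16):
        if len(d) < 4:
            raise ValueError("short PDU")
        addr, qty = struct.unpack(">HH", d[:4])
        name = READ_FUNCTIONS.get(fc) or WRITE_FUNCTIONS[fc]
        return f"{name} addr={addr} qty={qty}"
    if fc in (5, 6):
        if len(d) < 4:
            raise ValueError("short PDU")
        addr, value = struct.unpack(">HH", d[:4])
        return f"{WRITE_FUNCTIONS[fc]} addr={addr} value=0x{value:04X}"
    if fc == 8:
        if len(d) < 2:
            raise ValueError("short PDU")
        (sub,) = struct.unpack(">H", d[:2])
        return f"Diagnostics sub-function={sub}"
    return f"function {fc} ({len(d)} data bytes)"


def triage_events(events, write_allowlist):
    """Flag writes from non-allowlisted sources and any diagnostic function.

    events: iterable of (source_ip, frame_bytes) from client->server traffic.
    """
    alerts = []
    for src, frame in events:
        msg = parse_modbus_tcp(frame)
        if msg.is_exception:  # a response carries no command to judge
            continue
        if msg.function_code in WRITE_FUNCTIONS and src not in write_allowlist:
            alerts.append((src, msg.transaction_id, "unexpected write: " + describe_request(msg)))
        elif msg.function_code in DIAG_FUNCTIONS:
            alerts.append((src, msg.transaction_id, "diagnostic function: " + describe_request(msg)))
    return alerts


# Constructed sample frames (not captured from a real network).
FRAME_READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000A")             # read 10 regs from 0
FRAME_WRITE_COIL   = bytes.fromhex("0002 0000 0006 01 05 0013 FF00")             # coil 19 -> ON
FRAME_WRITE_REGS   = bytes.fromhex("0003 0000 000B 01 10 0001 0002 04 000A 0014")  # regs 1..2
FRAME_EXCEPTION    = bytes.fromhex("0001 0000 0003 01 83 02")                    # illegal data address
FRAME_DIAG_RESTART = bytes.fromhex("0004 0000 0006 01 08 0001 0000")             # restart communications

WRITE_ALLOWLIST = {"192.168.10.5"}  # engineering workstation (assumed address)
SAMPLE_EVENTS = [
    ("192.168.10.30", FRAME_READ_HOLDING),  # HMI polling: benign
    ("192.168.10.5", FRAME_WRITE_REGS),     # engineering workstation download: allowed writer
    ("192.168.10.77", FRAME_WRITE_COIL),    # unknown host writes a coil
    ("192.168.20.10", FRAME_EXCEPTION),     # PLC response, skipped
    ("192.168.10.77", FRAME_DIAG_RESTART),  # unknown host issues a diagnostic request
]

if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS, WRITE_ALLOWLIST):
        print(alert)
```

The length check matters for forensics: a frame whose MBAP length disagrees with the bytes on the wire is either a capture artifact or a malformed request, and either way it should be surfaced rather than silently decoded. The same parse-then-rule pattern is what a Zeek or Suricata OT ruleset does at scale.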
QUESTION No.8: When it comes to assessing vulnerabilities or exploitable risks in ICS/OT operational environments (along with the critical nature of OT assets), what are operationally safe (best practice) methods for identifying vulnerabilities, enabling patching, and other mitigation efforts pertaining to the ICS/OT Industry?
ANSWER: This can be a complex answer based upon your OT architecture and its dependencies and external connections. It starts with an asset inventory, especially of the systems that are most IT-like (Windows, Linux, network devices) and the devices that are most exposed (to the Internet, to corporate networks, or to publicly accessible areas). All of these systems should be patched and hardened on a regular basis (whether you have to do this yourself or through your OT vendor). NIST SP800-82r3 has a framework for assessing and mitigating these types of risks, so each site or plant or OT network will likely have differences, but I would focus on the IT-like "intermediary systems" first (we talk about this as the Theory of 99 in this blog: https://cloud.google.com/blog/topics/threat-intelligence/Mandiant-approach-to-operational-technology-security?e=48754805).
QUESTION No.9: Can you comment on local log storage in ICS DMZ and log exports to cloud storage and analytics solutions from IR and overall RCA standpoint?
ANSWER: Log storage is an important part of your network security monitoring and root cause analysis strategy. Local log storage is important to analyze for all of your asset types (Windows Logs, Linux Syslog, Firewall Logs, and OT Device Logs (engineering and security)). For NSM, a common rule of thumb is to have at least 120 days of netflow data and a 3-day window for full content data for critical network segments. If your OT device only has 255 rows in its error log, it will be good to know this so that those logs can be collected first before they roll over. Exporting logs to a SIEM in the cloud or on premise is a well-known best practice, but this could be a challenge for remote OT sites with low bandwidth or no external connections. NIST SP800-82r3 does cover logging strategies.
QUESTION No.10: All of these recommendations make sense but how do you scale these recommendations when you have hundreds or thousands of PLCs, HMIs, etc.? Do you have some recommendations to streamline and automate it?
ANSWER: If you have a large OT asset inventory, then you may need tools that can manage enterprise scale. OT Vendors/OEMs often have approved tools that already do this (Rockwell Factory Talk AssetCentre, etc.) or you can also look into ICS/OT network security monitoring vendors such as Nozomi Networks, Claroty, Dragos, etc.
QUESTION No.11: Is patching legacy (MS) systems, something that could be automated, including anti-V?
ANSWER: Patching Microsoft systems and Antivirus/Endpoint Agents can easily be automated with a whole host of different tools; however, it's best to follow what your OT Vendor/OEM recommends. If you have an End of Support or End of Life system, then it cannot be patched and you will have to design other mitigations to keep these devices from being exposed.
QUESTION No.12: Are there any OT scenarios in which it might be practical to implement upgrades through incremental, parallel systems/solutions?
ANSWER: Yes, for major upgrades it is common to implement the new OT system alongside the old OT system and then perform the switch over to the new system, once site acceptance testing and commissioning are complete. Constraints are available space, field wiring and I/O cabinets, etc. OT Vendors often have solutions for these situations.
QUESTION No.13: With the expansion of AI use, what are examples that you've seen so far of actors using AI or potential uses of AI tools used by an environment to carry out LotL or attacks on the environment?
ANSWER: I personally have not seen any use of AI tools used by attackers in OT environments. However in general, attackers are leveraging AI for creating more believable spear phishing emails, voice phishing/vishing, and video/deep fakes. The FBI put out some details about this in December 2024 (https://www.ic3.gov/PSA/2024/PSA241203) and Google Threat Intelligence Group published a blog this year about cybercriminals weaponizing websites using AI (https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites?e=48754805).
QUESTION No.14: Ukraine in 2014, I believe it was BlackEnergy/KillDisk on the UPS systems after recon on their system. How can we mitigate insider threat when neglect really opens the doors?
ANSWER: Defense in depth is key for defending against targeted attacks including insider threats. Proper segmentation, tested backups, multi-factor authentication, and a well-defined but not overcomplicated Incident Response Plan are critical to defending OT. For a compilation of lessons learned and protective actions you can do for targeted attacks, please review this Mandiant whitepaper: https://services.google.com/fh/files/misc/proactive-preparation-and-hardening-to-protect-wp-en.pdf.
QUESTION No.15: Crypto mining is also a power hungry beast that has the capacity to harvest even supercomputer capability, and energy, this is happening everywhere. Will policy ever catch up? I mean energy and economics... scary.
ANSWER: In the United States and around the world, large data centers, including those used by crypto miners, are being studied by the electric industry. There have been multiple studies in North America such as the NERC Large Load Task Force (https://www.nerc.com/comm/RSTC/Pages/LLTF.aspx) and others. NERC just put out an alert about this topic last week (https://www.nerc.com/pa/rrm/bpsa/Alerts%20DL/NERC%20Alert%20Level%202%20%20Large%20Loads.pdf).
QUESTION No.16: Based on the "Theory of 99" do you see the threat landscape shift towards more OT based attacks increase by way of supply chain, nation state, AI, Wifi enabled devices and Cloud adoption?
ANSWER: Theory of 99 referenced here: https://cloud.google.com/blog/topics/threat-intelligence/Mandiant-approach-to-operational-technology-security?e=48754805. I don't see an increase of targeted OT attacks, but more of targeted IT attacks that indirectly or directly impact OT / production, which is why I said ransomware is still the No.1 attack that impacts OT (even though it may not be a cyber-physical attack impacting embedded devices, as those attacks are rare).
QUESTION No.17: If we already know that controllers and legacy systems are vulnerable, then why do we need to do penetration testing in OT?
ANSWER: The goal of penetration testing in OT environments is to find and fix weaknesses in the IT systems (Windows, Linux, VMs, network devices) that are at the perimeter of OT systems. Attackers will target those intermediary systems first. So a penetration test is a real way to see if your cybersecurity mitigations, segmentation, and hardening are sufficient for the most common attacks targeting vulnerable remote services, weak firewall rules, weak server and workstation configurations, etc.
On career questions:
QUESTION No.1: Hi Chris, I really enjoyed your work on the Mandiant DFIR Framework for OT. I’m very interested in this space and would love the opportunity to contribute, is there a way I could get involved with your team?
ANSWER: We do not currently have any job openings on our Mandiant OT team, but we do often have Mandiant IR consulting roles open. Also Google DFIR team has roles open as well. We are also opening up Summer 2026 Internship applications now, so if you are a student, please submit! For any Mandiant or Google role, check out these helpful links:
QUESTION No.2: I see a number of people open to jobs ... What is the ICS/OT security job outlook and where does one go to find these?
ANSWER: The best way to land an ICS/OT security job is to get involved with the ICS/OT community (online and in person). You can do this in multiple ways through ICS OT Security groups on LinkedIn, going to OT conferences (many have online options), and meeting other ICS OT folks. You can also build a small OT lab or try online OT capture the flag contests. There is a lot of OT training out there, for free and paid. Mike Holcomb has a lot of free training content on LinkedIn and YouTube (https://www.youtube.com/playlist?list=PLOSJSv0hbPZAlINIh1HcB0L8AZcSPc80g). There are many OT certifications out there, and the jobs you may want to apply for may list one or more OT cybersecurity certifications. A full list of security training including OT training is listed here: https://pauljerimy.com/security-certification-roadmap/ (see the column for ICS/IoT).