
Q&A Follow-Up: (CS)²AI Fellow Fireside Chat: Building OT Capacity for IR and Pentesting

By Danielle Jablanski, Cybersecurity Consulting Program Lead at STV, & a (CS)²AI Fellow

October 20, 2025



We hosted a (CS)²AI Fellow Fireside Chat on September 10, 2025 that focused on Building OT Capacity for IR and Pentesting with (CS)²AI Fellows Chris Sistrunk, Technical Leader at Mandiant (Google Cloud Security), and Danielle Jablanski, Cybersecurity Consulting Program Lead at STV.


Here is a bit about the event:


Operational Technology (OT) environments face unique challenges when it comes to incident response (IR) and penetration testing. As cyber threats continue to evolve, organizations must strengthen their capacity to prepare, detect, and respond effectively to incidents—while also proactively testing defenses to uncover vulnerabilities before adversaries do.


Leading experts explored strategies, best practices, and lessons learned for building OT-specific capabilities in both IR and pentesting. Participants gained actionable insights into:


  • Tailoring IR processes for OT systems

  • Overcoming common pitfalls in OT pentesting

  • Strengthening team skills and capacity to meet today’s threat landscape

  • Leveraging industry tools and frameworks to build resilience


This session equipped practitioners, defenders, and decision-makers with the knowledge needed to enhance security postures across critical infrastructure.


Do you want to have access to more content like this? Register for our next (CS)²AI Online™ seminar or symposium here, or consider becoming a member of (CS)²AI to access our entire library of recorded sessions.


The Q&A portion below represents selected overflow questions and commentary from the event, and has been answered in detail by Danielle Jablanski.


******************************

On-topic questions:


QUESTION No.1: When does hardening systems really become crucial in OT/ICS?

ANSWER: Ask whether cybersecurity was a consideration during site acceptance testing. Hardening should be a consideration in any commissioning and rollout, as well as with configuration changes and any network management considerations. There are resources from OEMs to assist in hardening and configuration baselines for their systems as well as this resource for PLCs https://plc-security.com/. Another good way to focus in is when to assign producers and consumers as well as physical port locks for the most critical systems.

QUESTION No.2: In your opinion, would integrating threat intelligence with specific industry-based business context help prioritize vulnerabilities based on their impact specific to critical infrastructure and ICS/OT operations?


ANSWER: In my opinion, it is more important to have a robust crown jewel analysis and interdependence mapping done and discussed with key personnel and management, and to consider scenarios that impact OT and the potential cascading effects based on this understanding, before incorporating analysis of threat actor TTPs as a means, when your organization might not fully understand the effects of these attack patterns internally; see: https://nexusconnect.io/articles/throw-likelihood-to-the-wind-ot-cybersecurity-is-categorical-not-mathematical.


QUESTION No.3: How valuable do you find E/W network traffic based analysis, i.e. DarkTrace, et al?


ANSWER: I second Chris, and would add that some solutions for visibility of E/W do real-time diagnostics while others can keep a pulse and pull information and analysis as needed. Investing in visibility needs to include conversations around tuning and remediation efforts - if you are not doing anything about alerts, don't invest in the tools yet: https://industrialcyber.co/features/implementing-intrusion-detection-in-industrial-systems-requires-visibility-resilience-and-regulatory-compliance/.


QUESTION No.4: How is the Purdue Model applied to segment and secure OT networks during incident response?


ANSWER: PERA is useful for delineating your logical network mapping from your standard OSI model understanding, but it is not meant to be a hierarchy and is becoming increasingly limited when introducing additional edge devices and cloud applications, etc. - the zones and conduits model from 62443 is more adaptable to grouping systems based on different categories beyond network connectivity and segmenting based on function, for example.


QUESTION No.5: What are the key differences in incident response planning between IT and OT environments?


ANSWER: The key differences are in containment and remediation. For containment, you might not have the logging and tools for threat hunting to identify the extent of the breach and exploitation, and you may not be able to isolate systems and recover in a way that ensures the attacker(s) are out of systems and cannot regain entry to continue their exploits - this integrity problem is a main driver of compensating controls where patching, etc. may not be routine - more info: https://www.rsaconference.com/library/virtual-seminar/hds7-ot-ics.


QUESTION No.6: What networking tools would you use to answer all of the questions?


ANSWER: I don't publicly endorse tools but ping me privately and I am happy to unpack needs assessments and use cases! https://www.linkedin.com/in/daniellejjablanski/


QUESTION No.7: Is 'Wireshark' a popular tool for OT (environments)?


ANSWER: YEP! Here's a free PCAP analysis exercise: https://ampyxcyber.com/ics-pcap-analysis-challenge.


QUESTION No.8: When it comes to assessing vulnerabilities or exploitable risks in ICS/OT operational environments (along with the critical nature of OT assets), what are operationally safe (best practice) methods for identifying vulnerabilities, enabling patching, and other mitigation efforts pertaining to the ICS/OT Industry?


ANSWER: When writing OT advisories at CISA, we typically say remove internet connectivity, ensure network segmentation, and address remote access before patching, but I believe automated tools that do priority ranking for risk management are the best route to identifying vulnerabilities and reducing overall risk, though remediation efforts may not always result in patches.


QUESTION No.9: Can you comment on local log storage in ICS DMZ and log exports to cloud storage and analytics solutions from IR and overall RCA standpoint?



QUESTION No.10: All of these recommendations make sense but how do you scale these recommendations when you have hundreds or thousands of PLCs, HMIs, etc.? Do you have some recommendations to streamline and automate it?


ANSWER: Automation is the only answer for massive networks and distributed operations. Here's a recent publication on the basics though, https://www.cisa.gov/resources-tools/resources/foundations-ot-cybersecurity-asset-inventory-guidance-owners-and-operators.


QUESTION No.11: Is patching legacy (MS) systems something that could be automated, including anti-V?


ANSWER: Some systems may not be compatible with updated versions of Windows, and even some versions from OEMs are just now being rolled out for Windows 10, so auto updates may actually lead to incompatibility issues and knocking down systems.


QUESTION No.12: Are there any OT scenarios in which it might be practical to implement upgrades through incremental, parallel systems/solutions?


ANSWER: There are also fun ways to do things like re-IPing of systems with NAT that can be incremental as well so operations are not disrupted!


QUESTION No.13: With the expansion of AI use, what are examples that you've seen so far of actors using AI or potential uses of AI tools used by an environment to carry out LotL or attacks on the environment?


ANSWER: I agree with Chris, there are too many contingencies in OT currently to provide the type of repetitive learning and execution required, though this is an increasing concern for IT systems where routine exploits can easily be repeated and as Mandiant has proven, these intermediary systems can provide the access required to exploit OT. There are specific AI attack pattern mitigation strategies for OT here: https://www.dhs.gov/sites/default/files/2024-04/24_0426_dhs_ai-ci-safety-security-guidelines-508c.pdf.


QUESTION No.14: Crypto mining is also a power hungry beast that has the capacity to harvest even supercomputer capability, and energy, this is happening everywhere. Will policy ever catch up? I mean energy and economics... scary.


ANSWER: And we can't forget all the water it takes to cool them... big questions that are difficult to unpack but Andrew Bochman is someone to follow on this: https://www.linkedin.com/pulse/towards-grand-unified-theory-grid-risk-andrew-bochman-n2qkc/.


QUESTION No.15: Based on the "Theory of 99", do you see the threat landscape shifting towards more OT-based attacks, increasing by way of supply chain, nation state, AI, Wi-Fi enabled devices and cloud adoption?


ANSWER: I see a trend of threat actors doing more research on native functionality for OT/ICS so that if undetected access is possible they do not need exploits to operate critical systems, similar to the LotL techniques from IT.
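Two of the answers above touch the same practical skill: Q7 points to PCAP analysis as the way into OT traffic, and Q15 notes that adversaries increasingly rely on native protocol functionality rather than exploits. The following is an added example, not code from the event, the speakers or any linked resource. It parses a classic libpcap file without third-party libraries, decodes Modbus/TCP requests, and reports write function codes (coil and register writes, which are entirely legitimate protocol operations) coming from any host not on a constructed allowlist of known HMIs. The capture bytes are constructed inline, the IP addresses and the "trusted HMI" allowlist are hypothetical, and IP/TCP checksums are left at zero because the example never puts the frames on a wire.

```python
import struct
from dataclasses import dataclass

MODBUS_PORT = 502
# Function code names follow the Modbus application protocol specification.
MODBUS_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
# Codes that change controller state: no exploit needed, just protocol access.
WRITE_FUNCTIONS = {5, 6, 15, 16, 23}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    unit_id: int
    function: int
    payload: bytes


def iter_pcap_frames(data: bytes):
    """Yield raw Ethernet frames from a classic (libpcap, not pcapng) capture."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def extract_modbus(frame: bytes):
    """Return a ModbusRequest for a client->server Modbus/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # not TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    if len(tcp) < 20 or struct.unpack("!H", tcp[2:4])[0] != MODBUS_PORT:
        return None  # responses (src port 502) are ignored here
    mbap = tcp[(tcp[12] >> 4) * 4:]
    if len(mbap) < 8:
        return None
    _tid, proto, length, unit = struct.unpack("!HHHB", mbap[:7])
    if proto != 0:  # MBAP protocol id must be 0 for Modbus
        return None
    pdu = mbap[7:7 + length - 1]  # MBAP length counts unit id + PDU
    return ModbusRequest(src, dst, unit, pdu[0], pdu[1:])


def find_unexpected_writes(pcap: bytes, trusted_writers):
    """List (src, dst, unit, function name) for writes from hosts outside the allowlist."""
    findings = []
    for frame in iter_pcap_frames(pcap):
        req = extract_modbus(frame)
        if req is None or req.function not in WRITE_FUNCTIONS or req.src in trusted_writers:
            continue
        findings.append((req.src, req.dst, req.unit_id,
                         MODBUS_FUNCTIONS.get(req.function, f"fc{req.function}")))
    return findings


def _build_frame(src_ip, dst_ip, pdu, tid=1, unit=1):
    """Constructed Ethernet/IPv4/TCP/Modbus request; checksums are zero on purpose."""
    mbap = struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu
    tcp = struct.pack("!HHIIBBHHH", 49152, MODBUS_PORT, 1, 1, 0x50, 0x18, 8192, 0, 0) + mbap
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip + tcp


def build_sample_pcap():
    """Constructed capture: a known HMI (10.0.1.10) plus an unknown host (10.0.1.77)."""
    pdus = [
        ("10.0.1.10", "10.0.1.50", bytes([3, 0, 0, 0, 10])),              # HMI reads registers
        ("10.0.1.10", "10.0.1.50", bytes([6, 0, 0x10, 0x00, 0x01])),      # HMI writes a setpoint
        ("10.0.1.77", "10.0.1.50", bytes([5, 0, 0x01, 0xFF, 0x00])),      # unknown host forces coil ON
        ("10.0.1.77", "10.0.1.50", bytes([16, 0, 0, 0, 2, 4, 0, 0, 0, 0])),  # unknown host writes regs
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (s, d, pdu) in enumerate(pdus):
        frame = _build_frame(s, d, pdu, tid=i + 1)
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for finding in find_unexpected_writes(build_sample_pcap(), {"10.0.1.10"}):
        print("write from untrusted host:", finding)
```

The same allowlist-of-writers idea is what a Wireshark display filter such as `modbus.func_code in {5 6 15 16 23} && !(ip.src == 10.0.1.10)` expresses interactively; the script version is what you would drop into a scheduled job over a sensor's rolling captures once the baseline of who is allowed to write to which unit has been agreed with operations.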


QUESTION No.16: If we already know that controllers and legacy systems are vulnerable, then why do we need to go with penetration testing in OT?


ANSWER: Attack pattern analysis bridges the gap between TTPs and potential access & exploitation in a given environment. Doing these practices allows organizations to highlight and address risks to mitigate in the pursuit of continuous improvement, where efforts to avoid major downtime and improve the mean time to recovery for specific incidents can be sustainable and resilient.
