Securing the industrial enterprise - an engineering blueprint.
A practitioner's reference for executives, architects, and operations leaders accountable for the cybersecurity of operational technology. IEC 62443. NIST SP 800-82 Rev. 3. NIST CSF 2.0. The Purdue Reference Model. Delivered as engineering, not slideware.
- Audience: CISOs, OT-CISOs, Plant & Engineering
- Length: 10 sections · ~25 min read
- Anchored to: IEC 62443 · 800-82r3 · CSF 2.0
- Status: v1.0 · January 2026
What this guide covers - and how to read it.
The structure mirrors the four phases of the BlackHawk OT program - Discovery, Standardization, Implementation, Operation - bracketed by context at the front and managed-services + engagement detail at the back. Each section is self-contained: read in sequence, or jump to a phase for reference mid-engagement.
The companion Solutions Brief is the two-page executive read. The companion OT Cybersecurity Practice page is the public-facing summary. This Technical Guide is the practitioner's reference - circulate it to architects, engineers, and program managers who will be accountable for delivery.
Why operational technology must be addressed separately.
The myth of the air-gapped plant is dead. Convergence is not a future state - it is an existing condition discovered, often to the surprise of leadership, through historian replication, ERP/MES integration, OEM remote support, contractor laptops, and cellular modems on PLCs.
IT priority order (C-I-A):
- Confidentiality. Protect data first.
- Integrity. No tampering at rest or in transit.
- Availability. Downtime is recoverable.
OT priority order (S-A-I-C):
- Safety. A logic controller can vent toxic chemicals.
- Availability. 90 sec downtime spoils a seven-figure batch.
- Integrity. Tampered logic is more dangerous than tampered data.
- Confidentiality. Often the least relevant dimension.
“Patches cannot be applied during business hours. Endpoint agents cannot be deployed onto a 12-year-old engineering workstation. Active vulnerability scanning will brick a PLC running Modbus TCP. OT must be secured around its constraints - not in spite of them.”
The threat landscape.
Four pressure points have moved OT security from advisable to urgent: ransomware operators who target OT-adjacent IT for leverage, nation-state actors pre-positioning for disruption, unmanaged third-party remote access, and regulators plus underwriters who have moved from voluntary guidance to enforceable directive.
Ransomware operators
Modern crews explicitly target OT-adjacent IT because production downtime is the most reliable leverage for payment. IT compromise drives OT shutdown.
Nation-state pre-positioning
VOLTZITE, ELECTRUM, KAMACITE, CHERNOVITE, PIPEDREAM - these actors have shifted from collection to pre-positioning for disruption. Only OT-aware monitoring sees them.
Insider & third-party access
Unmanaged remote-access pathways are the single most common OT entry point: typically an integrator, OEM, or contractor account with persistent shared credentials.
Regulators & underwriters
TSA, EPA, NERC CIP, NIS2, SEC. Cyber insurance carriers refusing renewals without documented OT segmentation, MFA, monitoring.
Phase 1 - Discovery & Assessment.
Discover. Document. Baseline.
3.1 Workstreams
| Workstream | What is delivered | Method |
|---|---|---|
| Passive asset discovery | Inventory of every OT-resident or OT-touching device - make, model, firmware, protocol set, communication peers. | passive · SPAN/TAP |
| Engineering walkdowns | Physical confirmation at representative sites. Cable traces, switch closets, modems, undocumented kiosks, OEM installs. | on-site |
| Data-flow mapping | Every cross-Purdue communication overlaid on the architecture: protocol, direction, ports, business justification. | passive + interview |
| Remote-access enumeration | Every named, shared, and forgotten pathway used by an integrator, OEM, or contractor. Frequently exceeds the client's expectation by 3-8x. | interview + scan |
| Risk & maturity baseline | Maturity scored against NIST CSF 2.0 (Govern, Identify, Protect, Detect, Respond, Recover) and IEC 62443 control families. Crown-jewel modeling and MITRE ATT&CK for ICS overlay. | workshop |
3.2 Deliverables
- Asset inventory. Every device, by Purdue level, with confidence rating.
- Current-state architecture diagram. Connectivity, segmentation, conduits, ownership boundaries - including the undocumented ones.
- Risk & maturity assessment. CSF 2.0 scored at Function and Category. IEC 62443 control alignment.
- Threat-model overlay. Crown-jewel impact narratives mapped to MITRE ATT&CK for ICS techniques.
- Prioritized roadmap. Findings ranked by likelihood × consequence, with a defensible cost band and sequencing.
- Board-ready executive read-out. A 12-18 slide narrative for the audit committee - not a recycled assessment deck.
3.3 How we work - passive before active, always
Discovery activity in Phase 1 is overwhelmingly passive. SPAN/TAP captures and configuration review are preferred. Active scanning is conducted only against IT-Level systems (Level 3.5 and above) and only with named engineering sign-off. We do not, ever, run an active scan against a Level 1 or 2 device without an explicit safety case and written approval. The first deliverable of every Phase 1 is the Rules of Engagement document - co-signed between BlackHawk and the client - that codifies these boundaries.
In one recent industrial assessment, a SPAN capture on the operations core uplink at week three returned 41 communicating endpoints; the CMDB listed 27. By week six, after adding aggregation points at two additional sites, the inventory was 73. Phase 1 routinely finds 30-60% more than CMDB on this dimension alone - and that is the most quotable but least surprising of the discoveries.
Phase 2 - Standardization & Governance.
Codify. Align. Make repeatable.
4.1 Deliverables
| Deliverable | What it codifies |
|---|---|
| OT security policy | The OT-specific overlay on the corporate ISMS. Scope, ownership, exception process. Mapped to IEC 62443, NIST 800-82r3, NIST CSF 2.0. |
| IT/OT RACI | Named accountability for every function across the IT/OT boundary - patching, identity, monitoring, incident response, change management, vendor remote access. |
| Target Purdue reference architecture | Site-archetype reference diagrams. iDMZ design. Zone-and-conduit catalog with assigned security levels (SL-T 1-4). |
| Configuration baselines | Hardened baselines for engineering workstations, HMI hosts, historians, industrial firewalls, OT-aware switches. Versioned. Backwards-tracked against approved change. |
| Approved-products list | Detection, segmentation, secure-remote-access, identity, EDR. Including rationale for each selection and rejection criteria for substitutes. |
| Incident response plan & playbooks | OT-specific IR procedures for the five highest-likelihood scenarios. Roles, comms tree, escalation paths, regulator-notification obligations. |
| Change management | The OT change-control process - distinct from the IT one. Outage-window alignment. Engineering review gates. |
4.2 The IT/OT RACI is the document that matters most
Of the Phase 2 deliverables, the IT/OT RACI is the one we have come to consider the most consequential. Programs fail far more often on ownership ambiguity than on technical gaps. Who pages whom when an OT alert fires at 02:00? Who approves a firmware update at a substation? Who is accountable for the integrity of the OEM remote-access pathway? These questions are rarely answered cleanly before Phase 2 - and Phase 4 operations cannot run without them answered in writing.
BlackHawk's Phase 2 deliverables draw on a reference library refined across two decades of OT engagements. Clients do not pay us to invent a security policy from scratch - they pay us to adapt a battle-tested one to their environment in twelve weeks rather than twelve months.
Phase 3 - Secure Architecture & Implementation.
Engineer the controls. Sequence around production.
5.1 The eight Phase 3 workstreams
| Workstream | What is built | IEC 62443 SL-T |
|---|---|---|
| Segmentation | Industrial firewalls at every Level 5<->4, Level 4<->3.5 (iDMZ), and intra-Level-3 functional zone. Inspection at conduit. Per-zone allow lists, default-deny posture. | SL 2-3 |
| Industrial DMZ build-out | Hardened jump hosts. Brokered historian replication. Patch staging. Anti-malware update staging. Reverse-proxy services. | SL 3 |
| Secure remote access | Cyolo · Dispel · Xona · Claroty xDome SRA - selection per environment. MFA-fronted, just-in-time, session-recorded. Removes named integrator and OEM VPN accounts. | SL 3-4 |
| Identity & PAM | Identity vaulting and credential rotation extended into OT to the degree the equipment supports it. PAM for OEM service accounts, jump hosts, historian replication, PLC project-file credentials. | SL 3 |
| Endpoint hardening | Application allowlisting (advisory before enforcement) on engineering workstations and HMIs. OT-tolerant EDR where vendor-supported. | SL 2-3 |
| Resilience & backups | PLC project files, HMI configurations, historian databases on media unreachable by ransomware. Restoration exercised on a representative process before sign-off. | SL 2 |
| OT detection sensors | Passive sensors deployed at iDMZ uplinks and Level-2 aggregation. Behavioral baseline run for 30-60 days before detection content is enabled in production. | SL 2 |
| Out-of-band management | The security infrastructure does not depend on the production network it protects. Dedicated management plane, separately routed. | SL 3 |
5.2 Reference iDMZ design - what every cross-domain flow looks like
The single highest-value architectural rule across thousands of OT site-deployments: every cross-Purdue session terminates in the iDMZ. No engineer's laptop ever has simultaneous, direct Layer-3 connectivity to both Level 4 and Level 3. This rule alone closes the dominant lateral-movement path in OT.
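The two checks a passive sensor applies to the flows it sees are the ones described in the 5.1 "OT detection sensors" row (learn a peer baseline, then alert on deviation) and in the rule above (every cross-Purdue session terminates in the iDMZ). The following is an added example, not BlackHawk's code or any vendor's detection content: it maps constructed subnets to Purdue levels, classifies each flow against the iDMZ termination rule, and separately flags tuples that never appeared during the baseline window. All zone subnets, hosts, ports and flow records are constructed for the example.

```python
"""Added example, not BlackHawk's code: evaluate constructed OT flow records
against the iDMZ termination rule (every cross-Purdue session terminates in
Level 3.5) and against a learned peer baseline, as a passive sensor would.
Zone subnets, hosts and flows below are constructed for the example."""
import ipaddress
from collections import namedtuple

# Constructed zone map: subnet -> (zone name, Purdue level). 3.5 is the iDMZ.
ZONES = [
    (ipaddress.ip_network("10.10.0.0/16"), "L4-enterprise", 4.0),
    (ipaddress.ip_network("10.35.0.0/24"), "L3.5-iDMZ", 3.5),
    (ipaddress.ip_network("10.30.0.0/16"), "L3-site-ops", 3.0),
    (ipaddress.ip_network("192.168.20.0/24"), "L2-supervisory", 2.0),
    (ipaddress.ip_network("192.168.10.0/24"), "L1-controllers", 1.0),
]

Flow = namedtuple("Flow", "src dst proto dport")


def purdue_level(ip):
    """Map an address to its Purdue level, or None if it is not in the zone map."""
    addr = ipaddress.ip_address(ip)
    for net, _name, level in ZONES:
        if addr in net:
            return level
    return None


def classify(flow):
    """Classify one flow: brokered / violation / unknown / intra."""
    s, d = purdue_level(flow.src), purdue_level(flow.dst)
    if s is None or d is None:
        return "unknown"        # endpoint absent from the zone map: an inventory gap
    if 3.5 in (s, d):
        return "brokered"       # session terminates in the iDMZ, as the rule requires
    if (s >= 4) != (d >= 4):
        return "violation"      # direct Layer-3 session across the L4 / L3 boundary
    return "intra"              # stays on one side of the boundary


def peer_baseline(flows):
    """Learn the set of (src, dst, proto, dport) tuples seen in the baseline window."""
    return {(f.src, f.dst, f.proto, f.dport) for f in flows}


def audit(flows, baseline):
    """Bucket flows by policy outcome and list tuples never seen in the baseline."""
    report = {"brokered": [], "violation": [], "unknown": [], "intra": [], "novel": []}
    for f in flows:
        report[classify(f)].append(f)
        if (f.src, f.dst, f.proto, f.dport) not in baseline:
            report["novel"].append(f)
    return report


# Constructed baseline window: what the sensor saw during the learning period.
BASELINE = peer_baseline([
    Flow("10.10.5.23", "10.35.0.10", "tcp", 3389),    # engineer -> iDMZ jump host
    Flow("10.35.0.10", "10.30.1.5", "tcp", 3389),     # jump host -> L3 engineering workstation
    Flow("10.30.1.5", "192.168.20.3", "tcp", 44818),  # L3 workstation -> L2 HMI (EtherNet/IP)
    Flow("192.168.20.3", "192.168.10.7", "tcp", 502), # HMI -> PLC (Modbus TCP)
])

# Constructed production window: the baseline flows plus three that should be flagged.
PRODUCTION = [
    Flow("10.10.5.23", "10.35.0.10", "tcp", 3389),
    Flow("10.35.0.10", "10.30.1.5", "tcp", 3389),
    Flow("10.30.1.5", "192.168.20.3", "tcp", 44818),
    Flow("192.168.20.3", "192.168.10.7", "tcp", 502),
    Flow("10.10.5.23", "192.168.10.7", "tcp", 502),   # laptop straight to a PLC: bypasses the iDMZ
    Flow("10.10.8.1", "10.30.2.20", "tcp", 1433),     # ERP straight to the historian: bypasses the iDMZ
    Flow("172.16.99.4", "192.168.10.7", "tcp", 502),  # source not in the zone map
]

if __name__ == "__main__":
    for bucket, flows in audit(PRODUCTION, BASELINE).items():
        for f in flows:
            print(f"{bucket:9} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

The "unknown" bucket is deliberately separate from "violation": a flow whose endpoint is not in the zone map is first an inventory finding (feed it back to Phase 1 discovery), and only becomes a policy finding once the zone is known. The "novel" bucket is what detection content built on a 30-60 day baseline alerts on; the policy buckets work from day one because they depend on the architecture, not on learned behaviour.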
5.3 Vendor-agnostic tooling matrix
BlackHawk Data is vendor-agnostic. We carry current engineering certification across every leading OT platform listed below. The selection in any individual engagement is made for the client's environment - never for ours. Selection criteria are documented in the Phase 1 report and validated against the approved-products list maintained in Phase 2.
- Claroty xDome / CTD
- Dragos Platform
- Nozomi Guardian
- Armis Centrix
- Cisco Cyber Vision
- Fortinet OT FortiGate / FortiSwitch
- Palo Alto NGFW / IoT Security
- Cisco IND / ISE / Catalyst IE
- Tenable OT Security
- Cyolo PRO
- Dispel Enclave
- Xona Platform
- Claroty xDome SRA
- CyberArk PAM / Endpoint
- Delinea Secret Server
- BeyondTrust Privilege Mgmt
- Microsoft Sentinel / Defender
- Splunk ES / SOAR
- CrowdStrike Falcon
- SentinelOne Singularity
- Rubrik OT
- Veeam + immutable repo
- Native PLC vendor config-mgmt suites
5.4 Sequencing - production-first, pilot before mass deployment
Phase 3 is sequenced by site, not by control. The standard sequence: (1) deploy detection passively first; (2) stand up iDMZ and segmentation at one pilot site through one outage window; (3) introduce secure remote access, retiring named VPN accounts site by site; (4) identity and PAM rolled out site by site in alignment with the OEM service-account audit; (5) endpoint hardening last - and in advisory mode first. Every workstream runs site-by-site, not estate-wide.
5.5 Exit criteria for Phase 3
- >=95% of OT-resident assets reconciled to inventory and continuously monitored.
- 100% of remote-access sessions brokered, MFA-fronted, and recorded. Named integrator and OEM VPN accounts retired.
- Zero direct cross-Purdue Layer-3 sessions: every cross-domain flow terminates in the iDMZ.
- Offline, exercised backups for PLC projects, HMI configurations, and historian databases on a representative process.
- Detection content live at iDMZ uplinks and Level-2 aggregation, with 30-60 day behavioral baseline complete.
- Out-of-band management plane in place: the security infrastructure does not depend on the production network it protects.
- Five highest-likelihood OT IR scenarios documented, walked through, lessons fed back to runbooks.
Phase 3 is generally not the right vehicle for in-place PLC firmware upgrades. Those decisions remain with engineering and process-safety. Where compensating controls are required - network access controls in front of vulnerable controllers, intrusion-detection signatures, monitored configuration baselines - Phase 3 designs and installs them.
Phase 4 - Operational Security Monitoring.
Operate. Detect. Improve continuously.
6.1 The 24x7 OT SOC
BlackHawk's OT SOC is staffed by analysts with industrial-control backgrounds in addition to security certifications. Detection content is mapped to MITRE ATT&CK for ICS rather than to IT-only frameworks. Runbooks are written for OT - they will not, ever, ask the on-call engineer to reboot a safety-instrumented system. Incident escalation runs through both the IT incident commander and an OT-specific path so that engineering is always informed of, and consulted on, actions taken inside the operational network.
6.2 Service-level expectations
| Service tier | Critical-alert ack | Analyst response | Executive notification |
|---|---|---|---|
| Essentials | 30 min (business hours) | 60 min | 2 hours |
| Advanced | 15 min (24x7) | 30 min | 1 hour |
| Enterprise | 10 min (24x7) | 20 min · named POD | 30 min |
6.3 Continuous workstreams within Phase 4
Threat hunting
Monthly hunts driven by sector-specific tradecraft observations. Hypothesis-led, with documented hunt-and-find or hunt-and-not-find rationale either way.
Vulnerability & advisory management
Continuous vendor advisory ingestion. Patch advisory with engineered change-window recommendations. Compensating-control management for vulnerabilities that cannot be patched.
Asset reconciliation
Continuous reconciliation of the OT asset inventory against the operating reality. New device introduction triggers a change-management hook.
Detection-content lifecycle
Detection rules tuned monthly against false-positive rate. New analytic content added quarterly as threat intelligence and client environment evolve.
IR exercising
Functional exercises beyond the annual tabletop. Lessons-learned items reviewed within the quarterly business review, not stored in a drawer.
Governance & reporting
Monthly operational report. Quarterly business review framed in NIST CSF 2.0 language for audit committees. Annual board-level brief.
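The asset-reconciliation workstream above is the continuous form of the Phase 1 exercise in section 3.3 (41 observed endpoints against 27 CMDB rows). The following is an added example, not BlackHawk's tooling: it matches passively observed endpoints to a CMDB export by MAC with an IP fallback, separates devices that are on the wire but not in the CMDB from CMDB rows never seen on the wire, queues a change-management ticket for each undocumented device, and reports the gap as a percentage of the CMDB count. All hostnames, addresses, MACs and CMDB rows are constructed.

```python
"""Added example, not BlackHawk's code: reconcile passively observed endpoints
against a CMDB export, report the gap, and queue a change-management hook for
each undocumented device. Addresses, MACs and CMDB rows are constructed."""
from dataclasses import dataclass, field


@dataclass
class Observed:
    ip: str
    mac: str
    protocols: frozenset    # protocol/port pairs seen on the wire for this host
    purdue_level: int
    confidence: str         # "high" when seen repeatedly, "low" when seen once


@dataclass
class Reconciliation:
    matched: list = field(default_factory=list)       # (observed, cmdb row) pairs
    undocumented: list = field(default_factory=list)  # on the wire, not in the CMDB
    unseen: list = field(default_factory=list)        # in the CMDB, never observed
    tickets: list = field(default_factory=list)       # change-management hook payloads


def reconcile(observed, cmdb):
    """Match observed endpoints to CMDB rows by MAC first, then by IP."""
    by_mac = {row["mac"].lower(): i for i, row in enumerate(cmdb) if row.get("mac")}
    by_ip = {row["ip"]: i for i, row in enumerate(cmdb) if row.get("ip")}
    result = Reconciliation()
    seen = set()
    for host in observed:
        idx = by_mac.get(host.mac.lower())
        if idx is None:
            idx = by_ip.get(host.ip)
        if idx is not None:
            result.matched.append((host, cmdb[idx]))
            seen.add(idx)
        else:
            result.undocumented.append(host)
            # New device introduction triggers the change-management hook.
            result.tickets.append({
                "type": "new-ot-device",
                "ip": host.ip,
                "mac": host.mac,
                "purdue_level": host.purdue_level,
                "protocols": sorted(host.protocols),
                "confidence": host.confidence,
                "action": "engineering to confirm ownership before inventory acceptance",
            })
    result.unseen = [row for i, row in enumerate(cmdb) if i not in seen]
    return result


def gap_percent(result):
    """Undocumented devices as a percentage of the CMDB count."""
    cmdb_count = len(result.matched) + len(result.unseen)
    return round(100.0 * len(result.undocumented) / cmdb_count, 1) if cmdb_count else 0.0


# Constructed CMDB export. PLC-09 is a decommissioned controller still listed.
CMDB = [
    {"name": "HIST-01", "ip": "10.30.2.20", "mac": "00:1a:2b:00:00:20"},
    {"name": "EWS-01", "ip": "10.30.1.5", "mac": "00:1a:2b:00:00:05"},
    {"name": "HMI-03", "ip": "192.168.20.3", "mac": "00:1a:2b:00:20:03"},
    {"name": "PLC-07", "ip": "192.168.10.7", "mac": "00:80:f4:00:10:07"},
    {"name": "PLC-09", "ip": "192.168.10.9", "mac": "00:80:f4:00:10:09"},
]

# Constructed SPAN-capture inventory. The last three hosts are not in the CMDB.
OBSERVED = [
    Observed("10.30.2.20", "00:1A:2B:00:00:20", frozenset({"tcp/1433"}), 3, "high"),
    Observed("10.30.1.5", "00:1a:2b:00:00:05", frozenset({"tcp/3389", "tcp/44818"}), 3, "high"),
    Observed("192.168.20.3", "00:1a:2b:00:20:03", frozenset({"tcp/44818", "tcp/502"}), 2, "high"),
    Observed("192.168.10.7", "00:80:f4:00:10:07", frozenset({"tcp/502"}), 1, "high"),
    Observed("192.168.10.21", "00:80:f4:00:10:21", frozenset({"tcp/502"}), 1, "high"),
    Observed("192.168.20.40", "00:0c:29:aa:bb:40", frozenset({"tcp/3389"}), 2, "low"),
    Observed("10.30.3.200", "00:50:56:11:22:33", frozenset({"tcp/4443"}), 3, "high"),
]

if __name__ == "__main__":
    r = reconcile(OBSERVED, CMDB)
    print(f"matched={len(r.matched)} undocumented={len(r.undocumented)} "
          f"unseen={len(r.unseen)} gap={gap_percent(r)}%")
    for t in r.tickets:
        print("ticket:", t)
```

The MAC-first match matters in OT because addresses on a cell network are frequently reused or statically reassigned during commissioning, while the controller's MAC is stable. Applied to the section 3.3 figures, with all 27 CMDB rows matched and 14 undocumented endpoints, the same gap formula gives 14/27, roughly 52%, inside the 30-60% range the text quotes.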
The discovery analyst becomes the standardization architect becomes the implementation lead becomes the SOC incident commander. The Virtual OT-CISO who first meets your CISO is the same person who presents to your board two years later. Long-tenured BlackHawk clients tell us this continuity is the single most consistent piece of feedback they offer.
Managed services portfolio.
Three coverage tiers, modular by design. Most clients do not consume every BlackHawk service from day one. Coverage typically begins with assessment and advisory, broadens through detection and response during Phase 3, and reaches full operational coverage by the end of Phase 4 onboarding.
Essentials
- SOC: business hours
- Visibility: quarterly inventory
- IR retainer: on-call (T+4)
- OT-CISO: quarterly review
- Tabletop: annual
Advanced
- SOC: 24x7x365
- Visibility: monthly + feed
- IR retainer: named team (T+1)
- OT-CISO: monthly engagement
- Tabletop: annual + 2 functional
- SLA: 15-min ack / 30-min resp
Enterprise
- SOC: 24x7 dedicated POD
- Visibility: real-time
- IR retainer: embedded on-site
- OT-CISO: fractional or embedded
- Tabletop: continuous calendar
Twenty years of OT networking. First certified Fortinet OT partner in the U.S.
Our OT practice is not a rebadged IT security team. Our assessors, engineers, and SOC analysts hold backgrounds in process control, electrical engineering, industrial networking, and plant operations - in addition to security certifications. We hire from the floor as well as the SOC.
A specialized OT team, anchored by a U.S. industry first.
BlackHawk Data was the first certified Fortinet OT partner in the United States - a designation we hold alongside engineering certification across the leading detection, segmentation, secure-remote-access, and identity platforms used in industrial environments.
Engagement model & commercials.
BlackHawk's commercial posture is phase-aware. Fixed-fee for the diagnostic phases. Engineered, capped, or T&M for implementation. Subscription for managed operations. Sales does not lead with tier and price; the tier that fits is the one that discovery and Phase 1 reveal.
Land with insight; expand with outcome. The Phase 1 diagnostic carries its own fixed fee and stands alone - clients can take its findings and walk. Most do not.
Glossary & references.
A concise reference for the standards, acronyms, and terms used throughout this guide. For deeper reading, see IEC 62443-3-3, NIST SP 800-82r3, MITRE ATT&CK for ICS, and the CISA Cross-Sector CPGs.
- iDMZ: Industrial Demilitarized Zone. The Level 3.5 broker layer between site IT (Level 4) and site operations (Level 3) where all cross-Purdue sessions terminate.
- IEC 62443: The ISA/IEC family of standards for industrial automation and control systems security. Primary technical reference for zone & conduit design and security level targets (SL-T 1-4).
- MITRE ATT&CK for ICS: A knowledge base of adversary tactics, techniques, and procedures observed against industrial control systems. Used by BlackHawk for threat modeling and detection content.
- NIST CSF 2.0: The NIST Cybersecurity Framework version 2.0. Six functions: Govern, Identify, Protect, Detect, Respond, Recover. Used by BlackHawk for executive maturity scoring.
- NIST SP 800-82r3: NIST Special Publication 800-82 Revision 3. The operational reference for ICS-specific control selection and compensating controls.
- PBOM: Plan / Build / Operate / Manage. BlackHawk Data's proprietary lifecycle methodology applied to every managed engagement.
- PLC: Programmable Logic Controller. The industrial computer that runs control logic for a physical process. Cannot, generally, run endpoint agents or accept active scans.
- Purdue Reference Model: An architectural framework derived from the ISA-95 enterprise reference architecture. Defines six levels (0-5) of industrial computing.
- SL-T 1-4: Security Level Target. IEC 62443 numeric rating for the level of security a zone or conduit must provide. SL-T 1 is casual or coincidental violations; SL-T 4 is state-actor capability.
- S-A-I-C: Safety, Availability, Integrity, Confidentiality. The priority inversion that distinguishes OT from IT (IT runs C-I-A).
Schedule a working session with BlackHawk OT practice leadership.
Within ten business days you receive a fixed-fee Phase 1 diagnostic proposal and a written point of view on the highest-priority risks specific to your environment.
