OT Cybersecurity · Engineering-led, outcome-driven

The plant floor is on the internet. We've already engineered for it.

Industrial control systems were built for isolation. They live in convergence. BlackHawk's OT Cybersecurity Practice secures the networks, identities, and operations that run critical infrastructure - through a four-phase program anchored in IEC 62443, NIST SP 800-82 Rev. 3, NIST CSF 2.0, and the Purdue Reference Model.

The program at a glance

  • 01
    Discovery & Assessment
    Establish ground truth: assets, architecture, exposure, and risk.
  • 02
    Standardization & Governance
    Codify policies, reference architecture, and the IT/OT operating model.
  • 03
    Secure Architecture & Implementation
    Engineer segmentation, identity, remote access, and resilience.
  • 04
    Operational Security Monitoring
    24x7x365 OT SOC. Run a continuously assured environment.
  • 20 yrs of OT networking expertise in-house
  • 1st certified Fortinet OT partner in the U.S.
  • 24x7x365 OT-native SOC analysts on shift
  • 30-60% more OT assets discovered vs. existing CMDB

The threat landscape

Operational Technology is the soft underbelly of the modern enterprise.

For three decades, industrial control systems ran on the assumption that physical isolation and protocol obscurity were sufficient defense. That assumption is no longer defensible. The blast radius is no longer just data - it is production output, public safety, and environmental compliance.

Ransomware operators

Modern crews - Royal, Akira, Play, RansomHub, ALPHV variants - explicitly target OT-adjacent IT because production downtime is the most reliable leverage for payment. The 2021 pipeline shutdown did not require touching the SCADA system; operators shut OT down preemptively to protect safety.

The pattern

IT compromise drives OT shutdown. Segmentation alone is not enough - IT must be trustworthy.

Nation-state pre-positioning

VOLTZITE, ELECTRUM, KAMACITE, CHERNOVITE, and the cluster behind PIPEDREAM have demonstrated capability against Modbus, OPC UA, CODESYS, and S7. Geopolitical posture has shifted these actors from collection to pre-positioning for disruption. Water, energy, transportation, and manufacturing are the named targets.

The pattern

Quiet, long-dwell intrusions intended for future disruption. Only OT-aware monitoring sees them.

Insider & third-party access

The most consistent root cause we observe in OT incidents is not a sophisticated zero-day. It is an integrator, OEM, or contractor with persistent unmonitored remote access - often via a single shared credential or a TeamViewer install nobody can recall authorizing.

The pattern

Unmanaged remote-access pathways are the single most common OT entry point. Solvable in Phase 3.

Regulators & underwriters

TSA Security Directives. EPA assessment requirements. NERC CIP. NIS2. SEC disclosure rules. Cyber insurance carriers refusing renewals on industrial operators without documented OT segmentation, MFA, and monitoring. Voluntary guidance has become enforceable directive.

The pattern

The roadmap that answers regulators is the same roadmap that satisfies underwriters.

The cost of standing still

3-8 undocumented remote-access pathways per site · 30-60% assets hidden from CMDB · Level-2 exposure to corporate IT

Why OT is structurally different

IT inverts the OT triad. Securing one with the other's playbook is how programs fail.

Information technology is built around C-I-A - confidentiality first. Operational technology inverts that ordering. A control system that loses availability for ninety seconds can spoil a production batch worth seven figures. Confidentiality is often the least relevant dimension.

Information Technology
C-I-A
  • Confidentiality
    Protect data first; everything else follows.
  • Integrity
    Data must not be tampered with in transit or at rest.
  • Availability
    Systems should be reachable; downtime is recoverable.
Operational Technology
S-A-I-C
  • Safety
    A logic controller can vent toxic chemicals or mis-route a train.
  • Availability
    90 seconds of downtime spoils a production batch worth seven figures.
  • Integrity
    Tampered process logic is more dangerous than tampered data.
  • Confidentiality
    Often the least relevant dimension in OT.

“Patches cannot be applied during business hours. Endpoint agents cannot be deployed onto a 12-year-old engineering workstation. Active vulnerability scanning will brick a PLC running Modbus TCP. OT must be secured around its constraints - not in spite of them.”

The BlackHawk OT program

Four sequenced phases. Engineered for production schedules - not consulting calendars.

Every meaningful OT program begins with answering four deceptively simple questions: what do we own, where does it live, what talks to what, and what's our exposure? Few industrial operators can answer all four with confidence. The phases below close that gap.

PHASE 01 · Discover

Discovery & Assessment

  • Passive asset & protocol discovery
  • Engineering walkdowns at representative sites
  • Data-flow & Purdue-model overlay
  • Risk & maturity baseline (NIST CSF 2.0 / IEC 62443)
  • Crown-jewel & MITRE ATT&CK for ICS modeling
8-14 weeks · mostly passive · single quarter to ground truth
PHASE 02 · Standardize

Standardization & Governance

  • OT-specific security policy & IT/OT RACI
  • Target-state Purdue reference architecture
  • iDMZ design, zone & conduit catalog
  • Approved-products list, configuration baselines
  • OT incident response plan & playbooks
10-16 weeks · parallelizable with Phase 1 closeout
PHASE 03 · Engineer

Secure Architecture & Implementation

  • Industrial firewalls at every Purdue boundary
  • iDMZ build-out, broker-based historian replication
  • Secure remote access - Cyolo / xDome / Dispel / Xona
  • MFA, session brokering, PAM for OEM accounts
  • OT-tolerant EDR, offline backups, sensor deployment
6-18 months · sequenced around production schedules
PHASE 04 · Operate

Operational Security Monitoring

  • 24x7 OT SOC - analysts with ICS backgrounds
  • MITRE ATT&CK for ICS detection content
  • Behavioral baselining & threat hunting
  • Continuous vulnerability & compensating-control management
  • Monthly ops · quarterly QBR · annual board review
Ongoing managed service · run alongside the client for years

Continuity is a design choice. The discovery analyst becomes the standardization architect becomes the implementation lead becomes the SOC incident commander. The Virtual OT-CISO who first meets your CISO is the same person who presents to your board two years later.
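As an added illustration of the Phase 1 data-flow and Purdue-model overlay and the Phase 3 zone-and-conduit boundaries (example code written for this page, not BlackHawk's tooling): flow summaries as a passive SPAN/TAP sensor would report them are mapped onto an assumed asset-to-Purdue-level CMDB and checked against an assumed approved-conduit list, so undocumented assets and cross-boundary paths surface without a single packet being sent to a device. The IP addresses, levels, ports and conduit policy are all constructed.

```python
# Well-known ICS/IT ports used to label protocols passively (constructed subset).
PROTO_BY_PORT = {502: "Modbus/TCP", 102: "S7comm", 4840: "OPC UA",
                 44818: "EtherNet/IP", 3389: "RDP", 443: "HTTPS"}

# Assumed CMDB: host -> Purdue level (3.5 is the iDMZ). Constructed values.
ASSET_LEVEL = {
    "10.0.1.10": 1, "10.0.1.11": 1,   # PLCs
    "10.0.2.20": 2,                   # HMI / SCADA server
    "10.0.3.30": 3,                   # site historian
    "10.0.35.5": 3.5,                 # iDMZ historian replica / jump host
    "10.1.0.50": 4, "10.1.0.99": 4,   # corporate app server, corporate laptop
}

# Approved conduits as (source level, destination level, protocol). Cross-level
# traffic not listed here is a finding; traffic inside one level is allowed.
APPROVED_CONDUITS = {
    (2, 1, "Modbus/TCP"), (2, 1, "S7comm"), (3, 2, "OPC UA"),
    (3, 3.5, "HTTPS"), (4, 3.5, "HTTPS"), (4, 3.5, "RDP"),
}

def overlay_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, packet_count) from a passive sensor.
    Returns (inventory, findings): inventory maps every host seen on the wire to its
    level and protocols; findings lists flows that have no approved conduit."""
    inventory, findings = {}, []
    for src, dst, dport, pkts in flows:
        proto = PROTO_BY_PORT.get(dport, f"tcp/{dport}")
        for ip in (src, dst):   # every host observed becomes an inventory entry
            entry = inventory.setdefault(ip, {"level": ASSET_LEVEL.get(ip), "protocols": set()})
            entry["protocols"].add(proto)
        s_lvl, d_lvl = ASSET_LEVEL.get(src), ASSET_LEVEL.get(dst)
        if s_lvl is None or d_lvl is None:
            reason = "undocumented asset (absent from CMDB)"
        elif s_lvl != d_lvl and (s_lvl, d_lvl, proto) not in APPROVED_CONDUITS:
            reason = f"no approved conduit for level {s_lvl} -> {d_lvl} over {proto}"
        else:
            continue
        findings.append({"src": src, "dst": dst, "proto": proto, "pkts": pkts, "reason": reason})
    return inventory, findings

def undocumented_assets(inventory):
    """Hosts observed passively that the CMDB (ASSET_LEVEL) does not list."""
    return sorted(ip for ip, e in inventory.items() if e["level"] is None)

# Constructed flow summaries; the last three are the kind of finding Phase 1 surfaces.
SAMPLE_FLOWS = [
    ("10.0.2.20", "10.0.1.10", 502, 1200),  # HMI -> PLC Modbus: approved conduit
    ("10.0.3.30", "10.0.2.20", 4840, 300),  # historian -> SCADA OPC UA: approved
    ("10.0.3.30", "10.0.35.5", 443, 40),    # historian -> iDMZ replica: approved
    ("10.1.0.50", "10.0.35.5", 443, 80),    # corporate -> iDMZ: approved
    ("10.0.1.10", "10.0.1.11", 502, 5),     # PLC peer traffic inside Level 1: allowed
    ("10.1.0.99", "10.0.1.11", 502, 15),    # corporate laptop straight to a PLC
    ("10.1.0.99", "10.0.2.20", 3389, 9),    # RDP into Level 2, bypassing the iDMZ
    ("10.0.1.77", "10.0.1.10", 502, 500),   # device nobody inventoried polling a PLC
]
```

Running `overlay_flows(SAMPLE_FLOWS)` returns eight observed assets, one of them absent from the CMDB, and three flows without an approved conduit; the same structure can be fed from real sensor exports once the level map reflects the site.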

Five guiding principles

What we will - and will not - do.

We treat the OT program as an engineering discipline, not a compliance exercise. These five principles govern every design decision and every operational call. The first “no” is sometimes the most valuable thing a partner can offer.

01

Safety and uptime are non-negotiable

Every control is evaluated against process safety and production availability before its security benefit is weighed. Passive before active. Advisory before blocking.

02

Visibility before action

You cannot defend what you cannot see. Passive discovery typically yields a 30-60% increase in known asset count in six weeks. Until visibility is established, prioritization is guesswork.

03

Segmentation is the highest-leverage control

If we could only deploy one control, it would be properly engineered network segmentation. Detection without segmentation is monitoring a fire as it spreads.

04

Identity is the new perimeter - including machines

Every human and machine identity is vaulted, rotated, monitored, and revoked. Including OEM service accounts, jump hosts, historian replication, and PLC project-file credentials.

05

The program must outlive the project

A consulting engagement that produces a binder and disappears is worse than no engagement at all. We transition into a managed operating state with named owners and QBRs.

What we will not do. Run active vulnerability scans against Level 1 or 2 OT devices without explicit engineering sign-off. Deploy endpoint agents onto safety-instrumented systems. Bridge segmentation we have engineered for client convenience.

Field engineer inspecting an open electrical substation cabinet at a critical-infrastructure site.
The field reality

Every substation, every conveyor line, every PLC cabinet — someone's plugged a laptop into it this week.

Integrators, OEM service techs, contractors with persistent unmonitored remote access. This is where most OT incidents actually start — not in a sophisticated zero-day, but at a cabinet exactly like this one. BlackHawk's OT program closes that pathway in Phase 3.

  • 3-8 unmanaged remote-access pathways per site
  • 30-60% additional OT assets discovered vs. existing CMDB

The standards we operationalize

Not a proprietary methodology. A delivery model your auditors already understand.

BlackHawk's OT program operationalizes the leading public frameworks so clients can speak in the language regulators, insurers, and board committees already use. We anchor design decisions to standards and measure delivery by their controls - not by our slideware.

IEC 62443 (ISA/IEC)
Primary technical reference for zone & conduit design, security levels (SL-T 1-4), and asset-owner / system-integrator / product-supplier responsibilities. Used to score the target architecture in Phase 3.

NIST SP 800-82 Rev. 3 (NIST)
Operational reference for ICS-specific control selection, risk-assessment methodology, and compensating controls where IT-standard controls are infeasible.

NIST CSF 2.0 (NIST)
Executive-level reporting and maturity scoring across Govern, Identify, Protect, Detect, Respond, Recover. Used in the Phase 1 baseline and the quarterly business review.

Purdue Reference Model (ISA-95)
Architectural framing for segmentation (Levels 0-5) and for assigning ownership boundaries between operations, engineering, and IT.

CISA Cross-Sector CPGs (CISA)
Minimum baseline of cyber-performance goals - used as the floor for residual-risk acceptance decisions, particularly in mid-market and critical-infrastructure clients.

Sector-specific overlays (NERC CIP · TSA · AWIA · FDA 21 CFR Part 11)
Mapped into the program control catalog rather than run as a parallel workstream - so your regulatory profile is satisfied by one engineering effort, not several.

Sectors served: Transportation & Aviation · Utilities & Energy · Healthcare · Education · Government · Manufacturing & Multi-Site

Engineering depth

Detection: Claroty · Dragos · Nozomi · Armis
Networking & segmentation: Fortinet OT · Cisco IND/Cyber Vision · Palo Alto · Tenable OT
Secure remote access: Cyolo · Dispel · Xona · Claroty xDome SRA

Phase 3 in detail

What "done" looks like at the end of secure-architecture implementation.

Phase 3 is the longest and most capital-intensive phase. We sequence it around production schedules and planned outages, not the consulting calendar. By the time it closes, the client is no longer in a defensive crouch - they are in an operating posture.

Engineered Purdue boundaries

Industrial firewalls at every Level 5/4 boundary, at the Level 4/3.5 (iDMZ) boundary, and between intra-Level-3 functional zones.

Brokered remote access only

No human or vendor accesses OT without MFA and recorded, just-in-time session brokering.

Hardened workstations

Application allowlisting, OT-tolerant EDR, role-based access. Advisory before enforcement.

Offline, tested backups

PLC projects, HMI configs, historian DBs on media unreachable by ransomware. Recovery exercised.

PAM & vaulted identities

Credential vaulting and rotation extended into OT to the degree the equipment supports.

OT detection sensors tuned

SPAN/TAP at iDMZ uplinks and Level 2 aggregation, with 30-60 day behavioral baseline.

Out-of-band management

Security infrastructure does not depend on the production network it protects.

Exercised IR playbooks

Five highest-likelihood OT scenarios documented, walked through, and lessons fed back to runbooks.

Managed service portfolio

Three coverage tiers. Modular by design. Expand as the program matures.

Most clients do not consume every BlackHawk service from day one. Coverage typically begins with assessment and advisory, broadens through detection and response during Phase 3, and reaches full operational coverage by the end of Phase 4 onboarding.

Essentials

Baseline assurance

Operators with internal OT engineering capability who need a structured visibility and advisory layer.

OT SOC monitoring: Business hours coverage with on-call escalation.
Asset & vuln visibility: Quarterly inventory refresh; monthly advisory report.
IR retainer: On-call team, T+4-hour response. Annual tabletop.
OT-CISO advisory: Quarterly governance review.
Engagement model: Per-site fixed fee · Per-asset adjustment at QBR

Advanced · Most chosen

Continuous operations

Operators with multi-site OT footprint, active regulatory exposure, and the need for 24x7 detection.

OT SOC monitoring: 24x7x365 with named Tier 1-3 analysts. ICS-specific runbooks.
Asset & vuln visibility: Monthly + continuous feed. Patch advisory with change windows.
IR retainer & tabletops: Named team, T+1-hour. Annual + 2 functional exercises.
OT-CISO advisory: Monthly engagement. Quarterly business review.
Service-level: 15-min critical ack · 30-min analyst response · 1-hour exec notification
Engagement model: Per-site · per-coverage tier · Multi-year · annual maturity-based review

Enterprise

Embedded partner

Large industrial enterprises with critical-infrastructure exposure and continuous regulator and board scrutiny.

OT SOC monitoring: 24x7 with dedicated POD. Continuous sector-specific threat hunting.
Asset & vuln visibility: Real-time inventory; remediation engineering bundled.
IR retainer & tabletops: Embedded on-site capability. Continuous exercise calendar.
OT-CISO advisory: Fractional or fully embedded. Board briefings on demand.
Engagement model: Outcome-based · Multi-year · audit-ready posture continuously

Integration with your existing capability. BlackHawk is not exclusive. We routinely operate alongside the client's IT SOC, IR firm, and internal security team. Shared ticketing, shared incident-commander structure during cross-domain incidents, shared executive reporting - the boundary is documented in writing.

Why BlackHawk Data

Twenty years of OT networking expertise. The first certified Fortinet OT partner in the U.S.

Our OT practice is not a rebadged IT security team. Our assessors, engineers, and SOC analysts hold backgrounds in process control, electrical engineering, industrial networking, and plant operations - in addition to security certifications. We hire from the floor as well as the SOC.

20 years of OT networking

A specialized OT team, anchored by a U.S. industry first.

BlackHawk Data was the first certified Fortinet OT partner in the United States - a designation we hold alongside engineering certification across the leading detection, segmentation, secure-remote-access, and identity platforms used in industrial environments. Vendor selection is made for the client's environment, not for ours.

Platform partnerships: First U.S. certified Fortinet OT partner · Claroty · Dragos · Nozomi · Armis · Cisco IND / Cyber Vision · Palo Alto OT · Tenable OT · Cyolo · Dispel · Xona

01

OT-native staffing

Process-control, electrical engineering, industrial networking, and plant-operations backgrounds - alongside security certifications. We hire from the floor as well as the SOC.

What this means for you

The analyst paging you at 3 a.m. has run a real PLC. They will not ask you to reboot a safety-instrumented system.

02

Vendor-agnostic, deep partner depth

Current engineering certification across every leading OT platform - detection, segmentation, secure remote access, identity, SIEM, and EDR. We select for your environment, not for ours.

What this means for you

Phase 1 selects the right detection platform during the engagement - not before you sign.

03

Continuity from assessment to operation

The discovery analyst becomes the implementation lead becomes the SOC incident commander. The Virtual OT-CISO who first meets your CISO is the same person who presents to your board two years later.

What this means for you

No re-introductions, no re-discovery, no lost context. Long-tenured clients tell us this is the single most consistent piece of feedback they give.

04

Operational discipline as an MSSP

BlackHawk's roots are in operating production infrastructure across hundreds of sites. The OT service inherits the same discipline: documented runbooks, named on-call rotations, audited service quality.

What this means for you

You are not the first thing we have operated 24x7. The muscle is already there.

How most clients begin

Schedule a working session with BlackHawk OT practice leadership.

One conversation with your CISO, head of operations or engineering, and program sponsor. We test fit, scope a focused Phase 1 diagnostic, and - within ten business days - return a fixed-fee proposal and a written point of view on the highest-priority risks specific to your environment.

STEP 01

Working session, 60-90 minutes

CISO, head of operations or engineering, program sponsor. We test fit and scope a Phase 1 pilot. No commitment.

STEP 02

Point of view in 10 business days

A written POV on the highest-priority risks in your environment, plus a fixed-fee Phase 1 diagnostic proposal.

STEP 03

Phase 1 diagnostic, single quarter

Mostly passive. 30-60% more known assets. A prioritized roadmap and board-ready executive read-out.

  • Working session: 60-90 min · no commitment
  • POV turnaround: 10 business days
  • Phase 1 duration: 8-14 weeks · single quarter
  • NOC / SOC: 24x7x365