Threat Hunting in the OT

OT security expert Oliver Jaeckel-Bender defines threat hunting from an OT perspective. He differentiates the discipline from the IT and talks about the minimum and maximum requirements for cybersecurity in OT networks.

Duration:

26 min

Guest in this episode:

Oliver Jaeckel-Bender

Product Owner Cybersecurity for Digitalization of Production and Technology BASF

FAQ

Facts on the topic

How does OT Threat Hunting differ from the traditional IT approach?

In the IT sector, Threat Hunting typically involves searching for "Indicators of Compromise" (IoCs) like malicious files or specific log entries after a breach may have occurred. In the OT world, this approach often starts too late. Here, Threat Hunting primarily means Anomaly Detection: Since industrial networks are deterministic and predictable, any deviation from the baseline communication pattern is a red flag. It’s less about analyzing the deep "payload" of every packet and more about monitoring meta-information—specifically, who is communicating with whom, why, and how.

Why is visibility the fundamental prerequisite for OT security?

You cannot protect what you cannot see or understand. Many OT networks contain "blind spots" where operators are unaware of how specific components interact. Real security begins with a complete understanding of how the system functions. While this sounds daunting, it becomes manageable by focusing on network metadata. Once you have full visibility into these communication flows, an effective defense strategy becomes possible.

How does network segmentation support Threat Hunting efforts?

Segmentation—dividing the network into smaller, isolated zones—drastically reduces complexity. It acts as a primary barrier against "lateral movement," preventing an attacker from moving from one system to the next. In the context of Threat Hunting, a well-segmented network allows security teams to pinpoint anomalies much more precisely. Instead of monitoring a massive, flat network, you can identify and isolate suspicious activity within a clearly defined zone.

Why does excessive complexity jeopardize cybersecurity in production?

A major challenge in modern OT security is the imbalance between security and manageability. When security solutions become too complex, they risk being bypassed by staff in the field, or they may trigger false alarms that paralyze production. Effective cybersecurity must remain manageable for the operators on the ground. The goal is "Simple Security": clear structures like clean segmentation and automated anomaly detection often provide better protection than high-end IT tools that aren't designed for the realities of the plant floor.