Managed Detection and Response and Continuous Monitoring for OT/ICS
The 2017 Triton, also known as Trisis, attack on a Saudi petrochemical plant targeted the Triconex safety instrumented systems that exist solely to shut a process down safely before it becomes dangerous. The intrusion was only discovered because the malware inadvertently triggered a plant trip, an accidental safety shutdown. Had it not, the attackers could have disabled the last line of defence against a catastrophic event undetected. The lesson for every energy operator is stark: control networks generate signals of compromise, but only if something is watching, analysing and able to respond around the clock.
The 2017 Triton attack on a petrochemical safety system was discovered only because it accidentally tripped the plant, not because anyone was monitoring the OT network.
Why OT Needs Its Own Detection and Response
IT security monitoring is not built for control environments. It does not understand industrial protocols, it expects to deploy agents on every endpoint, and its detections are tuned for office workloads, not breakers and turbines. OT detection and response has to work differently: passive where possible to avoid disrupting fragile devices, fluent in protocols such as Modbus, DNP3 and IEC 61850, and aware that the consequence of a missed alert is physical, not just data loss. This is why OT monitoring is a distinct discipline.
What MDR Provides That Tooling Alone Cannot
Buying a detection platform produces alerts. Managed Detection and Response provides the people and process that turn alerts into outcomes: skilled analysts who triage around the clock, investigate what tooling flags, and respond inside the window that matters. For energy operators whose teams are stretched across OT support and corporate IT, MDR fills the gap between an alert firing at 3am and someone competent acting on it. The Triton attackers operated for an extended period precisely because no one was watching the safety network.
- 24/7 triage and investigation by analysts, not just automated alerts
- Threat hunting across OT and IT for the behaviours tooling misses
- Defined response actions and escalation aligned to operational safety
- Regular reporting to support CAF and regulatory evidence needs
Monitoring Across the OT/IT Boundary
Most OT intrusions begin in IT, through a phishing email or a compromised vendor, and then attempt to cross into the control network. Effective monitoring therefore spans both sides of the boundary, watching for the lateral movement and reconnaissance that precede an OT impact. Detecting an intruder while they are still in the corporate network, before they reach a SCADA system or a safety controller, is far cheaper and safer than detecting them at the moment a breaker opens.
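As an added illustration of the passive, protocol-aware detection described above (not code from Kyanite Blue or Sophos): a minimal Modbus/TCP monitor that parses captured request frames, compares each client/PLC/function tuple with a learned baseline, and raises a higher-severity alert when the client sits outside the OT subnet (the boundary crossing discussed here) or when a write function appears that the baseline never saw. The IP addresses, subnet prefix and frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
# Public Modbus function codes relevant to a passive monitor
FUNCTION_NAMES = {0x03: "Read Holding Registers", 0x05: "Write Single Coil",
                  0x06: "Write Single Register", 0x10: "Write Multiple Registers"}
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}
@dataclass(frozen=True)
class ModbusRequest:
    src: str        # Modbus client (HMI / engineering workstation) IP
    dst: str        # PLC or RTU IP
    unit: int       # MBAP unit identifier
    function: int   # PDU function code

def parse_modbus_tcp(src, dst, payload):
    """Parse a Modbus/TCP request frame: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    return ModbusRequest(src, dst, unit, payload[7])

def detect(requests, baseline, ot_prefix="10.20."):
    """Flag (src, dst, unit, function) tuples absent from the learned baseline."""
    alerts = []
    for r in requests:
        if (r.src, r.dst, r.unit, r.function) in baseline:
            continue
        name = FUNCTION_NAMES.get(r.function, f"function 0x{r.function:02x}")
        if not r.src.startswith(ot_prefix):        # client crossed the OT/IT boundary
            sev, why = "HIGH", "Modbus client outside the OT subnet"
        elif r.function in WRITE_CODES:            # attempt to change process state
            sev, why = "HIGH", "write not seen in baseline"
        else:
            sev, why = "MEDIUM", "new read pattern"
        alerts.append((sev, r.src, r.dst, name, why))
    return alerts

def mbap(unit, pdu):
    """Build a constructed Modbus/TCP frame (transaction id 1) for the sample below."""
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu

# Constructed sample: HMI 10.20.1.10 normally reads holding registers on PLC 10.20.5.1
BASELINE = {("10.20.1.10", "10.20.5.1", 1, 0x03)}
SAMPLE = [("10.20.1.10", "10.20.5.1", mbap(1, bytes([0x03, 0, 0, 0, 10]))),  # expected read
          ("10.20.1.10", "10.20.5.1", mbap(1, bytes([0x06, 0, 5, 0, 1]))),   # unexpected write
          ("192.168.7.44", "10.20.5.1", mbap(1, bytes([0x03, 0, 0, 0, 1])))] # corporate host probing
def run_sample():
    return detect([parse_modbus_tcp(s, d, p) for s, d, p in SAMPLE], BASELINE)
```

In practice the baseline would be learned from a span-port capture over a representative period rather than hard-coded, and the alerts fed to the analysts who triage them.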
Responding Without Making Things Worse
Response in OT is not the same as in IT. You cannot simply isolate a controller mid-process or reimage a historian without considering the physical consequences. OT response playbooks must account for safety, weighing containment against the operational risk of the action itself. Mature MDR for energy builds these playbooks in advance, with the operator, so that when an incident happens the response is decisive and safe rather than improvised under pressure.
How Kyanite Blue and Sophos Deliver This
Kyanite Blue delivers managed detection and response for OT and ICS using Sophos MDR, backed by a 24/7 analyst team and Sophos deep-learning detection that can monitor traffic across the OT/IT boundary. We baseline normal behaviour in your control environment, hunt for the lateral movement that precedes an OT impact, and follow OT-aware response playbooks built with your operations team so that containment never compromises safety. The outcome is that an intrusion like Triton would be caught by analysts watching the network, not by an accidental plant trip.
Frequently Asked Questions
What is MDR for OT environments?
Managed Detection and Response for OT combines monitoring tooling tuned for industrial protocols with a 24/7 team of analysts who triage, investigate and respond to threats in control networks. It exists because detection tooling alone produces alerts that a stretched operations team cannot act on around the clock.
Why can we not just use our IT monitoring for OT?
IT monitoring does not understand industrial protocols, expects agents on every device, and is tuned for office systems. OT monitoring must be largely passive to avoid disrupting fragile equipment, fluent in protocols like Modbus and IEC 61850, and aware that a missed alert can have physical consequences.
How would monitoring have changed the Triton attack?
Triton was found only because it accidentally tripped the plant. Continuous monitoring of the OT network and the OT/IT boundary, watched by analysts, would have detected the attackers' reconnaissance and lateral movement long before they reached the safety controllers, allowing a controlled response.
How do you respond to an OT incident without disrupting operations?
OT response follows playbooks built in advance with your operations team that weigh containment against operational safety. Rather than blindly isolating a controller mid-process, response actions are chosen so they contain the threat without creating a physical risk of their own.
Get 24/7 OT monitoring from Kyanite Blue