The role of MDR solutions in protecting OT environments
Morgan Cyber. Reading time 5 mins
As digital transformation programs continue to take shape, Operational Technologies (OT) and Industrial Control Systems (ICS) are becoming increasingly interconnected with Information Technology (IT) systems.
For day-to-day operations, this convergence is a good thing. Improved efficiencies, accelerated project timelines, and greater support for accurate data-driven decisions are all highly valued outputs. From a security perspective, however, simply copying and pasting an existing IT strategy can create avoidable cyber risks in an organisation's OT estate. OT has specific requirements that need to be addressed.
This is because threat actors will continue to target the OT and Industrial Control Systems (ICS) of critical infrastructure and manufacturing because of fundamental weaknesses: these systems often run on outdated platforms, are often not managed closely by a dedicated security team, and are not subjected to the same cyber security and data protection scrutiny as IT systems.
In this blog, we will look at the key differences between OT and IT systems, and at how Managed Detection and Response can help managers, who may be responsible for both, enhance their SecOps maturity.
IT and OT: Understanding the Differences
IT and OT / ICS systems have different architectures, priorities, and threat models, and are often run by different teams. Their security should be approached in the same vein.
1. Purpose and Functionality
- IT systems handle data. Think email, customer records, and intellectual property / research. When securing data, we focus on its confidentiality, integrity, and availability. This is called the CIA triad, and you can learn more about it in this excellent blog by our friends at CyberKainos.
- OT systems control physical processes in industry, manufacturing, transportation, and utilities. Here, the top priority is availability and safety. If an assembly line or power grid goes down, the impact can be immediate and severe.
2. Lifecycle and Change Management
- IT systems have no option other than to be flexible and constantly evolving. Developers issue patches and updates to address minor weaknesses in security or operational capabilities as part of their business-as-usual activities.
- OT systems, however, often use old hardware or software, and upgrades cannot be achieved by patching. In this world, upgrades mean downtime and disruption to services or operations, which may not even be possible. As a result, some systems are decades old, still relying on proprietary protocols and minimal built-in security.
3. Risk Appetite and Consequences
- IT managers are rightly comfortable using language like ‘risk appetite’. While cyber incidents are not an infrequent occurrence, in the real world the impacts are often manageable, with significant triage support available. At the extreme end of the spectrum, lost information, fines, and reputational damage, while painful for the parties involved in the short term, are recoverable from.
- In OT, you are much less likely to hear phrases like ‘risk appetite’ or ‘acceptable risk’. Here, a cyber incident that causes equipment or system control failures can be truly catastrophic; environmental damage, civil unrest, and loss of life are not unheard of.
We have deliberately used the phrase ‘cyber incident’ rather than ‘cyber attack’ above. This is because Morgan Cyber handle just as many IT incidents caused by user error, such as misconfiguration, failure to back up correctly, or lack of training, as we do from malicious cyber attacks.
These fundamental differences are why simply lifting IT security strategies and dropping them into the OT space is less likely to be as effective as strategies built for OT from the ground up.
What is Managed Detection and Response?
Managed detection and response (MDR) is a 24 / 7 / 365 cyber security service that monitors, detects and responds to threats across an organisation’s network, endpoints and cloud environments in real time.
It achieves this by combining cutting edge automation and machine learning with human expertise to protect organisations from cyber attacks. Its key traits include:
- The provision of outsourced security experts who will step in on your behalf to investigate, contain, and remediate cyber attacks at any time
- Placing a strong focus on proactive threat hunting by leveraging actionable threat intelligence to spot suspicious activity and emerging threats before they can make an impact.
- Being flexible enough to be moulded to fit specific organisational needs, likely attack vectors, and regulatory demands, without the heavy cost of a full time cybersecurity team.
And why it is well suited to protecting OT and ICS environments
MDR services are highly effective because of the speed at which they detect dangers within a system (often within 1 minute), and how quickly they execute decisive action. But for those managing an OT environment, there is more good news to digest when it comes to MDR…
1. MDR is a single solution that can monitor converging IT / OT, and cloud estates
MDR provides centralised visibility and threat intelligence across both OT and IT environments. This means security teams can detect threats across the entire attack surface, such as:
- Workstations, servers, and cloud assets (for IT)
- PLCs, SCADA systems, HMIs, and sensors (for OT)
By bridging this gap and correlating threat intelligence from both sides, rapid detection of lateral movement between IT and OT can be achieved. If and when suspicious activity is detected, MDR also facilitates cross-system playbooks to manage impacts cascading from IT to OT and vice versa (e.g. ransomware spreading from IT workstations to HMI control terminals).
2. Leverage OT-specific threat hunting intelligence
Cyber Threat Intelligence (CTI) is the collection and analysis of information about potential and ongoing cyber threats. It involves monitoring a variety of sources such as public forums, dark web marketplaces, hacker communities, and data breach repositories. The goal is to identify Indicators of Compromise (IoCs) and the Tactics, Techniques, and Procedures (TTPs) threat actors may use to target your organisation before they actually do. MDR is highly effective in this regard as it can be customised to focus on your specific industry or your specific known threats.
Both Morgan Cyber and our partners also possess considerable experience of building OT networks and knowledge of industrial control systems (ICS), SCADA systems, and protocols like Modbus, DNP3, and OPC. Find out more below about:
Our experience regarding security and operational continuity in the manufacturing space
Our IT Infrastructure Best practice Assessments
3. Scalability and flexibility
The right MDR solution should be flexible and scale with your organisation. In the future, you may be expanding to new production facilities, or moving from single to multi-cloud environments. Having a solution in place that can handle this increased workload with minimal on-site setup and cap-ex costs, and also work with legacy OT technologies would be highly advantageous.
4. Requires no changes to an OT device or its configuration
MDR can be deployed either via a sensor that receives mirrored network traffic, or via an agent on the OT device itself. The former has the advantage of not requiring new software, meaning no extra load is placed on individual OT devices, which could otherwise impact performance. This is an important consideration when we recall the ‘availability’ and ‘safety’ priorities of OT systems from earlier.
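As an added illustration of the two points above (correlated IT / OT detection of lateral movement, and passive monitoring from mirrored traffic), the following Python is example detection logic, not Morgan Cyber's platform code. The zone ranges, flow records, and the decoded Modbus function code field are all constructed for the example; a real sensor would take them from the asset inventory and the mirrored packets.

```python
"""Flag IT -> OT boundary crossings in passively captured flow records."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zoning; a real deployment loads this from the asset inventory.
IT_ZONES = [ip_network("10.10.0.0/16")]       # workstations, servers
OT_ZONES = [ip_network("192.168.50.0/24")]    # PLCs, HMIs, SCADA servers

# Modbus/TCP function codes that change PLC state (coil / register writes).
MODBUS_WRITE_CODES = {5, 6, 15, 16, 23}
SMB_PORT, MODBUS_PORT = 445, 502

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    modbus_fc: Optional[int] = None   # set only when the sensor decoded Modbus/TCP

def zone_of(ip: str) -> str:
    """Map an address to IT, OT or UNKNOWN using the constructed zone table."""
    addr = ip_address(ip)
    if any(addr in n for n in IT_ZONES):
        return "IT"
    if any(addr in n for n in OT_ZONES):
        return "OT"
    return "UNKNOWN"

def detect_it_to_ot_crossings(flows: List[Flow]) -> List[Tuple[str, str, Flow]]:
    """Return (severity, reason, flow) for every flow that crosses from IT into OT."""
    alerts = []
    for f in flows:
        if zone_of(f.src) != "IT" or zone_of(f.dst) != "OT":
            continue  # intra-zone traffic is left to other rules
        if f.dport == MODBUS_PORT and f.modbus_fc in MODBUS_WRITE_CODES:
            alerts.append(("high", f"IT host issued Modbus write fc={f.modbus_fc} to an OT device", f))
        elif f.dport == SMB_PORT:
            alerts.append(("high", "SMB from IT workstation to OT host (ransomware-style spread)", f))
        else:
            alerts.append(("medium", f"unexpected IT -> OT connection on port {f.dport}", f))
    return alerts

# Constructed sample flows, as a passive sensor on a mirror port might export them.
SAMPLE_FLOWS = [
    Flow("192.168.50.10", "192.168.50.20", 502, 3),   # HMI polling a PLC: normal OT traffic
    Flow("10.10.4.25", "192.168.50.20", 502, 16),     # IT workstation writing PLC registers
    Flow("10.10.4.25", "192.168.50.30", 445),         # IT workstation reaching an HMI over SMB
    Flow("10.10.4.25", "10.10.1.5", 443),             # IT-internal HTTPS, not this rule's concern
]

if __name__ == "__main__":
    for sev, reason, f in detect_it_to_ot_crossings(SAMPLE_FLOWS):
        print(f"[{sev}] {f.src} -> {f.dst}:{f.dport}  {reason}")
```

Because the rule only needs source, destination, port and (optionally) a decoded function code, it runs entirely on mirrored traffic and touches no PLC or HMI.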
5. Maximising operational continuity
Threats detected in the OT environment require immediate action to avoid disruption or physical damage. MDR, unlike some other security tooling, neither waits for a breach to happen before acting nor relies on initial human processes at that point.
Instead, predefined response strategies and playbooks for different threats do much of the early heavy lifting. Automated responses will quickly isolate infected endpoints or suspicious traffic, limiting a threat’s reach without shutting down entire systems or networks.
When it comes to remediation, rather than shutting down whole networks, sites, or facilities, MDR applies preset and rehearsed remediation steps, like disabling only compromised user accounts or quarantining specific endpoints, allowing unaffected users or systems to continue operating as normal.
How Morgan Cyber can help you get started with MDR
- Schedule a consultation: You can meet with one of our security experts completely free of charge to discuss your organisation’s unique challenges and objectives.
- Go through a demonstration: On your call our experts can show you our MDR platform and answer any questions you may have.
- Customise a plan: We will work with you to build a plan tailored to your organisation’s size, threat landscape, and budget.
- Start your journey: Begin transforming your SecOps, leveraging cutting-edge AI-driven solutions and automation, with an experienced team behind you.
Contact:
Morgan Cyber Solutions