How Red Teams Validate Your OT Threat Intelligence

Detection eventually occurred only after CISA separately notified the organization of the initial access vulnerability used -- not from internal defensive monitoring. The problem wasn't the tools. It was what the tools weren't watching.

Here's the operational reality for most industrial organizations: 67% consume threat intelligence in some form. Only 21% have deployed intelligence integration capabilities, according to the SANS State of ICS/OT Security 2025 report. Most organizations aren't failing because they lack intelligence. They're failing because they've never verified whether that intelligence reaches the systems designed to act on it.

That verification is exactly what an OT red team provides. The Red Team doesn't test against a hypothetical adversary. It applies the documented techniques of groups already targeting your sector and tests whether your detection, response, and defensive architecture actually addresses those techniques. Not whether you subscribed to a threat feed, but whether what's in it is shaping how you defend.

OT threat intelligence is structurally different from enterprise security intelligence because OT threats carry physical consequences -- production downtime, safety system failures, critical infrastructure disruption -- that IT threat frameworks were not built to model. Standard threat intelligence is centered on data protection and network defense. OT intelligence has to account for what happens when a process stops, when a safety system fails to trigger, or when an operator receives false data about a physical system they're trying to control.

That gap shows up in the technical details. IT security tools can't decode the industrial protocols that OT environments run on: Modbus, DNP3, Profinet, IEC 104, OPC UA. Malicious commands sent to a programmable logic controller are indistinguishable from legitimate operations to a monitoring system that can't parse the underlying protocol. IT threat intelligence frameworks don't model PLCs, RTUs, safety instrumented systems, or engineering workstations at all.

Dragos now tracks 26 active OT/ICS threat groups, 11 of which were active during 2025. These aren't groups repurposing enterprise malware. CRASHOVERRIDE used legitimate industrial protocols as its attack vector to cut power to approximately one-fifth of Kyiv. TRITON targeted safety systems specifically designed to prevent catastrophic physical accidents at a petrochemical facility. PIPEDREAM was assessed to cover 83% of known ICS attack tactics. FrostyGoop, discovered in 2024, used Modbus communications to cause heating outages for more than 600 apartment buildings in Ukraine. Each represents significant adversary research and development investment. And generic enterprise threat intelligence covers none of them.

Rather than building engagements around theoretical scenarios, OT red teams map their technique selection directly to MITRE ATT&CK for ICS -- a knowledge base derived from real-world ICS incidents including Stuxnet, CRASHOVERRIDE and TRITON. The framework covers 12 tactics and 83 techniques specific to industrial environments, including two not found in enterprise security frameworks: "Inhibit Response Function" (preventing safety systems from responding to failures) and "Impair Process Control" (manipulating or disabling physical processes).

This matters because adversary behavior changes at the IT-OT boundary. Enterprise ATT&CK explains how Stuxnet arrived. ICS ATT&CK explains what it did next. Effective detection of end-to-end OT attack chains requires instrumentation at multiple layers. According to the SANS State of ICS/OT Security 2025 report, only 13% of organizations have full visibility across the ICS Cyber Kill Chain. Just 10% report full visibility at the supervisory control level where SCADA and HMI systems operate. When visibility doesn't exist, intelligence can't be operationalized. The Red Team finds both.

When the Red Team applies real OT threat actor techniques, consistent findings emerge. According to Dragos's 2026 OT Cybersecurity Year in Review, based on professional services engagements: only 46% of assessed organizations had adequate OT network monitoring deployed. In 88% of tabletop exercises, degraded detection capabilities were revealed. In 56% of penetration tests, living-off-the-land tools were used without triggering a single alert.

The TRITON attack illustrates what intelligence-disconnected detection looks like in practice. The malware was active for months before discovery. Early signs appeared in June 2017 but were attributed to mechanical failure. The actual intrusion wasn't confirmed until August 2017. Attackers moved from IT networks to OT engineering workstations via remote desktop sessions -- a technique well-documented in threat intelligence at the time. No detection occurred because that IT-to-OT movement wasn't being monitored.

The Red Team assessment produces the most operationally relevant intelligence an OT program can have: actual adversary techniques that worked against your specific environment. Every technique that succeeded undetected maps directly to a detection rule that needs to be written. Every attack path corresponds to an IR playbook scenario that doesn't exist yet. Every blind spot the team operated in identifies where monitoring needs to be extended.

According to the SANS State of ICS/OT Security 2025 report, organizations that integrate ICS-specific threat intelligence into operations are 52% more likely to improve network segmentation and monitoring based on threat data. They're 3.7 times more likely to achieve full visibility across the ICS Cyber Kill Chain. The measurable outcome of closing the intelligence-to-detection gap is concrete: organizations with comprehensive OT visibility contained ransomware incidents in an average of five days, against a 42-day industry average.

The Red Team is how you verify where your intelligence actually stops, and where it needs to start reaching.

Adversarial validation doesn't operate in isolation. Closing the intelligence-to-detection gap takes three layers working together, and the Red Team is the one that proves whether the other two are functioning.

The OT vCISO is the strategic layer. The companion Leadership Layer series, Article 4, covers how the vCISO ensures the threat intelligence picture is built on OT-specific sources, not imported IT feeds, and how that picture connects to investment priorities and board risk conversations. The Red Team validates whether that strategic intelligence picture is accurate by applying the actual TTPs the vCISO's program claims to defend against.

The Cyber Fusion Center is the operational layer. The CFC series Article 4, "From Feed to Action," covers how the fusion center methodology routes OT threat intelligence into detection rules, IR playbooks and operational workflows. The Red Team tests whether that routing actually works: do the detection rules reflect real OT actor TTPs? Do the playbooks address the techniques those actors actually use?

The Shadow Current series traces how specific attack techniques move through IT-OT environments -- the same paths the Red Team walks in controlled engagements. The Red Team assessment is the Shadow Current applied to your specific environment.

With a clear picture of what the program claims to do and what it actually does, the Red Team turns to the architecture underneath it. Three foundational capabilities determine whether OT security is structurally possible, and all three are consistent findings in adversarial assessments. Visibility is first.