Cyber Fusion Center Series | Architecture Phase

The CFC as OT Visibility Architecture

How the OT Cyber Fusion Center removes the IT-OT visibility wall and enables cross-domain detection

Your IT security team generates alerts about your OT network. Your OT engineers receive those alerts. Both teams are looking at the same industrial environment from opposite sides of a wall neither can see through. That wall is the visibility gap.

According to the SANS 2025 State of ICS/OT Security survey, only 12.6% of industrial organizations have full visibility across the ICS Kill Chain. The rest have their deepest gaps exactly where attackers focus: PLCs, HMIs, and remote field sites at the lower OT levels.

The OT Cyber Fusion Center is a visibility architecture. Its central job is taking down that wall.

From Maturity Baseline to OT Visibility Architecture

The CFC maturity baseline, covered in the previous article, reveals where visibility gaps exist. This article covers how the CFC closes them. Knowing you have gaps is not the same as having an operational architecture to remove them.

The vCISO makes visibility a funded strategic priority. The CFC builds what that investment buys: technical architecture that makes visibility real across IT and OT domains.

Why IT-OT Telemetry Leaves Both Teams Flying Blind

The IT-OT telemetry problem is architectural. OT systems communicate through industrial protocols such as Modbus, DNP3, EtherNet/IP, PROFINET, and BACnet that standard IT security tools do not parse. To a conventional SIEM, OT traffic is undecipherable or invisible.

An attacker injecting unauthorized PLC commands over a legitimate protocol can look normal to tooling that cannot interpret protocol intent. According to the Dragos 2026 OT Cybersecurity Year in Review, 82% of organizations lack clear criteria for when operational anomalies should trigger cyber investigations.

In 30% of Dragos incident response cases, the first signal was an unexplained operational problem, not a security alert. Without OT visibility architecture, incidents appear as equipment malfunctions while attackers remain active for weeks.

How the CFC Builds OT Network Monitoring in Sequence

Layer one is ICS asset discovery. You cannot monitor what you do not know exists. OT environments accumulate unknown devices over decades, especially through maintenance activity, emergency additions, legacy retention, and unmanaged IIoT deployment.

SANS 2025 found only 23% of organizations include OT assets in vulnerability programs. Discovery must be passive. Active scanning can disrupt production systems that were never designed for probe traffic. The CFC uses SPAN ports and network taps to copy traffic without touching operations.

Layer two is passive OT network monitoring. Dragos, Claroty, and Nozomi all use passive-first approaches to decode industrial protocol telemetry. Dragos supports 600+ ICS protocols. Claroty provides Project File Analysis for ingesting backup configuration files from air-gapped assets. Nozomi uses AI-powered behavioral baselining to establish normal behavior and detect deviation.

Layer three is telemetry normalization. OT monitoring output is translated into structured events with common fields (asset ID, timestamp, event type, severity, and operational context) so that SIEM tooling can correlate IT and OT activity on one timeline.

Cross-Domain Correlation Is the CFC Methodology Advantage

Unified OT visibility architecture enables detections that are structurally impossible when IT and OT monitoring remain separated. The Shadow Current series traced this same attack path dynamic from the adversary side.

Example: at 10:45 PM, a dormant vendor VPN account authenticates. At 10:52 PM, an OT engineering workstation starts a new Level 1 PLC connection. Alone, each event can look routine. Together, they describe a potential intrusion path.
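The normalization schema from layer three and the correlation in the example above, as added illustration code (not from the article or any vendor platform). It assumes a constructed VPN log format that already carries an account's dormancy in days (in practice that would come from an identity lookup), a hypothetical passive-sensor record layout, and a 90-day dormancy threshold and 15-minute window as tunable assumptions.

```python
from datetime import datetime, timedelta

DORMANT_DAYS = 90  # assumed threshold for treating a VPN account as dormant

def event(asset_id, ts, event_type, severity, context):
    # Common schema named in the article: asset ID, timestamp, event type, severity, context.
    return {"asset_id": asset_id, "timestamp": datetime.fromisoformat(ts),
            "event_type": event_type, "severity": severity, "context": context}

def normalize_vpn_log(line):
    # Constructed IT log line: "<ISO time> vpn auth user=<u> src=<ip> dormant_days=<n>"
    ts, _, _, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    dormant = int(f["dormant_days"])
    return event(f["user"], ts, "vpn_auth", "medium" if dormant >= DORMANT_DAYS else "low",
                 {"domain": "IT", "src": f["src"], "dormant_days": dormant})

def normalize_ot_monitor(rec):
    # Constructed passive-sensor record (hypothetical layout, not any vendor's real output)
    return event(rec["src_asset"], rec["ts"], "new_plc_connection", "low",
                 {"domain": "OT", "level": rec["purdue_level"],
                  "dst": rec["dst_asset"], "first_seen": rec["first_seen"]})

def correlate(events, window=timedelta(minutes=15)):
    """Flag a dormant VPN auth followed within `window` by a first-seen Level 1 PLC connection."""
    events = sorted(events, key=lambda e: e["timestamp"])
    hits = []
    for i, a in enumerate(events):
        if a["event_type"] != "vpn_auth" or a["context"]["dormant_days"] < DORMANT_DAYS:
            continue
        for b in events[i + 1:]:
            gap = b["timestamp"] - a["timestamp"]
            if gap > window:
                break  # time-sorted, so everything after this is outside the window
            if (b["event_type"] == "new_plc_connection" and b["context"]["level"] == 1
                    and b["context"]["first_seen"]):
                hits.append({"vpn_account": a["asset_id"], "workstation": b["asset_id"],
                             "plc": b["context"]["dst"], "gap_min": int(gap.total_seconds() // 60)})
    return hits

# Constructed sample telemetry mirroring the 10:45 PM / 10:52 PM scenario in the article.
SAMPLE_IT_LOGS = ["2025-03-04T22:10:00 vpn auth user=jsmith src=198.51.100.9 dormant_days=0",
                  "2025-03-04T22:45:00 vpn auth user=vendor-acme src=203.0.113.7 dormant_days=210"]
SAMPLE_OT_EVENTS = [{"ts": "2025-03-04T22:52:00", "src_asset": "ENG-WS-02",
                     "dst_asset": "PLC-L1-07", "purdue_level": 1, "first_seen": True}]

def run_sample():
    events = [normalize_vpn_log(l) for l in SAMPLE_IT_LOGS]
    return correlate(events + [normalize_ot_monitor(r) for r in SAMPLE_OT_EVENTS])
```

Neither source alone fires: the routine login from a non-dormant account at 22:10 is ignored, and the PLC connection by itself is severity "low"; only the pairing inside the window produces a hit.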

SANS 2025 found organizations with full ICS Kill Chain visibility almost always operate SOC functions where IT and OT teams share detection tools. Organizations with comprehensive asset visibility are 3.7x more likely to achieve full Kill Chain visibility.

What OT Visibility Architecture Unlocks Across the Program

Incident response without visibility is guesswork. Timeline reconstruction and lateral movement containment require asset context and behavior baselines. Without them, teams build context during a live incident and remediation extends unnecessarily.

Threat intelligence becomes operational only when mapped to real assets and real network paths. Compliance also depends on this foundation. IEC 62443 and NIST SP 800-82 Rev.3 response requirements presuppose functioning monitoring and maintained inventory.

Red team assessments become meaningful only when there is architecture to validate. Visibility is not a product the CFC installs. It is an architectural condition the CFC creates, the layer that makes the security program measurable, functional, and improvable over time.

In the next article, we examine the compensating control architecture required for legacy systems that predate cybersecurity and cannot be patched or replaced on normal cycles. Learn more about the OT vCISO role in the executive brief, The Missing Leadership Layer in Industrial Cybersecurity.

Only 12.6% have full ICS Kill Chain visibility. Most teams still monitor the same plant from opposite sides of a wall.

12.6%: Full ICS Kill Chain visibility (SANS 2025)
82%: No criteria for escalation from an operational anomaly to a cyber investigation
30%: IR cases where the first signal was an operational issue, not an alert
3.7x: Higher likelihood of full Kill Chain visibility with full asset visibility

Layer 1: ICS Asset Discovery

Inventory is the starting layer. Unseen devices create unseen risk and broken prioritization.

The CFC begins with passive discovery because active scanning can destabilize OT operations. SPAN ports and taps reveal unknown devices, unauthorized links, and legacy assets still active on the network.

Layer 2: Passive OT Monitoring

Industrial protocol parsing is required before OT network activity has security meaning.

Passive-first OT platforms decode protocol behavior without touching production devices. This is how events from PLCs, HMIs, and remote assets become detectable instead of opaque.

Layer 3: Telemetry Normalization

Translation bridges IT and OT event streams into one correlated timeline.

Normalization converts OT telemetry into structured fields SIEM systems can process. Once normalized, cross-domain correlations become practical and repeatable in SOC workflows.

Cross-Domain Correlation

Two harmless events can form one high-signal intrusion narrative when viewed together.

Dormant VPN login plus new Level 1 engineering-to-PLC traffic can indicate adversary pivot. This pattern is invisible in separated monitoring models and visible in CFC architecture.

Downstream Program Impact

Incident response, intelligence operations, compliance, and red team validation all depend on visibility architecture.

Without this foundation, response is reactive, intelligence is abstract, audits are weak, and red team outcomes are less actionable. With it, the whole security program gains measurable traction.

Why IT and OT Keep Missing the Same Threat
Protocol blindness on one side, missing operational context on the other

IT tools do not naturally interpret industrial protocol intent, while OT teams cannot triage every enterprise alert without operational risk context. The result is split telemetry and delayed investigation.

What Changes After CFC Visibility Is Live
From disconnected alerts to coordinated detection and response workflows

Investigations gain shared evidence, correlation improves, detection logic reflects real OT behavior, and incident response becomes faster and more reliable under operational constraints.

Series Continuity
The baseline identified the gap, this article builds the architecture, and the next article handles compensating controls

This article sits in the architecture phase and links governance, telemetry, and detection design. Next: how CFC compensating controls govern legacy infrastructure that cannot be patched or replaced on normal timelines.