Intelligence That Actually Fits

The honest baseline tells you where your program stands. The second question is harder: what are you actually standing against? That finding isn't a compliment. It's a diagnosis of what the others are missing.

Most industrial organizations consume threat intelligence designed for enterprise IT environments: feeds tracking ransomware groups targeting business systems, phishing campaigns, CVE disclosures for commercial software, credential theft techniques and data breach vectors. That intelligence is accurate, well-sourced and useful. For IT environments.

OT environments face categorically different threats. An attacker targeting a manufacturing plant, power utility or water treatment facility isn't primarily interested in your data. They want your processes. The objectives are disruption, pre-positioning for future disruption, physical damage or coercion through the threat of operational shutdown. The attack techniques target industrial protocols -- Modbus, DNP3, OPC-UA, S7Comm -- that don't exist in IT environments. The malware families are purpose-built for specific control systems, sometimes specific firmware versions, requiring months or years of industrial engineering research to develop.

In 2024, researchers tracking the ICS advisory landscape documented more than 600 OT/ICS-relevant security advisories, an entirely separate track from the National Vulnerability Database that governs IT vulnerabilities. Organizations monitoring only NVD miss it entirely. Two parallel systems. Two separate threat landscapes. Most organizations are only watching one.

The clearest illustration of why generic intelligence fails OT environments is TRITON/TRISIS, discovered in 2017 at a Saudi Arabian petrochemical facility. TRITON was the first malware designed to attack Safety Instrumented Systems (SIS), the automated last line of defense that triggers emergency shutdowns to prevent industrial accidents. The U.S. government later attributed it to a Russian government-controlled research institution. The attacker had been present on the corporate IT network since at least 2014 before reaching the OT environment.

Standard IT threat intelligence might have flagged the threat actor. What it couldn't provide was the operationally critical detail: this actor had reverse-engineered the proprietary TriStation protocol, developed custom tooling to interact directly with Triconex safety controllers and was positioned to disable automated shutdowns during a dangerous process failure. In a worst case, that means explosions and loss of life. A software bug in the malware caused the safety system to fail safe before the attack completed, and that shutdown triggered the discovery.

The point isn't to frighten. It's to be precise about what "knowing about a threat" means in OT environments. Knowing a nation-state actor exists tells you very little. Knowing which protocols they target, what kill chain capabilities they've developed and which sector they're pre-positioning in tells you what decisions to make.

More recently, FrostyGoop cut heat to more than 600 apartment buildings in Lviv, Ukraine during January 2024's sub-zero temperatures. It was the first malware to use Modbus TCP as its primary attack vector -- one of the world's most widely deployed industrial protocols, present in manufacturing, energy and water treatment environments globally. No IT threat feed covers what unauthorized Modbus command sequences look like on an OT network.

OT threat intelligence is structured differently from generic IT feeds, because the problem is different.

CISA's ICS advisory program runs parallel to the NVD, covering vulnerabilities in OT, ICS and industrial IoT devices with vendor-specific mitigation context. Sector ISACs -- including the Electricity ISAC (E-ISAC), WaterISAC and the OTICS-ISAC -- provide sector-tailored intelligence sharing, including peer-to-peer incident data that never reaches public databases and early warning on active targeting campaigns.

MITRE ATT&CK for ICS covers 12 tactics and 83 techniques focused on adversary behavior within industrial environments: how attackers interact with PLCs, HMIs and safety controllers. It includes categories with no IT equivalent: "Inhibit Response Function" (disabling safety systems), "Impair Process Control" (manipulating control logic) and "Impact" categories that describe physical consequences rather than data loss. Detecting these techniques requires network protocol analysis, not endpoint indicators. Different skills, different tools, different expertise.

Dragos tracks 26 OT-specific threat groups with ICS Kill Chain stage analysis, profiling which actors have moved beyond reconnaissance to develop the capability to directly manipulate industrial processes. Four active groups had reached Stage 2 capability as of Dragos's 8th Annual Report. None of this appears in generic IT threat feeds.

When the strategic picture is built on IT-centric intelligence, three failures follow.

Investment priorities get misaligned. Organizations without OT-specific intelligence consistently fund IT-appropriate tools -- endpoint detection, email security, network firewalls -- before or instead of OT-appropriate investments like asset visibility, passive network monitoring and OT-native detection. The SANS 2024 data is essentially a mirror of this: organizations lacking ICS-specific threat intelligence are less mature across every OT security dimension.

Incident response gets built for the wrong events. Only 57% of industrial organizations have an OT-specific incident response plan, according to the 2025 SANS survey. Applying IT-centric response in OT environments -- aggressive containment, automated shutdowns, indiscriminate isolation -- can damage equipment, halt production and create unsafe conditions. An IR plan built around the wrong threat picture doesn't just fail; it can worsen the situation.

Board communications don't reflect actual OT risk. Palo Alto Networks' 2024 State of OT Security survey found that C-level executives are 33% less likely than operational staff to believe their organization has experienced an industrial shutdown. The threat picture reaching leadership is IT-framed, so OT risk gets translated into terms boards already process as "IT problems," and the investment case never lands.

The problem with OT threat intelligence isn't that it doesn't exist. It's that most organizations lack the executive-level OT expertise to interpret what it means for their specific environment and investment decisions.

The OT vCISO provides that interpretation. Working from Dragos threat group profiles, sector ISAC intelligence and MITRE ATT&CK for ICS, the vCISO maps which tracked threat groups most likely target the organization's sector and geography, identifies their demonstrated kill chain capabilities and connects that to current visibility and detection gaps. The output isn't a threat briefing. It's a prioritized investment argument: here's what capable adversaries targeting environments like yours can do, here's where the current program misses them and here's what changes that.

As established in Article 3, the honest baseline tells us where the program stands. OT-specific threat intelligence tells us what it's standing against. That connection flows forward: the threat picture built here directly informs the IR governance work in Article 9, and it's the foundation for how the vCISO translates OT risk to the board in Article 11. The companion CFC series covers how this intelligence is operationalized into ongoing monitoring and detection. The Red Team series covers the validation side: why generic IT pen testing can't verify OT resilience, and how adversarial testing uses the actual TTPs this intelligence picture identifies.

With an honest baseline and an accurate threat picture, the OT vCISO has what strategy requires: a clear view of where you stand and what you're facing. The next question is what the program needs to build. That starts with visibility, the foundational capability that every other element depends on.