From Feed to Action

That's not a monitoring problem. It's an intelligence operationalization problem. Those organizations weren't uninformed about OT threats. Many subscribed to feeds, received advisories and accessed the same public reporting as everyone else. They just hadn't built the workflows that turn intelligence into detection coverage, response playbooks and compensating controls. The information existed. The operational connection to it didn't.

This is the gap the Cyber Fusion Center is designed to close.

Most organizations that subscribe to OT threat feeds encounter a practical problem almost immediately. Dragos puts it plainly: "OT cyber threat intelligence often leaves consumers with the same lingering question: What am I actually supposed to do with all this information?"

The answer comes down to where intelligence sits in relation to operations. Without operationalization, an analyst receives an alert, pivots to a threat intelligence platform, manually searches for related campaigns, maps activity to MITRE ATT&CK and then decides whether to escalate. Intelligence sits adjacent to operations, not inside it. When it's operationalized, the alert already includes campaign context, actor intent and recommended next steps -- the shift from gathering information to validating a decision intelligence has already shaped.

Three bottlenecks block that shift, per a Recorded Future CISO Series discussion from early 2026: intelligence delivers information instead of actionable decisions; remediation ownership is scattered so nobody has authority to act; and manual processes can't keep pace with attackers. Among security professionals broadly, 63% cite a lack of staff or skills for adequate threat intelligence -- and OT intelligence requires industrial domain expertise most teams lack.

This is the environment the CFC intelligence cycle is built for.

The CFC doesn't simply consume threat intelligence. It processes it through a defined four-step cycle that ensures every incoming signal reaches an operational output.

Intake is where intelligence enters the cycle. For OT environments, the primary sources are CISA/ICS-CERT advisories, Dragos threat group reporting and Knowledge Packs, sector-specific ISACs, and MITRE ATT&CK for ICS -- the taxonomy that maps 83 confirmed adversary techniques across the full ICS attack lifecycle. These sources are structurally different from generic IT feeds. An IP blocklist applies universally; an OT-specific TTP-based detection rule requires understanding which industrial protocol is being monitored and which behaviors indicate malicious versus legitimate engineering activity.

Analysis is where generic intelligence becomes organization-specific intelligence. A VOLTZITE advisory matters differently to an electric utility than to a food manufacturer. A vulnerability in a Siemens PLC matters differently to an organization running Siemens equipment than to one that doesn't. The CFC contextualizes intelligence against the organization's sector, asset inventory, geographic footprint and architecture. Threat intelligence isn't a commodity feed -- it's a customized analysis of the tools, techniques and adversaries specifically targeting that environment.

Routing is where contextualized intelligence reaches the people who can act on it. Detection engineers receive TTP updates. IR teams receive actor profile updates. Vulnerability teams receive advisory data prioritized against the actual asset inventory. Operations leaders receive strategic briefings. In traditional security operations, intelligence flows to IT security teams and stops. The CFC breaks down that silo -- OT-specific intelligence reaches engineering teams in a form they can use, and operational context flows back to the security team.

Action closes the cycle. A functioning intelligence cycle produces four operational deliverables: detection rules mapped to current threat actor TTPs, revised IR playbooks with actor-specific scenarios, compensating control decisions prioritized by active exploitation data, and strategic briefings connecting the threat landscape to investment priorities. Intelligence that doesn't reach at least one of those outputs hasn't been operationalized. It's been consumed.

Detection engineering from actor TTPs. The FrostyGoop case illustrates how intelligence enables detection before an attacker reaches OT systems. Before executing its ICS payload, FrostyGoop performed detectable actions in the IT layer: webshell indicators, credential harvesting attempts and distinctive network communication patterns. Detection engineers working from the malware analysis built rules to catch that precursor activity before it reached control systems. TTP-based detection creates multiple opportunities across the attack chain, including early IT-layer stages where visibility is highest.

This matters especially as adversaries increasingly use living-off-the-land techniques -- exploiting legitimate tools rather than deploying recognizable malware. Conventional signature-based detection has nothing to match. TTP-based rules built from intelligence about which tools specific groups abuse can catch those tools in the wrong context.

Playbook construction from actor profiles. Only 30% of organizations have a formal OT incident response chain, according to Shieldworkz 2025. That gap is costly, but so is the wrong playbook. SANS instructor Dean Parsons is direct: applying IT incident response actions in OT -- aggressive containment, indiscriminate isolation, automated shutdowns -- can halt production, damage equipment or create unsafe conditions. Intelligence-informed OT playbooks include process impact analysis for each containment decision, engineering team escalation paths, protocol-aware investigation procedures, and guidance on when not to isolate. That nuance can only be embedded in a playbook when defenders understand both the threat actor's objectives and what specific containment actions cost operationally.

Compensating control prioritization from vulnerability intelligence. Of the 2,203 vulnerabilities scored High or Critical in OT environments during 2024-2025, only 29 -- 1.32% -- have ever been confirmed as weaponized in the real world, according to EmberOT's ICS Advisory Project. CVSS-score-driven prioritization sends remediation effort chasing vulnerabilities that may never be exploited.

The problem compounds because OT CVSS scores are frequently unreliable. According to the 2026 Dragos Year in Review, 25% of ICS-CERT and NVD vulnerabilities carried incorrect CVSS scores in 2025. Generic CVSS doesn't account for operational impact, physical safety consequence or patch feasibility. Claroty data shows patching typically requires downtime most OT environments can't tolerate, and EmberOT finds 45% of advisories recommend hardware upgrades as the remediation path. Compensating controls aren't a fallback. They're often the only viable option. Intelligence-driven prioritization focuses on the 1.32% -- what the CISA Known Exploited Vulnerabilities catalog and Dragos active threat group reporting identify as requiring immediate action.

The SANS 2025 State of ICS/OT Security Report names the divide precisely: "Too many programs collect threat data but stop short of acting on it. Mature programs operationalize threat intelligence as a continuous feedback loop that correlates multiple sources, validates indicators through hunts, updates detection rules, and measures how quickly those updates propagate to the production environment."

The first three articles established the CFC's prerequisites: executive ownership, an accountability map and an honest maturity baseline. The baseline tells us where the program stands. Threat intelligence tells us what it's standing against. OT threat intelligence is only as valuable as the response capability it informs. In our next article, we examine how the CFC builds the visibility architecture that gives intelligence something to work with -- the foundational capability that makes detection engineering, playbook execution and everything else operationally possible.