What the Red Team Sees That You Don't: The OT Visibility Gap
How adversarial testing exposes the monitoring seam between IT and OT before incidents become operational crises
Organizations with comprehensive OT visibility detect and contain ransomware incidents in an average of five days. The industry-wide average, according to Dragos 2026, is 42 days. The Red Team makes that gap concrete: where adversaries moved, how far they reached, and how long no alert fired.
The Red Team Starts by Assuming Blind Spots Exist
Blind spots are not a hypothesis at engagement start. They are an operating assumption because the data supports that posture. SANS 2025 found only about one in eight organizations has full ICS Kill Chain visibility from initial IT compromise through potential physical process impact.
Coverage drops hardest in the layers adversaries target most: operations, supervisory control, and remote field environments. KAMACITE activity underscores this pattern through sustained reconnaissance against HMIs, drives, and edge connectivity points. Article 4 in this series covered the OT intelligence gap that enables this behavior in under-monitored environments.
Nine Months in the Dark Is a Visibility Warning, Not History
In the 2015 Ukraine grid attack, adversaries entered through spearphishing and remained active for approximately nine months before power disruption. During that period they mapped IT and OT pathways, collected component data, and staged attack capability with no effective interruption.
A capable monitoring program could have detected abnormal traffic much earlier. The lesson remains current. Ten years later, NERC CIP-015 was approved to require internal network security monitoring for bulk electric systems. The Red Team does not need nine months to prove what that timeline already showed.
Where the IT-OT Monitoring Gap Opens
The recurring exposure is the seam where enterprise monitoring ends and OT monitoring has not been built. Standard IT tools do not decode protocol behavior for Modbus, DNP3, PROFINET, EtherNet/IP, and related industrial communications.
FrostyGoop in 2024 and CRASHOVERRIDE in 2016 both demonstrated protocol-native exploitation paths that bypass traditional IT-centric visibility. In Mandiant-documented work, red team operators reached DCS OPC components using common weaknesses and public tooling. The issue was not advanced exploit novelty. The issue was a long-standing visibility gap.
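To make the "protocol intent" point concrete, the following is an added example (not code from the article or from any vendor named in it) that decodes Modbus/TCP requests far enough to tell a read from a write and flags writes from hosts that are not documented engineering stations. A flow-level IT tool sees every one of these frames as "src to dst, tcp/502"; the difference only appears once the function code is decoded. The frames, IP addresses and allowed-writer list are constructed for this example.

```python
"""Decode Modbus/TCP requests so that protocol intent (read vs. write) is visible.

Constructed example: frames, hosts and the allowed-writer list are invented for
illustration and do not come from any real network.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Public function code names from the Modbus application protocol specification.
FUNCTION_NAMES: Dict[int, str] = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
# Function codes that change state on the device.
WRITE_FUNCTIONS: Set[int] = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int
    quantity: Optional[int]   # reads and multi-register writes
    value: Optional[int]      # single-coil / single-register writes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the MBAP header and the start of the PDU of one Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit_id, fc = struct.unpack(">HHHBB", payload[:8])
    if proto_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus/TCP")
    # 'length' counts every byte after the length field: unit id + PDU.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    data = payload[8:]
    if fc in (1, 2, 3, 4, 15, 16):
        address, quantity = struct.unpack(">HH", data[:4])
        return ModbusRequest(tid, unit_id, fc, address, quantity, None)
    if fc in (5, 6):
        address, value = struct.unpack(">HH", data[:4])
        return ModbusRequest(tid, unit_id, fc, address, None, value)
    # Unknown or vendor-specific codes are surfaced rather than silently dropped.
    return ModbusRequest(tid, unit_id, fc, 0, None, None)


def classify(src: str, dst: str, payload: bytes, allowed_writers: Set[str]) -> dict:
    """Return what a protocol-aware sensor sees for one request, plus an alert flag."""
    req = parse_modbus_tcp(payload)
    intent = "write" if req.function_code in WRITE_FUNCTIONS else "read"
    return {
        "src": src, "dst": dst, "unit": req.unit_id,
        "function": FUNCTION_NAMES.get(req.function_code, f"fc {req.function_code}"),
        "intent": intent, "address": req.address,
        # Alert only on writes from hosts not documented as authorised writers.
        "alert": intent == "write" and src not in allowed_writers,
    }


# Constructed hosts: an HMI, an engineering workstation (the only documented
# writer), a PLC, and an undocumented host that appears on the network.
ALLOWED_WRITERS: Set[str] = {"10.10.20.10"}

# Constructed sample frames (hand-built hex).
SAMPLE_FLOWS = [
    # HMI reads 10 holding registers from the PLC: expected polling traffic.
    ("10.10.20.5", "10.10.30.7", bytes.fromhex("00010000000601030000000a")),
    # Undocumented host writes register 0x0010 on the PLC: same port, different intent.
    ("10.10.50.99", "10.10.30.7", bytes.fromhex("000200000006010600100000")),
    # Engineering workstation writes two registers: a documented writer, no alert.
    ("10.10.20.10", "10.10.30.7", bytes.fromhex("00030000000b0110000000020400010002")),
]


def run_sample() -> List[dict]:
    """Classify every constructed frame with the constructed allowed-writer list."""
    return [classify(src, dst, frame, ALLOWED_WRITERS) for src, dst, frame in SAMPLE_FLOWS]


if __name__ == "__main__":
    for result in run_sample():
        flag = "ALERT" if result["alert"] else "ok"
        print(f'{flag:5} {result["src"]} -> {result["dst"]} unit {result["unit"]} '
              f'{result["function"]} @ {result["address"]}')
```

Only the second frame raises an alert, although all three are identical at the flow level. In a real deployment the allowed-writer list would come from the documented asset inventory, and the sensor would be a passive tap or SPAN feed rather than an in-line component.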
What CISA Assessments Show When Red Teams Go Unseen
CISA SILENTSHIELD documented undetected adversary emulation across multiple sites. EDR existed but did not close monitoring gaps alone. Other CISA assessments found persistent access on legacy systems without endpoint coverage for extended periods, including preexisting web shell exposure that had not been discovered.
CISA's conclusion was direct: host controls alone are insufficient without network-layer visibility. Investment in tooling does not automatically create detection capability across OT attack paths.
The Cost of Unknown Assets and Unseen Movement
Dragos reports that 61% of industrial organizations struggle to monitor critical assets effectively. Red Team passive reconnaissance frequently identifies unmanaged devices, unknown firmware exposure, and undocumented communication paths.
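The reconnaissance findings above (unmanaged devices and undocumented communication paths) are the same questions a defender can ask of their own passive flow data before an engagement does. The following is an added example, not the article's or any vendor's code, that reconciles conn-log style flow records against a documented inventory and a documented communication matrix and reports unknown assets and undocumented paths between known assets. The inventory, matrix and flow lines are constructed for this example.

```python
"""Reconcile passively observed flows against the documented OT asset inventory.

Constructed example: the inventory, communication matrix and flow lines are
invented for illustration; nothing here comes from a real site.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Documented inventory: ip -> (asset name, role). Constructed.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "10.10.20.5": ("HMI-01", "hmi"),
    "10.10.20.10": ("EWS-01", "ews"),
    "10.10.10.3": ("HIST-01", "historian"),
    "10.10.30.7": ("PLC-07", "plc"),
    "10.10.30.8": ("PLC-08", "plc"),
}

# Documented communication matrix: (source role, destination role, dst port). Constructed.
COMM_MATRIX: Set[Tuple[str, str, int]] = {
    ("hmi", "plc", 502),
    ("ews", "plc", 502),
    ("ews", "plc", 44818),
    ("historian", "hmi", 1433),
}

# Constructed flow records in a conn-log style: ts src dst dst_port proto
FLOW_LINES = """\
1700000000 10.10.20.5 10.10.30.7 502 tcp
1700000005 10.10.20.10 10.10.30.7 44818 tcp
1700000010 10.10.10.3 10.10.30.8 502 tcp
1700000020 10.10.50.99 10.10.30.7 502 tcp
1700000030 10.10.50.99 10.10.30.8 502 tcp
1700000040 10.10.20.5 10.10.30.8 502 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines; blank lines and '#' comments are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), proto))
    return flows


def reconcile(flows: List[Flow],
              inventory: Dict[str, Tuple[str, str]],
              matrix: Set[Tuple[str, str, int]]) -> dict:
    """Report assets absent from the inventory and paths absent from the matrix."""
    unknown: Dict[str, dict] = {}
    undocumented: List[Tuple[str, str, int]] = []
    for f in flows:
        # Any endpoint not in the inventory is an unknown asset; record when it was
        # first seen, how many flows it took part in, and which known assets it touched.
        for ip in (f.src, f.dst):
            if ip not in inventory:
                entry = unknown.setdefault(ip, {"first_seen": f.ts, "peers": set(), "count": 0})
                entry["count"] += 1
                entry["first_seen"] = min(entry["first_seen"], f.ts)
                entry["peers"].add(f.dst if ip == f.src else f.src)
        # A flow between two known assets is documented only if the role pair and
        # destination port appear in the communication matrix.
        if f.src in inventory and f.dst in inventory:
            src_name, src_role = inventory[f.src]
            dst_name, dst_role = inventory[f.dst]
            if (src_role, dst_role, f.dport) not in matrix:
                path = (src_name, dst_name, f.dport)
                if path not in undocumented:
                    undocumented.append(path)
    return {"unknown_assets": unknown, "undocumented_paths": undocumented}


if __name__ == "__main__":
    report = reconcile(parse_flows(FLOW_LINES), INVENTORY, COMM_MATRIX)
    for ip, info in report["unknown_assets"].items():
        print(f"unknown asset {ip}: first seen {info['first_seen']}, "
              f"{info['count']} flows, peers {sorted(info['peers'])}")
    for src, dst, port in report["undocumented_paths"]:
        print(f"undocumented path {src} -> {dst} tcp/{port}")
```

On the constructed data the report shows one unknown host talking to two PLCs and one documented historian reaching a PLC over a port the matrix never approved. Both findings are exactly what the text describes a red team turning up; running the same reconciliation continuously against sensor output turns them into routine inventory hygiene instead of engagement surprises.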
Colonial Pipeline showed the operational consequence of this uncertainty. IT compromise drove a voluntary OT shutdown because defenders could not determine OT compromise status with confidence. The visibility gap was expensive even if OT impact had not yet been confirmed.
Red Team Findings Are Budget-Relevant Evidence
Red Team outputs are actionable because they map timeline, route, and impact against your real environment. Abstract risk can be deferred. Documented lateral movement through unmonitored segments with zero alerting is harder to ignore.
SANS and Dragos analysis shows that organizations with comprehensive asset visibility are 3.7x more likely to achieve full ICS Kill Chain visibility. Findings do not argue that monitoring investment failed. They define where monitoring coverage must expand and what delay costs when it does not.
The Three Layers Behind What the Red Team Validates
The Red Team operates in the gap between governance and implementation. The companion Leadership Layer article, What You Fund Is What You See, covers funding authority. The CFC as OT Visibility Architecture covers implementation architecture. The Red Team validates whether these layers produced real coverage.
For attacker-side path analysis, see The Shadow Current Map. For prior series links, see Article 4 and Article 3. Learn more in the executive brief, The Missing Leadership Layer in Industrial Cybersecurity.
5 days vs 42 days.
The difference is OT visibility, not luck.
The engagement starts with expected visibility gaps across ICS layers because sector data repeatedly shows incomplete monitoring at supervisory and remote levels.
When protocol intent is not decoded, lateral movement can blend into normal operations traffic. This is the seam where many red team pivots occur.
Host controls matter, but network-layer monitoring and daily alert operations discipline determine whether teams convert telemetry into timely detection.
Unknown inventory and undocumented communications paths increase uncertainty during incidents, which drives expensive, precautionary response actions.
Documented movement paths, dwell intervals, and missed detections define exact monitoring expansion priorities and create board-level budget clarity.
Faster containment comes from coverage depth, not tool count. Teams with comprehensive OT visibility can identify path progression earlier and respond with less uncertainty.
Red Team reports should tie each missed detection to specific monitoring, telemetry, and operational workflow gaps so funding targets capability coverage, not generic upgrades.
Some exposures are not just monitoring blind spots. They are legacy design limitations. The next article addresses compensating controls where modern security assumptions do not fit legacy OT systems.
