
    OT Protocol Anomalies

    Surfaces the most anomalous OT protocols (e.g., Modbus, OPC UA, BACnet) with the risk classification assigned to each.

    What it shows

    This panel surfaces OT-native threats: unexpected reads and writes (for example, a host that normally only polls a PLC suddenly writing coils or registers), unusual command sequences, and protocol misuse such as repeated diagnostic or device-identification requests. Any of these can indicate reconnaissance or sabotage.

    How it’s calculated

    • Protocol baselining by site/zone: which commands, which talkers, and what timing are normal for each zone.
    • Anomaly scoring considers function codes (reads versus writes versus diagnostics), message frequency, payload characteristics, and the endpoints involved.
    • Correlates anomalies with the asset inventory and segmentation boundaries (zones and conduits), so traffic that crosses a boundary it should not is flagged as possible lateral movement.

    What to do next

    1. Investigate high-risk protocols and identify the talkers (engineering station, contractor VPN, rogue device).
    2. Apply traffic filtering or segmentation rules to contain the traffic within the correct conduits.
    3. Harden remote access and require hardware-backed identity for OT operators.
    4. Create allow-lists for safe operations and alert on any deviation from them.
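    The scorer below is an added example (not the product's own code) that ties the calculation described under "How it's calculated" to step 4 above: it learns a per-host allow-list of Modbus (source, destination, function code) tuples and their normal rate from a learning window, then scores later traffic for unknown talkers, conduit violations, unbaselined writes or diagnostics, and rate spikes. The asset inventory, the zone and conduit map, the flow record format, the score weights and thresholds, and all sample traffic are constructed for illustration; only the Modbus function-code grouping comes from the public Modbus specification.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

# Modbus public function codes, grouped by what they do to the process.
READ_CODES = {1, 2, 3, 4}           # read coils / discrete inputs / registers
WRITE_CODES = {5, 6, 15, 16, 23}    # write coil(s) / register(s), read-write multiple
DIAG_CODES = {8, 43}                # diagnostics, device identification (recon)

# Constructed asset inventory (hypothetical addresses): host -> (zone, role).
ASSETS = {
    "10.1.10.5": ("cell-A", "hmi"),
    "10.1.10.6": ("cell-A", "eng-station"),
    "10.1.10.20": ("cell-A", "plc"),
    "10.1.20.20": ("cell-B", "plc"),
    "10.9.0.7": ("remote-access", "vpn-gateway"),
}
# Constructed conduit allow-list (source zone, destination zone); intra-zone is always allowed.
CONDUITS = {("remote-access", "cell-A")}

@dataclass(frozen=True)
class Flow:
    ts: float   # seconds
    src: str
    dst: str
    fc: int     # Modbus function code

@dataclass
class Finding:
    flow: Flow
    score: int
    level: str
    reasons: list

def zone_of(ip):
    return ASSETS.get(ip, ("unknown", "unknown"))[0]

class Baseline:
    """Allow-list of (src, dst, fc) tuples seen in the learning window, with per-minute rates."""
    def __init__(self):
        self.allowed = set()
        self.rate = {}

    def learn(self, flows, window_s):
        counts = Counter((f.src, f.dst, f.fc) for f in flows)
        for key, n in counts.items():
            self.allowed.add(key)
            self.rate[key] = n / (window_s / 60.0)

def score(flow, baseline, recent_per_min):
    """Score one flow against the baseline; weights are illustrative assumptions."""
    s, reasons = 0, []
    key = (flow.src, flow.dst, flow.fc)
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if flow.src not in ASSETS:
        s += 40; reasons.append("unknown talker")
    if src_zone != dst_zone and (src_zone, dst_zone) not in CONDUITS:
        s += 40; reasons.append(f"no conduit {src_zone}->{dst_zone}")
    if key not in baseline.allowed:
        if flow.fc in WRITE_CODES:
            s += 50; reasons.append(f"unbaselined write fc={flow.fc}")
        elif flow.fc in DIAG_CODES:
            s += 30; reasons.append(f"unbaselined diagnostic fc={flow.fc}")
        else:
            s += 15; reasons.append(f"unbaselined read fc={flow.fc}")
    elif recent_per_min > 5 * baseline.rate[key] + 5:
        s += 30; reasons.append(f"rate {recent_per_min}/min vs baseline {baseline.rate[key]:.1f}/min")
    return min(s, 100), reasons

def classify(s):
    return "high" if s >= 70 else "medium" if s >= 30 else "low"

def scan(flows, baseline, window_s=60.0):
    """Score a time-ordered stream, keeping a per-key sliding window for the rate check."""
    recent = defaultdict(deque)
    findings = []
    for f in sorted(flows, key=lambda x: x.ts):
        key = (f.src, f.dst, f.fc)
        q = recent[key]
        q.append(f.ts)
        while q[0] < f.ts - window_s:
            q.popleft()
        s, reasons = score(f, baseline, len(q))
        findings.append(Finding(f, s, classify(s), reasons))
    return findings

def learning_window():
    """Constructed 10-minute window: HMI polls the PLC every second, engineering writes three times."""
    flows = [Flow(t, "10.1.10.5", "10.1.10.20", 3) for t in range(600)]
    flows += [Flow(t, "10.1.10.6", "10.1.10.20", 16) for t in (120, 300, 480)]
    return flows

# Constructed observations after learning: a normal poll, three suspicious flows, then a poll storm.
OBSERVED = [
    Flow(601, "10.1.10.5", "10.1.10.20", 3),     # normal HMI poll
    Flow(602, "10.9.0.7", "10.1.10.20", 16),     # write arriving through the VPN gateway
    Flow(603, "10.1.10.99", "10.1.10.20", 43),   # device-identification probe from an uninventoried host
    Flow(604, "10.1.10.6", "10.1.20.20", 16),    # engineering station writing into another zone
] + [Flow(610 + i / 10, "10.1.10.5", "10.1.10.20", 3) for i in range(400)]

def demo():
    baseline = Baseline()
    baseline.learn(learning_window(), window_s=600)
    return scan(OBSERVED, baseline)

if __name__ == "__main__":
    for fnd in demo():
        if fnd.level != "low":
            print(f"{fnd.flow.ts:7.1f} {fnd.flow.src:>11} -> {fnd.flow.dst:<11} fc={fnd.flow.fc:<2} "
                  f"{fnd.level:6} score={fnd.score:3} {'; '.join(fnd.reasons)}")
```

    Run stand-alone, the script prints only the medium and high findings: the VPN-sourced write scores medium because the remote-access conduit is permitted but no write from that host was ever baselined; the probe from the uninventoried host and the cross-zone write score high; and the poll storm is flagged only once the sliding-window rate exceeds five times the learned rate, so a brief burst does not page anyone. A production implementation would key the baseline per zone and per protocol rather than per host, and would feed confirmed findings back into the allow-list.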

    KPIs to watch

    • High anomalies (count)
    • Protocols affected (count)
    • Contained events (count)

    Why this matters to a CISO

    AI only works if it's trustworthy: if models drift or confidence drops, you're flying blind. This keeps the AI layer honest.
    Drift is normal in OT: new firmware, new shifts, new processes all cause drift. You need to detect it early, before it erodes detection quality.
    Confidence drives automation: you can't let AI auto-contain based on shaky confidence. This metric ensures automation stays aligned with risk appetite.
    Feedback loops improve accuracy: every analyst decision sharpens the models. This closes the loop between human intelligence and machine learning.
    Reference UI screenshot: OT Protocol Anomalies