OT Operational Environment
This section establishes the operational context in which the First Watch® Platform is used.
Understanding this context is essential before performing any monitoring, investigation, or enforcement actions.
Industrial control systems operate under fundamentally different constraints compared to enterprise IT environments. These differences define how security must be applied — and why traditional approaches are insufficient.
Industrial Operational Reality
Industrial (OT) environments differ from IT in purpose, constraints, and risk tolerance.
Different Objectives
OT environments prioritise:
- Safety
- Physical integrity
- Continuous operation
IT environments prioritise:
- Confidentiality
- Data integrity
- Service availability
In OT, loss of availability can result in:
- physical damage
- safety incidents
- environmental impact
- regulatory breaches
Unlike IT, these consequences are not easily reversible.
Different Change Dynamics
- Systems may run continuously for months or years
- Maintenance windows are limited and tightly controlled
- Changes are:
  - infrequent
  - carefully coordinated
  - sometimes executed under time pressure
Documentation may be:
- incomplete
- outdated
- constrained by vendor limitations
By contrast, IT systems are designed for frequent updates and rapid rollback.
Different Technology Landscape
OT environments commonly include:
- Legacy operating systems
- Proprietary protocols
- Vendor-specific tools
- Systems without modern authentication or security controls
Additionally:
- Vendor support contracts may restrict changes
- Certification requirements may limit modifications
Risk of Operational Disruption
Unintended disruption in OT environments carries significant consequences:
- Production downtime with immediate financial impact
- Long recovery times requiring specialised personnel
- Equipment damage or invalid product batches
- Activation of safety systems
- Regulatory and contractual penalties
As a result:
Even well-intentioned security actions can introduce unacceptable risk if applied without full operational context.
Operational Implications
For this reason:
- Monitoring must always precede enforcement
- Actions must be non-disruptive by default
- Enforcement must be applied:
  - selectively
  - incrementally
  - with explicit approval
The First Watch® Platform is designed around these principles.
The Nature of Risk in OT Environments
In industrial systems, cybersecurity risk cannot be separated from process behaviour.
A healthy system typically exhibits:
- Predictable communication patterns
- Stable configurations
- Behaviour aligned with physical and engineering constraints
Understanding this baseline requires:
- time
- observation
- collaboration between operations, engineering, and security
Without this baseline:
it is impossible to distinguish acceptable deviation from genuine risk
Complexity of Abnormal Behaviour
Abnormal or malicious behaviour may:
- appear gradual rather than abrupt
- mimic legitimate maintenance activity
- manifest as minor inefficiencies before alarms
Correct interpretation requires:
- cyber-physical understanding
- contextual awareness
- sometimes controlled experimentation
Such experimentation must be conducted carefully to avoid operational impact.
Illustrative Examples
Configuration Drift vs Malicious Change
A gradual, undocumented PLC change may initially appear as tuning.
Over time, it may reduce safety margins or alter control behaviour.
Without traceability:
- drift remains undetected
- risk accumulates silently
Communication Anomalies
An engineering workstation communicating outside normal maintenance windows may indicate:
- misconfiguration
- compromise
The difference is not obvious without baseline knowledge.
Unauthorised Application Execution
Engineering workstations are authorised to run specific tools.
Unexpected execution may indicate:
- unauthorised software
- misuse of legitimate tools
- malicious payloads
For example:
PowerShell execution outside approved windows may allow:
- configuration changes
- remote command execution
- payload download
- bypass of engineering workflows
Without application control:
such activity may remain undetected until impact occurs
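As an added illustration of the two cases above (communication outside maintenance windows, and execution of tools that are not part of a workstation's approved set), the following Python is not First Watch code; the host names, protocols, tools, window and sample events are all constructed assumptions:

```python
from datetime import datetime, time

# Constructed baseline for an assumed engineering workstation EWS-01.
# Flows are (source, destination, protocol); tools are process names the
# workstation is approved to run. Windows are (weekday, start, end), Monday == 0.
BASELINE_FLOWS = {("EWS-01", "PLC-07", "s7comm"), ("EWS-01", "HIST-01", "opcua")}
APPROVED_TOOLS = {"EWS-01": {"tia_portal.exe", "opcua_browser.exe"}}
MAINTENANCE_WINDOWS = {"EWS-01": [(1, time(8, 0), time(12, 0))]}

def in_approved_window(host, ts):
    """True if ts falls inside one of the host's approved maintenance windows."""
    for weekday, start, end in MAINTENANCE_WINDOWS.get(host, []):
        if ts.weekday() == weekday and start <= ts.time() <= end:
            return True
    return False

def classify(event):
    """Label one event: 'baseline', 'outside-window' or 'unknown'.

    event has 'ts', 'host', 'kind' ('flow' or 'exec') and either
    'dst' + 'proto' (flow) or 'process' (exec).
    """
    host = event["host"]
    if event["kind"] == "flow":
        known = (host, event["dst"], event["proto"]) in BASELINE_FLOWS
    else:
        known = event["process"].lower() in APPROVED_TOOLS.get(host, set())
    if known and in_approved_window(host, event["ts"]):
        return "baseline"
    if known:
        return "outside-window"  # familiar activity at an unexpected time: investigate
    return "unknown"             # never seen in the baseline: highest priority

def triage(events):
    """Return the non-baseline findings, oldest first, as (time, host, label)."""
    findings = [(e["ts"].isoformat(), e["host"], classify(e)) for e in events]
    return sorted(f for f in findings if f[2] != "baseline")

# Constructed sample events; 2024-03-05 is a Tuesday (weekday 1), inside the window.
SAMPLE_EVENTS = [
    {"ts": datetime(2024, 3, 5, 9, 30), "host": "EWS-01", "kind": "flow", "dst": "PLC-07", "proto": "s7comm"},
    {"ts": datetime(2024, 3, 6, 2, 15), "host": "EWS-01", "kind": "flow", "dst": "PLC-07", "proto": "s7comm"},
    {"ts": datetime(2024, 3, 5, 9, 45), "host": "EWS-01", "kind": "exec", "process": "powershell.exe"},
    {"ts": datetime(2024, 3, 5, 10, 0), "host": "EWS-01", "kind": "exec", "process": "TIA_Portal.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```

Both non-baseline labels are investigation prompts, not verdicts: the "outside-window" flow may be a legitimate but unrecorded change, which is exactly the distinction the baseline and traceability are there to make.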
Defense-in-Depth in Practice
Industrial risk management must assume uncertainty.
Therefore, protection should follow defense-in-depth principles:
- Multiple independent layers of control
- Separation between:
  - observation
  - detection
  - enforcement
- Controls that prevent escalation even without full understanding
Security Maturity Evolution
Industrial environments typically evolve through stages:
Stage 1 — Flat Network
- SCADA and PLCs share the same network
- All communication is implicitly trusted
- No barriers to misuse or propagation
Stage 2 — Firewall Segmentation
- Communication paths are restricted
- Exposure is reduced
However, firewalls:
- lack operational context
- cannot determine intent
- allow technically valid but operationally inappropriate actions
Stage 3 — Deterministic Control with First Watch®
First Watch introduces:
- Structured asset visibility
- Policy-defined allowed behaviour
- Enforcement aligned with operational intent
In this model:
- Firewall → controls access
- First Watch → controls behaviour
Protection is:
- deterministic
- policy-driven
- auditable
Monitoring as a Primary Control
Monitoring is not a passive function.
It is the foundation of safe protection.
Role of Monitoring
- Firewalls define where traffic may flow
- Monitoring shows how it actually flows
- Enforcement acts only after behaviour is understood
Why Monitoring Matters
Monitoring enables:
- Validation of communication patterns
- Detection of abnormal timing or frequency
- Identification of activity outside approved windows
It allows organisations to:
learn before enforcing
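An added example of the "learn before enforcing" point and of detecting abnormal timing or frequency (illustrative Python, not First Watch code; the flow names and poll timings are constructed): a baseline interval is learned per flow from an observation period, and only flows with a learned baseline are judged afterwards.

```python
from statistics import median

def learn_interval(timestamps):
    """Baseline for one flow: median gap (seconds) between consecutive observations.
    Returns None when fewer than two observations exist, i.e. no baseline yet."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return median(gaps) if gaps else None

def assess_timing(baseline, later, tolerance=0.5):
    """Compare a later observation window with the learned interval.
    Returns 'no-baseline', 'silent', 'faster', 'slower' or 'normal'."""
    if baseline is None:
        return "no-baseline"   # nothing learned yet: keep observing before judging
    if len(later) < 2:
        return "silent"        # the flow has effectively stopped
    observed = learn_interval(later)
    if observed < baseline * (1 - tolerance):
        return "faster"        # e.g. polling rate jumped: misconfiguration or scanning
    if observed > baseline * (1 + tolerance):
        return "slower"        # e.g. degraded link or a stalled poller
    return "normal"

def assess_flows(learning, later):
    """Per-flow verdicts; a flow absent from the learning period gets 'no-baseline'."""
    baselines = {flow: learn_interval(ts) for flow, ts in learning.items()}
    return {flow: assess_timing(baselines.get(flow), ts) for flow, ts in later.items()}

# Constructed observations (seconds from start) for assumed flows.
LEARNING = {
    ("SCADA-01", "PLC-07"): [0, 5, 10, 15.2, 20, 25, 30.1, 35, 40],   # ~5 s polling
    ("SCADA-01", "PLC-08"): [0, 10, 20.1, 30, 40],                    # ~10 s polling
}
LATER = {
    ("SCADA-01", "PLC-07"): [100, 101, 102, 103, 104],   # 1 s gaps: five times faster
    ("SCADA-01", "PLC-08"): [100, 110, 120],             # unchanged
    ("EWS-01", "PLC-07"): [100, 100.5, 101],             # never seen during learning
}

if __name__ == "__main__":
    for flow, verdict in assess_flows(LEARNING, LATER).items():
        print(flow, verdict)
```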
Risks of Skipping Monitoring
Example 1 — Blocking Legitimate Control
Blocking PLC writes without baseline knowledge may:
- interrupt control loops
- trigger shutdown
Example 2 — Disrupting Maintenance
Blocking vendor tools without prior observation may:
- delay maintenance
- increase operational risk
Example 3 — Misinterpreting Behaviour
Restricting communication frequency without understanding process dynamics may:
- worsen process instability
Limitations of Monitoring
Monitoring alone:
- does not prevent actions
- does not block misuse
- does not eliminate risk
Visibility is not protection
Change as an Operational Constant
Change is inherent in industrial systems.
Common changes include:
- SCADA updates
- PLC logic modifications
- Setpoint adjustments
- Engineering workstation activity
- Network infrastructure changes
Each introduces potential risk.
Risks Associated with Change
- Incorrect changes degrade performance
- Unauthorised changes introduce hidden risk
- Malicious actors exploit legitimate workflows
Requirements for Safe Change
All changes must be:
- explicitly authorised
- time-bound
- traceable
Without this:
intent cannot be determined and risk cannot be managed
Role of First Watch®
The platform enables:
- validation of approved changes
- rapid investigation
- prevention of harmful modifications
- auditability for compliance
Human-Centric Operations
Industrial systems remain fundamentally human-driven.
Technology supports decisions — it does not replace them.
Evidence-Based Decision Making
The platform provides:
- visibility of changes
- context of activity
- traceability of actions
This enables:
- informed decisions
- reduced ambiguity
Controlled Enforcement
The platform allows:
- systems to be protected by default
- controlled temporary access
- automatic return to protected state
This ensures:
- changes occur only when approved
- risk is minimised
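An added illustration of the change model described under Requirements for Safe Change and Controlled Enforcement (conceptual Python, not the First Watch implementation or API; the asset name, approver and ticket id are constructed): an asset is protected by default, a write is allowed only inside an explicitly authorised, time-bound window, every grant and attempt is logged, and protection returns automatically when the window ends.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class ChangeWindow:
    approver: str
    ticket: str
    start: datetime
    end: datetime

@dataclass
class ProtectedAsset:
    """Write-protected by default; open only inside an approved, time-bound window."""
    name: str
    window: Optional[ChangeWindow] = None
    audit: list = field(default_factory=list)

    def grant(self, approver, ticket, start, duration):
        """Record an explicit, traceable authorisation valid for a bounded period."""
        if not approver or not ticket:
            raise ValueError("change must be explicitly authorised and traceable")
        self.window = ChangeWindow(approver, ticket, start, start + duration)
        self.audit.append(("grant", self.name, approver, ticket,
                           start.isoformat(), self.window.end.isoformat()))

    def state(self, now):
        """'open' inside the approved window, otherwise 'protected' (no manual revert)."""
        if self.window and self.window.start <= now < self.window.end:
            return "open"
        return "protected"

    def attempt_write(self, actor, now):
        """Log the attempt with its ticket (if any) and return whether it is permitted."""
        allowed = self.state(now) == "open"
        ticket = self.window.ticket if allowed else None
        self.audit.append(("write", self.name, actor, now.isoformat(),
                           "allowed" if allowed else "denied", ticket))
        return allowed

def demo():
    """Constructed scenario: a two-hour window approved at 08:00 on ticket CHG-0042."""
    plc = ProtectedAsset("PLC-07")
    t0 = datetime(2024, 3, 5, 8, 0)
    before = plc.state(t0)
    plc.grant("shift-lead", "CHG-0042", t0, timedelta(hours=2))
    during = plc.attempt_write("engineer", t0 + timedelta(minutes=30))
    after = plc.attempt_write("engineer", t0 + timedelta(hours=2))
    return before, during, after, plc.state(t0 + timedelta(hours=3)), len(plc.audit)
```

The audit list is what makes intent determinable afterwards: each allowed write carries the ticket under which it happened, and each denied write shows an attempt outside any approval.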
Human Responsibility
Personnel remain responsible for:
- approving changes
- interpreting alerts
- coordinating response
The platform enforces policy — humans retain control