SCHEDULE

OT Network assessment

Home » Blog » OT Network assessment
Matjaž Demšar Vlado Č. Stajić
24 October 2025

Feeling nostalgic – yet?

Some of us still remember, how things looked in IT decades ago and when I think about it, a nostalgic smile crosses my face. Seems like we were living in a children’s game, called “playing computers”; that is how simple life then seems now. I have been in IT since the break of millennium and it was not until the end of first decade, when I first encountered the idea of production IT. That is how we called it back then, although I have spent larger part of my career in production companies or at large industrial multinationals.

Todays’ world is a lot different. We do not talk only about convergence, but sometimes even hyperconvergence of IT and OT. Technology and organizational progress have brought OT ever closer to IT, the latter being a natural consumer of vast flows of data created by manufacturing systems. While this may seem like a dream of data and business analysists, it something quite opposite to hordes of people, trying to build dams and fish barriers in this river of data and communications. Every stakeholder in this story has their own vision of what this looks like – OT based personnel is trying to optimize the uptime of production, make sure that there is as much predictability as possible in the processes and the maintenance costs as low as possible, which directly impacts profitability. IT crowd wants to be able to secure the whole landscape and make sure, that organization is safe from threats. CSO is trying to bring everything together – make sure that security policies are sound as well as not too restrictive – a sort of a balancing act on the knife blade, where every wrong step can hurt. An enormous task, no doubt. And one I have seen too many fail at.

Matjaž Demšar at NIL’s Key client gathering in October 2025

We have the challenge, now we need to rise up to it

In order to tackle this challenge, any approach should be based on specific properties of the OT. In this aspect, it reminds me a bit of non-Newtonian liquids – the more IT policies you bring in, the harder the surface and the bigger the resistance. You have to be enough flexible to make the fluid respond to your inputs. Of course, there is also a lot of sense in it – OT world is focusing on running and controlling a process and one of the iron rules here is “Always keep control of the process”. This means that no cybersecurity or security mechanism shall interfere with the control of the process.

One such framework to handle cybersecurity in the OT is the ISA/IEC 62443 family of standards. Now at almost 25 years old, we can say it has matured quite a bit and every year, a new application use is found for it. This is not supposed to be an introduction to it, and we will perhaps focus on it another day. This blog is about one of the cornerstones of the family – industrial cybersecurity risk assessment.

Risks are not all equal

At the core of the ISA/IEC 62443 is the risk management approach. In a field, where every plant, every process and manufacturing cell is different, this is the one thing, that can bring order. By knowing all about the risk, organizations are able to minimize them and control the potential harm it might bring. Of course, knowledge of risks must be as good as possible, to avoid unnecessary or insufficient actions related to cybersecurity controls. In order to make sure of that, we make use of assessments, which show us the possible risks, consequences they can have and their likelihood as well. Assessments can take many forms and are usually depending on the use case itself, maturity of the organization, the dedication – direct indicator of leadership support and availability of qualified personnel.

Instructor Robert Lesar
Robert Lesar Instructor
Video

Cisco Cyber Vision in Action: How to Secure Your OT Network

17 September 2025
Watch the recording of the industrial security webinar and learn how you can use Cisco Cyber Vision to improve the security of your operational technology […]
Read more

To accommodate all this, assessments can take many forms and can range from simple, tabletop assessments, where documentation is studied, diagrams are analysed and interviews with all the necessary people are performed. Almost mandatory part is a site walkthrough, where the actual production site is visited and situation in the shop floor is observed. I have not done a single assessment so far without physical walkthrough and the one I did without physical presence was done by a colleague holding an online camera and listening to our instructions online, where to go and what to look at. I think this illustrates the importance of an actual walkthrough well enough.

Vlado Č. Stajić and Matjaž Demšar at NIL’s Key client gathering in October 2025

Often, this alone does not provide the necessary information, and it is a Sisyphean task to go through all the necessary information manually. What I mean here is the asset information collection and communication analysis. It would be a lie to say that I have not done it in my career so far and also lie to say, that I would like to repeat it any time soon. Collecting all the risk management information from industrial assets is a nightmare in anything but a demo system, especially if there is no system such as Manufacturing Operations Management (MOM), Maintenance Information System (MIS), Computerized Maintenance Management System (CMMS) or similar in place. And guess what – there usually is not. At least in the vast majority of companies worldwide.

You are not alone

In order to achieve visibility and bring some transparency into OT environment we often resort to various tools, whose main purpose is to plug into the network and based on a carefully prepared configuration, ingest data and analyse it in a way, that makes risk and vulnerabilities clearly visible. This way, we can focus on using our knowledge to prepare the best possible strategy to contain risks or minimize them.

So, what are some of the biggest benefits of using these tools, when we use them as part of the assessment? First, we can get the full OT system inventory, at least for the devices that take part in communication. Tools like Cisco Cyber Vision can read OT traffic communication and parse the packets to get insight into the devices, that are doing the talking. While analysing, they can read also asset inventory information, such as vendor information, firmware versions, models and other information, that helps match these to known vulnerabilities.

These tools can also dissect the traffic and identify the communication partners and information about the contents; not only that, they identify the actual OT protocols and the kind of an operation – in some cases, they are able to show actual contents of a packet, that is easily readable by a process engineer who can identify if such traffic is legitimate or part of a possible incident. Having such insight into the actual control system changes and process data can be priceless when assessing the OT operations.

Achieving all this without technical means is almost impossible without enormous labour costs all while having a considerable margin for error; some of the detected issues, like anomalies in network communication data, risk scoring, vulnerability detection, misconfiguration identification and OT communication problems detection require a team of experts, which further adds to the strain on resources and costs, making of such efforts only an exercise in “letting go of it”.

Of course, assessment on their own have no real purpose. They must be a part of a wider cybersecurity effort. In most cases, they are in the centre of an effort to solve customer pain points – without true motivation, most of them are doomed in the beginning. Once there are clear motivation and requirements, certainty of successful outcome is magnified several fold.

Matjaž Demšar and Vlado Č. Stajić at NIL’s Client gathering in October 2025

There are also other friends

So, how does a simple OT cybersecurity assessment look like? It has to start with a reason – a motivation by the customer to start this journey. This usually comes from an organization centric and business-based pain points. This is the motivation, mentioned above. Operational part is mostly revolving around data gathering, analysis and interviews, where we try to get as much information from customer as possible, even some that looks irrelevant at first sight. In the end, most of it fits like in a mosaic. We can make extensive use of various tools to collect and organize data and that is where Cyber Vision and similar, mostly OT centric applications find themselves at home.

Once all the information is gathered and synced with customer, we return to our proverbial lair and crunch it – until it is ready to be presented to all the stakeholders. At the same time, we can outline the next steps and concrete actions in order to move forward. This last step though often overlooked is the most crucial. Can you guess why? Return to the first step, talking about motivation. Motivated organizations need action plan – it is not all about a check box. We can say, it is not just about the goal, but about journey. And we provide the maps for the winding road.

 

At NIL, we’re proud to be a Cisco Platinum Learning Partner—which means we don’t just teach technology; we help organizations put it into action.
Recently, we had an exciting opportunity to help a major state-level transportation agency in California strengthen both its IT and OT (Operational Technology) expertise. Our goal was to equip their teams with the skills to better understand, monitor, and secure the increasingly connected worlds of IT and industrial systems.
The success of that engagement quickly caught attention. Word spread across Cisco’s ecosystem, and soon we were invited to enable several Cisco partners on the East Coast to perform Cisco CyberVision assessments—a methodology used to analyze and visualize what’s really happening inside an industrial network.

From Training Room to Factory Floor

After the training, one of the partners reached out again. They had just landed a major project but felt uncertain about tackling their first real-world OT assessment on their own.
We decided to join forces.
Together, we headed to Michigan, where the customer—a large automotive manufacturer—wanted to gain visibility into its production network. Two of our experts worked on site alongside the partner’s team to deploy Cisco CyberVision sensors, collect data, and analyze the current state of the OT environment.

What We Found

As with many OT networks, there were some positives and some surprises.
On the positive side, the customer already had:
  • A level of network segmentation between zones
  • Firewall rules in place to filter certain types of traffic
But the assessment also uncovered a number of weaknesses that could affect security or stability, such as:
  • Full interconnection between OT and IT networks
  • Outdated systems (e.g., Windows XP with SMBv1)
  • Default passwords and even unauthorized remote access by third parties
  • Unsecured FTP transfers of software
  • Devices configured on the wrong VLANs or with misconfigured switches
  • Extraneous communication and DNS queries to the Internet
These insights gave the customer a clear, factual picture of what was happening in their network—often for the first time.
In several cases, it was eye-opening to see how invisible issues could have direct operational or security impacts.
Vlado Č. Stajić at NIL’s Key client gathering in October 2025

Turning Insights Into Action

The assessment report didn’t stop at detection. Together with the local partner, we delivered a practical roadmap of remediation steps—actions the customer could take to harden and future-proof their OT environment.
Key recommendations included:
  • Disabling Windows Update Delivery Optimization (WUDO) on OT systems and controlling updates via WSUS servers
  • Introducing cell/area-based industrial firewalls
  • Enforcing segmentation directly at the switch level
  • Deploying a web application firewall to screen Internet-bound traffic
  • Updating or replacing obsolete systems
  • Running targeted risk assessments for individual production “wings”
These measures not only address existing issues but also create a framework for continuous improvement and visibility.

From Visibility to Resilience

This project reinforced an important lesson: visibility is the foundation of security.
You can’t protect what you can’t see.
By combining training, partnership, and hands-on fieldwork, we helped a customer transform raw network data into actionable security intelligence—laying the groundwork for safer, more efficient, and more resilient industrial operations.

Summary

  • NIL, as a Cisco Platinum Learning Partner, helped a major public agency strengthen IT/OT knowledge.
  • This led to enablement of multiple Cisco partners on the East Coast in performing Cisco CyberVision assessments.
  • Together with one of those partners, NIL executed a real-world OT assessment for a large automotive manufacturer in Michigan.
  • Findings revealed both good practices (segmentation, firewall rules) and key vulnerabilities (legacy systems, default credentials, insecure transfers).
  • The joint remediation roadmap provided clear, actionable steps to improve segmentation, patch management, and long-term OT security.
  • The project highlighted how visibility and collaboration drive cybersecurity maturity in industrial environments.