18 Jun 2026

Intrusion detection and monitoring for OT networks

Quick summary

Operational technology is now a deliberate target, and as industrial networks connect to IT, prevention alone is no longer enough. Detecting intrusions and monitoring OT networks continuously has become essential, but it has to be done in ways that suit OT rather than borrowing IT tools wholesale. This article explains why OT detection matters, how it differs from IT monitoring, and what effective OT monitoring involves.

Introduction

For years, operational technology, the systems that run substations, plants and industrial processes, was protected mainly by isolation. It sat on separate networks, used obscure protocols, and was rarely connected to anything an attacker could reach. Security frameworks focused on keeping it walled off.

That assumption has broken down. As OT connects to IT systems and the wider network for efficiency and remote management, it has become reachable, and attackers have noticed. Defending it now requires more than walls and segmentation; it requires the ability to see what is happening inside OT networks and to detect intrusions when they occur. For energy and industrial operators across the EU, OT monitoring has moved from a refinement to a core part of cyber defence.

OT is now a deliberate target

The threat data makes the shift clear. ENISA's 2025 threat landscape, based on close to 4,900 incidents, found that operational technology systems were among the most targeted, accounting for around 18 percent of observed threats, and noted that traditionally isolated industrial networks are increasingly exposed as they connect to IT (ENISA, 2025).

The methods are maturing too. ENISA reported that vulnerability exploitation accounted for over a fifth of initial access, and that roughly two-thirds of those exploitation cases led to malware being deployed as a follow-up, with energy systems a particular focus for both state-aligned groups and hacktivists (ENISA, 2025). The reason this matters is that OT is no longer caught only by accidental, opportunistic malware; it is being targeted deliberately by capable actors, which is a different and more serious problem.

OT has moved from collateral damage to a chosen target, which changes what defending it requires.

Takeaway: Operational technology is now among the most targeted system types, deliberately pursued by capable attackers as it connects to IT.

Why prevention is not enough

Segmentation, access control and secure design remain essential, and frameworks such as IEC 62443 provide the structure for them. But prevention assumes you can keep every attacker out, and the incident data shows that assumption fails often enough to be dangerous. Once an attacker is inside an OT network, an environment with no monitoring is effectively blind.

Detection closes that gap by assuming some intrusions will succeed and ensuring they are seen quickly. It is also increasingly a legal expectation: under the NIS2 Directive, essential entities including energy operators must manage risk and report significant incidents on a fixed timeline, an early warning within 24 hours of becoming aware of the incident, a notification within 72 hours and a final report within a month, which is impossible without the ability to detect the incident in the first place (European Commission, 2024). The implication is that monitoring is no longer optional good practice; it is the precondition for meeting the incident-reporting obligations operators are now bound by.

Takeaway: Prevention will sometimes fail, and reporting duties assume detection, so monitoring OT for intrusions is now both prudent and required.

How OT monitoring differs from IT

The instinct to apply IT security tools to OT is understandable and usually wrong. OT systems are sensitive to disruption: an active scan that an IT network shrugs off can disturb a process controller, and availability and safety take priority over everything else. Monitoring therefore has to be done in ways that do not interfere with operations.

This usually means passive, network-based monitoring that observes a copy of the traffic, from a mirror (SPAN) port or a network TAP, without injecting anything into the process network, combined with parsers for industrial protocols such as IEC 60870-5-104, IEC 61850 and Modbus, so that the monitor can tell a routine read from a write that changes a setpoint. It also plays to an OT advantage: industrial traffic is far more repetitive and predictable than IT traffic, the same hosts polling the same devices with the same function codes on a fixed cycle, so abnormal behaviour stands out more clearly, making anomaly and behavioural detection genuinely effective. The reason this matters is that effective OT monitoring is not IT monitoring relocated; it is a discipline built around OT's constraints and its unusually regular traffic.

OT's sensitivity rules out intrusive IT tools, but its predictable traffic makes anomaly detection unusually powerful.

Takeaway: OT monitoring must be passive and protocol-aware, and it benefits from the fact that abnormal behaviour stands out against highly regular industrial traffic.

Building OT detection that works

Effective detection starts with knowing what is there. Many operators lack a complete inventory of their OT assets, and you cannot monitor or protect what you cannot see, so asset discovery and visibility come first. In OT the inventory itself should be built passively, from the devices and unit identifiers observed in traffic, with active queries used only where the vendor has confirmed they are safe for the controller in question. From there, passive monitoring can establish a baseline of normal communication and flag deviations from it.

This works best when it fits the structure operators already use. Mapping monitoring onto the zones and conduits of IEC 62443 aligns detection with the segmentation already in place, and feeding alerts into a response process, whether an internal team or a managed service, ensures that detection leads to action rather than just noise. The implication is that OT detection is a programme, not a product: visibility, baselining, integration with existing security architecture, and a route from alert to response all have to be in place for it to deliver.
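The passive, protocol-aware monitoring described in the previous section and the visibility, baselining and zone-alignment steps described here, as an added example that is not code from the article or from Wirtek. It parses Modbus/TCP frames as they would arrive from a TAP or mirror port, builds an inventory of hosts from what it sees, learns a baseline of (source, destination, unit, function code) conversations during a clean window, and afterwards flags new assets, conversations that cross a zone boundary without an allowed conduit, and first-seen writes. The IP addresses, zone map, conduit list and frames are constructed for the demonstration; none of them come from a real network.

```python
"""Passive Modbus/TCP monitor: inventory, baseline and zone/conduit checks.

Added example, not code from the original article or from Wirtek. The IP
addresses, zone map, conduit list and frames below are constructed for the
demonstration and do not come from a real network or capture.
"""
import struct

# Modbus function codes that change process state; 1 to 4 are reads.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


def parse_mbap(payload: bytes):
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2, bytes
    after the length field), unit id (1). The PDU starts with the function
    code. Returns None for anything that is not well-formed Modbus/TCP, so a
    malformed frame is reported instead of crashing the monitor.
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}


def modbus_frame(tid, unit, function, data=b""):
    """Build a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class PassiveMonitor:
    """Consumes (src, dst, payload) observations; it never transmits anything."""

    def __init__(self, zones, conduits):
        self.zones = zones        # ip -> zone name, IEC 62443 style
        self.conduits = conduits  # allowed (source zone, destination zone) pairs
        self.assets = {}          # passive inventory: ip -> roles seen
        self.baseline = set()     # (src, dst, unit, function) seen while learning
        self.learning = True

    def observe(self, src, dst, payload):
        frame = parse_mbap(payload)
        if frame is None:
            return [f"malformed-modbus {src}->{dst}"]
        unseen = [h for h in (src, dst) if h not in self.assets]
        self.assets.setdefault(src, set()).add("client")
        self.assets.setdefault(dst, set()).add("server")
        key = (src, dst, frame["unit"], frame["function"])
        if self.learning:
            self.baseline.add(key)
            return []
        alerts = [f"new-asset {h}" for h in unseen]
        pair = (self.zones.get(src, "unknown"), self.zones.get(dst, "unknown"))
        if pair not in self.conduits:
            alerts.append(f"conduit-violation {pair[0]}->{pair[1]} {src}->{dst}")
        if key not in self.baseline:
            kind = "unbaselined-write" if frame["function"] in WRITE_FUNCTIONS else "new-conversation"
            alerts.append(f"{kind} {src}->{dst} unit={frame['unit']} fc={frame['function']}")
        return alerts


# Constructed zone map and conduit allow-list (assumptions for the demo).
ZONES = {
    "10.0.1.10": "scada",       # HMI / SCADA server
    "10.0.2.20": "plc-cell-a",  # PLC
    "10.0.2.21": "plc-cell-a",  # PLC
    "10.0.9.99": "it",          # corporate host with no conduit into the cell
}
CONDUITS = {("scada", "plc-cell-a")}
READ_REGS = struct.pack(">HH", 0, 10)     # fc 3: read 10 holding registers from 0
WRITE_ONE = struct.pack(">HH", 40, 1500)  # fc 6: write 1500 to register 40


def run_demo():
    """Learn from a clean window of reads, then score four constructed events."""
    mon = PassiveMonitor(ZONES, CONDUITS)
    for tid, plc in enumerate(("10.0.2.20", "10.0.2.21")):
        mon.observe("10.0.1.10", plc, modbus_frame(tid, 1, 3, READ_REGS))
    mon.learning = False
    events = {
        "routine_poll": ("10.0.1.10", "10.0.2.20", modbus_frame(7, 1, 3, READ_REGS)),
        "first_write": ("10.0.1.10", "10.0.2.21", modbus_frame(8, 1, 6, WRITE_ONE)),
        "it_host_read": ("10.0.9.99", "10.0.2.20", modbus_frame(9, 1, 3, READ_REGS)),
        # protocol id 7 instead of 0: not Modbus/TCP, must not crash the parser
        "malformed": ("10.0.1.10", "10.0.2.20", bytes.fromhex("00010007000601030000000a")),
    }
    return {name: mon.observe(*event) for name, event in events.items()}


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(f"{name:13s} {alerts or ['ok']}")
```

Run as a script, the routine poll produces no alert, the first write to a PLC from an otherwise trusted SCADA host is flagged as an unbaselined write, the corporate host reading a PLC trips three checks at once (new asset, conduit violation, new conversation), and the malformed frame is reported rather than parsed. The conversation key is deliberately coarse; a production monitor would also baseline register ranges, polling cadence and, for IEC 60870-5-104 or IEC 61850, the ASDU or report types in use, but the structure of learn-then-deviate against a zone model is the same.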

Takeaway: OT detection depends on asset visibility, behavioural baselining, alignment with existing segmentation, and a clear path from alert to response.

Detection as a resilience and compliance requirement

The case for OT monitoring is ultimately about resilience. The ability to detect an intrusion early is what limits its impact, turning a potential outage or safety event into a contained incident. In critical infrastructure, that difference is measured in real-world consequences, not just data loss.

Regulation has caught up with this logic. Beyond NIS2's incident-reporting duties, the broader EU framework assumes operators can see and report what happens in their systems: the electricity sector's network code on cybersecurity (Commission Delegated Regulation (EU) 2024/1366) and the Cyber Resilience Act, which from September 2026 requires manufacturers to report actively exploited vulnerabilities through a single reporting platform run by ENISA. The reason this matters is that detection is becoming part of the audited security posture operators are expected to demonstrate, not a discretionary extra they can defer.

Takeaway: OT detection is now a measurable part of both resilience and regulatory compliance, expected rather than optional.

Conclusion

The isolation that once protected operational technology is gone, and the threat data confirms that OT is being targeted deliberately as it connects to the wider network. Prevention remains necessary but is no longer sufficient, because some intrusions will succeed and an unmonitored OT environment cannot see them.

Intrusion detection and continuous monitoring close that gap, but only when done in ways that respect OT's constraints: passive, protocol-aware, built on asset visibility and with a clear response path. For energy and industrial operators facing both capable attackers and tightening reporting obligations, that capability has become a core part of running critical systems safely and lawfully.

FAQ

What is OT intrusion detection?

OT intrusion detection is the practice of monitoring operational technology networks, the systems controlling industrial processes and energy infrastructure, to identify malicious activity or anomalies. Unlike prevention, which tries to keep attackers out, detection assumes some intrusions will succeed and focuses on spotting them quickly so they can be contained before causing serious harm.

Why isn't preventing attacks enough for OT?

Because prevention sometimes fails. Segmentation, access control and secure design are essential but cannot guarantee that no attacker ever gets in, and incident data shows breaches do occur. Without monitoring, an OT environment is blind to an intrusion once it happens. Detection also underpins the incident-reporting obligations operators now face under regulations such as NIS2.

How is OT monitoring different from IT monitoring?

OT systems are sensitive to disruption and prioritise availability and safety, so intrusive IT techniques such as active scanning can be harmful. OT monitoring therefore relies on passive, network-based observation and deep knowledge of industrial protocols. It also benefits from the fact that OT traffic is highly repetitive, which makes anomalous behaviour easier to detect than in variable IT environments.

What does an effective OT monitoring programme need?

It starts with a complete inventory of OT assets, since you cannot monitor what you cannot see. From there it needs passive monitoring to baseline normal behaviour and flag deviations, alignment with the segmentation defined in frameworks such as IEC 62443, and a clear process for turning alerts into response. It is a programme combining visibility, detection and response, not a single product.

Is OT monitoring required by regulation?

Increasingly, yes, in effect. The NIS2 Directive requires essential entities including energy operators to manage risk and report significant incidents within tight deadlines, which presupposes the ability to detect them. The electricity sector's network code on cybersecurity and product-level vulnerability-reporting rules reinforce the expectation that operators can see and report what happens in their systems.

About the author

Wirtek is a Danish tech company with 25 years of experience, specialising in three core domains: energy, connectivity & automation and digital engineering. We build, connect and operate digital solutions through software development, Internet of Things (IoT), quality assurance and ready-made products. Founded as a Nokia spin-off, we combine deep know-how with EU compliance to partner with companies on their journey to modernise systems and extend capabilities while reducing risk. Since 2022, we have focused strongly on shaping solutions that power the sustainability transition.
