OT THREAT DETECTION

OT deception technology explained

How realistic industrial decoys reveal reconnaissance and intrusion activity without placing production assets in the detection path.

DETECTION ARCHITECTURE

Detect the intruder before the real process is reached

PhantomPlant places believable but isolated industrial assets where reconnaissance is likely to encounter them. Any connection is suspicious because legitimate operators and production applications have no reason to use the decoys.

Unknown or compromised hostInternal threat · stolen access · remote foothold
Network scanService discoveryProtocol browseCredential attempt

RECONNAISSANCE REACHES A DECOY
OT SUBNET / VLANReal and decoy assets are visible in the same representative network segment
PHANTOMPLANT DECOY ASSETSDiscoverable in the OT subnet, but logically isolated from production control
Decoy PLCModbus · S7 · EtherNet/IP
Decoy HMIWeb interface · process context
Decoy SCADAServices · tags · alarms
Decoy ServerOPC UA · SMB · SSH · RDP
Decoy Engineering StationFiles · shares · credentials

Source IPTarget assetProtocol and commandTimestampSession evidence

REAL PRODUCTION ASSETSLegitimate operational systems in the same subnet
PLC / DCSSCADA / HMISafety SystemsHistorianPhysical Process
Decoys have no production-control capability.No production credentials, routing role or command path to real equipment.

HIGH-CONFIDENCE EVENT
1

CollectRecord protocol interaction and source context
2

CorrelateGroup scans, sessions and repeated behaviour
3

AlertSend actionable event to SOC/SIEM
4

InvestigateTrace the host before critical assets are reached
Illustrative deployment. Decoys may share representative OT subnets with real assets while remaining logically isolated from production credentials, routing and control functions.
Low-noise signal

Legitimate OT workflows do not use the decoy, so contact has immediate investigative value.

Earlier in the attack path

Scanning and enumeration can be observed before an attacker selects a real controller or server.

Protocol-level context

Events show the targeted service, command, source and sequence—not only a generic connection.

Why OT needs high-confidence detection

Industrial networks often contain legacy devices, long asset lifecycles and protocols that were not designed for hostile environments. Passive monitoring is valuable, but it can produce large volumes of context and ambiguous alerts.

A deception asset has no legitimate operational user. A connection, browse request or protocol interaction with that asset is therefore unusual by design and can provide a high-confidence early-warning signal.

What an OT deception environment contains

OT deception technology deploys decoys that resemble PLCs, HMIs, engineering workstations, servers and industrial services. Effective decoys respond consistently enough to sustain reconnaissance and produce useful evidence, without controlling real equipment.

The environment may expose protocols such as Modbus TCP, S7, EtherNet/IP, OPC UA, web interfaces or common IT services. Asset names, network placement and apparent process context should be believable for the site.

  • Industrial protocol emulation
  • Plausible asset identities and services
  • Central event collection and alerting
  • Isolation from production control

Where deception fits in defence in depth

Deception complements segmentation, asset inventory, endpoint protection and network monitoring. It does not replace them. Its role is to create detection opportunities where legitimate interaction should not occur.

Decoys can be placed near user segments, server zones, remote-access paths or representative OT subnets. Alerts should feed an existing SOC, SIEM or incident workflow with source, destination, protocol and interaction detail.

How to evaluate a platform

Test whether the decoys look credible to the tools and techniques an attacker would use. Confirm that deployment does not introduce a route to production systems and that alerts remain useful when scanning, enumeration and credential attempts occur.

Operational simplicity matters: teams need repeatable deployment, controlled configuration, health monitoring and clear ownership for investigating events.

  • Protocol fidelity
  • Safe isolation
  • Actionable event context
  • Low operational overhead
FAQ

Frequently asked questions

Is OT deception a honeypot?

A honeypot is one form of deception. OT platforms usually coordinate multiple decoy assets, protocols, identities and alert workflows.

Can a decoy affect production?

It should be isolated from control functions and must never issue commands to real equipment.

Why are deception alerts high confidence?

Legitimate users and applications have no reason to interact with decoy assets, so contact is inherently suspicious.

NEXT STEP

Apply the architecture to a real industrial data flow.

Start with one source, one destination and a measurable security or operations objective.