
The modern way of handling incidents in OT: Agentic AI and Fusion SOC

Author: Gergely Lesku

Date: 2026.04.02

A common misconception in industrial and critical infrastructure protection is that OT systems are safer simply because they are not connected to the internet. In reality, cases like Stuxnet proved that even air-gapped environments can be compromised. Closed operation helps, but it is not enough on its own. Supplier access, remote connections, USB devices, maintenance activity, and human error all remain significant risks.

Another key lesson is that OT incident management should not be separated from IT. Serious incidents require shared processes, shared visibility, and coordinated expertise. This is the principle behind the Fusion SOC model: one operational framework, with the right experts involved based on the situation.

Why does isolated incident handling fall short?

OT incidents are closely tied to production processes, network zones, and highly specific system logic. That makes context essential. Without OT specialists, it can be hard to tell whether an anomaly is a cyberattack, a misconfiguration, or a routine operational issue. At the same time, without cybersecurity teams involved early, signs of an attack may be missed.

Coordination is also critical for safety. In IT, the default response may be to isolate or shut down a system quickly. In OT, that can cause major disruption and even safety risks. Response decisions therefore need shared responsibility.

How does Fusion SOC work in operation?

Fusion SOC is not just a concept but an operating model. It creates a shared process and information space where IT and OT events can be interpreted together, giving organizations a full view of an incident rather than isolated alerts.

OT still requires dedicated tools, tailored rules, and zone-specific responses. But detection, correlation, and coordination should be built on a common foundation. In practice, this follows the familiar incident response lifecycle: preparation, detection and analysis, containment, resolution, recovery, and follow-up.


How is agentic AI applied in practice?

Agentic AI supports analysts by taking over part of the investigation workflow. It can process an alert, identify affected assets and events, collect relevant data, reconstruct the timeline, and prepare a summary with recommended actions.

By combining IT and OT data with context and threat intelligence, it helps speed up triage, analysis, and reporting. The goal is not to replace human experts, but to let them focus on higher-value decisions.
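The shared IT/OT correlation and the triage workflow described above (process an alert, identify affected assets, rebuild the timeline, propose actions) can be sketched as a small pipeline. This is an added illustration, not code from the article or from any product; the alert formats, the asset inventory with its zones, the 15-minute correlation window and the severity rule are all constructed assumptions. The point it adds to the text is the safety constraint from the earlier section: recommended containment differs by zone, and safety-critical OT assets are never queued for automatic isolation.

```python
"""Minimal IT/OT alert triage: normalise, correlate, rebuild timeline, recommend.
Added example with constructed data; not the article's or any vendor's code."""
from datetime import datetime, timedelta

# Constructed asset inventory: zone per host and whether quick isolation is
# unsafe (OT assets that drive a physical process need operator sign-off).
ASSETS = {
    "eng-ws-01": {"zone": "IT-engineering", "safety_critical": False},
    "hmi-02":    {"zone": "OT-level2",      "safety_critical": True},
    "plc-07":    {"zone": "OT-level1",      "safety_critical": True},
}

# Constructed alerts from an IT endpoint agent ("edr") and an OT network
# monitor ("ot-nsm"); the field layout is an assumption for this example.
ALERTS = [
    {"ts": "2026-04-02T08:01:10", "src": "edr",    "host": "eng-ws-01",
     "event": "usb_mass_storage_mounted"},
    {"ts": "2026-04-02T08:03:45", "src": "edr",    "host": "eng-ws-01",
     "event": "new_process:unsigned_binary"},
    {"ts": "2026-04-02T08:05:02", "src": "ot-nsm", "host": "hmi-02",
     "event": "new_rdp_session_from:eng-ws-01"},
    {"ts": "2026-04-02T08:06:30", "src": "ot-nsm", "host": "plc-07",
     "event": "modbus_write_from:hmi-02"},
    {"ts": "2026-04-02T14:00:00", "src": "ot-nsm", "host": "plc-07",
     "event": "modbus_write_from:hmi-02"},  # hours later: not part of the chain
]


def referenced_host(event: str):
    """Return the peer host named in an event such 'x_from:<host>', else None."""
    return event.split("from:", 1)[1] if "from:" in event else None


def parse_alerts(raw):
    """Normalise alerts from both sources and attach asset context (zone).
    Unknown hosts are treated as safety-critical, the conservative default."""
    out = []
    for a in raw:
        asset = ASSETS.get(a["host"], {"zone": "unknown", "safety_critical": True})
        out.append({**a, "ts": datetime.fromisoformat(a["ts"]),
                    "zone": asset["zone"],
                    "safety_critical": asset["safety_critical"]})
    return sorted(out, key=lambda a: a["ts"])


def _cluster_hosts(cluster):
    hosts = set()
    for x in cluster:
        hosts.add(x["host"])
        peer = referenced_host(x["event"])
        if peer:
            hosts.add(peer)
    return hosts


def correlate(alerts, window=timedelta(minutes=15)):
    """Group alerts into incident candidates across IT and OT sources: an alert
    joins the open cluster when it is within `window` of the cluster's last
    event and touches a host already in it (same host or a 'from:' peer)."""
    clusters = []
    for a in alerts:
        if clusters:
            cur = clusters[-1]
            hosts = _cluster_hosts(cur)
            recent = a["ts"] - cur[-1]["ts"] <= window
            linked = a["host"] in hosts or referenced_host(a["event"]) in hosts
            if recent and linked:
                cur.append(a)
                continue
        clusters.append([a])
    return clusters


def summarize(cluster):
    """Build the analyst-facing package: affected assets, zones, timeline and
    recommended actions that respect the OT safety constraint."""
    critical = {a["host"]: a["safety_critical"] for a in cluster}
    assets = sorted(critical)
    zones = sorted({a["zone"] for a in cluster})
    timeline = [f"{a['ts'].isoformat()} [{a['src']}/{a['zone']}] "
                f"{a['host']}: {a['event']}" for a in cluster]
    actions = {}
    for host in assets:
        if critical[host]:
            actions[host] = ("hold: coordinate with OT operators before any "
                             "containment; do not isolate automatically")
        else:
            actions[host] = "isolate endpoint and collect volatile data"
    # Constructed rule: activity that reaches an OT zone across more than one
    # asset is treated as likely lateral movement and rated high.
    touches_ot = any(a["zone"].startswith("OT") for a in cluster)
    severity = "high" if touches_ot and len(assets) > 1 else "medium"
    return {"assets": assets, "zones": zones, "timeline": timeline,
            "actions": actions, "severity": severity}


if __name__ == "__main__":
    for c in correlate(parse_alerts(ALERTS)):
        s = summarize(c)
        print(f"severity={s['severity']} zones={s['zones']}")
        for line in s["timeline"]:
            print("  ", line)
        for host, act in s["actions"].items():
            print(f"   -> {host}: {act}")
```

Run as a script, it prints two incident candidates: the morning chain from the USB mount on the engineering workstation through the HMI session to the PLC write is one cluster with a mixed IT/OT timeline, while the isolated afternoon write stays separate. The action list is where the shared-responsibility point shows up in code: the IT workstation gets an isolation recommendation, the HMI and PLC get a hold for OT review.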

AI is not the starting point

For organizations building OT security, AI should not be the first priority. The foundation comes first: segmentation, OT-specific endpoint protection, secure remote access, USB control, supplier requirements, training, and awareness.

Only when these basics are in place can AI deliver real business and security value. This is also the direction of regulations such as NIS2, which are making cybersecurity a core operational issue.

What comes next for OT security?

The future of OT security is not about one technology alone. It depends on whether organizations can create a common language across IT, OT, and cybersecurity.

When that happens, agentic AI becomes a real multiplier. It strengthens collaboration, speeds up response, and helps organizations build a more mature OT incident management capability.

