WP Call: +91 8088734237
Email: info@sherlockedsecurity.com
Sherlocked Security – AI-Powered Cybersecurity & Penetration Testing
Managed Detection & Response (MDR)

IoT/OT MDR

May 9, 2025

Sherlocked Security – IoT/OT MDR

Managed Threat Detection & Response for Industrial, Embedded, and Connected Device Ecosystems


1. Statement of Work (SOW)

Service Name: IoT/OT Managed Detection and Response (MDR)
Client Type: Manufacturing, Energy, Utilities, Healthcare, Transportation, Smart Cities
Service Model: Monthly Retainer, Site-Based Rollout, or Fully Managed MDR
Compliance Alignment: IEC 62443, NERC CIP, ISO 27019, HIPAA, NIST CSF, NIST 800-82, NIS2, GDPR

Scope of Work Includes:

  • Discovery and classification of connected assets (IT, OT, and IoT)
  • Passive network monitoring and anomaly detection
  • Real-time threat detection and alert triage
  • Behavioral analytics for PLCs, SCADA, HMI, RTUs, and embedded devices
  • Integration with security operations center (SOC) and SIEM/SOAR platforms
  • Incident response tailored to safety-critical and air-gapped environments
  • Vulnerability assessment of firmware, protocols, and legacy systems
  • Threat intelligence for industrial-specific TTPs and malware (e.g., TRITON, Industroyer)

2. Our Approach

[Asset Discovery] → [Protocol & Traffic Baseline] → [Threat Detection & Alerting] → [Investigation] → [Response Playbooks] → [OT Hardening & Segmentation]


3. Methodology

  • Asset Inventory: Identify all OT/IoT assets from passively captured traffic (TAP/SPAN) and ICS-aware discovery tools; active probing is used only inside agreed maintenance windows, because legacy controllers can fault or reboot when scanned
  • Baseline Normal Behavior: Learn network flows and command patterns using anomaly models
  • Protocol Inspection: Monitor ICS/SCADA protocols (Modbus, DNP3, BACnet, Profinet, OPC-UA)
  • Threat Detection: Detect unauthorized control commands, firmware changes, lateral movement
  • Investigation: Leverage device fingerprints, MAC anomalies, and traffic timelines
  • Response: Coordinated with engineering/OT teams to avoid downtime or safety impacts
  • Posture Review: Recommendations for segmentation, access control, and patch management
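
The baseline-then-detect logic sketched in the methodology above, as an added example that is not part of the original page and not code from Sherlocked or any of the vendor platforms it lists. It decodes Modbus/TCP requests, learns which (source, PLC, unit, function code) conversations are normal during a learning window, and then raises a critical alert for any state-changing write (coil or register) from a host that is not an approved engineering workstation, and a medium alert for any conversation not seen during baselining. The IP addresses, the engineering-host allowlist and the frames themselves are constructed for the illustration.

```python
"""Baseline-and-detect for Modbus/TCP control commands.

Added example for this page; not Sherlocked's code or any vendor's product
logic. Frames, addresses and the engineering-host allowlist are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Function codes that change controller state. A write from a host that is not
# an approved engineering workstation is a safety-relevant alert regardless of
# whether the conversation was ever seen during baselining.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass(frozen=True)
class ModbusRequest:
    src_ip: str
    dst_ip: str
    unit_id: int
    function: int
    address: int  # first coil/register addressed, -1 if the PDU carries none


def build_request(unit_id: int, function: int, address: int, value: int, tid: int = 1) -> bytes:
    """Encode a minimal Modbus/TCP request (MBAP header + 5-byte PDU)."""
    pdu = struct.pack(">BHH", function, address, value)
    # The MBAP length field counts the unit id byte plus the PDU.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(src_ip: str, dst_ip: str, payload: bytes) -> ModbusRequest:
    """Decode the MBAP header and function code of one Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("truncated MBAP header")
    _tid, proto, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto}: not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function = payload[7]
    address = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else -1
    return ModbusRequest(src_ip, dst_ip, unit_id, function, address)


Conversation = Tuple[str, str, int, int]  # (src, dst, unit id, function code)


def learn_baseline(requests: Iterable[ModbusRequest]) -> Set[Conversation]:
    """Learning phase: every (src, dst, unit, function) tuple seen counts as normal."""
    return {(r.src_ip, r.dst_ip, r.unit_id, r.function) for r in requests}


def detect(requests: Iterable[ModbusRequest], baseline: Set[Conversation],
           engineering_hosts: Set[str]) -> List[Tuple[str, str]]:
    """Monitoring phase: return (severity, message) alerts in arrival order."""
    alerts: List[Tuple[str, str]] = []
    for r in requests:
        key = (r.src_ip, r.dst_ip, r.unit_id, r.function)
        if r.function in WRITE_FUNCTIONS and r.src_ip not in engineering_hosts:
            alerts.append(("critical",
                           f"{r.src_ip} issued {WRITE_FUNCTIONS[r.function]} "
                           f"(FC 0x{r.function:02X}) at address {r.address} to "
                           f"{r.dst_ip} unit {r.unit_id}: not an engineering host"))
        elif key not in baseline:
            alerts.append(("medium",
                           f"new conversation {r.src_ip} -> {r.dst_ip} unit "
                           f"{r.unit_id} FC 0x{r.function:02X} not in baseline"))
    return alerts


# Constructed traffic: an HMI polling a PLC and an engineering workstation
# writing a setpoint during the learning window.
HMI, ENG, PLC, ROGUE = "10.10.20.5", "10.10.20.9", "10.10.30.11", "10.10.40.77"
LEARNING = [
    parse_modbus_tcp(HMI, PLC, build_request(1, 0x03, 0x0000, 10)),    # read 10 registers
    parse_modbus_tcp(ENG, PLC, build_request(1, 0x06, 0x0100, 1500)),  # setpoint write
]
MONITORED = [
    parse_modbus_tcp(HMI, PLC, build_request(1, 0x03, 0x0000, 10)),        # normal poll
    parse_modbus_tcp(ENG, PLC, build_request(1, 0x06, 0x0100, 1600)),      # normal write
    parse_modbus_tcp(ROGUE, PLC, build_request(1, 0x05, 0x0000, 0x0000)),  # coil write, unknown host
    parse_modbus_tcp(HMI, PLC, build_request(2, 0x03, 0x0000, 10)),        # HMI polls a new unit id
]


def demo() -> List[Tuple[str, str]]:
    """Run the constructed monitored traffic against the learned baseline."""
    return detect(MONITORED, learn_baseline(LEARNING), engineering_hosts={ENG})


if __name__ == "__main__":
    for severity, message in demo():
        print(f"[{severity.upper()}] {message}")
```

On a real sensor the same two checks run on reassembled TCP payloads from the SPAN/TAP feed (Zeek's Modbus analyzer already exposes the function code and unit id as log fields); the point is the split between a hard allowlist for writes, which should never depend on what was observed during baselining, and the softer "never seen before" anomaly tier that goes to an analyst rather than to an automated response.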

4. Deliverables

  • IoT/OT Threat Detection Reports
  • Asset and Protocol Map
  • Anomalous Behavior Alerts
  • Unauthorized Access & Command Reports
  • Vulnerability & Risk Heatmaps
  • Monthly Operational Resilience Reports
  • Incident Reports & Safety-Aware Playbooks

5. Client Requirements

  • Network diagram and segmentation overview
  • Port mirroring/tap access for passive traffic analysis
  • Asset inventory or P&ID if available
  • Point of contact in plant/facility/OT team
  • Read access to PLC/HMI/RTU management consoles (if available)
  • Emergency contacts for safety protocols during IR
  • Maintenance windows for firmware/device assessment

6. Tooling Stack

  • OT Visibility Platforms: Nozomi, Claroty, Dragos, SCADAfence, Armis, Forescout
  • IoT Device Monitoring: Palo Alto IoT Security, Microsoft Defender for IoT, Ordr
  • SIEM & Data Lakes: Splunk, ELK, Chronicle, Microsoft Sentinel (formerly Azure Sentinel)
  • Protocol Parsers: Zeek, Wireshark dissectors, ICS-specific sensors
  • SOAR: Custom playbooks for ICS-safe responses (block port, alert operator, log-only modes)
  • Network Tools: Passive TAPs, SPAN ports, Security Onion (Zeek and Suricata sensors)

7. Engagement Lifecycle

  1. Network & Asset Discovery
  2. Protocol & Flow Analysis
  3. Threat Detection & Response Enablement
  4. Continuous Monitoring & Alerting
  5. Posture Improvement Recommendations
  6. Quarterly Safety-Aware Threat Simulation
  7. Ongoing Risk & Vulnerability Reviews

8. Why Sherlocked Security?

Feature: Sherlocked Advantage

  • ICS/OT Native Monitoring: Passive analysis with no disruption to industrial operations
  • Protocol Deep Inspection: Support for Modbus, Profinet, BACnet, DNP3, IEC-104, OPC-UA, and more
  • Safety-Critical Playbooks: Response plans aligned with safety SOPs and human-in-the-loop options
  • Legacy Device Support: Fingerprinting and behavior analysis even for non-upgradeable devices
  • Supply Chain Threat Detection: Monitoring for rogue firmware, unauthorized remote access, and vendor abuse

9. Case Study

Anomalous PLC Command Detection in Manufacturing Line

Client: Automotive Components Manufacturer
Event: Detection of out-of-schedule STOP command to robotic arm PLC
Tool Used: Nozomi Guardian with Sherlocked response overlay
Action Taken: Alert sent to the plant control room; the remote session to the PLC was terminated and the PLC isolated from further remote access
Result: Prevented downtime on the critical assembly line; suspected insider threat neutralized


10. Standard Operating Procedure (SOP)

  1. Passive network mapping and asset identification
  2. Protocol inspection and traffic baseline
  3. Alert configuration for unsafe or abnormal activities
  4. Develop ICS-aware response rules and escalation matrix
  5. Integrate with SOC/SIEM for alert correlation
  6. Collaborate with plant engineers for containment actions
  7. Review alerts and incidents monthly
  8. Test segmentation and access control rules
  9. Review vendor access logs and firmware checksums quarterly
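
SOP step 9 (vendor access logs and firmware checksums) as an added example, not part of the original page and not Sherlocked's or any vendor's tooling. The first function compares SHA-256 digests of firmware images collected this quarter against a known-good manifest and also reports devices with no approved hash and approved devices from which no image was collected; the second parses a simple key=value remote-access log and flags sessions by unapproved vendors or outside any agreed maintenance window. The manifest, images, vendor list, windows and log lines are all constructed; a real manifest would come from the vendor's signed release and the hash captured when the firmware was installed.

```python
"""Quarterly review helpers: firmware checksum drift and vendor remote access.

Added example for this page; not Sherlocked's or any vendor's code. The
manifest, firmware images, maintenance windows and log lines are constructed.
"""
import hashlib
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Known-good manifest: device -> SHA-256 recorded when the firmware was approved.
MANIFEST: Dict[str, str] = {
    "plc-line1-robot": hashlib.sha256(b"vendor-fw-v2.4.1").hexdigest(),
    "rtu-substation-7": hashlib.sha256(b"vendor-fw-v1.9.0").hexdigest(),
}

# Constructed images "pulled" from the devices during this quarter's window.
CURRENT_IMAGES: Dict[str, bytes] = {
    "plc-line1-robot": b"vendor-fw-v2.4.1",             # unchanged
    "rtu-substation-7": b"vendor-fw-v1.9.0-modified",   # drifted from manifest
    "hmi-panel-3": b"unknown-image",                    # never approved
}


def check_firmware(manifest: Dict[str, str], images: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (device, finding) pairs; an empty list means every image matches."""
    findings: List[Tuple[str, str]] = []
    for device, image in images.items():
        digest = hashlib.sha256(image).hexdigest()
        expected = manifest.get(device)
        if expected is None:
            findings.append((device, "no approved hash on file"))
        elif digest != expected:
            findings.append((device, f"hash mismatch: expected {expected[:12]}..., got {digest[:12]}..."))
    # Approved devices that were not collected are a coverage gap, not a pass.
    for device in sorted(manifest.keys() - images.keys()):
        findings.append((device, "no image collected this quarter"))
    return findings


APPROVED_VENDORS = {"acme-automation", "turbine-services"}
MAINTENANCE_WINDOWS = [
    (datetime(2025, 4, 12, 0, 0, tzinfo=timezone.utc),
     datetime(2025, 4, 12, 6, 0, tzinfo=timezone.utc)),
]

# Constructed remote-access log in key=value form (one session event per line).
ACCESS_LOG = """\
2025-04-12T02:14:00Z vendor=acme-automation src=203.0.113.40 dst=10.10.30.11 event=session_start
2025-04-12T03:05:00Z vendor=acme-automation src=203.0.113.40 dst=10.10.30.11 event=session_end
2025-04-19T22:41:00Z vendor=acme-automation src=203.0.113.40 dst=10.10.30.11 event=session_start
2025-04-20T01:12:00Z vendor=globex-field src=198.51.100.7 dst=10.10.30.12 event=session_start
"""


def parse_access_log(text: str) -> List[Dict[str, object]]:
    """Parse 'timestamp key=value ...' lines into dicts with a tz-aware 'ts'."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        entry: Dict[str, object] = dict(pair.split("=", 1) for pair in pairs)
        entry["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        entries.append(entry)
    return entries


def review_vendor_access(entries: List[Dict[str, object]], approved: set,
                         windows: List[Tuple[datetime, datetime]]) -> List[str]:
    """Flag session starts by unapproved vendors or outside every maintenance window."""
    findings: List[str] = []
    for e in entries:
        if e.get("event") != "session_start":
            continue
        ts: datetime = e["ts"]  # type: ignore[assignment]
        if e["vendor"] not in approved:
            findings.append(f"{ts.isoformat()} unapproved vendor {e['vendor']} "
                            f"from {e['src']} to {e['dst']}")
        elif not any(start <= ts <= end for start, end in windows):
            findings.append(f"{ts.isoformat()} {e['vendor']} session to {e['dst']} "
                            f"outside any maintenance window")
    return findings


if __name__ == "__main__":
    for device, finding in check_firmware(MANIFEST, CURRENT_IMAGES):
        print(f"FIRMWARE {device}: {finding}")
    for finding in review_vendor_access(parse_access_log(ACCESS_LOG), APPROVED_VENDORS, MAINTENANCE_WINDOWS):
        print(f"ACCESS {finding}")
```

Collecting the image to hash is the sensitive part of this step: on many controllers an upload is itself a project-file transfer that operators treat as an engineering action, so it belongs in the scheduled maintenance window rather than in routine monitoring.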

11. Readiness Checklist

Pre-Deployment

  • [ ] Network topology and segmentation shared
  • [ ] TAP/SPAN ports configured for monitoring
  • [ ] OT asset inventory (or facility diagrams) provided
  • [ ] Identification of safety-critical zones and devices
  • [ ] Maintenance window scheduled for sensor deployment
  • [ ] List of authorized vendors and remote access protocols
  • [ ] Current alerting/response procedures shared
  • [ ] Approvals for installing passive monitoring devices
  • [ ] Secure access to SIEM or data forwarding destination

During Monitoring

  • [ ] All assets mapped with MAC, vendor, protocol, and segment
  • [ ] Protocols decoded and validated (Modbus, DNP3, BACnet, etc.)
  • [ ] Baseline of normal flows and commands created
  • [ ] Alerts categorized (Unauthorized Commands, New Device, Lateral Movement)
  • [ ] Safety-override alerts configured (STOP/START, upload/download firmware)
  • [ ] Vendor access activity monitored and logged
  • [ ] Unsafe protocol use flagged (e.g., telnet, clear-text control messages)
  • [ ] Firewall/segmentation rules tested regularly
  • [ ] Threat intelligence feeds enriched with OT-specific IOCs
  • [ ] Periodic backup of asset profiles and alert rules
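
Three of the "During Monitoring" items above (new device, unsafe clear-text protocols, segmentation rules tested against a Purdue zone model) as one flow-level check, added here as an example and not part of the original page or of Sherlocked's or any vendor's product. It reads whitespace-separated records laid out like a Zeek conn.log with MAC logging enabled, flags source MACs missing from the asset inventory, flags telnet/FTP/HTTP toward any host, and checks each flow against a Purdue level map: enterprise (level 4) traffic must traverse the IDMZ (3.5) rather than reach OT directly, and within OT a flow may cross at most one level. The subnets, inventory and flow records are constructed for the illustration.

```python
"""Flow-level checks over conn.log-style records: unknown devices, clear-text
management protocols and Purdue-level violations.

Added example for this page; not Sherlocked's or any vendor's code. The zone
map, inventory and flow records are constructed; the record layout imitates a
Zeek conn.log with MAC logging but is not a real capture.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Purdue level by subnet (constructed). Level 3.5 is the IDMZ.
ZONES = {
    ipaddress.ip_network("10.10.30.0/24"): 1.0,   # PLCs / RTUs
    ipaddress.ip_network("10.10.20.0/24"): 2.0,   # HMIs, engineering workstations
    ipaddress.ip_network("10.10.10.0/24"): 3.0,   # site operations (historian, AD)
    ipaddress.ip_network("10.10.5.0/24"): 3.5,    # IDMZ jump hosts
    ipaddress.ip_network("10.1.0.0/16"): 4.0,     # enterprise IT
}

# Authorized asset inventory: source MAC -> asset name (constructed).
INVENTORY = {
    "00:0c:29:44:5e:21": "hmi-panel-3",
    "00:50:56:9a:11:02": "eng-ws-09",
    "00:0c:29:7f:00:10": "historian-01",
}

# Responder ports whose protocol carries credentials or commands in clear text.
CLEARTEXT_MGMT = {21: "ftp", 23: "telnet", 80: "http"}

# Constructed flow records, whitespace-separated, header on the first line.
FLOWS = """\
ts orig_l2_addr id.orig_h id.orig_p id.resp_h id.resp_p proto service
1715241600.10 00:0c:29:44:5e:21 10.10.20.5 49152 10.10.30.11 502 tcp modbus
1715241601.20 00:50:56:9a:11:02 10.10.20.9 49160 10.10.30.11 23 tcp telnet
1715241602.30 00:0c:29:7f:00:10 10.10.10.4 51000 10.10.30.11 502 tcp modbus
1715241603.40 3c:52:82:00:be:ef 10.1.44.23 52233 10.10.30.11 502 tcp modbus
1715241604.50 00:0c:29:7f:00:10 10.10.10.4 51001 10.10.5.2 443 tcp ssl
"""


def parse_flows(text: str) -> List[Dict[str, str]]:
    """Turn header + rows into a list of field dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    return [dict(zip(header, ln.split())) for ln in lines[1:]]


def level_of(ip: str) -> Optional[float]:
    """Purdue level for an address, or None if it is outside every known zone."""
    addr = ipaddress.ip_address(ip)
    for net, level in ZONES.items():
        if addr in net:
            return level
    return None


def purdue_violation(src_level: float, dst_level: float) -> Optional[str]:
    """Return a reason string if the flow breaks the zone model, else None."""
    lo, hi = sorted((src_level, dst_level))
    if hi >= 4 and lo < 3.5:
        return "enterprise-to-OT flow bypasses the IDMZ"
    if hi - lo > 1:
        return f"skips Purdue levels ({lo:g} -> {hi:g})"
    return None


def analyse(flows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (alert_kind, message) pairs in flow order."""
    alerts: List[Tuple[str, str]] = []
    for f in flows:
        src, dst, mac = f["id.orig_h"], f["id.resp_h"], f["orig_l2_addr"]
        if mac not in INVENTORY:
            alerts.append(("new_device", f"{mac} ({src}) not in asset inventory"))
        port = int(f["id.resp_p"])
        if port in CLEARTEXT_MGMT:
            alerts.append(("unsafe_protocol", f"{CLEARTEXT_MGMT[port]} from {src} to {dst}"))
        src_lvl, dst_lvl = level_of(src), level_of(dst)
        if src_lvl is None or dst_lvl is None:
            alerts.append(("unknown_zone", f"{src} -> {dst} involves an unmapped subnet"))
            continue
        reason = purdue_violation(src_lvl, dst_lvl)
        if reason:
            alerts.append(("segmentation", f"{src} (L{src_lvl:g}) -> {dst} (L{dst_lvl:g}): {reason}"))
    return alerts


if __name__ == "__main__":
    for kind, message in analyse(parse_flows(FLOWS)):
        print(f"{kind:16s} {message}")
```

The "unknown_zone" outcome is deliberate: a flow involving a subnet that the zone map does not cover is an inventory gap to be closed, and silently treating it as level 0 or level 4 would either hide a violation or flood the queue.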

Post-Incident

  • [ ] Root cause and timeline of event documented
  • [ ] Forensic capture of packets and device state (if possible)
  • [ ] ICS logs, HMI/SCADA sessions, and user access reviewed
  • [ ] Incident impact assessed against safety & operations
  • [ ] Playbooks updated with new TTPs or containment strategies
  • [ ] External vendor or supply chain involvement reviewed
  • [ ] Communication to engineering/plant team and regulatory (if needed)
  • [ ] MTTR, MTTD, and containment metrics recorded
  • [ ] Plant operations resumed with operator validation

Continuous Improvement

  • [ ] Quarterly tabletop exercises with OT/engineering team
  • [ ] Review of obsolete/unsupported firmware
  • [ ] Update alert logic based on attack trends (TRITON, Industroyer2, etc.)
  • [ ] Implement or refine OT-specific segmentation (e.g., Purdue Model compliance)
  • [ ] Run vulnerability scans on test/dev mirrors (not production)
  • [ ] Zero-trust strategy applied to vendor and remote access
  • [ ] Improve device fingerprinting and spoofing detection
  • [ ] Expand asset coverage as new devices or protocols are added
  • [ ] Assess physical access and insider risk for critical zones
Sherlocked – Defend, Detect, Defeat

Address: Indialand Global Techpark, Hinjewadi Phase 1, Pune, India 411057