Someone on your team is responsible for OT security right now. Maybe it’s you. And if you’re honest about it, you probably can’t see what’s actually happening across most of the environments you’re supposed to protect.
That’s not a failure of effort or awareness. It’s a structural problem. The tools, budgets, and deployment models available to most security teams were not built for the places where OT actually lives.
The assumptions that don’t survive contact with OT
IT security has spent two decades building a set of operating assumptions that work well in the IT component of data centers, cloud environments, and corporate networks. Reliable connectivity. Standard operating systems. The ability to install and maintain agents on endpoints. Centralized infrastructure to collect and process telemetry. Budgets that scale with the attack surface.
Every one of these assumptions tends to break down when it comes to OT.
Your substations don’t have reliable connectivity, while others have no connectivity at all. Your PLCs and RTUs are running firmware from a decade ago and can’t tolerate a port scan, let alone an agent installation. Your treatment plants, pumping stations, and remote generation sites are scattered across geography with no rack space, no IT infrastructure, and sometimes no climate-controlled room to put a server in.
Safety certifications prevent you from touching certain systems. Maintenance windows are measured in hours, not days. And the budget to instrument a remote substation with permanent monitoring infrastructure? It doesn’t exist for the majority of your sites.
None of this is news to the people living it. But it explains why “OT visibility” keeps showing up in security strategies while actual coverage barely moves.
What this looks like on a Tuesday morning
Here’s a version of this that plays out constantly and quietly across critical infrastructure.
You’re a security lead covering 60 OT sites. Your team deployed continuous monitoring at the five largest facilities two years ago. Those sites generate alerts, your analysts triage them, and the program looks functional from a reporting standpoint.
The other 55 sites? You have network diagrams that are probably outdated. You have annual compliance checklists that tell you what should be configured, not what actually is. You have no telemetry, no baselines, and no way to know if someone compromised an engineering workstation at a remote substation six months ago and has been sitting there since.
You’re not lacking awareness of the risk. You know exactly where the blind spots are. What you lack is a practical way to get sensors and forensic capability into environments that won’t accommodate your existing tools.
And so the blind spots persist. Not because anyone decided the risk was acceptable, but because nobody has offered a deployment model that works within the constraints.
The real bottleneck isn’t detection. It’s getting there.
The OT security market has poured years of effort into building better detection engines. Better signatures. Better anomaly models. Better protocol parsers for Modbus, DNP3, IEC 61850, and the rest. That work has genuine value.
But detection only works if you can get the sensor to the site.
For your five largest facilities with permanent infrastructure, connectivity, and IT support on-site, the current generation of monitoring platforms works. That’s the use case they were designed for: continuous telemetry collection at connected, well-resourced sites.
For everything else, the deployment model is the bottleneck. You can’t install a rack-mounted appliance at a substation that doesn’t have a rack. You can’t stream telemetry from an air-gapped treatment plant. You can’t justify a six-figure infrastructure buildout at each of 40 remote sites that individually wouldn’t make the top of a risk register but collectively represent an enormous blind spot.
The industry has largely solved the detection problem for sites that can support the infrastructure. It has not solved the access problem for sites that can’t.
Rethinking what “deployment” means in OT
The organizations that are actually closing their OT visibility gaps have stopped trying to force-fit infrastructure-dependent monitoring into environments that reject it. Instead, they’ve started asking a different question: what if the security capability traveled to the environment, rather than requiring the environment to accommodate the tool?
This is a deployment model shift, not a technology shift. The analytics, the protocol parsing, and the detection logic still matter. But they need to be packaged in a way that works without permanent infrastructure, without connectivity, and without a two-month deployment project at every site.
That means portable. That means rapid. That means independent of network connectivity and cloud dependencies. That means something a team can carry to a substation, deploy in a maintenance window, capture meaningful data, and either leave in place or bring to the next site on the list.
This isn’t a theoretical concept. Teams are doing this now, at scale, across federal energy infrastructure, municipal utilities, manufacturing facilities, and defense installations. The pattern is consistent: when you bring the right capability to the right site, you find things. Invisible vulnerabilities. Configurations that don’t match the documentation. Network traffic that shouldn’t exist. Threats that have been sitting quietly because no one was looking.
This is what we built Valkyrie and Cygnet to solve
Valkyrie is our OT threat hunting and monitoring platform. Cygnet is the flyaway kit that carries it anywhere. Together, they’re how teams get real OT visibility into the places that have resisted every other approach.
Cygnet fits in a ruggedized case under four pounds. It deploys in minutes, runs completely air-gapped, and captures both network traffic and host-level forensic data without installing agents on anything. No rack space, no connectivity, no infrastructure buildout required. Plug into a network port and start collecting.
Valkyrie handles the analysis. It parses industrial protocols natively, correlates network and endpoint data, and includes pre-built threat hunting workflows developed from real OT incidents across federal energy, water, manufacturing, and defense environments. Your team doesn’t need five years of ICS experience to run a credible hunt. The tradecraft is built into the platform.
The combination means you can walk into a remote substation, an air-gapped treatment plant, or a manufacturing floor during a maintenance window and have comprehensive OT visibility operational before lunch.
The gap won’t close on its own
OT environments are expanding. Renewable energy sites, distributed generation, building automation systems, smart manufacturing, and water infrastructure modernization. Each new site adds to the attack surface. Very few of them come with the infrastructure needed to support traditional monitoring.
If you’re waiting for budgets, bandwidth, and infrastructure to align before extending security coverage to the rest of your OT footprint, the gap will keep growing.
The teams making progress are the ones who stopped waiting and started deploying security that fits the environment they actually have. Not the one they wish they had.
Insane Cyber builds tactical OT security tools and provides expert services for environments where traditional monitoring can’t operate.
