OrangeCon 2026

Aneta Urban

Aneta Urban is a cybersecurity consultant at TNO, working on projects related to OT/IT security and automated detection and monitoring. She collaborates with both private sector clients and the Dutch government on cybersecurity challenges.


Session

06-04
13:40
30min
Protecting the Water Horizon: Kill Chain Simulation and Detection in Water OT Infrastructure
Aneta Urban, Maarten de Kruijf

Operational Technology environments are among the hardest to defend and the hardest to test. Protocols are proprietary, traffic patterns are deterministic, and the cost of a false positive is not just noise - it can mean interrupting a live physical process. Testing detection capability in IT/OT infrastructure is essential - not only to verify what gets caught, but to understand where detection fails, what needs to be tuned, and whether signature-based or anomaly-based approaches are more effective at each stage.

This talk presents an ongoing research effort into executing and detecting attack scenarios inside a physical OT test environment that simulates the water pipeline infrastructure. The kill chain spans the full IT/OT boundary - from initial access and reconnaissance on the IT side, through lateral movement into OT, to direct manipulation of pipeline control components. At every stage, network traffic, sensor telemetry, and operational data flows are collected, building a ground-truth dataset of normal and adversarial behavior. A central metric under observation during the tests is the Water Horizon - tracking whether consumers receive their water on time - and how threat actors targeting flow rates and sensor values affect it.

Detection is approached across two layers: SIEM-based rules and signatures, and behavioral anomaly detection that baselines normal OT process behavior. Both detection layers draw on a combination of sensor data and network traffic, with cross-layer correlation used to increase alert confidence. The talk walks through which kill chain stages each detection layer identifies, where rules might fall short, where behavioral anomalies can surface threats that signatures miss, and where open questions remain.
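As an added illustration of the two-layer approach described above (example code, not code from the talk or from TNO's testbed), the Python below baselines a constructed flow-rate series, applies a simple allowlist signature to constructed control-write events, and correlates the two layers within a short window so that only combined evidence is reported at high confidence. The sensor values, host addresses and the engineering-host allowlist are assumptions.

```python
from statistics import mean, pstdev

# Constructed sample data (not measured in the talk's testbed): flow rate in m3/h
# at one-minute intervals for one pipeline sensor, plus control-protocol write
# events seen on the OT segment. Host addresses are placeholders.
TELEMETRY = [(t, 50.0 + (t % 3) * 0.5) for t in range(0, 20)]  # steady ~50-51 m3/h
TELEMETRY += [(20, 51.0), (21, 50.5), (22, 12.0), (23, 11.5), (24, 12.5)]  # drop at t=22
NET_EVENTS = [
    (5, "10.0.1.10", "10.0.2.20", "write_register"),   # allowed engineering workstation
    (12, "10.0.1.55", "10.0.2.20", "write_register"),  # unexpected host, no process effect
    (21, "10.0.1.55", "10.0.2.20", "write_register"),  # unexpected host, just before the drop
]
ENGINEERING_HOSTS = {"10.0.1.10"}  # assumed allowlist: hosts permitted to write to the PLC

def baseline(values):
    """Mean and population std-dev of the learning window (normal process behaviour)."""
    return mean(values), pstdev(values)

def anomaly_alerts(telemetry, learn=20, z_limit=3.0):
    """Behavioural layer: flag minutes whose flow deviates > z_limit sigma from baseline."""
    mu, sigma = baseline([v for _, v in telemetry[:learn]])
    sigma = max(sigma, 0.1)  # avoid division by zero on a perfectly flat baseline
    return [t for t, v in telemetry[learn:] if abs(v - mu) / sigma > z_limit]

def signature_alerts(events, allowlist):
    """Signature layer: any control write not originating from an allowlisted host."""
    return [t for t, src, _, action in events
            if action == "write_register" and src not in allowlist]

def correlate(anom_times, sig_times, window=3):
    """Cross-layer correlation: a process anomaly preceded (within `window` minutes)
    by a suspicious write is high confidence; either layer alone stays low confidence."""
    alerts = []
    for t in anom_times:
        matched = [s for s in sig_times if 0 <= t - s <= window]
        alerts.append({"time": t, "confidence": "high" if matched else "low",
                       "write_at": matched[0] if matched else None})
    for s in sig_times:
        if not any(0 <= t - s <= window for t in anom_times):
            alerts.append({"time": s, "confidence": "low", "write_at": s})
    return alerts

def run():
    return correlate(anomaly_alerts(TELEMETRY),
                     signature_alerts(NET_EVENTS, ENGINEERING_HOSTS))

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With the sample data, the write at minute 12 yields only a low-confidence signature alert, while the write at minute 21 followed by the flow drop from minute 22 is reported at high confidence.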

This is a work in progress. The goal is not to present conclusions - it is to share the methodology, open the discussion, and explore where OT detection can be improved.

Track 1