Look, here's the thing about OT cybersecurity. Most of the people who need to understand it have never seen it. They've heard the acronyms. They've sat through the slide decks. Maybe they've watched a YouTube video about Stuxnet and called it a day. But they've never actually stood in front of a working PLC, watched a live HMI, and traced a Modbus packet through a tap to a passive sensor while somebody explained what any of it does.

That's why we built the OT Wall. And that's why we brought it to DEFCON Singapore.

On the Creator Stage at the Marina Bay Sands Expo, I looked out at a packed room of practitioners wearing blue translation headsets, listening in real time as I walked through the SANS Five Critical Controls. We were not there to learn anything new. We have done this work for decades. We were there to explain it. To translate. To meet people where they were and walk them across.

OT is not a black box. It just looks like one to most of the people we need to defend it.

The conversations that mattered most

The talk on the Creator Stage was 20 minutes. The conversations afterward were six hours. And those conversations are where the real work happened, because that is where you find out what people actually do not understand.

Two conversations stuck with me. One with an IT cybersecurity practitioner. One with a student. Both pointed at the same gap, from different sides.

The IT person who could not let go of encryption

An attendee with a strong IT security background asked me, with real frustration in his voice, why in 20 years of OT cybersecurity we have not moved to secure protocols. Why is Modbus still in the clear? Why is DNP3 not encrypted by default? Why are we still running open protocols on networks where critical decisions get made? In his world, this is malpractice. He could not understand how an entire industry could leave the front door wide open for two decades and call itself mature.

Here is the thing. He was not wrong about the open protocols. He was wrong about the priority. In IT, the CIA triad runs C-I-A. Confidentiality first, then integrity, then availability. The whole industry is built around that order. In OT, we flip it. Availability first. Then integrity. Then confidentiality. If a turbine controller cannot read a setpoint because the encryption handshake hung for 80 milliseconds, somebody might die. The math is different. The risk model is different. And the answers that work in IT can hurt people in OT.

That is why Modbus is still in the clear. Not because the engineers were lazy. Because the engineers were careful. They picked deterministic, lightweight, low-latency, predictable behavior over confidentiality every single time. And when you understand that the process they are protecting is somebody's drinking water, somebody's electricity, somebody's hospital, you stop asking why they have not encrypted it. You start asking how to protect it without breaking what already works.

In IT, we patch and we move on. In OT, we cannot patch, and we have to defend it anyway.

The student who wanted to pen test the wall

A student came up wanting to talk about pen testing in OT. She was sharp. Curious. She had read every book on the subject and could quote the kill chain backwards. Her question was, where do you start? What is the first thing you scan? What do you exploit?

I told her about a baby.

If you have a three month old baby, I said, you already know it is vulnerable. You do not need to do a pen test to find that out. You know it cannot feed itself. It cannot clean itself. It cannot defend itself. You can list the vulnerabilities right now without scanning a thing. So what do you do? You do not give it an egg and expect it to cook its own dinner. You do not hand it the keys to the car and tell it to drive itself somewhere safe. You do not lay out clothes on the floor and expect it to figure out the buttons. You feed it. You change it. You put it in a crib so it cannot roll off the bed. You put a camera in the room so you know when it is crying. You build a whole system of compensating controls around a vulnerable thing, because removing the vulnerability is not on the table.

OT is the baby.

We know the PLC is old. We know it is running firmware from 2014. We know the engineering workstation still has Windows XP because the vendor will void the warranty if we touch it. We know the managed switches have not had a firmware update in two decades. We know all of it. We do not need a pen test to find vulnerabilities that everybody already knows are there. We need a parenting plan.

That is what the SANS Five Critical Controls actually are. They are the parenting plan.

You cannot give the baby an egg and expect dinner. You cannot give the OT engineer a CVSS score and expect a patch.

Three talks. Same theme. That is the message.

ICS Village had three talks on the Creator Stage at DEFCON Singapore. When we got the submissions back and saw them lined up next to each other, we laughed. Not because the schedule was repetitive. Because the theme was the same.

Three speakers. Different angles. Same message. Get the basics right.

The lineup

Adversaries Have AI. You Have $0. Here's How You Win Anyway - Aaron Crow: An honest take on what AI changes for the attacker, what it does not change, and the same five fundamentals that close the doors anyway.

Actual OT Cyber Security - Dillon Lee (https://www.linkedin.com/in/dillon-lee/): Practical, no-vendor-pitch view of what defending an OT environment actually looks like, day to day, in the real world.

Why Is It Running Windows XP? - Tom VanNorman (https://www.linkedin.com/in/thomasvannorman/): The honest answer to the question every IT person asks first, and what to do about it without breaking the plant.

Three independent submissions. None of us coordinated. All three landed in the same place. Foundations. Basics. The simple things that matter in OT cybersecurity. That is not a coincidence and it is not laziness. It is the field telling itself the truth.

Three speakers. Three different angles. One message. Do the basics. That is not repetition. It is the work.

Why this keeps coming up

It is easy to get caught up in the latest apps, the latest vendors, the latest tech. I am a nerd. I love the tech. I will absolutely sit down and geek out about a new threat-detection capability or a clever new protocol break. The fun stuff is fun. That is why it is fun.

But securing any environment is more than just the tech. People, process, and technology. In that order, most days. The reason three independent OT speakers all submitted talks about basics is that we keep walking into environments where the tech is the smallest problem. The biggest problem is that nobody talks to each other. The second biggest problem is that nobody documented the network. The third biggest problem is that nobody owns the asset. The tech is fine. The tech is usually fine.

If you walked away from any of the three talks at DEFCON Singapore with a single takeaway, I hope it is this. The basics are not boring. The basics are what works. Everything else is a layer on top of getting the basics right, and most environments have not gotten the basics right. That is where the work is.

What the OT Wall actually is

First, the framing. We were at DEFCON Singapore supporting ICS Village. ICS Village is a non-profit focused on education around critical infrastructure, OT, and cybersecurity. Their volunteers flew to the other side of the globe to be there. They built the village. They ran the booth. They had the conversations until their voices gave out. The wall is one piece of what they brought. The volunteers are the rest.

The OT Wall itself is a working, miniaturized industrial control system. Not a poster. Not a lab sim. A real one. A FortiGate firewall sits at the front, doing real segmentation. Behind it, a DMZ runs HyperPort for secure remote access, with MFA and session recording on every connection. Past that, an OT network runs PLCs, an HMI, and an engineering workstation, all talking real industrial protocols. And quietly watching all of it, EmberOT does passive monitoring through SPAN ports and a pair of network taps, one Garland and one Ixia, doing the same job two different ways.

Everything you would find in a real plant, on a 3D-printed mount you can carry through an airport. People walk up. They poke at it. They ask questions. We answer them. That's the whole show.

The hardware on the wall is not the point. The functions are.

Let me say this clearly because it matters. We have FortiGate on the wall, but a firewall can be Palo Alto, Cisco, Check Point, anything. We have HyperPort for secure remote access, but secure remote access can be Dispel, Claroty, Cyolo, others. We have EmberOT for passive monitoring, but monitoring can be Dragos, Nozomi, Claroty, plenty of good options. The vendors we chose are excellent partners, and that is why they are represented on the wall. They are not the only answer. They are an answer.

The point of the wall is the function, not the brand. The function is the boundary. The function is the secure access workflow. The function is the visibility. If you have a different vendor doing the same function, you are doing the same work. The wall shows you what the work looks like.

Industrial form factor, IT internals

One thing visitors notice when they get close. The hardware on the wall is built for industrial environments. DC power instead of AC. Heat-sink cases with no internal fans because dust kills fans and plants are dusty. DIN rail mounting. Wider operating temperature ranges. Different connectors. Different physical packaging. Everything sized to live inside a control cabinet that gets opened twice a year and otherwise sits in a hot room.

But here is the thing. Open the case and you find the same guts you would find in any IT data center. The FortiGate is still a firewall running the same FortiOS. The switches are doing layer 2 and 3 the same way enterprise switches do. The same IP. The same routing. The same SPAN ports, taps, syslog, ARP, nmap. Different shell, same internals. That is the conversation worth having with somebody coming from IT. The skills you already have transfer. The use cases and the consequences are what change.

That is why we built it as a physical thing instead of a slide deck. A picture is worth a thousand words. Putting hands on hardware is worth a thousand pictures.

And then there is the Tesla coil

Yes, there is a Tesla coil on the wall. Two buttons on the front, one red, one green. Both wired to a Siemens PLC. Press green, the coil turns on and the room hears it. Press red, it stops. People jump the first time. That is the point.

OT is not just bits and bytes. OT has physical reactions. Pumps start. Valves open. Breakers trip. Things heat up, cool down, spin, stop. When something goes wrong in OT, you can hear it. You can sometimes feel it. The Tesla coil makes that visceral in a way no diagram can. You press a button on a network somebody else built and the room jumps. That is the entire OT cybersecurity threat model in three seconds.

OT has physical consequences. The Tesla coil makes that real. The blackout at the substation is the same idea, with worse stakes.

The Capture the Flag next door

Beside the wall, ICS Village ran a Capture the Flag. Six small working systems, each with its own controls and HMI. The scenario was simple. The water plant has stopped working. Get it back online. Attendees moved knobs, interacted with PLC functions, looked at downstream impacts, and figured it out as a team. Not a cyber CTF. An OT CTF. Closer to an escape room than a hacking contest. The point was not to break in. The point was to see how things work, what depends on what, and why fixing one thing breaks another.

Watching IT folks work through that CTF was educational for me, too. The moment somebody realizes that turning a valve in zone two changes pressure in zone four, and that the HMI in zone four is showing them something they have to interpret quickly, is the moment they start understanding OT. You cannot get that from a slide. You have to do it.

The point of all of it, the wall, the CTF, the booth, the conversations, is to make OT visible. Because once you can see it, you can think about defending it. And right now, most of the world cannot see it.

Why this matters more in 2026 than it did last year

Two things changed recently that anybody defending critical infrastructure needs to think about.

Adversaries got a lot faster

AI is changing the economics of attack. Recon that used to take a week now takes an afternoon. The skill compression is real. You no longer need a 10-year ICS specialist to abuse Modbus or DNP3. You need an LLM and a goal. Anthropic's Mythos found over 2,000 zero-day vulnerabilities in seven weeks. Two thousand. In seven weeks.

OT was never going to patch its way out of that. Honestly, we never really patched OT very well in the first place. Most plants get one major patching window a year, if they're lucky. Now, in the time it takes to schedule the next one, AI has found more vulnerabilities than your whole maintenance window can address.

AI does not invent new doors. It just walks through the open ones faster. So let's talk about closing the doors.

Defenders are still doing the same things they were doing five years ago

That's the gap. And honestly, that's the good news. Because the doors that get walked through are almost always the same five doors. They were the same doors before AI showed up. They will be the same doors after. And every one of them is fixable with what you already own.

The OT Wall is set up to show you those five doors. And the simple controls that close them.

The five fundamentals, on the Creator Stage

So if you cannot patch the baby, what do you do? You build a system around it. The SANS Five ICS Critical Controls are that system. Not because they're new or sexy or because somebody is paying me to say it. Because they actually work, and because every breach assessment I have done in 25 years comes back to one of these five being missing or broken. Every time.

On the Creator Stage we walked through each one in 20 minutes, with the room wearing translation headsets and the wall sitting back at the ICS Village booth waiting for the after-talk crowd. Here is how each control shows up on the wall, and what we want people to take away when they walk past it.

01  /  ICS Incident Response Plan

Your IT incident response plan is not your OT plan. Different goals. Different stakeholders. Different acceptable outcomes. An IT plan written for ransomware on the file server tells you exactly the wrong thing to do when you lose view and control of a turbine.

The OT Wall has a tabletop scenario taped to the front of it. The scenario is, your operator just lost the HMI. Walk me through what happens next. The first thing people realize is that they don't know who they would call. The second thing they realize is that the people they would call have probably never been in the same room. That gap, right there, is the work.

If your tabletop is just IT and cyber in a conference room, you are not running a tabletop. You are running a meeting.

02  /  Defensible Architecture

The FortiGate on the wall is not decoration. It is doing real work. There is a real boundary between the corporate network and the OT network. There is a real DMZ. There is real default-deny in the rule set. People walk up and ask if it is just for show. No. That box is the difference between segmentation and a label.

A VLAN is a label. A firewall is a decision. Most of the OT environments I walk into have one big broadcast domain with VLANs marketed as segmentation. They are not. The OT Wall makes the distinction physical. You can literally see where the boundary is, and what stops at it.

03  /  ICS Network Visibility and Monitoring

This is the one I get the most questions about. People want to know how EmberOT works without disrupting the process. So we show them. Two taps. One Garland, one Ixia. Both passive. Both invisible to the live traffic. The PLC and HMI keep talking to each other and have no idea anything is watching. Meanwhile, EmberOT is building an asset inventory, mapping every conversation, and cross-referencing what it sees against known vulnerabilities.

The thing that surprises people is how cheap visibility actually is. I have watched a small water utility with no budget grab a spare laptop, get engineering approval, mirror a port on an OT switch, and stand up passive monitoring in an afternoon. They saw things on day one they did not know were happening. The OT Wall shows you what that setup looks like. From there, it scales.

You cannot patch what you do not know exists. And you cannot defend what you cannot see.
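As an added example (not code from this article, ICS Village, or any vendor named on the wall), here is the kind of asset inventory a passive sensor builds from the bytes on a tap: a Modbus/TCP header parser run over a handful of constructed frames, plus the check a defender wants on day one, which hosts are issuing write function codes and whether they are on the approved list. The IP addresses, ports and frames are constructed; EmberOT's own implementation is not shown here.

```python
"""Passive Modbus/TCP asset inventory from tapped frames (added example)."""
import struct
from collections import defaultdict

MODBUS_PORT = 502
FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
                  4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
                  15: "Write Multiple Coils", 16: "Write Multiple Registers"}
WRITE_FUNCTIONS = {5, 6, 15, 16}


def parse_mbap(frame: bytes):
    """Parse the 7-byte MBAP header and function code of one Modbus/TCP frame.
    Returns None for anything that is not well-formed Modbus/TCP."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:                    # protocol identifier is always 0 for Modbus
        return None
    if length != len(frame) - 6:      # length covers unit id + PDU, not tid/proto/length
        return None
    fc = frame[7]
    return {"tid": tid, "unit": unit, "fc": fc & 0x7F,
            "exception": bool(fc & 0x80), "pdu": frame[8:]}


# Constructed frames, not real captures (hex: tid, proto, length, unit, fc, data).
HMI_READ = bytes.fromhex("00010000000601030000000A")            # FC3 read 10 holding regs
PLC_READ_RESP = bytes.fromhex("000100000017010314") + bytes(20)  # FC3 response, 20 data bytes
EWS_WRITE = bytes.fromhex("0002000000060106001001F4")           # FC6 write reg 16 := 500
ROGUE_WRITE = bytes.fromhex("00030000000601050000FF00")         # FC5 write coil 0 := ON
PLC_EXC = bytes.fromhex("000300000003018502")                   # FC5 exception, illegal address

# Constructed tap capture: (src, sport, dst, dport, frame).
CAPTURE = [
    ("10.10.20.5", 49152, "10.10.20.10", 502, HMI_READ),       # HMI polls PLC
    ("10.10.20.10", 502, "10.10.20.5", 49152, PLC_READ_RESP),  # PLC answers
    ("10.10.20.7", 49153, "10.10.20.10", 502, EWS_WRITE),      # engineering workstation write
    ("10.10.30.44", 40001, "10.10.20.10", 502, ROGUE_WRITE),   # host nobody documented
    ("10.10.20.10", 502, "10.10.30.44", 40001, PLC_EXC),       # PLC rejects it
]


def build_inventory(capture):
    """Who talks to whom, which unit ids exist, and every write request seen."""
    assets = defaultdict(lambda: {"role": set(), "units": set(), "functions": set()})
    conversations = set()
    writes = []
    for src, sport, dst, dport, frame in capture:
        m = parse_mbap(frame)
        if m is None:
            continue
        if dport == MODBUS_PORT:          # request: client -> server
            client, server, is_request = src, dst, True
        elif sport == MODBUS_PORT:        # response: server -> client
            client, server, is_request = dst, src, False
        else:
            continue
        assets[client]["role"].add("client")
        assets[server]["role"].add("server")
        assets[server]["units"].add(m["unit"])
        assets[client]["functions"].add(m["fc"])
        conversations.add((client, server))
        if is_request and m["fc"] in WRITE_FUNCTIONS:
            address, value = struct.unpack(">HH", m["pdu"][:4])
            writes.append({"src": client, "dst": server, "unit": m["unit"],
                           "function": FUNCTION_NAMES[m["fc"]], "address": address, "value": value})
    return {"assets": dict(assets), "conversations": conversations, "writes": writes}


def unexpected_writers(inventory, approved_writers):
    """Hosts issuing writes that engineering never approved: the day-one finding."""
    return sorted({w["src"] for w in inventory["writes"]} - set(approved_writers))
```

The parser is deliberately strict: the MBAP length field must match the frame, and anything else is dropped rather than guessed at, because a passive sensor on a tap can never ask the PLC to repeat itself.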

04  /  Secure Remote Access

This one needs a little extra context, because the obvious answer is wrong for OT. The obvious answer is, put MFA on everything. Great. Most OT devices physically cannot do MFA. PLCs do not have MFA. HMIs from 2014 do not have MFA. So what?

So the MFA goes at the gateway. That is what HyperPort is doing on the wall. Outside user authenticates to the corporate network. Then they authenticate again, with MFA and a different account, into HyperPort. HyperPort enforces role-based access (vendor A can reach systems 1, 2, and 3, the operator can reach everything), does the protocol break, records the session, and then jumps the user to whatever they're allowed to touch. There is no routed traffic from outside to the OT asset. There is a workflow.

If you cannot list every door into your OT network on a single sheet of paper, you do not have remote access. You have remote chaos. The OT Wall makes the doors visible. There are exactly two of them. They go through the DMZ. Anything else is the bug.
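Added example, not HyperPort's configuration or any vendor's code: a minimal gateway policy evaluator that expresses the workflow above as data (separate gateway account, MFA enforced at the gateway rather than on the PLC, role allowlists, only the approved DMZ entry points), denies everything it does not explicitly match, and audits a session log for any door that is not one of the approved two. Asset names, accounts, door names and the log are all hypothetical.

```python
"""Remote-access gateway policy with default deny (added example, hypothetical policy)."""
from dataclasses import dataclass

# Hypothetical OT asset list: the full set an operator may reach.
OT_ASSETS = {"plc-1", "plc-2", "plc-3", "plc-turbine", "hmi-1", "ews-1"}

# Roles as allowlists. Vendor A sees only its own systems; the operator sees everything.
ROLE_ALLOWLIST = {
    "vendor_a": {"plc-1", "plc-2", "plc-3"},
    "operator": set(OT_ASSETS),
}

# Gateway accounts are separate from corporate accounts and map to exactly one role.
GATEWAY_ACCOUNTS = {"jsmith-ot": "operator", "vendora-tech-ot": "vendor_a"}

# The only doors into the OT network: sessions brokered through the DMZ gateway.
APPROVED_DOORS = {"dmz-gateway-1", "dmz-gateway-2"}


@dataclass(frozen=True)
class AccessRequest:
    corp_user: str          # identity used for the first, corporate login
    corp_authenticated: bool
    gateway_account: str    # second, OT-side account presented at the gateway
    mfa_passed: bool        # MFA is satisfied here, because the PLC cannot do it
    door: str               # entry point the session arrived through
    target: str             # OT asset the user wants to reach


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; anything unmatched is denied."""
    if not req.corp_authenticated:
        return False, "corporate authentication missing"
    if req.door not in APPROVED_DOORS:
        return False, f"entry point {req.door!r} is not an approved door"
    if req.gateway_account == req.corp_user:
        return False, "gateway account must be separate from the corporate account"
    role = GATEWAY_ACCOUNTS.get(req.gateway_account)
    if role is None:
        return False, f"unknown gateway account {req.gateway_account!r}"
    if not req.mfa_passed:
        return False, "MFA at the gateway not satisfied"
    if req.target not in OT_ASSETS:
        return False, f"unknown target {req.target!r}"
    if req.target not in ROLE_ALLOWLIST[role]:
        return False, f"role {role!r} is not permitted to reach {req.target!r}"
    # No routed path is opened; the gateway brokers and records the session.
    return True, f"brokered session {req.gateway_account} -> {req.target} via {req.door} (recorded)"


def audit_doors(session_log: list) -> dict:
    """Every entry point the log shows, and the ones that are not approved doors."""
    seen = {entry["door"] for entry in session_log}
    return {"doors": sorted(seen), "unapproved": sorted(seen - APPROVED_DOORS)}


# Constructed session log: two brokered sessions and one that did not come through the DMZ.
SESSION_LOG = [
    {"door": "dmz-gateway-1", "account": "jsmith-ot", "target": "hmi-1"},
    {"door": "dmz-gateway-2", "account": "vendora-tech-ot", "target": "plc-2"},
    {"door": "cellular-modem-cabinet-7", "account": "maint", "target": "plc-turbine"},
]
```

The order of checks matters only for the reason string; the decision is the same whichever check fails first, because nothing reaches the allow branch without passing all of them. The `audit_doors` output is the "single sheet of paper" from the paragraph above, generated from evidence rather than memory.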

05  /  Risk-Based Vulnerability Management

Two PLCs on the wall. Same firmware. Same vulnerability. Same CVSS score. One controls the demo lights. One controls the demo turbine. Same vulnerability, totally different risk. If your patch list is sorted by CVSS, you are doing the wrong thing.

Visibility from Control 3 feeds vulnerability prioritization in Control 5. EmberOT cross-references CVEs against the firmware actually on your wire, not what you wish was there. Then you patch based on what would hurt you, not what scored highest on a database somebody else maintains.
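Added example, not the article's method or EmberOT's scoring: a small prioritizer that ranks findings by consequence to the process and exposure on the wire as well as CVSS, built around the two-PLC case above, and then picks what fits into a single patching window. The CVE ids are placeholders, the asset list is constructed, and the weights are illustrative assumptions, not a published formula.

```python
"""Risk-based vulnerability prioritization (added example; weights are illustrative)."""
from dataclasses import dataclass

# Consequence if the asset is lost or misused, judged by the process owner: 1 nuisance, 5 safety.
CONSEQUENCE = {"demo lights": 1, "plant switch": 2, "operator view": 3, "turbine control": 5}

# Exposure comes from the inventory on the wire (Control 3), not from the asset register.
EXPOSURE = {"isolated": 1, "monitored OT zone": 2, "reachable from DMZ": 3, "reachable from corporate": 5}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str          # placeholder ids; the article names no specific CVE
    cvss: float
    function: str     # key into CONSEQUENCE
    exposure: str     # key into EXPOSURE
    mitigations: int  # compensating controls in place (firewall rule, passive monitoring, ...)


def risk_score(f: Finding) -> float:
    """Severity scaled by process consequence and exposure, damped by compensating controls."""
    return f.cvss * CONSEQUENCE[f.function] * EXPOSURE[f.exposure] / (1 + f.mitigations)


def by_cvss(findings):
    """The list most tools hand you: sorted on the database score alone."""
    return [f.asset for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def by_risk(findings):
    """The list sorted on what would actually hurt this plant."""
    return [f.asset for f in sorted(findings, key=risk_score, reverse=True)]


def plan_window(findings, slots):
    """One patching window a year: take the top findings by risk that fit."""
    return by_risk(findings)[:slots]


# Constructed findings. The two PLCs share firmware, vulnerability and CVSS score.
FINDINGS = [
    Finding("plc-lights", "CVE-PLACEHOLDER-1", 9.8, "demo lights", "monitored OT zone", 1),
    Finding("plc-turbine", "CVE-PLACEHOLDER-1", 9.8, "turbine control", "monitored OT zone", 1),
    Finding("hmi-ews", "CVE-PLACEHOLDER-2", 7.5, "operator view", "reachable from corporate", 0),
    Finding("ot-switch", "CVE-PLACEHOLDER-3", 5.3, "plant switch", "isolated", 2),
]
```

Sorted by CVSS, the two PLCs tie at the top and the lights get a patch before the turbine. Sorted by risk, the turbine moves ahead of the lights, and the unsegmented HMI with a lower CVSS score lands above both, because its exposure is what an attacker actually reaches first. Adding a compensating control to a finding (`mitigations`) is how the score reflects the crib and the camera rather than only the patch.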

Why ICS Village, why DEFCON, why Singapore

Let me say this part properly. ICS Village is a non-profit, which means the people who built the village, packed it in crates, flew it 9,000 miles to Singapore, set it up, ran it for the whole event, and packed it back out are not getting paid for it. They did it because they care about the work. That is worth saying out loud. The wall does not show up in Singapore by itself. The CTF does not run itself. None of this happens without volunteers who think OT cybersecurity matters and are willing to lose a weekend in their lives to prove it.

If you came by the booth, the person explaining the CTF to you was probably one of those volunteers. The person walking somebody through the architecture diagram was probably one of those volunteers. The folks restarting the demo gear when somebody pressed the wrong button were probably those volunteers too. They deserve the credit.

DEFCON Singapore was the right place for this because the energy, water, transportation, manufacturing, and telecom infrastructure of Asia-Pacific is enormous, growing, and increasingly the target of nation-state activity. The threat actors do not care which side of the Pacific you live on. The defenders here have the same five problems and the same five fixes. The questions we got were the same questions we get at RSA, DEFCON Las Vegas, every regional conference, just delivered with different accents. The work is universal.

ICS Village volunteers flew to the other side of the globe to make OT visible to one more room of practitioners. That is what builds the field.

What we want you to take home

If you walked past the OT Wall and you only remember three things, here they are.

01  /  OT is everywhere

Whether you call it OT or not, your building runs on it. HVAC, elevators, badge readers, cameras, fire suppression, UPS. If you work in a building right now, OT is keeping you comfortable and safe. The question is not whether you have OT. The question is whether anybody is watching it.

02  /  Fundamentals win

Boundary, segmentation, monitoring, secure remote access, risk-based patching. None of this is new. Most of it is missing. The adversaries are not magic. They are following the path of least resistance, just faster than they used to. Close the easy paths and most attackers move on to a softer target.

03  /  You can start small

A FortiGate. A jump host. A spare laptop. A mirror port. A box of donuts for the engineering team. The OT Wall is small on purpose. It is sized like a real first project. If a small water utility with no budget can stand up passive monitoring in an afternoon, your organization can too. Stop waiting for the platform. Start with what you have. Baby steps. 100 percent.

One more thing

If you came by the wall during DEFCON Singapore, thank you. The conversations were the best part. If you missed it, the wall travels. We bring it to other ICS Village events, and the lessons travel even when the plywood doesn't.

And if you want to keep the conversation going, the PrOTect IT All podcast is where I talk to practitioners about exactly this kind of work. 100 plus episodes, no sales pitches, no FUD. Real engineers, real plants, real lessons. Find it at protectitallpod.com.

OT is different, not harder. Get the fundamentals right and the rest sorts itself out. See you at the next one.

RESOURCES

Podcast: protectitallpod.com / 100+ episodes, practitioner-focused

ICS Village: icsvillage.com / non-profit critical-infrastructure education

SANS ICS 5 Critical Controls: the framework referenced throughout this article

LinkedIn: linkedin.com/in/aaronccrow
