Security for Oil and Gas: anatomy of defending OT networks against ransomware, sabotage and espionage
Refineries, pipelines and platforms depend on OT systems that cannot stop. Decripte contains intrusions before they become an operational shutdown, segregates industrial zones and monitors the environment 24x7 with a containment SLA of up to 1 hour.
Direct answer
To protect the oil and gas sector, you must treat the OT network (refining, pipelines, SCADA) as the critical asset it is: segregate industrial zones physically and logically from the corporate network following the IEC 62443 / Purdue model, deploy passive monitoring that can see industrial protocols (Modbus, DNP3, OPC, IEC 60870-5-104) without interfering with the process, maintain a 24x7 SOC with detection capability across IT and OT, and have an industrial incident response plan that prioritizes process safety and containment before shutting down the plant. Decripte delivers these four fronts in an integrated way — free diagnosis at decripte.com.br/intelligence-center and contracting at decripte.io/start.
24/7
SOC monitoring IT and OT
≤1h
Containment SLA per incident
IEC 62443
OT zone segregation model
ISO 27001
Structured compliance
In summary
- ›The OT network of a refinery or pipeline cannot be treated as ordinary IT: availability and process safety come before confidentiality, and any response action must consider physical risk.
- ›Most intrusions in oil and gas begin in IT (email, VPN, supplier) and migrate to OT for lack of segregation — the decisive control is the segmentation of zones and conduits in the IEC 62443/Purdue model.
- ›Ransomware with an operational shutdown is the scenario of greatest economic impact: containment must isolate propagation without turning off what keeps the plant in a safe state.
- ›Effective OT monitoring is passive: it sees Modbus, DNP3, OPC and IEC-104 through traffic mirroring, without injecting packets or restarting sensitive devices.
- ›Decripte combines a 24x7 SOC, Incident Response with a containment SLA of ≤1h, Pentest with an OT scope and Compliance (ISO 27001/LGPD) to cover prevention, detection and response.
- ›Start with the free diagnosis at decripte.com.br/intelligence-center to map your exposure surface before an incident forces the decision.
Cibersegurança para Oil and Gas
Refineries, pipelines and platforms depend on OT systems that cannot stop. Decripte contains intrusions before they become an operational shutdown, segregates industrial zones and monitors the environment 24x7 with a containment SLA of up to 1 hour.
Why oil and gas became a priority target for cyber attacks
The oil and gas sector concentrates three characteristics that make it one of the most coveted targets for cyber adversaries: high economic value, national criticality and dependence on industrial automation systems designed decades ago, when the internet and the cyber threat were not part of the risk model. A refinery, a pipeline terminal or a production platform is, at once, a billion-dollar financial asset, a piece of the country's critical infrastructure and an environment where a control failure can cause physical, environmental and human harm. This combination attracts everyone from financially motivated ransomware groups to state-sponsored actors interested in espionage and in pre-positioning for sabotage.
The fundamental difference between protecting a bank and protecting a refinery lies in the nature of what can go wrong. In traditional IT, the worst case is usually data leakage or the unavailability of a service. In OT (Operational Technology), the worst case is the loss of control over a physical process: a valve that should close and does not, a tampered pressure sensor, a bypassed safety interlock logic. That is why, in the oil and gas sector, the classic information-security triad — confidentiality, integrity and availability — is inverted: process availability and integrity come first, and any defense action must be designed so as not to create, in itself, an operational risk.
What is at stake when OT is compromised
The risk is not just data — it is a physical process
In an OT incident, shutting down a server to 'contain' can be exactly the wrong action: that server may be the one keeping the plant in a safe state. Industrial incident response requires understanding the process before acting, something a generic IT team does not do.
Another factor that raises the risk is IT/OT convergence. To gain efficiency — real-time telemetry, predictive maintenance, executive dashboards, ERP integration — companies connected industrial networks that were historically isolated (air-gapped) to the corporate network and, by extension, to the internet. This convergence brought real business value, but it also opened paths that did not exist before. Today, the vast majority of intrusions in OT environments do not begin in OT: they begin in IT, through phishing, a misconfigured VPN, a leaked credential or a compromised supplier, and only then move laterally into the industrial environment. Defending the sector requires accepting this reality: the IT→OT frontier is the real battlefield.
The five threats that most affect refineries, pipelines and platforms
Threats to the oil and gas sector are not abstract. They follow observable patterns, and understanding each vector is the first step to defending. Decripte structures the defense around the five most relevant risks for the sector, described below.
1. Attacks on the OT systems of refining and pipelines
SCADA systems, PLCs (Programmable Logic Controllers), RTUs (Remote Terminal Units) and DCS (Distributed Control Systems) control the physical heart of the operation: distillation-column temperature, pipeline pressure, terminal flow rate, valve opening. Many of these devices use industrial protocols with no native authentication — Modbus, DNP3, classic OPC — designed for reliability, not for security. An attacker with network access to the OT segment can, in theory, send commands that change setpoints or disable alarms. The most dangerous attack does not bring the system down: it keeps it up while subtly manipulating the logic. That is why OT defense prioritizes segregation and visibility within the control network itself.
2. Ransomware with an operational shutdown
Ransomware is today the threat of greatest economic impact for the sector. Even when the malware reaches only the corporate network, the company often decides to stop the operation as a precaution — because it cannot guarantee that OT was not affected. This preventive shutdown, in a refinery or a pipeline terminal, costs millions per day and can have knock-on effects on supply. The attacker's goal is exactly that: to use the criticality of the process as extortion leverage. OT visibility is what allows NOT stopping unnecessarily, taking the leverage away from the criminal.
Why ransomware is so effective against oil and gas
The criticality of the operation becomes the attacker's weapon: the company cannot 'wait and see'. Faced with the slightest doubt about OT integrity, the safe decision is to stop — and it is precisely the cost of that stop that the criminal monetizes in the negotiation.
Three vectors complete the picture. Espionage and theft of strategic data: seismic data, reserves, process formulas and bidding strategies are extremely high-value assets, silently exfiltrated by competitors or state-sponsored actors, often over months without tripping the operation. Cyber sabotage: the pre-positioning scenario, in which the attacker keeps latent access to OT waiting for the moment to cause physical harm — explosions, environmental leaks, supply shortages — is the most serious threat in terms of national security. Supplier compromise: automation integrators, equipment manufacturers and maintenance companies have privileged remote access to OT, and compromising a supplier with an account without MFA is often easier than attacking the plant directly — granting the same access.
Supplier compromise: the most exploited link
Integrators, manufacturers and maintenance providers have privileged remote access to OT, often via dedicated VPNs and forgotten accounts without MFA. The supply-chain attack does not need a vulnerability in your plant — it just needs a flaw in the partner who holds the key to your door.
Is oil and gas data already exposed or up for sale? Find out now — for free.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
The OT security model Decripte applies: zones, conduits and the Purdue model
The backbone of industrial defense is segregation. The international reference standard for automation security is the IEC 62443 series, which organizes the environment into zones (groups of assets with the same criticality level and security requirement) and conduits (the controlled communication channels between zones). Overlaid on this logic is the Purdue Model, which stratifies the operation into levels: from Level 0 (physical sensors and actuators) to Level 4/5 (corporate network and internet), through process control (Levels 1-2), supervision (SCADA/DCS) and an industrial demilitarized zone (IDMZ) between OT and IT.
The industrial IDMZ: the frontier that prevents IT→OT migration
Most serious incidents happen because there is no real frontier between the corporate network and the control network. The IDMZ is that frontier: no traffic should cross directly from IT to OT. Telemetry data that must reach the ERP passes through intermediate servers (data brokers, replicated historians) inside the IDMZ, so that a compromise in IT has no direct path to the PLCs. When Decripte takes on an environment, mapping and hardening this frontier is one of the first priorities.
OT architecture principles that Decripte implements
- ✓Segregation of zones and conduits per IEC 62443, with explicit firewall rules between levels
- ✓Industrial IDMZ between the corporate network and the control network, with no direct IT→OT route
- ✓Complete inventory of OT assets (PLCs, RTUs, HMIs, industrial switches) — you cannot protect what you do not know
- ✓Third-party remote access via a monitored jump host, with MFA and session recording
- ✓Passive monitoring of industrial protocols through port mirroring (SPAN), without traffic injection
- ✓Hardening of engineering workstations and SCADA/historian servers, the main pivot vector
It is important to stress what segregation is NOT: it is not simply placing a firewall between IT and OT and considering the job done. Real segregation means each zone has its own policy, that the conduits carry only strictly necessary traffic, that monitoring exists inside each zone (not just at the edge) and that remote access — the attackers' preferred vector — is strictly controlled, mediated by jump hosts and audited.
Anatomy of an intrusion into the OT network of a refinery (anonymized real-world example)
Anonymized real-world example
The case below is an anonymized real-world example, built from real attack patterns against the oil and gas sector. it does not identify the client nor a real incident. It serves to show, step by step, how an intrusion evolves and how Decripte acts to contain it before the operational shutdown.
Imagine a mid-sized refinery with a corporate network converged with the OT network for real-time telemetry. The attack does not begin in OT — it begins, as almost always, in IT. A spear-phishing email aimed at a process engineer delivers an implant that establishes remote access to their workstation. The workstation, being on the corporate network but having connectivity to the OT engineering workstation (a firewall exception created years earlier 'to make maintenance easier'), becomes the bridge. From there the attacker performs silent reconnaissance: maps the historian, identifies the PLCs, observes the Modbus and OPC protocols in transit. The goal is ransomware with an extortion component through the threat of a shutdown.
What failed and what saved it
What allowed entry was the classic combination: successful phishing, absence of MFA on the engineer's account and an IT→OT firewall rule that should never have existed. What averted the catastrophe was Decripte's OT monitoring: the anomalous traffic between the engineering workstation and the PLCs — mass configuration-read commands that matched no maintenance window — triggered an alert in the SOC. Detection happened in the reconnaissance phase, before encryption and before any process manipulation. The full timeline is detailed in the case-study section below.
The turning point
The difference between 'contained incident' and 'refinery down for days' was the detection window. Because OT monitoring saw the reconnaissance on the control network — and did not wait for the ransomware to detonate on IT — containment happened while the attacker was still mapping, not executing.
How Decripte responds to an industrial incident without stopping the plant
Incident response in OT environments follows a different logic from traditional IT. The principle governing every decision is process safety: no containment action can create a physical risk greater than the attack itself. This means, for example, that isolating OT from IT is almost always safe and desirable, but shutting down a SCADA server or a PLC can push the process into a dangerous state. That is why Decripte works side by side with the plant's operations and engineering, never in isolation.
Surgical containment, not mass shutdown
The first containment action in an OT incident is to cut off propagation at the right point: typically, isolating the corporate network from the control network by reinforcing or closing the IDMZ conduits, while OT keeps operating in a safe, monitored mode. The attacker's path is isolated without shutting down what keeps the plant stable. In parallel, compromised accounts are revoked, third-party access is suspended and the command traffic to the PLCs is inspected in real time.
Process safety above all
In OT, the question before any response action is: 'does this put the physical process at risk?'. Containment is designed with process engineering so that containing the attacker never means creating an industrial safety incident.
After containment comes eradication — removing the attacker's access completely, not partially. Poorly done eradication is the most common reason for recurrence: the attacker comes back because a secondary implant, a service account or a supplier access was forgotten. Decripte only declares eradication complete after a forensic analysis that reconstructs the entire access chain. Next, recovery restores systems from validated backups and reintegrates zones in a controlled way, monitoring every step. Finally, the lessons learned become concrete improvements in architecture and detection.
What would an incident in oil and gas cost? See your real risk before it happens.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
The role of the 24x7 SOC in oil and gas defense
In a sector where the attacker can remain silent for months before acting, continuous detection is what separates the company that discovers the adversary in the reconnaissance phase from the one that discovers it when the ransomware has already detonated. Decripte's 24x7 SOC monitors the IT and OT domains simultaneously, correlating events: an anomalous login on IT followed by unusual traffic toward OT is the kind of signal that, in isolation, goes unnoticed, but that, when correlated, triggers immediate investigation.
OT monitoring is passive by design
Unlike IT, where active scans are routine, in OT Decripte's monitoring is passive: it sees traffic through port mirroring, without sending packets that could confuse a PLC or restart a sensitive device. Full visibility, zero operational risk.
The SOC is not just technology — it is a team of analysts who understand the industrial context. Detecting Modbus or DNP3 is different from detecting HTTP traffic: it requires knowing what is normal behavior for a refining process, which maintenance windows are legitimate and which setpoints make sense. This specialization is what reduces false positives to a level where the real alerts are not lost in the noise. The SOC feeds Incident Response directly: when something real happens, there is no context handoff — the same ecosystem that detected already delivers the investigation to the containment team. This continuity is what makes the containment SLA of up to 1 hour feasible.
Compliance and governance: ISO 27001, LGPD and the sector's frameworks
Security in the oil and gas sector is not only technical — it is also regulatory and contractual. The operation is subject to a growing set of governance requirements, and demonstrating security maturity is increasingly a condition for partnerships, public contracts and insurance. Decripte structures compliance so that it reinforces real security, rather than becoming just paper for an audit.
Compliance fronts that Decripte structures
- ✓ISO/IEC 27001 — information security management system covering IT and OT
- ✓IEC 62443 — technical reference for the security of industrial automation and control systems
- ✓LGPD — protection of personal data of employees, third parties and partners, with the ANPD as the authority
- ✓SOC 2 — when there are services and data under third-party contractual responsibility
- ✓Third-party and supply-chain risk management as a formal governance requirement
On the LGPD: although the sector's focus is protecting the industrial process, there is a relevant volume of personal data — employees, providers, contracts — subject to the General Data Protection Law and to oversight by the ANPD (National Data Protection Authority). An incident that exposes this data creates a notification obligation and potential sanction. Decripte treats LGPD compliance as part of the security program, integrating it into the incident response plan so that, in the event of a leak, communication to the data subject and to the authority happens within what the law requires.
Compliance is not security — but its absence is doubled risk
Meeting ISO 27001 or IEC 62443 does not make the company immune to attacks. But the absence of formal governance means inconsistent controls, diffuse responsibilities and, in the event of an incident, far greater legal and reputational exposure. Decripte uses the frameworks as a skeleton, not as theater.
Pentest with an OT scope: finding the flaw before the attacker finds it
Pentest in the oil and gas context requires extra care. A poorly conducted intrusion test in an OT environment can, in itself, cause an operational incident. That is why Decripte conducts industrial pentests with an adapted methodology: active and aggressive tests are restricted to IT and the IDMZ, while the OT assessment prioritizes architecture analysis, configuration review, segregation validation and passive tests. The goal is to map the path a real attacker would travel — typically from IT to OT — and demonstrate where the frontier fails.
What an oil and gas pentest reveals
Typical findings of an industrial pentest
- ✓Overly permissive or forgotten IT→OT firewall rules
- ✓Engineering workstations without hardening, with outdated software and broad access
- ✓Supplier remote accesses without MFA and without monitoring
- ✓Default or shared credentials on HMIs, industrial switches and PLCs
- ✓Lack of internal segregation in OT — the entire control network in a single flat segment
- ✓Historian and SCADA servers exposed from the corporate network
Each finding comes with a recommendation prioritized by real risk to the process, not by generic CVSS severity. A vulnerability that opens a path from IT to the PLCs of a critical unit deserves more attention than a nominally high-severity flaw isolated in a segment with no operational impact. This contextual prioritization is what turns the pentest report into an executable action plan.
Where to start: from the free diagnosis to the complete program
The worst time to discover the fragility of your OT architecture is during an incident. The best is now, under controlled conditions. Decripte offers a path of gradual adoption that starts at no cost and evolves according to the maturity and criticality of the environment.
First step: free diagnosis
The free Threat Management plan (decripte.com.br/intelligence-center) maps your operation's external exposure surface — what an attacker sees from the outside — before any commitment. It is the fastest way to turn uncertainty into visibility.
From the diagnosis, the program is structured on the right fronts for your risk: 24x7 SOC for continuous detection across IT and OT, Incident Response with a containment SLA of up to 1 hour to ensure that, when something happens, containment is fast and surgical, Pentest with an industrial scope to find the flaws before the adversary, and Compliance to give governance and regulatory backing to the whole. To talk to a specialist and design the scope, use decripte.io/start or the form at /contato.
The cost of not acting
One day of unplanned downtime at a refinery or pipeline terminal usually far exceeds the cost of an entire year of a well-structured security program. OT defense is not an expense — it is insurance against the scenario that takes the operation offline.
Anatomy of an intrusion into the OT network of a refinery (anonymized real-world example)
Real, de-identified example
anonymized real-world example, without identifying the client. A mid-sized refinery operates with a corporate network converged with the OT network for real-time telemetry. There is an old firewall exception linking a corporate workstation to the OT engineering workstation, created years earlier 'to make maintenance easier'. The adversary's goal is ransomware with extortion based on the threat of an operational shutdown. Decripte maintains the 24x7 SOC with passive IT and OT monitoring in the environment.
Phase 0 — Initial access (IT)
Spear-phishing aimed at a process engineer delivers a remote-access implant to their corporate workstation. The account had no MFA. The attacker establishes persistence and begins reconnaissance on the corporate network, without yet touching OT.
Phase 1 — Detection
When pivoting through the firewall exception toward the OT engineering workstation, the attacker generates anomalous traffic: mass PLC configuration reads via Modbus and OPC, outside any maintenance window. Decripte's passive OT monitoring correlates the anomalous login on IT with this unusual traffic toward OT and triggers a high-severity alert in the SOC. Detection still in the reconnaissance phase — before any encryption.
Phase 2 — Containment
The Incident Response team activates surgical containment in coordination with process engineering: the IDMZ conduits are closed, isolating the corporate network from the control network, while OT keeps operating in a safe, monitored mode. The compromised account is revoked, the IT→OT firewall exception is removed and third-party accesses are suspended. The plant does not stop.
Phase 3 — Eradication
Forensic analysis reconstructs the entire access chain from the initial email. Secondary implants and persistence mechanisms are identified and removed. Eradication is only declared complete when forensics confirms there is no longer any attacker access path — avoiding recurrence.
Phase 4 — Recovery
Affected IT systems are restored from validated backups. The zones are reintegrated in a controlled, monitored way, with real-time inspection of the command traffic to the PLCs. The operation resumes IT/OT connectivity only through the hardened IDMZ conduits.
Phase 5 — Lessons learned
The root causes become concrete improvements: mandatory MFA, elimination of direct IT→OT firewall rules, a monitored jump host for third-party access, hardening of the engineering workstations and new detection rules in the SOC for the observed reconnaissance pattern. The incident strengthens the architecture instead of just closing the ticket.
Outcome with Decripte
Because OT monitoring saw the reconnaissance on the control network — instead of waiting for the ransomware to detonate on IT — containment happened while the attacker was still mapping, not executing. There was no operational shutdown, no encryption of critical systems and no process manipulation. The difference between 'incident contained in hours' and 'refinery down for days with million-dollar extortion' was the detection window combined with a containment designed with process engineering, under Decripte's containment SLA of up to 1 hour.
Don’t wait for the incident. Start hardening oil and gas today.
Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.
How Decripte responds to an incident in an oil and gas environment
Industrial incident response follows a non-negotiable rule: no containment action can create a physical risk greater than the attack itself. Every step is coordinated with the plant's process engineering.
- Triage and IT/OT correlation: the SOC validates the alert, correlates IT and OT signals and quickly determines whether the incident touches the control network or is restricted to the corporate one.
- Process-safety assessment: before any action, the team assesses the physical impact of each containment option together with operations — shutting down a SCADA server can be more dangerous than the attack.
- Surgical containment: the attacker's path is isolated at the right point, typically closing the IDMZ conduits between IT and OT, without shutting down what keeps the plant in a safe state, within the containment SLA of up to 1 hour.
- Access revocation: compromised accounts are disabled, supplier and third-party accesses suspended and the command traffic to PLCs is inspected in real time.
- Complete eradication with forensics: reconstruction of the access chain to remove all persistence mechanisms — secondary implants, service accounts, forgotten accesses — avoiding recurrence.
- Controlled recovery: restoration from validated backups and gradual, monitored reintegration of the zones, with IT/OT connectivity resuming only through the hardened conduits.
- Communication and compliance: management of regulatory obligations (LGPD/ANPD when personal data is exposed) and structured communication to stakeholders, with a documented chronology.
- Lessons learned and hardening: the root causes become concrete improvements in architecture, access policy and new detection rules in the SOC.
How Decripte structures security for oil and gas
The sector's defense rests on four integrated pillars, which cover prevention, detection and response without leaving OT without visibility or the plant exposed to operational risk.
Segregation of zones and conduits (IEC 62443 / Purdue)
Establish the industrial IDMZ and segment OT into zones with their own policy, eliminating direct IT→OT routes. It is the control that prevents the migration of a compromise from IT to the control network.
Visibility and passive OT monitoring
Complete inventory of industrial assets and monitoring through port mirroring, seeing Modbus, DNP3, OPC and IEC-104 without injecting traffic or restarting sensitive devices. You cannot protect what you cannot see.
24x7 SOC with IT/OT correlation and Incident Response
Continuous detection that correlates signals from both domains and delivers, without context loss, to the containment team — with a containment SLA of up to 1 hour and a response plan designed for process safety.
Third-party risk management and remote access
Inventory of supplier accesses, mediation through monitored jump hosts with MFA and session recording, closing the most exploited supply-chain compromise vector in the sector.
Compliance and governance (ISO 27001, LGPD, IEC 62443)
Frameworks used as the skeleton of the program — not as audit theater — giving consistency to controls, clarity of responsibilities and regulatory backing integrated into the response plan.
Recommended plans for Oil and Gas
24x7 SOC
In oil and gas the attacker can remain silent for months before acting. The 24x7 SOC with IT/OT correlation detects the reconnaissance on the control network still in the initial phase, before the ransomware detonates or the process is manipulated.
See plan →Incident Response
When the incident touches OT, every minute matters and every action carries physical risk. The containment SLA of up to 1 hour, with surgical containment coordinated with process engineering, contains the attacker without stopping the plant.
See plan →Pentest
Map the real path an attacker would travel from IT to the PLCs and demonstrate where segregation fails — with a methodology adapted to OT, without causing an operational incident during the test.
See plan →Compliance
Structure ISO 27001, IEC 62443 and LGPD as the skeleton of the security program, giving governance, control consistency and the regulatory backing required in the sector's contracts and partnerships.
See plan →Frequently asked questions
Can monitoring the OT network interfere with the plant's operation?
No, when done correctly. Decripte's OT monitoring is passive: it sees traffic through port mirroring (SPAN), without sending any packets to the devices. Unlike IT, where active scans are routine, in OT no traffic is injected that could confuse a PLC or restart a sensitive piece of equipment. Full visibility, zero operational risk.
In a ransomware attack, will I need to stop the refinery?
Decripte's goal is precisely to avoid that. Surgical containment isolates the attacker's path — typically closing the conduits between the corporate network and OT — while the plant keeps operating in a safe, monitored mode. The preventive shutdown, which is what the attacker wants to monetize, only occurs when there is no OT visibility. With well-executed monitoring and containment, the operation continues.
My OT network is isolated (air-gapped). Do I still need cybersecurity?
The air gap is rarely as complete as imagined. Supplier accesses, maintenance USB drives, engineering laptops, firewall exceptions created 'temporarily' and the very IT/OT convergence for telemetry all open paths. Most OT intrusions begin in IT and migrate. Treating OT as isolated and therefore ignoring its security is one of the most common and most exploited mistakes.
What is the industrial IDMZ and why does it matter so much?
The IDMZ (industrial demilitarized zone) is the controlled frontier between the corporate network and the control network. It ensures that no traffic crosses directly from IT to OT: telemetry data passes through intermediate servers, so that a compromise in IT has no direct route to the PLCs. It is one of the most decisive controls for preventing IT→OT migration.
How does Decripte handle the risk from suppliers and maintenance providers?
Integrators and maintenance providers have privileged remote access to OT, making them one of the most exploited vectors. Decripte inventories these accesses, enforces MFA, mediates every connection through monitored jump hosts with session recording and continuously monitors what each third party does on the network. Compromising a supplier can no longer mean compromising the plant.
Can a pentest damage my OT systems during the test?
No, with the right methodology. Decripte restricts active and aggressive tests to IT and the IDMZ, while the OT assessment prioritizes architecture analysis, configuration review and passive tests. The goal is to map the path from IT to the PLCs and demonstrate where segregation fails, without ever creating an operational incident during the test.
Which standards and regulations apply to oil and gas security in Brazil?
Technically, the international reference for industrial automation is the IEC 62443 series, and for information security management, ISO/IEC 27001. In the field of personal data, the LGPD applies, overseen by the ANPD, with a notification obligation in the event of a leak. Decripte structures these frameworks in an integrated way with the security program and the response plan.
Where should I start if I do not yet have an OT security program?
With the free diagnosis at decripte.com.br/intelligence-center, which maps the operation's external exposure surface before any commitment. From there, the program evolves into a 24x7 SOC, Incident Response, Pentest and Compliance according to the environment's risk. To talk to a specialist, use decripte.io/start or the form at /contato.
Sector terms
- OT (Operational Technology)
- Operational technology — the set of hardware and software that monitors and controls physical industrial processes (PLCs, RTUs, SCADA, DCS). Unlike IT, its priority is availability and process safety, not data confidentiality.
- SCADA
- Supervisory Control and Data Acquisition — a supervision and data-acquisition system that lets operators monitor and control industrial processes (refining, pipelines, terminals) from control centers.
- IEC 62443
- A series of international standards for the security of industrial automation and control systems. It defines the zones-and-conduits model that structures the segregation between industrial and corporate networks.
- Purdue Model
- A reference model that stratifies the industrial operation into levels, from Level 0 (physical sensors and actuators) to Level 4/5 (corporate network and internet), with an industrial IDMZ separating OT from IT.
- IDMZ
- Industrial demilitarized zone — a controlled frontier between the corporate network and the control network, which prevents direct IT→OT traffic and blocks the migration of a compromise from IT to the industrial systems.
- PLC
- Programmable Logic Controller — a device that executes the control logic of physical processes (valve opening, pressure and temperature control). Many use protocols with no native authentication, such as Modbus.
Decripte protects and responds to incidents in oil and gas.
Pentest, 24x7 SOC, incident response with a 1-hour containment SLA and compliance — without building an internal team. Or start free by seeing what has already leaked from your company.
