What is Threat Intelligence?
Threat Intelligence is the systematic gathering, analysis and application of information about existing and emerging cyber threats. The goal is to help organisations better protect, prepare and respond to attacks.
In OT networks, Threat Intelligence is crucial for identifying relevant threats and focusing defence on techniques that are actually used against industrial systems.
🧠 How does Threat Intelligence work?
- Threat information is collected through:
- Open sources (OSINT)
- Commercial feeds
- Communities and government bodies (such as NCSC, CERT, CISA)
- Internal sources (e.g. SIEM, incident logs)
- This data is analysed to:
- Identify indicators of compromise (IOCs) (e.g. IP addresses, domains, hashes)
- Map adversary TTPs (see MITRE ATT&CK)
- Assess risks for the specific environment (e.g. an OT network)
- The information is applied in:
- Threat Hunting
- Detection rules (SIEM, EDR)
- Policy and prioritisation of patch management and Incident Response
Threat Intelligence is only valuable when applied in an action-oriented and context-specific way.
🏭 Application of Threat Intelligence in OT environments
- Identifying attackers targeting ICS, such as Xenotime, Sandworm or APT33
- Enriching SIEM data with OT-specific threat feeds
- Updating Firewall rules and IDS signatures based on current threats
- Mapping attackers to techniques within MITRE ATT&CK for ICS
- Use during tabletop exercises and Threat Simulations
OT Threat Intelligence is often different from IT intelligence: less frequent, but often much more impactful.
🔍 Strategic vs. tactical vs. technical
| Type | Goal | Application in OT |
|---|---|---|
| Strategic | High-level: who are the threat actors and why | Risk assessment and investment decisions |
| Tactical | How they operate (TTPs, MITRE) | Structuring detection and defence |
| Technical | IOCs: IPs, domains, malware hashes | Blocking and alerting in firewall/EDR/SIEM |
🔐 Security aspects
- Threat Intelligence increases situational awareness within OT
- Combine with MITRE D3FEND for more effective defence
- Integrate feeds into SIEM, SOAR or SOC for automatic enrichment
- Collaborate with sector initiatives (e.g. ISACs) for industry-specific intel
- Apply intelligence policy in line with IEC 62443, ISO 27001 or NIS2
Relevance is crucial: too much noise leads to blindness; too little intel leads to surprise.
📌 In summary
Threat Intelligence enables OT organisations to take targeted security measures, based on current threats and known attackers. It is an indispensable building block within a mature Cybersecurity strategy.