Process-Oriented OT Cybersecurity: The View Beyond the Network
A cyberattack on operational technology rarely looks like one.
Process values appear stable, dashboards report normal parameters, yet behind those readings the control logic has already been altered. When attackers manipulate data at the PLC or HMI level, the very systems designed to ensure safety become part of the attack surface.
Traditional OT monitoring tools can't detect that manipulation on their own: they watch the same network and data paths that the attacker has already compromised. Once the control environment is breached, even limited changes to control logic or communication paths can distort both how the process behaves and what operators see.
That is a dangerous gap, because the system designed to provide assurance becomes the point of deception.
Most cybersecurity tools depend on the same network pathways that attackers target first.
Once those pathways are compromised, every system that reads from them, including network Intrusion Detection Systems, inherits the same falsified picture: an IDS watching the wire sees well-formed traffic carrying values the attacker chose. If an attacker falsifies process data at the PLC or HMI level, the organization effectively loses visibility into its own operations.
At that point, the CISO faces two imperfect options:
- Shut down production, risking unnecessary downtime if the intrusion is limited to IT or network layers.
- Continue operating, risking damage to assets, safety systems, or production if the process itself has been compromised.
Without an independent, out-of-band view of the physical process, there's no way to know which decision is right.
An August 2023 incident in Microsoft's Australia East data center region illustrates how such visibility gaps can escalate. A brief utility power disturbance disrupted the cooling systems that supported critical server clusters. Control displays did not immediately show a fault, even as temperatures in the equipment halls began to rise. Later analysis pointed to a coordination issue between chillers and pump controls: a process-layer failure that higher-level monitoring systems did not detect in real time.
The event revealed a broader truth: when monitoring is confined to the network layer, organizations risk missing failures (or attacks) that begin in the physical process itself.
Operational certainty depends on a separate, unfiltered view of the process layer: data that remains trustworthy even when automation systems or network tools have been compromised or have fallen out of sync.
Process-oriented OT cybersecurity closes that visibility gap.
It gives CISOs a direct, out-of-band view of Level 0 process signal data. Because the signal is captured electrically at the I/O, upstream of the PLC, a compromised PLC or HMI cannot rewrite it (the reading is, of course, only as trustworthy as the field instrument and wiring it taps).
SIGA's SigaML² applies Multi-Level Machine Learning across all layers of the Purdue Model (0–4), combining network-level visibility with unfiltered electrical signal data from the process layer.
It brings together three core components:
- SigaGuard hardware sensors - installed non-intrusively on select I/Os to capture raw electrical signals directly from equipment.
- SigaGuardX software - analyzes process and network data in real time to identify anomalies, false data injections, and process deviations.
- S-PAS simulation platform - enables cybersecurity and operations teams to safely rehearse attack scenarios, refine response playbooks, and improve coordination.
Together, these tools form a CISO decision-support system during active cyberattacks - helping teams verify the integrity of process data, assess the scope of impact, and decide whether to isolate, continue operations, or initiate recovery.
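To make the cross-check concrete, here is an added example that is not SIGA's code and not part of the original article. It simulates what an out-of-band tap on one 4-20 mA analog input would see, compares it with the value the PLC/HMI reports for the same tag, and turns a window of samples into the decision the CISO faces above (isolate, continue, or call maintenance). The tag, its scaling and tolerance, the three-sample threshold, and every sample value are constructed for the example; the NAMUR NE43 fault band is the only real convention used.

```python
"""Out-of-band Level 0 cross-check against PLC/HMI-reported values.

Illustrative code, not SIGA's software. A hardware tap on the I/O terminal
supplies the raw loop current; the HMI supplies the value it displays for the
same tag. Disagreement beyond the instrument tolerance means the displayed
value is decoupled from the physical signal (false data injection); agreement
plus an out-of-limit physical value means a genuine process excursion.
All tag definitions and sample windows below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# NAMUR NE43 convention: a 4-20 mA loop outside these bounds signals an
# instrument or wiring fault rather than a process value.
NE43_FAULT_LOW_MA = 3.6
NE43_FAULT_HIGH_MA = 21.0


@dataclass(frozen=True)
class Tag:
    name: str
    lo_eu: float      # engineering value at 4 mA
    hi_eu: float      # engineering value at 20 mA
    tol_eu: float     # max acceptable raw-vs-reported mismatch (assumed accuracy budget)
    alarm_hi: float   # process high limit in engineering units


def ma_to_eu(tag: Tag, ma: float) -> float:
    """Standard linear 4-20 mA scaling to engineering units."""
    return tag.lo_eu + (ma - 4.0) * (tag.hi_eu - tag.lo_eu) / 16.0


def classify_sample(tag: Tag, raw_ma: float, reported_eu: float) -> Tuple[str, float]:
    """Classify one (raw signal, HMI-reported value) pair.

    Returns (verdict, physical_value_eu). A faulted loop carries no trustworthy
    physical value, so it is checked before any comparison is attempted.
    """
    physical = ma_to_eu(tag, raw_ma)
    if raw_ma < NE43_FAULT_LOW_MA or raw_ma > NE43_FAULT_HIGH_MA:
        return "SIGNAL_FAULT", physical
    if abs(physical - reported_eu) > tag.tol_eu:
        # Reported value is decoupled from the wire: injected or rescaled
        # somewhere between the I/O card and the HMI.
        return "FALSE_DATA", physical
    if physical > tag.alarm_hi:
        # Wire and HMI agree, and the process really is out of limits.
        return "PROCESS_DEVIATION", physical
    return "OK", physical


def assess_window(tag: Tag, samples: List[Tuple[float, float]], min_hits: int = 3) -> str:
    """Reduce a window of samples to one operational decision.

    min_hits (assumed threshold) suppresses alarms on a single noisy scan.
    Injected data takes precedence: it invalidates everything the HMI shows
    for this tag, so it must drive the decision even if limits look fine.
    """
    counts: Dict[str, int] = {}
    for raw_ma, reported_eu in samples:
        verdict, _ = classify_sample(tag, raw_ma, reported_eu)
        counts[verdict] = counts.get(verdict, 0) + 1
    if counts.get("FALSE_DATA", 0) >= min_hits:
        return "PROCESS_COMPROMISED"   # HMI is lying about this tag: isolate
    if counts.get("PROCESS_DEVIATION", 0) >= min_hits:
        return "PROCESS_EXCURSION"     # real and visible on the HMI: operations handles it
    if counts.get("SIGNAL_FAULT", 0) >= 1:
        return "INSTRUMENT_FAULT"      # no trustworthy physical value: maintenance check
    return "PROCESS_VERIFIED"          # physics matches HMI: any intrusion is IT/network-only


# Constructed tag: chiller supply water temperature, 4-20 mA = 0..50 degC,
# +/-1.0 degC tolerance, high alarm at 40 degC.
CHILLER_SUPPLY_TEMP = Tag("CHW_SUPPLY_TEMP", 0.0, 50.0, 1.0, 40.0)

# Constructed windows of (raw_mA, HMI-reported degC), one sample per scan.
NORMAL_WINDOW = [(12.0, 25.0), (12.2, 25.6), (12.1, 25.3), (12.3, 25.9), (12.0, 25.0)]
# Attacker freezes the displayed value at 25 degC while the wire shows the
# temperature climbing (12.0 mA = 25.0 degC ... 17.6 mA = 42.5 degC).
INJECTED_WINDOW = [(12.0, 25.0), (12.8, 25.0), (14.4, 25.0), (16.0, 25.0), (17.6, 25.0)]
# Genuine excursion: wire and HMI agree, and both climb past the 40 degC limit.
EXCURSION_WINDOW = [(16.4, 38.8), (17.2, 41.2), (17.6, 42.5), (18.0, 43.8), (18.4, 45.0)]

if __name__ == "__main__":
    for label, window in (("normal", NORMAL_WINDOW),
                          ("injected", INJECTED_WINDOW),
                          ("excursion", EXCURSION_WINDOW)):
        print(f"{label:10s} -> {assess_window(CHILLER_SUPPLY_TEMP, window)}")
```

The decision logic is deliberately ordered: a window that contains injected values is reported as compromised even when every displayed reading sits inside limits, because that is exactly the case in which the HMI would otherwise argue for continuing production. A real deployment would run this per tag across the selected I/Os and fuse the verdicts, with the tolerance derived from the instrument's stated accuracy rather than the fixed value assumed here.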
For CISOs in critical infrastructure, data centers, and manufacturing, "process-oriented" cybersecurity is no longer optional. It's the foundation for operational resilience.