The challenge
The manufacturer operated converged IT/OT environments at seven sites. PLCs, HMIs and SCADA systems had been retrofitted onto modern networks but were never designed for security. A previous attempt to deploy endpoint agents into OT had crashed two production lines.
Leadership needed visibility into OT activity without any agent footprint on production equipment, plus 24/7 monitoring across all sites simultaneously.
The approach
Vijilan deployed passive network sensors at each site, mirroring switch traffic to a Cribl Stream pipeline. Zero agents on PLCs, HMIs, or SCADA endpoints. Zero in-line latency.
The Vijilan SOC built playbooks specific to OT response, including a "do not isolate" decision tree for safety-critical equipment. Containment actions for OT events route to the OT engineering team for approval rather than auto-executing.
Real-time monitoring covered Modbus, DNP3, EtherNet/IP, Profinet and BACnet traffic. Anomalies on OT segments were cross-correlated with corporate IT events in ThreatLog SIEM.
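The sensor-side logic described above, reduced to one protocol, as an added example that is not Vijilan's code or any part of ThreatLog SIEM: it parses mirrored Modbus/TCP requests, builds the asset inventory from every talker it sees, alerts on write function codes from hosts not on an allow list, and applies a "do not isolate" rule so that events sourced inside the OT segment are handed to OT engineering rather than auto-contained. The OT subnet, the allow-listed engineering workstation, the safety-critical PLC address and all sample frames are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Modbus function codes that alter process state; reads are deliberately left out.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}
FUNCTION_NAMES = {
    1: "Read Coils", 3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(src: str, dst: str, payload: bytes):
    """Parse a mirrored Modbus/TCP request (MBAP header + PDU).
    Returns None for anything malformed so a bad frame never raises on the sensor."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0 for Modbus; the length field covers unit id + PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return ModbusRequest(src, dst, tid, unit, payload[7], payload[8:])


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a well-formed frame; used here only to construct the sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class PassiveOTMonitor:
    """Passive sensor logic: inventory every talker, alert on writes from unexpected
    hosts, and route containment with a 'do not isolate' rule for the OT segment."""

    def __init__(self, ot_cidr, allowed_writers, safety_critical):
        self.ot_net = ipaddress.ip_network(ot_cidr)       # hypothetical OT segment
        self.allowed_writers = set(allowed_writers)       # engineering hosts permitted to write
        self.safety_critical = set(safety_critical)       # PLCs that must never be auto-isolated
        self.inventory = {}                               # ip -> role and function codes seen
        self.alerts = []

    def _record(self, ip, role, fc):
        entry = self.inventory.setdefault(ip, {"role": role, "function_codes": set()})
        entry["function_codes"].add(fc)

    def observe(self, src, dst, payload):
        """Feed one mirrored frame; returns an alert dict or None."""
        req = parse_modbus_tcp(src, dst, payload)
        if req is None:
            return None
        self._record(src, "client", req.function_code)
        self._record(dst, "server", req.function_code)
        if req.function_code in WRITE_FUNCTION_CODES and src not in self.allowed_writers:
            alert = {
                "src": src, "dst": dst, "unit": req.unit_id,
                "function": FUNCTION_NAMES.get(req.function_code, f"FC {req.function_code}"),
                "severity": "high" if dst in self.safety_critical else "medium",
            }
            self.alerts.append(alert)
            return alert
        return None

    def decide_containment(self, alert):
        """Sources inside the OT segment are never auto-isolated; OT engineering decides.
        Sources outside it (IT endpoints) can be contained on the IT side."""
        if ipaddress.ip_address(alert["src"]) in self.ot_net:
            return "route_to_ot_engineering"
        return "isolate_it_host"


def run_demo():
    """Replay constructed sample traffic; returns the monitor and the containment decisions."""
    mon = PassiveOTMonitor("10.20.0.0/16",
                           allowed_writers={"10.10.5.20"},
                           safety_critical={"10.20.1.12"})
    frames = [  # (src, dst, payload) - all addresses and values are constructed
        ("10.10.5.20", "10.20.1.10", build_request(1, 1, 3, b"\x00\x00\x00\x0a")),        # read: inventory only
        ("10.10.5.20", "10.20.1.10", build_request(2, 1, 16, b"\x00\x10\x00\x01\x02\x00\x2a")),  # allowed writer
        ("10.1.50.77", "10.20.1.10", build_request(3, 1, 6, b"\x00\x10\x00\x00")),        # IT host writing into OT
        ("10.20.1.55", "10.20.1.12", build_request(4, 1, 5, b"\x00\x01\xff\x00")),        # HMI writing to safety PLC
        ("10.1.50.77", "10.20.1.10", b"\x00\x05\x00\x00\x00"),                             # truncated frame: ignored
    ]
    decisions = []
    for src, dst, payload in frames:
        alert = mon.observe(src, dst, payload)
        if alert:
            decisions.append(mon.decide_containment(alert))
    return mon, decisions


if __name__ == "__main__":
    monitor, actions = run_demo()
    for ip, entry in sorted(monitor.inventory.items()):
        print(ip, entry["role"], sorted(entry["function_codes"]))
    for alert, action in zip(monitor.alerts, actions):
        print(alert, "->", action)
```

The two alerts produced by the replay illustrate the split the playbook makes: the write from the IT host is a candidate for containment on the IT side, while the write from the HMI to the safety-critical PLC is queued for OT engineering review rather than acted on automatically.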
The outcome
In year one, the SOC caught two compromised IT endpoints attempting lateral movement into the OT segment. Both were contained on the IT side before reaching production systems.
Continuous OT asset inventory uncovered 47 previously unknown devices, including legacy HMI workstations running unpatched Windows XP that had been forgotten in storage.
Production uptime held at 99.9%. The OT security program passed audit for IEC 62443 maturity level 2 on first attempt.
"Our line cannot pause for security. Vijilan is the only partner who never asked it to."