I get asked a lot about where to start when designing protection for critical infrastructure, and
specifically where Intrusion Detection Systems (IDS) sit in the order of priorities.
Here are my thoughts, based on my own experience, on what I have learned and, mostly, on listening to some very sharp practitioners. All of it is more relevant today, particularly in the Middle East. Organisations there are focused on operational continuity during an uncertain period, which creates a dangerous gap: security fundamentals are deprioritised while threats are actively increasing.
Now is the time to return to basics and focus on ‘locking the door’ first, while we still can.
So, where does the IDS sit?
IDS is a key part of an OT cybersecurity strategy, and it is primarily a visibility and detection control. It monitors OT network traffic and alerts on anomalies or known threats in near real time.
Think of the security architecture as a building. Firewalls and network segmentation are the doors and walls that define the perimeter and control the traffic; the IDS is the cameras and alarm system that watches everything and raises an alert on any unauthorised movement.
In OT environments, that’s valuable because:
- Networks are predictable/static, so anomalies stand out more easily
- Without monitoring, attackers can dwell undetected for long periods
- It improves incident response and situational awareness
But is it a priority?
Yes. IDS is a key component of an OT security architecture, but not in isolation.
In OT, priorities follow a risk-based, safety-first, defence-in-depth approach:
1. Get foundational priorities right
Before IDS delivers real value, these come first:
- Asset inventory & visibility (perhaps part of a wider risk/gap/vulnerability/maturity assessment)
- Network segmentation (zones/conduits, Purdue model)
- Firewalls/access control
- Secure remote access
- Patch & vulnerability management (where feasible)
Firewalls and segmentation are typically the frontline controls that reduce attack surface and enforce policy. These are your locks and walls; without them, the IDS is monitoring an open building.
2. Then IDS becomes high value
Once the basics are in place, IDS becomes critical because:
- You now have something meaningful to monitor
- It provides deep visibility into industrial protocols (Modbus, DNP3, etc.)
- It enables early detection without disrupting operations (passive monitoring is ideal for OT)
In mature OT environments it is considered essential for monitoring Purdue Levels 1–3.
The key nuance in OT
Unlike in IT, an OT IDS is usually passive: it detects but does not block, so that a false positive or a missing piece of context (both common before the system is tuned) can never disrupt the process. This means IDS complements your preventive controls; it does not replace them.
So, in a region under active threat, you cannot afford to skip the basic countermeasures: firewalls, secure network design, and user and access control.
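To make the "locks and walls first, then cameras" ordering concrete, here is an added example of my own (not code from the original post, and not OTNexus): a default-deny zone/conduit check that stands in for the firewall and segmentation controls listed under the foundational priorities, followed by a passive Modbus/TCP monitor that learns a baseline from known-good traffic and then alerts, without ever blocking, on anything new. All addresses, zones and frames are constructed for the example, and the baseline-and-alert logic is a deliberately simplified stand-in for a commercial OT IDS.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Modbus function codes from the public Modbus Application Protocol spec. Writes change process state.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

# Constructed zone map and conduit policy (hypothetical addresses). This is what the firewall enforces:
# default deny, with one explicit conduit allowing Modbus/TCP from the supervisory zone to the control zone.
ZONES: Dict[str, str] = {"10.1.2.10": "supervisory", "10.1.2.11": "supervisory",
                         "10.1.2.99": "supervisory", "10.1.3.20": "control", "10.2.0.5": "enterprise"}
CONDUITS: Set[Tuple[str, str, int]] = {("supervisory", "control", 502)}

def firewall_permits(src: str, dst: str, dport: int) -> bool:
    """Locks-and-walls control: a flow passes only if a conduit exists between its zones for that port."""
    return (ZONES.get(src), ZONES.get(dst), dport) in CONDUITS

@dataclass(frozen=True)
class ModbusRequest:
    src: str       # client (master) address
    dst: str       # server (PLC) address
    unit_id: int   # MBAP unit identifier
    function: int  # Modbus function code

def build_request(transaction_id: int, unit_id: int, function: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request (7-byte MBAP header + PDU); used here only to construct sample frames."""
    pdu = bytes([function]) + data
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu

def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Parse the MBAP header and function code of a captured Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _txid, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame length")
    return ModbusRequest(src, dst, unit_id, payload[7])

class PassiveModbusMonitor:
    """Cameras-and-alarm control: learns a baseline from a traffic copy, then alerts. It never drops frames."""
    def __init__(self) -> None:
        self.baseline: Set[Tuple[str, str, int, int]] = set()

    @staticmethod
    def _key(req: ModbusRequest) -> Tuple[str, str, int, int]:
        return (req.src, req.dst, req.unit_id, req.function)

    def learn(self, req: ModbusRequest) -> None:
        """Learning window: record every (client, server, unit, function) seen while the process is known-good."""
        self.baseline.add(self._key(req))

    def inspect(self, req: ModbusRequest) -> Optional[str]:
        """Detection window: return an alert for anything outside the baseline, or None."""
        if self._key(req) in self.baseline:
            return None
        name = WRITE_FUNCTIONS.get(req.function) or READ_FUNCTIONS.get(req.function) or "unknown function"
        # A write from an unexpected source can change the physical process, so it is rated higher.
        severity = "HIGH" if req.function in WRITE_FUNCTIONS else "MEDIUM"
        return (f"{severity}: new Modbus conversation {req.src} -> {req.dst} "
                f"unit {req.unit_id}: {name} (fc {req.function})")

def run_demo() -> Tuple[List[str], List[str]]:
    """Run constructed traffic (not a real capture) through the firewall check and then the monitor."""
    hmi, scada, plc, laptop, corp = "10.1.2.10", "10.1.2.11", "10.1.3.20", "10.1.2.99", "10.2.0.5"
    monitor = PassiveModbusMonitor()

    # Learning window: the repetitive polling of a static OT network.
    for src, dst, frame in [
        (hmi, plc, build_request(1, 1, 3, b"\x00\x00\x00\x0a")),                 # HMI reads 10 registers
        (scada, plc, build_request(2, 1, 16, b"\x00\x10\x00\x01\x02\x00\x2a")),  # SCADA writes a setpoint
    ]:
        monitor.learn(parse_modbus_tcp(src, dst, frame))

    # Detection window: normal polling plus three things that should not be there.
    observed = [
        (hmi, plc, build_request(3, 1, 3, b"\x00\x00\x00\x0a")),     # normal poll: no alert
        (corp, plc, build_request(4, 1, 6, b"\x00\x10\x00\x00")),    # enterprise host: firewall drops it
        (laptop, plc, build_request(5, 1, 6, b"\x00\x10\x00\x00")),  # in-zone laptop: firewall allows, IDS alerts
        (hmi, plc, build_request(6, 1, 1, b"\x00\x00\x00\x08")),     # known host, new function: tuning candidate
    ]
    alerts, dropped = [], []
    for src, dst, frame in observed:
        if not firewall_permits(src, dst, 502):
            dropped.append(f"{src} -> {dst}:502")
            continue  # a blocked flow never reaches the SPAN port or TAP the IDS listens on
        alert = monitor.inspect(parse_modbus_tcp(src, dst, frame))
        if alert:
            alerts.append(alert)
    return alerts, dropped

if __name__ == "__main__":
    found, blocked = run_demo()
    print("dropped by firewall:", blocked)
    print("\n".join(found))
```

Two things are worth noticing when you run it. The enterprise host never generates an alert because the conduit policy dropped it before the IDS saw anything, which is the "locks first" argument in miniature. The laptop is in an allowed zone on an allowed port, so the firewall cannot distinguish it from the SCADA server; only protocol-level visibility (the function code) exposes the unexpected write. The last alert, a known HMI using a function code that simply never appeared during the learning window, is the false-positive case the nuance above describes: in practice the baseline is rebuilt after approved change windows and such alerts are triaged and tuned rather than acted on automatically.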
Bottom Line
Yes, IDS is a high-priority capability for OT security, but it is not the first priority. It becomes critical once you have established a basic security architecture.
A simple way to think about this is:
- Firewalls & segmentation → lock the doors
- IDS → install cameras and alarms
You need both, but you don’t start with cameras.
Book a demo of OTNexus and secure your operations against the ransomware ecosystem that’s active in the wild right now.