The Process-Oriented View: CISO Visibility During an OT Attack

It’s 3 AM. The CISO’s phone rings. A critical OT cyberattack is underway.

Within minutes, the most critical assets – turbines, pumps, valves, and compressors – could be compromised. Every second matters.
If attackers gain command of the industrial process, the consequences can be catastrophic.

The CISO’s default move is to check the ICS. But what if the displays are wrong?

What if the controls themselves have been compromised and the data displayed to operators has been manipulated to hide the attack?

Nearly every cybersecurity tool looks at data flowing through the same channels the attacker controls. Once that data is falsified inside a PLC or HMI, the control room will insist that everything is fine – right up until it isn’t. At that point, the CISO faces a high-stakes decision:

• Shutting down operations could be enormously costly (and ultimately unnecessary) if the intrusion is limited to the network layer.
• But continuing to run without visibility into the underlying processes, risks damage to physical assets, safety systems, and production.

Earlier this year, at the Risevatnet dam in Norway, operators lost visibility into key systems following a cyber incident. The breach wasn’t detected by any Intrusion Detection System. It was discovered by a security guard who noticed irregular activity on-site.

In OT environments, relying on a random human observation is not a security strategy.

Once the intrusion is underway, CISOs need a direct, out-of-band view into the industrial process – a data stream that can’t be altered by hackers and that provides verifiable evidence of what’s really happening.

right

That’s where SIGA’s SigaML² platform comes in.  It combines 3 core components:

SigaML² applies Multi-Level Machine Learning across all levels of the Purdue Model (0–4), detecting and classifying OT cyber events in real time.

1. SigaGuard hardware sensors – installed non-intrusively on selected I/Os – provides unfiltered electrical signal data from the physical layer. This data cannot be spoofed or corrupted.
2. SigaGuardX software continuously analyzes data from Levels 0–4 to identify anomalies and false data injections, even when control systems appear normal.
3. S-PAS, the process attack simulation module, lets cybersecurity and operations teams safely rehearse attack scenarios, build response playbooks, and strengthen coordination.

Together, these capabilities provide the CISO and operations team with a real-time decision support system. During an active incident, SigaML² helps determine whether the event is operational or cyber in nature – and informs containment decisions such as whether to isolate, continue operations, or initiate recovery.

SigaML² reflects a global regulatory shift.

Standards such as NIS2 in Europe, CIRCIA in the U.S., and the latest NIST guidance all emphasize continuous, process-level monitoring and the ability to detect manipulation at the field I/O level.

Regulators and boards alike now expect CISOs to prove that incident detection and response extend beyond the network to the physical process itself.

At 3 AM, the CISO needs certainty – an unfiltered signal from the process that tells them exactly what’s happening.

That’s what SIGA delivers: true process-layer visibility when it matters most.