Passive industrial network sensor leased on a 36-month bundle. Full OT/ICS asset visibility with zero production impact — for manufacturing, oil and gas, utilities, and NCII-designated operators.

The convergence of IT and OT networks, driven by Industry 4.0, remote monitoring, cloud-connected SCADA, and digital twin initiatives, has fundamentally changed the threat landscape for industrial operators. OT systems that were previously isolated now share network infrastructure with corporate IT. This connectivity delivers operational benefits but opens attack paths that OT systems were not designed to defend against.
Three OT-specific threat scenarios observed in the region:
(1) Ransomware via IT/OT lateral movement: adversaries compromise a corporate workstation via phishing, traverse the IT network, exploit a poorly segmented IT/OT boundary, and deploy ransomware on SCADA servers. Production halts when operators lose process visibility.
(2) Remote access abuse: vendor and maintenance contractor VPN access into OT networks is often permanent, unmonitored, and credential-shared. A compromised contractor account provides direct access to PLCs and RTUs.
(3) Rogue device persistence: threat actors have been observed installing small unauthorised devices on OT network switch ports to maintain persistent access invisible to IT monitoring tools.
Malaysian manufacturing facilities, petrochemical operators, and power utilities under Tenaga Nasional and SESB are increasingly subject to Cyber Security Act 2024 obligations as NCII-designated entities. The monitoring requirement in that framework cannot be satisfied by IT security tools that have no visibility into OT protocols. See the managed security leasing overview and consider pairing with Backup-as-a-Service for ransomware recovery planning specific to OT environments.
The foundational requirement for any OT security control is that it must not be able to cause a safety event. A tool that actively probes PLCs — sending Modbus or S7 read/write requests to test for vulnerabilities — risks triggering unexpected PLC behaviour, causing process trips, or interfering with real-time control cycles. This is why the active-scanning approaches used in IT security are categorically inappropriate for OT environments.
Our OT sensor is passive by design. The sensor receives a copy of all network traffic via a SPAN port or optical TAP and analyses it without injecting any traffic. PLCs and RTUs do not receive any traffic from the sensor. The sensor cannot cause process interference under any failure mode — even if the sensor hardware fails completely, the mirrored traffic path fails safely without affecting the primary network.
Our deployment methodology requires plant engineer sign-off at each stage. We review the P&ID (piping and instrumentation diagram) with the plant engineering team before installation to confirm which network segments are in scope and how SPAN/TAP configuration will be performed without affecting production traffic paths. The sensor is installed during a planned maintenance window where available, and the initial passive discovery phase runs for one week before we present the asset inventory and network baseline to the plant team for review. For air-gapped plants, sensor data is collected locally and synced via secure data diode or manual transfer.
The sensor is passive — it only analyses traffic that is mirrored to it via a SPAN port or network TAP. It injects zero packets into the OT network. PLCs, RTUs, HMIs, and SCADA servers do not know the sensor exists. This is the fundamental architectural requirement for any OT security tool: the security control must not be capable of causing a safety event. Our deployment methodology requires sign-off from plant engineers before any hardware is installed, and the TAP/SPAN configuration is reviewed against the plant P&ID to confirm no production traffic path is modified.
All three vendors — Claroty, Nozomi, and Dragos — support over 200 industrial protocols out of the box. This includes Modbus, DNP3, IEC 61850, IEC 60870-5-104, Siemens S7 (300/400/1200/1500), Profinet, EtherNet/IP, OPC-UA, OPC-DA, HART, BACnet, LonWorks, and many others. Protocol coverage is updated continuously as vendors release new signatures. For unusual or proprietary protocols specific to your equipment vendor, we work with the vendor to add support during the discovery phase.
The Cyber Security Act 2024 establishes NACSA as the national cybersecurity authority with power to designate National Critical Information Infrastructure across eleven sectors including energy, water, manufacturing, and transport. NCII designation imposes annual risk assessments, biennial audits, and mandatory incident reporting. Continuous OT network monitoring directly supports the monitoring obligation and provides the asset inventory, anomaly detection, and incident telemetry that NACSA-aligned risk assessments require. nCrypt supplies NACSA-aligned documentation covering asset inventory, network topology, monitoring coverage, and incident response procedures. This service helps organisations prepare for NCII compliance but does not constitute legal advice.
Yes, for several common ransomware behaviours. Before encryption, ransomware typically performs network enumeration (scanning for accessible shares and systems), lateral movement (moving from a compromised IT workstation toward OT systems), and data staging (aggregating files before exfiltration). The OT sensor detects these behaviours as anomalies against the established network baseline — unusual connection patterns between the IT/OT boundary, unexpected Modbus read cycles, new devices appearing on the OT network. Early detection triggers an alert to nCrypt SOC and, if confirmed, allows containment before the encryption payload reaches OT systems.
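The baseline comparison described above can be sketched as follows. This is an added example, not the vendors' or nCrypt's detection logic; the subnets, addresses, flow records and alert field names are constructed assumptions. It works only on flow records taken from mirrored traffic and sends nothing onto the network.

```python
import ipaddress
import json

# Constructed assumptions: subnet layout and all flow records are illustrative.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("192.168.50.0/24")

# Flow record: (src, dst, dst_port, Modbus function code or None)
BASELINE_FLOWS = [
    ("192.168.50.10", "192.168.50.21", 502, 3),   # HMI polls PLC (read holding registers)
    ("192.168.50.10", "192.168.50.22", 502, 3),
    ("10.10.4.15", "192.168.50.10", 443, None),   # historian pull across the boundary
]
OBSERVED_FLOWS = [
    ("192.168.50.10", "192.168.50.21", 502, 3),   # matches the baseline
    ("10.10.7.88", "192.168.50.21", 502, 3),      # IT workstation reading a PLC directly
    ("192.168.50.99", "192.168.50.22", 502, 3),   # device never seen on the OT segment
    ("192.168.50.10", "192.168.50.22", 502, 16),  # write where the baseline only has reads
]

def in_net(ip, net):
    return ipaddress.ip_address(ip) in net

def build_baseline(flows):
    """Learn known devices, conversations and Modbus usage from the discovery period."""
    base = {"devices": set(), "pairs": set(), "modbus": set()}
    for src, dst, port, fc in flows:
        base["devices"].update((src, dst))
        base["pairs"].add((src, dst, port))
        if fc is not None:
            base["modbus"].add((src, dst, fc))
    return base

def detect(base, flows):
    """Return one alert per flow that deviates from the baseline."""
    alerts = []
    for src, dst, port, fc in flows:
        reasons = []
        if any(in_net(h, OT_NET) and h not in base["devices"] for h in (src, dst)):
            reasons.append("new_ot_device")
        crossing = in_net(src, IT_NET) and in_net(dst, OT_NET)
        if crossing and (src, dst, port) not in base["pairs"]:
            reasons.append("new_it_ot_crossing")
        if fc is not None and (src, dst, fc) not in base["modbus"]:
            reasons.append("unexpected_modbus_function")
        if reasons:
            alerts.append({"src": src, "dst": dst, "port": port,
                           "modbus_fc": fc, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(json.dumps(alert))  # one JSON object per alert
```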
Yes. Heterogeneous OT environments are the norm, not the exception. Most manufacturing plants accumulate assets over decades from multiple vendors — Siemens, Rockwell, Honeywell, ABB, Schneider Electric, Emerson — with different protocols, different software versions, and different patch levels. Asset discovery during the first deployment week identifies every device that communicates on the monitored network segments, including devices that IT has no record of. This asset inventory is often the first complete OT asset register an organisation has ever had.
OT alerts feed the same nCrypt SOC as IT alerts, but OT-specific runbooks are applied by analysts trained in process-safety implications. Containment actions that are appropriate in IT (isolating a workstation) can be dangerous in OT (isolating a SCADA server may cause a loss of process view). Our OT-SOC runbooks require explicit process-safety review before any containment action on OT systems. For organisations with an in-house SOC, we feed OT alerts to your SIEM in CEF or JSON format and can train your analysts on OT-specific response procedures.
Hardware-as-a-Service · 36-month bundle
Claroty, Nozomi, or Dragos sensor — passive visibility into PLCs, RTUs, and SCADA. NACSA-aligned. Zero impact on operations.
OT sensor appliance (passive monitoring)
Asset inventory of all PLCs/RTUs/HMIs
Network baseline and anomaly detection
Quarterly OT threat reports
NACSA / NIST CSF for OT documentation
Hardware refresh at month 30
SMB: RM 6,000 – 10,000 / month (single sensor, single plant, <1,000 OT assets)
MidMarket: RM 10,000 – 22,000 / month (2-4 plants, HA sensors, 1,000-5,000 OT assets)
Enterprise: RM 22,000 – 60,000+ / month (national operator, 10+ sites, 10,000+ OT assets, dedicated OT-SOC team)
Financing available via our partner financial institutions. Indicative monthly figures based on standard 36-month terms; final pricing subject to credit assessment and signed master service agreement.