
Understanding NDR Architecture for Modern Security


Team Shieldworkz
Understanding NDR Architecture for Modern OT Security
Every industrial network tells a story through its traffic. Every command sent to a programmable logic controller, every handshake between a historian and an engineering workstation, every unexpected connection reaching out from a remote terminal unit is part of that story. Most organizations, however, are not reading it. They are relying on firewalls and antivirus tools that were never designed to understand the language of industrial control systems, and by the time an anomaly is noticed, the damage is already unfolding on the plant floor.
Network Detection and Response, commonly known as NDR, has emerged as one of the most important architectural layers for closing that gap. But NDR is not a single product you install and forget. It is a layered architecture of sensors, analytics, intelligence, and response workflows, each playing a distinct role in spotting the signals that traditional IT-focused security tools miss inside operational technology environments.
The stakes have shifted in a way that is hard to overstate. A decade ago, most industrial networks were physically isolated from the internet, and the primary security concern was accidental misconfiguration rather than deliberate compromise. Today, remote access for vendors, cloud-connected historians, and the steady digitization of maintenance and production data mean that nearly every control network has some path, direct or indirect, to the outside world. Visibility into that network is no longer a nice-to-have. It is the difference between catching an intrusion in its early, quiet stages and discovering it only after production has already been disrupted.
What Is Network Detection and Response, Really?
At its simplest, Network Detection and Response is a security approach that continuously monitors network traffic to identify malicious behavior, policy violations, and abnormal communication patterns, then supports a coordinated response before the situation escalates. Unlike signature-based tools that only catch known threats, NDR platforms rely heavily on behavioral analysis, so they can flag activity that has never been seen before but still looks wrong for that environment.
In an OT context, this distinction matters enormously. Industrial networks are far more predictable than typical corporate IT networks. A PLC usually talks to the same handful of devices, at similar intervals, using the same industrial protocols, day after day. That predictability is actually an advantage for defenders, because any deviation from the established pattern becomes much easier to spot, provided the underlying architecture is built to understand those patterns in the first place.
NDR is not meant to replace segmentation, endpoint protection, or governance frameworks. It complements them by providing the visibility layer that most industrial environments have historically lacked, turning invisible east-west traffic between control system assets into a monitored, analyzed, and actionable data source.
It is worth being precise about what makes this category different from the network monitoring tools many plants already own. Traditional network performance monitoring tells an engineer whether a link is up, whether bandwidth is being consumed, or whether a device has dropped offline. It answers operational questions. NDR answers security questions: whether a connection should exist at all, whether a command is appropriate for the device receiving it, and whether a pattern of activity resembles reconnaissance, lateral movement, or an attempt to manipulate a physical process. The two disciplines often share the same wires and sometimes the same sensors, but they are solving fundamentally different problems, and conflating them is one of the more common mistakes organizations make early in their security journey.
Another point worth clarifying: NDR is not the same as an intrusion detection system in the traditional sense. Classic IDS technology leans almost entirely on signatures, meaning it can only recognize threats that have already been catalogued somewhere. Industrial environments frequently face novel misuse of legitimate protocols, insider misconfigurations, and slow-moving reconnaissance that no signature will ever match. Behavioral detection, sitting at the heart of NDR architecture, is what allows a platform to say, in effect, that although a specific threat has never been seen before, the behavior does not match how this device normally operates, which is precisely the kind of judgment industrial environments need most.
The Core Architecture of an NDR Solution
A mature NDR platform is built from several interconnected layers. Understanding each layer helps security leaders evaluate solutions on substance rather than marketing language, and helps engineering teams plan deployments that will not disrupt sensitive control processes.
1. Traffic Capture and Sensor Layer
This is the foundation of the architecture. Sensors, deployed as passive taps, SPAN ports, or inline network probes, capture raw traffic across the network. In OT environments, passive deployment is almost always preferred, since it observes copies of traffic without ever touching live control communications, eliminating the risk of introducing latency into time-sensitive processes.
2. Protocol Parsing and Deep Packet Inspection
Once traffic is captured, it must be understood. This layer decodes industrial protocols such as Modbus, DNP3, IEC 60870-5-104, EtherNet/IP, PROFINET, and OPC UA, extracting the meaningful fields, such as function codes, register addresses, and command types, rather than treating the traffic as an opaque stream of bytes. This is the layer that separates purpose-built OT detection platforms from generic IT tools repurposed for industrial use.
3. Behavioral Analytics and Detection Engine
Here, the platform builds a baseline of what normal communication looks like across every asset, then applies statistical models, rule-based logic, and machine learning to identify deviations. This might include a new device suddenly appearing on the network, an engineering workstation issuing commands it has never issued before, or a device communicating outside of its expected operational hours.
4. Threat Intelligence Integration
Behavioral detection is powerful, but it becomes far more precise when paired with curated threat intelligence specific to industrial environments, including known malicious indicators, vulnerable protocol implementations, and tactics associated with threat groups that specifically target critical infrastructure.
5. Correlation and Investigation Layer
Individual alerts rarely tell the full story. This layer stitches together related events across time and across assets, giving analysts a coherent picture of an unfolding incident rather than a flood of disconnected notifications.
6. Response Orchestration and Workflow Layer
Finally, the architecture must support action. This includes automated alerting, integration with security information and event management platforms, ticketing systems, and, where appropriate, controlled response actions such as isolating a compromised segment, all while respecting the operational constraints of the plant floor.
It is important to note that automated response in OT looks very different from automated response in a typical office network. Automatically severing a connection to a corporate laptop is a minor inconvenience. Automatically severing a connection to a controller managing a pressure valve or a turbine could itself create a safety event. For this reason, mature NDR architectures separate detection speed from response speed by design, giving human operators a clear decision point before any action with physical consequences is taken, while still automating the parts of the workflow, such as alert routing and evidence gathering, that carry no operational risk.
Putting the Layers Together
None of these six layers operates in isolation, and the value of NDR architecture comes from how tightly they are integrated rather than from any single component in isolation. A sensor without protocol parsing produces noise. Protocol parsing without behavioral analytics produces a log file nobody reads. Behavioral analytics without correlation produces alert fatigue. And detection without response orchestration produces awareness without action. Evaluating a platform on the strength of its weakest layer is usually more revealing than evaluating it on the strength of its strongest one, since incidents tend to exploit exactly the gap the architecture left open.
Figure: Layered flow of an OT-focused NDR architecture, from traffic capture through to coordinated response
Architecture Layer | Primary Function | Why It Matters in OT |
Sensor & Capture Layer | Passively collects raw network traffic | Zero-impact monitoring protects sensitive, real-time control processes |
Protocol Parsing (DPI) | Decodes industrial protocols into readable fields | Generic IT tools cannot interpret Modbus, DNP3, or PROFINET commands |
Behavioral Analytics | Builds baselines and flags deviations | OT traffic is highly predictable, making anomalies easy to isolate |
Threat Intelligence | Matches activity against known industrial threats | Adds context and reduces false positives specific to ICS threats |
Correlation Engine | Links related alerts into a single incident view | Prevents alert fatigue among lean OT security teams |
Response Orchestration | Coordinates alerts, tickets, and containment actions | Speeds up response without disrupting production uptime |
Why OT Environments Need a Purpose-Built NDR Approach
Many organizations initially try to extend their existing IT-focused detection tools into the plant environment. This almost always creates friction, and sometimes creates outright risk.
Passive Monitoring Is Non-Negotiable
Active scanning techniques common in IT security can overwhelm fragile legacy devices, some of which are decades old and were never built to handle unexpected network requests. A purpose-built OT NDR architecture is designed around passive visibility, so monitoring never becomes a source of downtime itself.
Protocol Awareness Is the Differentiator
A detection platform that cannot parse industrial protocols is, in practice, blind to the majority of meaningful activity inside a control network. Recognizing a Modbus write command to a critical register is fundamentally different from recognizing generic TCP traffic, and only protocol-aware architectures can make that distinction.
Asset Context Changes Everything
Knowing that a connection occurred is far less useful than knowing that a specific engineering workstation issued a firmware update command to a safety instrumented system outside its scheduled maintenance window. OT-specific NDR platforms tie detection to rich asset context, including device type, function, vendor, and criticality.
Uptime Is a Security Requirement, Not Just an Operational One
In IT security, a brief service interruption during an investigation is usually tolerable. In a manufacturing plant, an energy facility, or a water treatment site, downtime can mean halted production lines, financial losses measured in the millions per hour, or in the most serious cases, a direct impact on public safety. This changes how every architectural decision has to be evaluated. A detection platform that is technically excellent but requires active probing, agent installation on fragile devices, or any action that could interrupt a control loop is simply not viable for most industrial settings, regardless of how sophisticated its analytics engine may be.
The Convergence of IT and OT Makes Boundaries Blurry
Modern industrial facilities are rarely air-gapped anymore. Historians push data to cloud analytics platforms, vendors maintain remote access for support, and enterprise resource planning systems pull production data directly from the plant floor. Every one of these connections is a legitimate business need and, at the same time, a potential pathway for compromise. NDR architecture becomes especially valuable at these convergence points, since it can observe and baseline traffic crossing the IT-OT boundary in a way that neither a purely IT-focused tool nor a purely OT-focused tool can do on its own.
Real-World Incidents That Show Why Detection Architecture Matters
Industrial cybersecurity is not a theoretical discipline. The following incidents, now widely documented across the security community, illustrate what happens when detection visibility is missing, delayed, or ignored, and why layered NDR architecture has become a board-level conversation rather than a purely technical one.
Incident | Sector | Root Cause | Key Lesson |
Ukraine power grid disruption (2015) | Energy & Utilities | Attackers gained remote access and issued unauthorized commands to substation breakers | Command-level visibility into control traffic could have flagged the unauthorized breaker operations far earlier |
Industrial safety system compromise (2017) | Petrochemical | Malware targeted a safety instrumented system, attempting to manipulate safety logic | Behavioral monitoring of safety-system communication is critical, since these systems are rarely expected to change |
Pipeline operational shutdown (2021) | Energy | Ransomware on the IT side forced a precautionary shutdown of pipeline operations | Even IT-originated incidents can cascade into OT downtime without clear network segmentation and monitoring boundaries |
Aluminum manufacturer production disruption (2019) | Manufacturing | Widespread ransomware forced a temporary return to manual operations across multiple plants | Early anomaly detection at the network layer can shrink the window attackers have to spread laterally |
Water treatment facility intrusion attempt (2021) | Water & Wastewater | Remote access tool was used to attempt unauthorized changes to chemical treatment levels | Continuous monitoring of remote access sessions is essential, not optional, for public safety systems |
The common thread across each of these events is not exotic malware or advanced nation-state tradecraft. It is the absence of continuous, protocol-aware visibility into what was actually happening across the control network at the moment it mattered most. A layered NDR architecture would not have guaranteed prevention in every case, but it would have dramatically shortened the time between compromise and containment, which is often the single biggest factor separating a contained incident from a full-scale operational crisis.
It is also worth noting how differently each of these incidents would have unfolded with strong network-level visibility in place. Unauthorized breaker commands, unexpected safety-logic changes, and unusual remote-access sessions are all, at their core, network events before they become physical ones. A breaker does not open on its own; a command travels across the network first. A safety system does not silently reprogram itself; a series of writes crosses the wire first. This is precisely the window that NDR architecture is built to observe, and it is a window measured in minutes or hours rather than the days or weeks it often takes for physical symptoms to surface and be traced back to their true cause.
Risks and Challenges in Deploying NDR Across Industrial Networks
Understanding the architecture is only half the equation. Deploying it successfully across a live industrial environment introduces its own set of challenges that decision-makers should plan for from day one.
Legacy device sensitivity: Many industrial devices were designed with no security hardening at all, and even passive monitoring must be validated carefully around older equipment to avoid unintended interference.
Fragmented network visibility: Years of organic network growth often leave plants with undocumented connections, shadow IT, and forgotten remote access points that must be discovered before they can be monitored.
Alert fatigue and skill gaps: Many OT teams are lean, and flooding them with unprioritized alerts leads to important warnings being missed among the noise.
Cross-team ownership questions: OT, IT, and security teams often have overlapping but unclear responsibilities, which can slow down both deployment and incident response.
Data volume and retention: Industrial networks generate continuous traffic, and storing, analyzing, and retaining that data for investigations requires deliberate planning.
Integration with existing operations: NDR platforms must fit into existing change management and maintenance windows without disrupting production schedules.
There is also a less visible risk worth naming directly: the cost of doing nothing. Many industrial organizations delay detection investments while waiting for a clearer budget cycle, a completed asset inventory, or a quieter operational period that never quite arrives. Every month of delay is a month in which lateral movement, misconfigurations, and unauthorized access can accumulate unnoticed. The organizations that fare best during an actual incident are rarely the ones with the most expensive tools, but the ones that started building visibility before they needed it, giving their teams the pattern recognition and institutional familiarity that only comes from living with the data over time.
Practical Recommendations and Best Practices for NDR Implementation
Organizations that succeed with NDR tend to follow a similar path, treating it as a phased program rather than a single deployment event.
Start With Comprehensive Asset Discovery
You cannot monitor what you cannot see. A thorough, passive asset inventory should always precede detection deployment, establishing a clear picture of every device, connection, and protocol in use.
Deploy in Phases, Starting With Critical Zones
Rather than attempting a plant-wide rollout at once, prioritize the zones with the highest operational or safety impact, then expand outward as confidence and tuning improve.
Tune Baselines With Operational Teams
Security and engineering teams should jointly validate what counts as normal behavior, since operational context is something a purely technical team may not fully have on its own.
Build Clear Escalation Paths Before Go-Live
Every alert should have a defined owner and a defined next step. Detection without a response plan simply creates more noise.
Best Practice | Business Benefit |
Passive-first sensor deployment | Protects uptime while establishing full visibility |
Protocol-aware detection tuning | Reduces false positives and analyst fatigue |
Joint OT-IT governance model | Speeds up decision-making during real incidents |
Phased rollout by criticality | Limits operational risk during initial deployment |
Regular threat intelligence updates | Keeps detection relevant against evolving ICS-specific threats |
Documented incident response playbooks | Converts alerts into consistent, measurable action |
How Shieldworkz Supports Organizations
Shieldworkz works alongside industrial operators to design and implement detection architectures that respect the realities of live production environments, rather than forcing IT-first tools into spaces they were never built for.
Comprehensive OT and ICS asset visibility, built through passive discovery that never interferes with live operations
Protocol-aware monitoring tailored to the specific control systems, PLCs, and SCADA platforms already in use across a facility
Behavioral baselining developed in partnership with plant engineering teams, so alerts reflect real operational context
Threat intelligence curated specifically for industrial and critical infrastructure threat patterns
Clear, actionable incident response guidance designed around production continuity, not just technical remediation
Ongoing advisory support to help security leaders align detection investments with regulatory expectations and long-term risk reduction goals
How Detection Priorities Shift Across Different Industrial Sectors
While the underlying architecture of NDR remains consistent, the priorities placed on each layer shift depending on the industry. A one-size-fits-all deployment rarely delivers the value that a sector-aware deployment does.
Manufacturing
Manufacturing environments tend to have the widest diversity of equipment ages and vendors, often accumulated over decades of expansion and acquisition. Here, asset discovery and protocol diversity handling carry the most weight, since a single production line may mix equipment from several different eras and manufacturers, each communicating differently.
Energy and Utilities
Energy and utility operators typically manage geographically distributed assets, from substations to remote pumping stations, connected over a mix of fiber, cellular, and legacy serial links. Here, detection architecture must account for intermittent connectivity and prioritize visibility into remote access sessions, since these are consistently among the most targeted entry points in this sector.
Water and Wastewater
Water treatment facilities often operate with smaller security teams and tighter budgets relative to their operational risk, since even a brief manipulation of chemical dosing or treatment levels carries direct public health consequences. For this sector, straightforward alerting and clear escalation paths matter more than advanced customization, since the goal is rapid, confident action rather than deep forensic tuning.
Oil, Gas, and Petrochemical
These environments frequently include safety instrumented systems that must never be touched without extreme caution. Detection architecture here places a premium on read-only, passive monitoring and on behavioral baselines that specifically flag any unexpected communication with safety-critical controllers, since these systems are designed to change rarely, if ever, under normal operating conditions.
Measuring the Success of Your NDR Deployment
Security leaders are increasingly expected to demonstrate return on investment to executive stakeholders, and detection architecture is no exception. Rather than measuring success purely by the number of alerts generated, mature programs track a small set of meaningful indicators.
Metric | What It Tells You |
Mean time to detect (MTTD) | How quickly abnormal activity is identified after it begins |
Mean time to respond (MTTR) | How quickly a validated incident moves from alert to containment |
Asset visibility coverage | The percentage of the environment actively monitored versus assumed |
False positive rate over time | Whether baseline tuning is improving analyst trust in the platform |
Alert-to-incident ratio | Whether alerts are translating into meaningful, actionable investigations |
Tracking these metrics consistently, and reviewing them with both security and operations stakeholders, turns NDR from a line item on a budget into a demonstrable driver of operational resilience, which is ultimately the conversation every CISO needs to be equipped to have with the executive team and the board.
Frequently Asked Questions About NDR Architecture
Does NDR require agents installed on OT devices?
No. Reputable OT-focused NDR platforms operate passively, observing network traffic through taps or mirrored ports rather than installing software agents on controllers, historians, or engineering workstations, many of which cannot support additional software without vendor recertification.
How long does it take to see meaningful value from an NDR deployment?
Initial asset visibility is often available within the first few weeks of deployment, though reliable behavioral baselines and low false-positive rates typically take a few months to mature, as the platform observes a full range of normal operational cycles, including maintenance windows and seasonal production changes.
Can NDR replace a firewall or segmentation strategy?
No. NDR is a visibility and detection layer, not a prevention control on its own. It works best alongside strong network segmentation, access control, and endpoint protections, filling the gap those controls leave around what happens inside an already-permitted connection.
Is NDR only relevant for large enterprises?
Not at all. Mid-sized manufacturers, municipal utilities, and regional operators face the same category of threats as larger organizations, often with fewer internal resources to detect them. Scaled, right-sized NDR deployments can be just as valuable, and in some cases more urgent, for smaller operational footprints.
Conclusion
Detection architecture has quietly become one of the most consequential decisions an industrial organization can make. The incidents that dominate headlines rarely begin with a dramatic breach; they begin with a small, unnoticed deviation in network behavior that goes unaddressed for far too long. A well-designed NDR architecture, built specifically for the language and rhythms of operational technology, closes that window and gives security leaders the one thing they need most in a crisis: time.
For OT security leaders, ICS engineers, plant managers, and CISOs alike, understanding this architecture is no longer optional. It is a foundational part of protecting the systems that keep production running, communities powered, and critical infrastructure safe.
Book a Free Consultation with Our Experts
If your organization is evaluating how network detection and response fits into your broader OT security strategy, our team is glad to walk through your specific environment, current visibility gaps, and practical next steps. There is no obligation, just a focused conversation with people who understand industrial operations as well as they understand cybersecurity.
Reach out today to schedule your free consultation and take the next step toward a more resilient, better-protected operational environment.
Additional resources:
Comprehensive Guide to Network Detection and Response NDR in 2026 here
NERC CIP-015 Internal Network Security Monitoring Readiness Checklist for Electric Utilities here
IEC 62443 and NIS2 Compliance Checklist here
Free Removable Media Policy Template for OT and IT Teams here
احصل على تحديثات أسبوعية
الموارد والأخبار
تعرف على كيفية معالجة حلولنا الرائدة في مجال أمن تكنولوجيا التشغيل (OT) للتحديات الأمنية الحيوية
قد تود أيضًا

Securing critical infrastructure operations during geo-political events and beyond

Team Shieldworkz

How NDR Strengthens Cyber Risk Management

Team Shieldworkz

What Is Network Detection and Response and Why It Matters for OT Security

Team Shieldworkz

What Bajaj Auto and Tata Electronics cyber incidents reveal about manufacturing espionage and extortion

Prayukth K V

How CPS in Manufacturing Improves Productivity and Efficiency

Team Shieldworkz

Network Detection and Response Under IEC 62443: Compliance Requirements and Implementation

Team Shieldworkz

