OT vs IT vs Network Layers
The layer classification is one of the most important fields in BreachSpider. It determines who on your team is responsible for remediating each finding, how findings are grouped on the dashboard, and how compliance reports categorize your exposure.
Three Layers
OT (Operational Technology)
Process control devices that directly interact with or control physical processes.
Includes: PLCs, RTUs, DCS controllers, HMI application software, SCADA server applications, safety instrumented systems (SIS).
Remediated by: OT engineers, process control team, automation vendors.
Patching characteristics:
- Patching is high-risk and requires maintenance windows.
- Many OT devices cannot be patched without shutting down the controlled process.
- Some legacy OT devices have no available patches -- the firmware is end-of-life.
- Vendor involvement is often required for firmware updates.
- Compensating controls (network segmentation, protocol filtering, enhanced monitoring) are common and accepted alternatives to patching.
Compliance note: NERC CIP-007 requires documented patch management for BES Cyber Assets. The OT layer in BreachSpider maps directly to your CIP-007 asset categorization for control system devices.
OS (Operating System)
Operating systems and application software running on devices in or adjacent to the OT environment.
Includes: Windows on HMIs, engineering workstations, historians, servers, Linux-based SCADA platforms, database servers in the OT DMZ.
Remediated by: IT patching team, or sometimes the OT team for OT-adjacent systems that IT cannot access.
Patching characteristics:
- Standard IT patch management processes apply.
- OT-connected Windows machines require patch testing before deployment to avoid breaking HMI or engineering software.
- Automated patch deployment tools (WSUS, SCCM) may or may not be present in OT zones.
- Engineering workstations are high-value targets -- Stuxnet exploited Windows vulnerabilities on these machines to reach PLCs.
Risk context: A Windows CVE on an HMI workstation sitting on the OT network is not just an IT problem. It is a potential path to process control compromise. Treat OS-layer findings in OT environments with the same urgency as OT-layer findings.
NETWORK (Network Infrastructure)
Switches, routers, firewalls, and other network devices in the OT environment.
Includes: Industrial Ethernet switches, OT firewalls, routers connecting remote sites, VPN concentrators, wireless access points in OT zones.
Remediated by: Network team.
Patching characteristics:
- Firmware updates may cause brief link interruptions.
- Redundant paths should be verified before updating.
- VPN appliance vulnerabilities are frequently targeted as initial access vectors to OT networks.
Risk context: Network devices are the perimeter. A compromised OT firewall or VPN concentrator gives an attacker direct access to the control network. Findings on network devices that appear in the KEV (CISA Known Exploited Vulnerabilities) catalog should be treated as critical regardless of their CVSS score.
Why Layers Matter
Dashboard Visibility
The dashboard By Layer section shows:
- OT: X findings -- the OT team owns these.
- OS: X findings -- the IT team owns these.
- NETWORK: X findings -- the network team owns these.
This gives you an instant answer to "who remediates what" without sorting through every finding individually.
Team Routing
When you create tickets from findings, the layer determines the default assignee:
- OT findings route to OT engineering contacts.
- OS findings route to IT patching contacts.
- NETWORK findings route to network team contacts.
Auto-ticket rules can filter by layer, so you can create rules like "all critical NETWORK findings create a Jira issue in the Network Security project."
Compliance Reporting
NERC CIP evidence packages categorize findings by layer to demonstrate that each asset category has its own documented patch management process. The IEC 62443 report uses layer classification to map findings to the appropriate security zone.
Assigning the Right Layer
Some devices span multiple layers. An HMI workstation runs Windows (OS) with WinCC (OT). In BreachSpider, you assign the primary layer -- the one that determines who is responsible for remediating the most critical findings on that device.
For HMIs and engineering workstations: assign OS if the IT team manages patching, or OT if the OT team manages the entire device including the OS.
If you operate in an environment where OT and IT teams jointly manage devices, pick the layer that matches your organizational responsibility structure. The goal is to ensure every finding has a clear owner.
Layer Selection Guide
| Device | Typical Layer |
|---|---|
| PLC, RTU, DCS | OT |
| HMI (if IT patches the OS) | OS |
| HMI (if OT manages everything) | OT |
| SCADA server | OS |
| Historian | OS |
| Engineering workstation | OS |
| Industrial switch | NETWORK |
| OT firewall | NETWORK |
| VPN concentrator | NETWORK |
| Jump server | OS |
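
The layer assignment and routing rules above, worked through in Python as an added example; this is not BreachSpider code or its API. The Finding record, the owner queue names and the finding references are hypothetical; the layer rules, the HMI ownership split and the KEV override for network devices come from this page, and severity otherwise follows the CVSS v3 rating bands.

```python
from collections import Counter
from dataclasses import dataclass

# Hypothetical owner queues; only the three layer names come from the page.
OWNERS = {"OT": "ot-engineering", "OS": "it-patching", "NETWORK": "network-team"}
# Fixed rows of the Layer Selection Guide.
FIXED = {"plc": "OT", "rtu": "OT", "dcs": "OT", "scada server": "OS",
         "historian": "OS", "jump server": "OS", "industrial switch": "NETWORK",
         "ot firewall": "NETWORK", "vpn concentrator": "NETWORK"}
# Devices that span layers: the primary layer follows whoever patches the OS.
SPANNING = {"hmi", "engineering workstation"}

@dataclass
class Finding:  # hypothetical record, not BreachSpider's schema
    ref: str
    device: str
    cvss: float
    kev: bool = False
    os_patched_by: str = "IT"  # "IT" or "OT"; only read for SPANNING devices

def primary_layer(f):
    kind = f.device.strip().lower()
    if kind in SPANNING:
        return "OS" if f.os_patched_by.upper() == "IT" else "OT"
    if kind not in FIXED:  # fail closed: never leave a finding without an owner
        raise ValueError(f"no layer rule for device {f.device!r}")
    return FIXED[kind]

def severity(f, layer):
    if layer == "NETWORK" and f.kev:
        return "critical"  # page rule: KEV on network devices overrides CVSS
    bands = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low"))
    return next(label for floor, label in bands if f.cvss >= floor)  # CVSS v3 floors

def route(findings):
    tickets = []
    for f in findings:
        layer = primary_layer(f)
        tickets.append({"ref": f.ref, "layer": layer, "owner": OWNERS[layer],
                        "severity": severity(f, layer)})
    return tickets, Counter(t["layer"] for t in tickets)  # tickets + By Layer counts

# Constructed sample findings with placeholder references, not real CVE ids.
SAMPLE = [
    Finding("FINDING-0001", "PLC", 7.5),
    Finding("FINDING-0002", "HMI", 8.8, os_patched_by="IT"),
    Finding("FINDING-0003", "HMI", 8.8, os_patched_by="OT"),
    Finding("FINDING-0004", "VPN concentrator", 5.3, kev=True),
    Finding("FINDING-0005", "Industrial switch", 5.3),
]
```

Calling route(SAMPLE) sends the two HMI findings to different owners and rates the VPN concentrator finding critical even though its CVSS score is 5.3.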