– INDUSTRIAL AND OT NETWORK CONSULTING · TSG LABS · ONTARIO, CANADA

Start a conversationWhat this covers ↓

The problem with applying enterprise thinking to OT

OT environments have constraints that standard enterprise network design does not account for. Systems that cannot tolerate a reboot. Legacy protocols with no authentication. Failure consequences measured in operational disruption, not just data exposure. Applying enterprise security patterns directly to OT environments often causes more problems than they solve.

Hans Study, CISSP, has worked across SCADA, DCS, and ICS environments in utilities, pipelines, water treatment, transportation infrastructure, and defence. The advisory covers OT/IT segmentation design, secure remote access architecture, NERC CIP and CMMC compliance, and monitoring strategies that give operators visibility without the active scanning that can trigger the very outage they are trying to prevent.

The common engagement pattern is an organization that needs a second opinion from someone not trying to sell the monitoring platform. That independence is the point.

When to reach out

OT network engagements typically come from one of four situations: an upcoming compliance deadline, a planned IT/OT integration that needs independent design review, a recent security incident that revealed gaps in the OT network's architecture, or a facility expansion that requires extending or redesigning the existing OT network. All four are good reasons. Reach out early. The cost of finding problems at the design stage is a revision. The cost at the operational stage is an outage.

Start a conversation

Compliance frameworks

Secure Remote Access for OT

Remote access to OT environments is one of the highest-risk connectivity decisions an operator makes. Jump server architecture, vendor access controls, MFA enforcement, and session logging in environments where the alternative is either no remote access or an open connection that bypasses every other control.

Risk-Aware OT Monitoring Strategy

Active scanning is often out of the question in OT environments. Passive monitoring, span port architectures, and out-of-band collection give operators the situational awareness they need without touching the control network. Advisory covers monitoring architecture design and OT-aware SIEM integration.

Physical Security for OT Facilities

Substations, pump stations, and remote unmanned installations have physical security requirements distinct from enterprise environments. Access control and video surveillance integrated with SCADA alarms, and physical security design that satisfies NERC CIP physical access control requirements.

What is the difference between IT security and OT security?

In IT security, the priority order is confidentiality, integrity, then availability. In OT, availability comes first. A control system shut down for a security patch causes an operational disruption that may have safety implications. Legacy OT systems often cannot be patched at all. Security design for OT has to account for these constraints, which is why enterprise security approaches applied directly to OT environments often cause more problems than they solve.

Does TSG Labs provide CMMC advisory for defence contractors with OT in scope?

Yes. Defence contractors whose OT environments handle Controlled Unclassified Information, or whose OT networks connect to systems that do, need to account for CMMC 2.0 requirements in their OT security architecture. Hans Study, CISSP, provides gap assessments, architecture advisory, and documentation support for contractors working toward CMMC Level 2 where OT is in scope.

Who provides independent OT network consulting in Canada?

TSG Labs, based in Ontario, provides independent OT and ICS network consulting across Canada and the US. Hans Study, CISSP, has worked across utility, transportation, government, and defence environments. No monitoring platform to sell. No preferred vendor relationship shaping the recommendation.

Start a conversation