Subscribe to the Non-Human & AI Identity Journal

How can organisations tell whether deception controls are actually helping in OT?

Deception controls are working when they produce high-fidelity alerts on activity that should never occur, such as a human operator touching a decoy HMI or an internal system authenticating to a fake credential. The signal should indicate reconnaissance, misuse, or lateral movement before production systems are reached, not after disruption has started.

Why This Matters for Security Teams

In OT, deception controls are not valuable because they create noise. They are valuable because they tell defenders that an actor has crossed a boundary that should not be crossed at all. A decoy HMI, fake engineering workstation, or honey credential should only be touched during reconnaissance, misuse, or post-compromise movement. That makes deception one of the few controls that can validate hostile intent without waiting for production impact.

Security teams often get the evaluation problem wrong. They count alert volume, not alert quality. They measure whether the deception platform is deployed, not whether it is detecting activity that would otherwise bypass normal monitoring. Good practice is to compare deception alerts against expected OT workflows, maintenance windows, remote support patterns, and asset access paths. If the control cannot distinguish sanctioned engineering activity from suspicious interaction, it is not yet providing operational value.

For control design and assessment, NIST SP 800-53 Rev 5 Security and Privacy Controls is useful because it emphasises the need for monitoring, auditability, and evidence that controls are operating as intended. In practice, many security teams discover deception weakness only after an adversary has already mapped the environment, rather than through intentional validation during normal operations.

How It Works in Practice

Effective measurement starts with defining what “should never happen” inside the OT environment. That means placing decoys where real operators, engineers, or integrated systems should not normally interact, and then tuning detection around the unique behaviours that indicate interest. In OT, this is often less about malware signatures and more about protocol-aware interaction, credential use, or attempts to enumerate devices and services.

Teams usually test deception controls in three ways:

  • They generate controlled interactions from a known test account, host, or workstation and verify that the alert is immediate and attributable.
  • They compare deception hits with OT asset baselines to see whether the trigger correlates with abnormal access paths, not routine maintenance.
  • They review alert enrichment to determine whether the event explains who, what, where, and why enough for response teams to act.

For OT environments, a high-fidelity alert is more important than a large number of alerts. A decoy should produce a response-worthy signal when an endpoint tries to authenticate to a fake service, when a plant asset browses a lure share, or when a remote session touches a honeypot asset. Mature teams also measure time to detection, false positive rate, and whether the alert can be tied to a specific zone, cell, or engineering segment.

That testing should be aligned to adversary behaviours described in MITRE ATT&CK, especially initial access, discovery, and lateral movement patterns that often appear before OT disruption. Where deception sits inside a broader detection strategy, pair it with logging and response expectations from CISA OT defense-in-depth guidance so the alert is not isolated from the rest of the SOC workflow. These controls tend to break down when engineering access is highly shared, because shared accounts and unmanaged remote support make it difficult to prove whether a touch was malicious or routine.

Common Variations and Edge Cases

Tighter deception coverage often increases operational overhead, requiring organisations to balance better detection against maintenance burden and the risk of confusing operators. That tradeoff is especially sharp in OT, where uptime, safety, and vendor support constraints limit how aggressively deception can be deployed.

Best practice is evolving for environments with frequent changes, such as plants with rotating contractors, outsourced engineering, or temporary integration projects. In those settings, deception signals can be meaningful but need stricter context. A login to a decoy PLC interface may be suspicious in one site and expected in another if the environment uses unusual test pathways. Current guidance suggests treating deception as a corroborating control, not a standalone verdict, unless the environment has very stable access patterns.

There are also edge cases where deception appears to “work” but is not yet operationally useful. For example, a lure may attract benign scanners, vulnerability tools, or misconfigured backups. That can still be useful if the team has documented what normal automation looks like and has a clear path to suppress expected noise. The real test is whether the control improves analyst confidence and shortens the path from alert to containment. If the alert cannot be acted on because asset ownership, maintenance records, or network segmentation are unclear, the control has only partial value.

For governance and control mapping, deception should sit alongside policy-backed monitoring expectations in NIST SP 800-53 Rev 5 Security and Privacy Controls and an incident handling process that tells responders what to do when a decoy is touched. In OT, effectiveness is proven less by deployment status and more by whether the alert changes decisions before safety or production is affected.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 and CIS-Controls set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 DE.CM-1 Deception only helps if unusual activity is continuously monitored and detected.
MITRE ATT&CK T1087 Deception alerts often map to discovery behaviour such as account and asset enumeration.
CIS-Controls 8.2 Logging and visibility are needed to prove deception is detecting meaningful activity.

Track decoy interactions as monitored events and review whether they improve detection coverage.