Guide

Questions to Ask Before Hiring an OT Security Partner

Whoever touches your control network has real leverage over your operations. Before you give anyone — including us — access, here's what's worth asking.

1. Do they understand the difference between IT and OT security?

A vendor who wants to run a standard IT vulnerability scan against your PLCs without qualification is a red flag. Many legacy control devices weren't built to survive aggressive active scanning — it can crash them. Ask specifically how they discover assets and assess risk without risking availability.

2. What standards or frameworks structure their methodology?

"We know cybersecurity" isn't a methodology. Ask whether their approach is structured around recognized ICS-specific frameworks — IEC 62443, NIST SP 800-82, the Purdue Model — and ask them to explain, specifically, how a framework like zones-and-conduits would apply to your facility. A vendor who can't get concrete here is likely applying a generic playbook.

3. How do they handle change windows and safety systems?

Ask what happens if a proposed change could affect a safety instrumented system. A credible OT partner has a defined process for scoping changes around maintenance windows and getting explicit sign-off before anything touches a live system — not a "we'll be careful" answer.

4. Who actually does the work?

Some vendors sell a project, then hand execution to a subcontractor or a junior team you never vetted. Ask directly who will be on-site, what their background is, and whether you'll have a direct line to them after the contract is signed — or just a support ticket queue.

5. What do they do about legacy and unsupported systems?

Most real plants have at least some devices running unsupported operating systems or firmware that can't be patched. A partner whose only answer is "replace it" isn't being realistic about capital cycles. Ask how they design compensating controls — segmentation, monitoring, restricted conduits — around assets that can't be hardened directly.

6. Can they show you the artifact, not just the pitch?

Ask what you actually receive at the end of an assessment or design engagement: a verified asset inventory, a zone/conduit diagram, a risk-ranked findings register, a segmentation policy document? If the answer is vague, the deliverable probably will be too.

7. What happens after the project ends?

Segmentation and hardening aren't one-time events — new devices get added, firmware changes, business needs evolve. Ask how they support the environment they built, and whether that support comes from people who understand your specific architecture or a generic help desk.

A note from us: We wrote this guide to be genuinely useful for evaluating any vendor, not just us — including questions we'd want a prospective client to ask before working with Destria. If you'd like to put these questions to us directly, reach out and we'll answer them plainly.

Request a Site Assessment