Whoever touches your control network has real leverage over your operations. Before you give anyone — including us — access, here's what's worth asking.
A vendor who wants to run a standard IT vulnerability scan against your PLCs without qualification is a red flag. Many legacy control devices weren't built to survive aggressive active scanning — it can crash them. Ask specifically how they discover assets and assess risk without risking availability.
"We know cybersecurity" isn't a methodology. Ask whether their approach is structured around recognized ICS-specific frameworks — IEC 62443, NIST SP 800-82, the Purdue Model — and ask them to explain, specifically, how a framework like zones-and-conduits would apply to your facility. A vendor who can't get concrete here is likely applying a generic playbook.
Ask what happens if a proposed change could affect a safety instrumented system. A credible OT partner has a defined process for scoping changes around maintenance windows and getting explicit sign-off before anything touches a live system — not a "we'll be careful" answer.
Some vendors sell a project, then hand execution to a subcontractor or a junior team you never vetted. Ask directly who will be on-site, what their background is, and whether you'll have a direct line to them after the contract is signed — or just a support ticket queue.
Most real plants have at least some devices running unsupported operating systems or firmware that can't be patched. A partner whose only answer is "replace it" isn't being realistic about capital cycles. Ask how they design compensating controls — segmentation, monitoring, restricted conduits — around assets that can't be hardened directly.
Ask what you actually receive at the end of an assessment or design engagement: a verified asset inventory, a zone/conduit diagram, a risk-ranked findings register, a segmentation policy document? If the answer is vague, the deliverable probably will be too.
Segmentation and hardening aren't one-time events — new devices get added, firmware changes, business needs evolve. Ask how they support the environment they built, and whether that support comes from people who understand your specific architecture or a generic help desk.
A note from us: We wrote this guide to be genuinely useful for evaluating any vendor, not just us — including questions we'd want a prospective client to ask before working with Destria. If you'd like to put these questions to us directly, reach out and we'll answer them plainly.