Stop looking for “bad actors”—use behavioral baselines to catch insider risk in OT before it becomes downtime

Most insider detection fails because it hunts intent.
OT needs to hunt anomalies that predict impact.

In industrial environments, “insiders” are often trusted technicians, engineers, and contractors.
Their actions look legitimate until one small change turns into:
– an unsafe state
– a quality excursion
– unplanned downtime

That’s why the winning question isn’t “who is malicious?”
It’s: “What behavior would cause an unsafe state if repeated at scale?”

Behavioral baselines help you answer that without relying on malware signatures or perfect asset inventories.
You’re not trying to label a person.
You’re watching for deviations in:
– what changed
– when it changed
– from where it changed
– how often it changed
– which systems are being touched outside normal patterns

Examples of high-signal OT deviations:
– new engineering workstation talking to a controller it never touched before
– a contractor account executing the same write operation across multiple PLCs
– after-hours logic changes followed by disabled alarms or altered setpoints
– a burst of “normal” commands at an abnormal rate
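The deviation dimensions above (what, when, from where, how often, which systems) and the four example signals, as an added illustration that is not part of the original post: a small Python baseline-and-deviation check over constructed engineering-activity records. The record layout, operation names, shift hours, fan-out and burst thresholds are all assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the post): timestamp,source_host,account,controller,operation
BASELINE_LOG = """2024-03-04T09:12:00,ews-01,eng.alice,plc-101,read_tags
2024-03-04T10:05:00,ews-01,eng.alice,plc-101,write_setpoint
2024-03-05T14:00:00,ews-02,eng.bob,plc-102,logic_download"""
TODAY_LOG = """2024-03-11T09:01:00,ews-03,ctr.vendor,plc-101,write_setpoint
2024-03-11T09:01:10,ews-03,ctr.vendor,plc-102,write_setpoint
2024-03-11T09:01:20,ews-03,ctr.vendor,plc-103,write_setpoint
2024-03-11T22:40:00,ews-02,eng.bob,plc-102,logic_download
2024-03-11T22:41:00,ews-02,eng.bob,plc-102,disable_alarm"""
WRITE_OPS = {"write_setpoint", "logic_download", "disable_alarm"}  # assumed names of state-changing operations
SHIFT_HOURS = range(6, 19)  # assumption: staffed engineering shift is 06:00-18:59

def parse(log):
    rows = [dict(zip(("ts", "src", "acct", "dst", "op"), line.split(","))) for line in log.strip().splitlines()]
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return rows

def build_baseline(rows):
    """Learn the normal (source host, controller) pairs and each host's busiest minute in the history."""
    peak = defaultdict(int)
    for (src, _), n in Counter((r["src"], r["ts"].replace(second=0)) for r in rows).items():
        peak[src] = max(peak[src], n)
    return {"pairs": {(r["src"], r["dst"]) for r in rows}, "peak_rate": dict(peak)}

def detect(baseline, rows, fanout=3, burst_factor=2, follow_up=timedelta(minutes=15)):
    """Flag deviations from the baseline; each finding names a behavior, not a verdict on a person."""
    findings, fan, per_min, last_logic = [], defaultdict(set), Counter(), {}
    for r in rows:
        if (r["src"], r["dst"]) not in baseline["pairs"]:   # host has never touched this controller
            findings.append(("new_pair", r["src"], r["dst"]))
        if r["op"] in WRITE_OPS:
            fan[(r["acct"], r["op"])].add(r["dst"])         # same write spreading across controllers
            if r["ts"].hour not in SHIFT_HOURS:
                findings.append(("after_hours_write", r["acct"], r["op"], r["dst"]))
        if r["op"] == "logic_download":
            last_logic[r["acct"]] = r["ts"]
        elif r["op"] == "disable_alarm" and r["acct"] in last_logic and r["ts"] - last_logic[r["acct"]] <= follow_up:
            findings.append(("alarm_disabled_after_logic_change", r["acct"], r["dst"]))
        per_min[(r["src"], r["ts"].replace(second=0))] += 1
    for (acct, op), dsts in fan.items():
        if len(dsts) >= fanout:
            findings.append(("write_fanout", acct, op, len(dsts)))
    for (src, minute), n in per_min.items():
        if n > burst_factor * baseline["peak_rate"].get(src, 1):  # more "normal" commands per minute than ever before
            findings.append(("rate_burst", src, minute.isoformat(), n))
    return findings
```

Running `detect(build_baseline(parse(BASELINE_LOG)), parse(TODAY_LOG))` on the constructed records surfaces all four signals from the list above: three never-seen host-to-controller pairs, one account writing the same setpoint to three PLCs, two after-hours writes with an alarm disabled right after a logic download, and a per-minute burst from the new workstation.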

Outcome: earlier detection, fewer escalations, and interventions before production feels it.

If you could baseline one behavior in your OT environment to reduce risk fast, what would it be?