Technical Deep Dive

Architecture, protocols, platforms, and methodology behind CyberFabric's OT Security Operations Center. This page is for security architects, OT engineers, and technical evaluators.

SOC Architecture

CyberFabric operates a three-tier SOC model purpose-built for OT/ICS environments:

Tier	Function	SLA	Staffing
Tier 1	AI-driven automated triage and containment. Multi-source correlation (SIEM, NDR, UEBA, TIP). False positive elimination.	<200ms	Automated + ML
Tier 2	Human investigation of escalated incidents. OT-context analysis. Playbook execution.	5 min	OT analysts (ex-plant engineers)
Tier 3	Critical incident command. Cross-functional coordination. Forensic investigation.	15 min	Senior incident commanders

Proactive operations include weekly threat hunting (behavioral analytics, ICS YARA rules, APT TTPs), monthly deep sweeps, and continuous threat intel correlation against customer-specific asset inventories.

Detection Platform: Stellar Cyber Open XDR

CyberFabric's default SecOps engine when customers don't have an existing stack:

Core Capabilities

• NG-SIEM — Log aggregation, normalization, and correlation across IT/OT boundaries
• OT-Aware NDR — L2-L7 deep packet inspection with native industrial protocol decoders
• UEBA — Behavioral baselines for operators, devices, and process patterns
• SOAR — Automated playbook execution with OT-safe response actions
• TIP — Threat Intelligence Platform with ICS-specific feeds
• Multi-Layer AI — Unsupervised ML, supervised ML, graph ML, rules engine, and edge AI
• 400+ integrations — Pre-built connectors for major security and OT vendors

Supported Industrial Protocols

Modbus TCP/RTU    DNP3           OPC-UA          OPC-DA
BACnet            PROFINET       EtherNet/IP     S7comm
IEC 60870-5-104   IEC 61850      HART-IP         CIP
GOOSE             MMS            GE-SRTP         Emerson ROC

Detection Performance

Metric	Value	Methodology
Mean Time to Detect (MTTD)	8× faster than manual SOC	Automated correlation + ML triage
False Positive Reduction	90%+	Multi-Layer AI with OT context
Analyst Productivity	80%+ improvement	Automated triage, enrichment, and case management
Auto-Containment	<200ms	SOAR-driven with OT-safe guardrails

Infrastructure: Ixian Decentralized Platform

CyberFabric's infrastructure layer for data transport, device identity, and audit integrity:

Architecture

• Decentralized topology — No central server, no cloud dependency, no single point of failure
• S2 Streaming Network — High-throughput data streaming for real-time telemetry
• DLT (Distributed Ledger) — Immutable audit trails for evidence chain integrity
• PKI Device Identity — Self-sovereign device certificates, no central CA dependency
• Post-quantum cryptography — Quantum-resistant algorithms for all communications
• Air-gap capable — Full operation without internet connectivity

Why Decentralized for OT?

Cloud-based OT security creates three risks that decentralized architecture eliminates:

• Availability — Cloud outage = blind SOC. Decentralized = no single point of failure.
• Sovereignty — Cloud = your critical infrastructure data on someone else's servers. Decentralized = data never leaves your control.
• Vendor lock-in — Cloud = vendor kill switch. Decentralized = open-source, self-sovereign.

Open-source and auditable: github.com/ixian-platform

Forward-Deployed Engineer (FDE) Model

The FDE model is CyberFabric's primary deployment and customer success methodology. Each FDE is a senior OT security specialist with direct ICS/SCADA experience.

Deployment Timeline

Phase	Duration	Activities
Immersion	Week 1–2	On-site environment mapping, asset inventory, protocol identification, safety system assessment, existing tool evaluation, stakeholder interviews
Deployment	Week 3–6	Sensor placement, platform configuration, behavioral baseline collection, custom detection rule development, integration with existing tools
SOC Integration	Week 7–12	Live SOC onboarding, playbook development with operators, threshold tuning, first tabletop exercise, initial threat hunt
Optimization	Ongoing	Monthly detection reviews, baseline recalibration, new asset onboarding, staff training, quarterly posture assessments

FDE Qualifications

• 5+ years in ICS/SCADA environments (plant engineering, control systems, or OT security)
• Protocol-level expertise in Modbus, DNP3, OPC-UA, and at least two additional industrial protocols
• Incident response experience in OT environments
• GICSP, GRID, or equivalent ICS security certifications

Tool-Agnostic Integration

CyberFabric integrates with existing customer security and OT tools. The SOC normalizes, correlates, and operates across heterogeneous stacks.

Supported Integrations

Category	Platforms
SIEM	Splunk, IBM QRadar, Microsoft Sentinel, Elastic SIEM, LogRhythm
EDR / XDR	CrowdStrike, SentinelOne, Microsoft Defender, Carbon Black
Network Security	Palo Alto Networks, Fortinet, Cisco, Check Point
OT Security	Nozomi Networks, Claroty, Dragos, OTORIO, Armis
Cloud / Identity	AWS, Azure, GCP, Okta, Active Directory
Threat Intel	MITRE ATT&CK for ICS, Mandiant, Recorded Future, ICS-CERT

Compliance Mapping

SOC operations map directly to regulatory framework controls:

Framework	Scope	SOC Mapping
IEC 62443	Industrial automation security	Zones, conduits, monitoring, incident response
NIST SP 800-82	ICS security guide	Continuous monitoring, access control, audit
NIS2 Directive	EU critical infrastructure	Incident reporting, risk management, supply chain
NERC CIP	North American bulk electric	Electronic security perimeter, monitoring, IR
MITRE ATT&CK ICS	ICS threat framework	Detection coverage mapped to all 12 tactics
ISA-95 / Purdue	OT network segmentation	Level-aware detection and response policies

← Back to cyberfabric.co