The IT playbook of hash and IP indicators breaks down inside a substation or plant. Effective OT indicators look more like protocol behavior, engineering workstation drift, and unexpected point writes.
Ask a SOC analyst what an IOC looks like and you will get file hashes, IP addresses, and domains. Ask an OT engineer the same question and you will get a blank stare, because none of those artifacts are how compromise shows up on a control network.
Why IT indicators fall apart in OT
Control networks rarely see new executables. Engineering workstations run known software for years. Talking to unknown IPs is often blocked at the firewall by design. A file hash feed built for enterprise endpoints has almost no surface area to match against inside a substation.
Worse, over indexing on IT style IOCs creates a false sense of coverage. The SOC sees "no matches" and reports the environment clean, when in reality the sensors are looking for the wrong things.
What an OT indicator actually looks like
Useful OT indicators tend to describe behavior, not artifacts:
- A Modbus write to a coil range that has never been written from that source before.
- An IEC-104 general interrogation from an operator workstation outside its normal window.
- A new MMS association to an IED from a host that has never spoken 61850 before.
- A firmware download to an engineering workstation that did not come from the approved vendor path.
- DNP3 unsolicited responses appearing after a configuration change no one filed.
These are indicators of operational anomaly. They map to MITRE ATT&CK for ICS techniques directly and they are what actually shows up during a real intrusion.
Where ThreatSpire fits
The IOC management surface in ThreatSpire is built to hold behavioral indicators alongside classic atomic ones. A single "indicator" can be a protocol pattern, a source and function code pair, or an engineering workstation drift signature. That makes the indicator list something an OT team can actually defend against, rather than a dumping ground of IT hashes that will never fire.
Practical starting point
Pick three OT protocols in your environment. For each, write down the five behaviors that should never happen from an untrusted host. Load those as indicators. That single exercise will produce more useful OT detection coverage than any commercial hash feed you can buy.

