How a North American utility closed an OT security staffing gap in weeks, not months — and rebuilt detection on its NERC-CIP boundary.
This is a representative engagement — a composite based on real utility/OT security work, not a single named client. Industry figures are cited; engagement-specific outcomes are modeled and labeled illustrative.
A North American energy operator faced two open senior OT-security seats and a SIEM that was loud but blind. Maverin embedded senior, AI-literate security engineers under the client's lead within weeks, and ran a parallel fixed-fee engagement to re-engineer detection on the OT/IT boundary. The result: continuous coverage during the hiring gap, NERC-CIP-aligned segmentation controls, and a detection stack that surfaced OT-relevant events instead of drowning analysts in noise.
The client runs critical infrastructure: generation and distribution assets where an availability incident is a public-safety event, not a help-desk ticket. Their security team was competent and overcommitted — running IT controls well, but thin on the OT side, where the engineering culture, protocols, and uptime constraints differ from a corporate network.
Two realities collided. First, the talent market. The global cybersecurity workforce gap reached 4.8 million people in 2024, up 19% year over year, leaving roughly 47% of demand unmet (ISC2, 2024). In Canada specifically, one in six cybersecurity roles sits unfilled — over 25,000 open positions (Robert Half, 2025). For a niche OT/ICS security skill set, the candidate pool is thinner still: SANS found only ~10% of ICS/OT teams use AI in security and 51% lack a relevant certification (SANS, 2024).
Second, the clock. More than a third of organizations take three to six months to fill a security role, regardless of seniority (ISC2 / TechRepublic, 2024). For a utility, six months of an unfilled senior OT-security seat is six months of unmitigated exposure on assets that carry statutory reliability obligations.
Three concrete gaps, in priority order:
1. The OT/IT boundary was porous. Flat-ish network paths existed between the corporate environment and OT zones — the exact attack path that turns a phishing click into a control-system incident. NERC-CIP expects defined Electronic Security Perimeters and access control at those boundaries; the client had the policy intent but incomplete enforcement and inconsistent logging at the interface.
2. The SIEM was loud but blind. It ingested volume but had almost no OT-aware detection content. Analysts triaged a flood of low-value IT alerts while protocol-level OT events — unexpected engineering-workstation connections, firmware-push attempts, anomalous Modbus/DNP3 patterns — passed unexamined.
3. The staffing gap was structural, not seasonal. The client could not hire its way out on the needed timeline, and the staffing crunch is worsening: more than half of breached organizations reported severe security staffing shortages — a 26.2% year-over-year increase (IBM, 2024).
The cost of getting this wrong is not abstract. The average breach in the industrial sector ran USD 5.56M in 2024 — 18% higher year over year and 13% above the global average (IBM, 2024). And organizations with severe staffing shortages paid USD 1.76M more per breach than adequately staffed peers (IBM, 2024). On the regulatory side, NERC-CIP reliability-standard violations can carry civil penalties up to USD 1M per day, per violation (FERC, 2024).
We split the work along its two natural shapes: continuous capacity (staff augmentation) and a bounded outcome (fixed-fee).
Staff augmentation — senior, embedded, weekly billing. Two senior OT-security engineers joined the client's team under the client's security lead, not as a black-box subcontractor pod. They worked the client's tickets, attended the client's standups, and were accountable to the client's chain of command. Both were AI-literate — comfortable using detection-engineering copilots and log-analysis tooling, not just clicking through a console. This matters because organizations using AI and automation extensively in prevention saw ~USD 2.2M lower breach cost and roughly 100 days faster detection and containment (IBM, 2024); in Canada the figure is CA$2.84M lower cost and a 54-day shorter breach lifecycle (IBM Canada, 2024).
Fixed-fee — detection re-engineering with a defined scope and price. In parallel, a Maverin engagement team took ownership of a bounded deliverable: redesign detection on the OT/IT boundary, with acceptance criteria and a fixed price. The client carried no day-rate risk on the outcome work; the embedded engineers carried the run-rate capacity. No platform lock-in — we built on the client's existing SIEM and firewalls rather than steering them toward a tool we resell.
The Canadian market is moving this way for a reason: 54% of Canadian tech leaders increased their use of contract talent in H2 2025 (Robert Half, 2025). The point isn't "contractors instead of staff" — it's the right shape for each kind of work.
The work organized around the OT/IT boundary and what crosses it.
Segmentation and the Electronic Security Perimeter. We tightened the boundary toward a NERC-CIP-aligned model: defined zones and conduits, an enforced perimeter between corporate IT and OT, and access control at the interface. Engineering-workstation and jump-host paths into OT were inventoried, locked down, and logged. The goal was a boundary you can describe, enforce, and prove in an audit — not a diagram that no longer matches the network.
Detection content built for OT, not borrowed from IT. On the existing SIEM we authored detection logic for the events that actually matter on a control network: unexpected connections into OT zones, firmware-push and configuration-change attempts, anomalous industrial-protocol behavior (Modbus/DNP3), and unauthorized use of engineering credentials. Each detection was written with a documented hypothesis, a data source, and a tuned threshold — so an alert means something, and an analyst knows what to do with it.
Logging and visibility at the interface. OT-side monitoring is maturing across the sector — OT-specific monitoring rose from 33% in 2019 to 52% in 2024 (SANS, 2024) — but partial coverage leaves gaps exactly where boundary attacks live. We closed the highest-risk blind spots first: the paths between IT and OT.
Human-in-the-loop, by design. AI-assisted tooling accelerated detection authoring and log triage, but every detection that could touch a control system shipped behind human review. On critical infrastructure, an automated action with a false positive can itself be the incident.
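The two boundary detections described above (unexpected connections into OT zones, and industrial-protocol writes from unapproved hosts), as an added example that is not part of the engagement or the client's SIEM content. Zone ranges, jump-host and engineering-workstation allowlists, and the connection records are all constructed for the illustration; each rule carries the hypothesis, data source and threshold the case study calls for.

```python
# Added illustration: two OT/IT boundary detections over constructed
# connection records. Not the engagement's own detection content.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed zone layout and allowlists (constructed values).
OT_ZONES = [ipaddress.ip_network("10.50.0.0/16")]
JUMP_HOSTS = {"10.10.5.21", "10.10.5.22"}        # approved IT->OT jump hosts
ENGINEERING_WS = {"10.50.1.10", "10.50.1.11"}    # engineering workstations in OT
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}        # Modbus write function codes

@dataclass(frozen=True)
class Record:
    ts: str
    src: str
    dst: str
    dport: int
    modbus_fc: Optional[int] = None   # populated only by a protocol-aware sensor

def in_ot(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_ZONES)

def detect(records: List[Record]) -> List[Tuple[str, Record]]:
    """Return (rule_name, record) pairs for boundary events worth an analyst."""
    alerts = []
    for r in records:
        # Rule 1. Hypothesis: every IT->OT session enters via a jump host.
        # Data source: boundary firewall flow logs. Threshold: one event,
        # because a single unapproved crossing of the perimeter is reportable.
        if in_ot(r.dst) and not in_ot(r.src) and r.src not in JUMP_HOSTS:
            alerts.append(("unexpected_ot_ingress", r))
        # Rule 2. Hypothesis: only engineering workstations issue Modbus writes.
        # Data source: protocol-aware OT sensor. Threshold: one write.
        if r.dport == 502 and r.modbus_fc in MODBUS_WRITE_FCS and r.src not in ENGINEERING_WS:
            alerts.append(("modbus_write_from_unapproved_host", r))
    return alerts

SAMPLE = [  # constructed records, not captured traffic
    Record("2024-05-01T02:10:00Z", "10.10.5.21", "10.50.1.10", 3389),     # jump host: allowed
    Record("2024-05-01T02:11:00Z", "10.10.77.4", "10.50.1.10", 3389),     # corporate host into OT
    Record("2024-05-01T02:12:00Z", "10.50.1.10", "10.50.20.5", 502, 16),  # EWS write: allowed
    Record("2024-05-01T02:13:00Z", "10.50.30.9", "10.50.20.5", 502, 6),   # write from non-EWS
    Record("2024-05-01T02:14:00Z", "10.50.30.9", "10.50.20.5", 502, 3),   # read only: allowed
]

if __name__ == "__main__":
    for rule, rec in detect(SAMPLE):
        print(rule, rec.ts, rec.src, "->", rec.dst)
```

Both rules are allowlist-based, so they produce no alert on the approved paths and one alert per unapproved crossing; in practice the allowlists come from the inventoried jump-host and engineering-workstation paths the segmentation work produced.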
| Dimension | Before | After |
|---|---|---|
| OT/IT boundary enforcement | 3 | 8 |
| OT-aware detection coverage | 2 | 8 |
| Interface logging / visibility | 3 | 9 |
| Senior OT-security seats staffed | 2 | 10 |

Illustrative engagement outcome for a utility of this profile, scored 0–10 on four dimensions.
The headline outcome is timing. Against an industry baseline where a third of security roles take three to six months to fill (ISC2, 2024), embedded senior coverage was in place within weeks. For NERC-CIP-scoped assets, that compression is the difference between a quarter of exposure and a few weeks of it.
The before/after on detection is qualitative but concrete: the boundary went from porous to defined-and-logged; the SIEM went from high-volume / low-signal to OT-aware; analysts went from triaging IT noise to working OT-relevant events.
A note on the numbers below. The industry figures (breach cost, staffing-shortage penalty, AI-and-automation savings, time-to-fill) are real and cited. The engagement-specific outcomes are illustrative — modeled for a utility of this profile, not a measured audit result from a single named client. We label each metric accordingly. The honest version of the claim is: this is the shape of the result a utility in this position can expect, with the regulatory and market context that makes it credible.
| Industry figure | Value |
|---|---|
| Global workforce gap (millions, 2024) | 4.8 |
| YoY rise in workforce gap (%) | 19 |
| Canadian roles unfilled (%, ~1 in 6) | 16 |
| Extra breach cost from shortage (USD M) | 1.76 |
Cited industry figures on the cybersecurity talent gap and its cost.
Split the work by its shape, not by vendor convenience. Capacity that runs indefinitely belongs in staff augmentation, billed weekly, under your lead. A bounded deliverable with acceptance criteria belongs in a fixed-fee engagement where the vendor — not you — carries the day-rate risk. Don't let a staffing firm sell you a six-month "managed pod" for what is really an outcome you should be able to price.
Insist on senior and embedded. Junior contractors under a vendor's remote lead create a coordination tax you pay forever. Senior engineers under your lead, in your standups, accountable to your chain of command, are an extension of your team — and they transfer knowledge instead of hoarding it.
Fix the boundary before you buy more tools. The OT/IT interface is where a corporate compromise becomes a control-system incident. Defined zones, enforced perimeter, logging at the interface, and OT-aware detection on the SIEM you already own will outperform a new platform bolted onto an undefined network.
Demand no lock-in and a clean handover. If the capability dies when the contractors leave, you bought labor, not a result. Runbooks, detection rationale, an auditable boundary description, and knowledge transfer are part of the deliverable — not an upsell.
| Industry figure | Value |
|---|---|
| Industrial-sector avg. breach cost (USD M) | 5.56 |
| NERC-CIP penalty (USD M/day, per violation) | 1 |
| ICS/OT teams lacking a relevant cert (%) | 51 |
| OT-specific monitoring adoption 2024 (%) | 52 |
Cited breach-cost and regulatory figures framing the risk.