Skip to main content

Services

If you run an industrial operation, you have to prove your OT environment is secure. A board, an auditor, an insurer, or a regulator wants evidence. You have to produce it without disrupting the process or putting safety at risk. Most security help was built for IT and does not fit how your operations run.

Cutaway Security helps you close that gap. We work with operators across critical infrastructure: electric and energy utilities, oil and gas, natural gas, water, chemical, food and beverage, warehousing and distribution, and amusement and attractions. Every engagement produces prioritized, actionable findings aligned to how your process actually runs.

Engagements are led by Don C. Weber, an ISA-certified ISA/IEC 62443 Cybersecurity Expert, a SANS Principal Instructor, and co-author of SANS ICS613.

Start a scoping conversation

Why this matters now
#

The barrier that used to protect OT was knowledge. An attacker needed years of industrial experience to move from a remote access device, through the enterprise, into the OT network, and down to the process. That barrier is dropping. AI now does much of that learning for the attacker. The result is quicker gains with far less expertise.

We have shown what this looks like on real equipment, step by step on a live PLC. It is not theory. Dragos documented a real intrusion in which commercial AI models acted as the primary technical executor, identified the OT environment as the crown-jewel target, and probed the path across the IT and OT boundary.

This is not a reason to panic. It is a reason to organize your defenses now, against attackers who move faster with less.

How we approach defense
#

We build on the recognized model for industrial defense: the SANS Five ICS Critical Controls and the ICS Cyber Kill Chain. The five controls (incident response, defensible architecture, network visibility and monitoring, secure remote access, and risk-based vulnerability management) give you a practical way to prevent, detect, respond, and recover that flexes to your risk. Don teaches this material and co-authored the SANS course built on it.

AI-integrated OT defense
#

The same shift that arms attackers can strengthen defenders. We are doing that work today, including an engagement with an electric cooperative. This is not a plan for later. We use AI to speed the defensive work behind your operations: analyzing architecture, reviewing and hardening configurations, building monitoring and threat-hunting content, and supporting the administration around them. Throughout, your people stay in control.

What you can engage us for:

  • Architecture and configuration analysis. When you need to know whether a design or a device configuration holds up, we use AI to review it against the SANS Five Critical Controls and ISA/IEC 62443, and hand you prioritized, human-verified hardening steps.
  • Monitoring and threat-hunting content. When you need visibility but lack the team to build it, we develop and tune detection and hunting content for your environment, mapped to the Five Controls. ICS Watch Dog, our open monitoring configurations tuned with AI assistance, is one public example.
  • Defensive tooling, built fast. When your team needs something that does not exist yet, we stand up a working tool in days. We built a Cisco ASA firewall review tool in about a day, and noted where the AI had to be overruled.

We share what we learn through open-source tools, workshops, and training.

How we use AI responsibly. We push the boundary deliberately, within firm limits. In safety-critical OT, AI assists and accelerates the people doing the work. It does not replace operator judgment, and it does not run autonomous countermeasures against a live process. We work in controlled accounts with model training turned off. You decide what leaves your environment. Your sensitive configurations are not used to train models or shared with other clients. Every output is grounded in your environment and reviewed by people who understand it. You stay in control of what changes and when.

As AI strengthens architecture and threat hunting, continuous improvement begins to complement the periodic assessment cycle. We are out front of that shift, and we bring our clients with us.

Where to start: the assessment journey
#

The assessment journey is our established consulting work. The right first step is rarely a penetration test. Testing should begin passive and go deeper only as the foundation supports it. We meet you where you are and move at the pace your operations allow.

Executive briefing. A conversation for leadership. We help you organize your program and choose the right next step to protect operations, which is often not a pen test. This is the usual front door.

1. High-level and gap assessment
#

  • When: you need a baseline and a prioritized path.
  • Answers: where you stand against the Five Controls, and what to fix first.
  • Delivers: a gap analysis and a prioritized roadmap, informed by bench testing and targeted research when a device or protocol needs a closer look.
  • Next: architecture review.

2. Architecture review
#

  • When: you need to know whether segmentation, data flows, and trust boundaries hold.
  • Answers: whether the design is defensible, and where the gaps are.
  • Delivers: a review aligned with ISA/IEC 62443 and the SANS ICS reference architecture, with prioritized recommendations.
  • Next: a focused security assessment.

3. Security assessment
#

  • When: you need to confirm controls work in the live environment without disrupting it.
  • Answers: whether the controls actually work.
  • Delivers: findings that feed your vulnerability management and risk programs.
  • Next: targeted penetration testing, where it is safe and useful.

4. Penetration testing
#

  • When: the foundation is in place and you need to know what an adversary could really do.
  • Answers: your real exposure, proven.
  • Delivers: authorized, carefully scoped offensive testing with respect for operational safety. Includes assumed breach and M&A analysis.
  • Next: remediation and re-test.

Program maturity is a separate track. We evaluate how your security program is implemented across multiple areas, measure progress, and prioritize investment, so you can show a board, an auditor, an insurer, or a regulator where you stand and where you are headed.

Demonstrated capability
#

We cannot share client names, so here is the work itself. These are public examples of the analysis and tooling behind our engagements.

Each card maps a capability to public proof of it.

Our open-source tools are on GitHub, including ICS Watch Dog and CHAPS. See the Projects page for the full list, and Publications for white papers, talks, and standards work.

Start a scoping conversation
#

The best first step is a scoping conversation about your environment and what you are trying to prove. Tell us what you operate, what you need to demonstrate, and any constraints or timing. We will tell you how we can help.

Start a scoping conversation

Prefer LinkedIn? Reach us at Cutaway Security.

There are no articles to list here yet.