The IT Cybersecurity Playbook Doesn't Work on a BMS: Inside the Standard OT Version Morgan Stanley Runs
IT's cybersecurity playbook typically sounds something like: run regular vulnerability scans, put a security agent on every device, log everything. That playbook doesn't translate well to the OT world. At NexusCast in January, Grace Lai, Executive Director at Morgan Stanley, walked through why the playbook fails and what Morgan Stanley does instead.
The first problem is the scan itself: many BMS devices are sensitive enough to active scans that the scan alone can knock equipment offline. The second problem is the device itself: most IoT and OT hardware is agentless, with no operating-system layer on which to install a security agent. Between the two, the standard IT mix of vulnerability scans and endpoint agents breaks down on OT networks.
Morgan Stanley's alternative approach starts with passive pattern recognition. Passive monitoring has been the default in OT cybersecurity for years. The security layer sits on the network and watches what's moving across it: who's talking to whom, over which protocols, in what order. Asset inventory comes from device fingerprints in the traffic itself, not from probing. Morgan Stanley's version layers explicit policy on top. Scalable group tagging (SGT) intent rules, derived from its segmentation architecture (BMS devices only talking to the systems they should; IoT grouped and scoped to its function), define what each device class is supposed to do. Anything that deviates from those rules gets flagged.
Two procurement filters raise the floor on what's allowed onto the network in the first place. Lai pointed to industry-wide crowdsourced device catalogs that surface manufacturer, firmware version, and end-of-support status before a device is selected. She also referenced 802.1X certificate-based authentication as a vendor-side capability worth requiring, a control that makes it materially harder for an unauthorized device to join the network at all.
The operating discipline she emphasized: don't auto-remediate the moment something looks off. Establish the baseline first. Most environments are introducing more IoT and OT devices, not fewer, and the definition of normal traffic will keep moving.
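As an added illustration (not code from the talk or from Morgan Stanley), the following Python sketch shows how the passive-monitoring and baseline-first ideas above fit together: an inventory derived from passive fingerprints maps each device to a group tag, SGT-style intent rules state which protocols each group pair may use, and a baseline mode records what device classes actually do instead of alerting, so rules can be reconciled with reality before enforcement is switched on. The group names, protocols, addresses and flow records are constructed assumptions, not anything from the talk.

```python
from collections import defaultdict

# Intent rules keyed by (source group, destination group) -> allowed protocols.
# Anything not listed is a deviation from what that device class should do.
INTENT_RULES = {
    ("bms_controller", "bms_server"): {"bacnet"},
    ("bms_server", "bms_controller"): {"bacnet"},
    ("iot_camera", "video_recorder"): {"rtsp"},
    ("iot_camera", "ntp_server"): {"ntp"},
}

# Inventory as derived from passive fingerprints (constructed sample): device
# identity -> group tag. Nothing here sends a packet to any device.
INVENTORY = {
    "10.20.1.11": "bms_controller",
    "10.20.1.2": "bms_server",
    "10.30.5.40": "iot_camera",
    "10.30.5.1": "video_recorder",
    "10.0.0.123": "ntp_server",
}

def classify_flow(src, dst, proto):
    """Return 'allowed', 'deviation' or 'unknown_device' for one observed flow."""
    sg, dg = INVENTORY.get(src), INVENTORY.get(dst)
    if sg is None or dg is None:
        return "unknown_device"  # fingerprint matched no known device class
    return "allowed" if proto in INTENT_RULES.get((sg, dg), set()) else "deviation"

def review_flows(flows, baseline_mode):
    """Baseline mode records what each class actually does instead of flagging,
    so operators can reconcile rules with reality before alerts are turned on."""
    baseline = defaultdict(set)
    findings = []
    for src, dst, proto in flows:
        if baseline_mode:
            baseline[(INVENTORY.get(src, "?"), INVENTORY.get(dst, "?"))].add(proto)
            continue
        verdict = classify_flow(src, dst, proto)
        if verdict != "allowed":
            findings.append((verdict, src, dst, proto))
    return findings, dict(baseline)

# Constructed flow records: (source, destination, protocol)
SAMPLE_FLOWS = [
    ("10.20.1.11", "10.20.1.2", "bacnet"),  # controller to its server: expected
    ("10.30.5.40", "10.30.5.1", "rtsp"),    # camera to recorder: expected
    ("10.30.5.40", "10.20.1.2", "http"),    # camera reaching into BMS: deviation
    ("10.9.9.9", "10.20.1.11", "bacnet"),   # unfingerprinted source touching BMS
]
```

Run `review_flows(SAMPLE_FLOWS, baseline_mode=True)` first to see what each group pair really does, then compare that against `INTENT_RULES` before flipping to enforcement mode.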
Register for the next Nexus Labs event.
Sign up for the newsletter to get 5 stories like this per week:
This is a great piece!
I agree.