Introduction
Let’s be honest: if you work in manufacturing, energy, utilities, or any OT-heavy industry, cybersecurity probably feels like something handled by “the IT team upstairs.” But here’s the reality check: the systems that keep your machines running, control your production lines, and manage your remote access are all digital now. This means they are exposed to the same kinds of vulnerabilities as any other digital system.
A successful cyberattack in an operational technology (OT) environment doesn’t just leak some data; it can bring down entire operations, put safety at risk, or cost you serious money.
So, how can you realistically test and improve your defences without disrupting production?
That’s where Red Team vs. Blue Team exercises come in. They’re not just for the tech crowd; they’re practical tools that help real-world teams figure out what’s working, what isn’t, and how to get better before something bad happens.
Let’s break it down in plain English.
What are Red Teams in Cybersecurity?
Think of the red team as your in-house “pretend attackers.” Their job is to think and act like real-world cyber criminals, but instead of doing damage, they’re showing you where the cracks are before the bad guys find them.
In an OT setting, red team techniques look like:
- Sending fake phishing emails to see if anyone takes the bait.
- Testing if old workstations are still using default passwords.
- Trying to access a remote terminal that shouldn’t be exposed.
- Seeing how easy it is to physically sneak into a restricted area.
They’re not here to play “gotcha”; they’re trying to help you uncover weak spots that may otherwise be invisible.
Furthermore, red teams do not just audit from a checklist; they must think like real attackers. Thinking this way allows them to:
- Spot vulnerabilities that traditional scans and audits may miss.
- Identify weak points in human behaviour, such as clicking on phishing links or weak access control. This is extremely important, as most cyber attacks begin with people inside the organisation.
- Find overlooked paths into sensitive systems, such as unsecured remote access or poor network segmentation, by thinking outside the box.
- Improve detection and response capabilities by recognising blind spots.
- Enhance risk-based decision-making.
- Feed into better OT-specific defence strategies such as attack mapping, identifying exposed legacy protocols and suggesting friendly fixes that don’t require much downtime.
OT environments often run on legacy systems: older technology that was not built for modern-day threats. This is where red teams help narrow the gap and reduce the impact a threat may have.
What are Blue Teams in Cybersecurity?
The blue team is your defenders: the people who monitor systems, respond to incidents and try to keep everything secure and running smoothly.
During an exercise, the blue team doesn’t get a heads-up. They don’t know what the Red Team is planning, which makes it a good test of how fast they can detect a problem, how well they respond, and how prepared the organisation really is. Keeping them in the dark makes the simulation more realistic.
The challenge in OT is that blue teams often have to defend systems that are old and delicate and can’t afford downtime. You can’t just unplug a programmable logic controller (PLC) or reboot a live production environment like you would in IT.
Benefits of Blue Teaming:
- Defends Against Real-Time Threats: Monitors, detects and responds to suspicious activity, keeping systems safe while operations run.
- Protects Critical Infrastructure: Safeguards sensitive OT assets like PLCs, SCADA systems, and HMIs from cyber and physical threats.
- Maintains Uptime and Operational Safety: Ensures production lines, utilities, and other vital systems stay online and within safe operating limits during incidents.
- Develops Incident Response Capabilities: Builds playbooks and drills that help teams react swiftly and calmly during real-world attacks or outages.
- Enhances Threat Visibility Across IT/OT: Improves monitoring across both traditional IT networks and operational technology environments.
- Strengthens Long-Term Security Posture: Builds layered defences (firewalls, anomaly detection, access controls) that evolve as threats grow more sophisticated.
- Supports Regulatory Compliance: Helps meet cybersecurity and safety standards (like NIST, IEC 62443, or NIS2) by tracking, logging, and reporting security events.
- Reduces Impact of Attacks: Limits attacker dwell time, prevents lateral movement, and isolates affected systems to reduce operational disruption.
- Promotes Continuous Improvement: Learns from Red Team exercises, threat intel, and real incidents to adapt and improve defences over time.
- Builds a Culture of Security: Acts as a central point for training staff, raising awareness, and encouraging best practices across departments.
While the Red Team breaks things (on purpose) to find weaknesses, the Blue Team keeps the lights on and makes sure they’re hard to switch off.
Purple Teaming: Working Together to Improve
After the simulation ends, the red and blue teams sit down together, compare notes, and figure out what worked, what didn’t, and how to do better next time. This joint effort is sometimes called purple teaming.
It’s not about finger-pointing; it’s about learning and improving across departments. Ultimately, effective collaboration leads to increased productivity and efficiency alongside stronger processes within any given organisation.
How to Run These Simulations in an OT Environment?
Here’s where many OT leaders hesitate, and rightly so. The idea of “testing” security might sound risky. After all, you can’t afford to shut down a plant just to run a simulation.
But the good news is, there are ways to do this safely, carefully, and with real value. Let’s walk through five key best practices:
1. Start with Clear Goals
Before you begin, ask yourself: What are we trying to learn?
- Are we testing how fast our team can detect an incident?
- Do we want to find out if someone could access a Human Machine Interface (HMI) from outside the building?
- Are we curious about how staff would react to a phishing attempt?
Having a clear objective ensures the exercise is focused and meaningful, not just “hacking for fun.”
2. Use Realistic, Industry-Relevant Scenarios
A generic hacker simulation won’t do much good.
Instead, build scenarios based on real threats to your sector. For example:
- In a chemical plant, simulate a breach targeting the recipe management system.
- In utilities, test what happens if a malicious actor tries to shut off remote monitoring.
- In manufacturing, simulate ransomware that locks up the production line.
Use actual threat intelligence from sources like MITRE ATT&CK for ICS (which gives a visual representation of attack patterns) or past incidents in your industry. This makes the exercise more relevant and more impactful.
3. Prioritise Safety and Isolation
Your production systems are fragile and critical. So, never run tests directly on them without preparation.
Instead:
- Create mirrored test environments where you can run attacks safely.
- Use network segmentation to isolate test zones from live operations.
- Run “tabletop” simulations—strategic discussions where teams walk through attack scenarios without touching real systems.
Safety first. Always.
4. Don’t Forget the People
Cybersecurity isn’t just about firewalls and software. Humans are often the weakest link, but they can also be your first line of defence.
Include tests that challenge the human layer:
- Phishing simulations
- Physical access challenges (e.g., tailgating into control rooms)
- Policy checks like whether staff are following password or USB protocols
You’ll quickly find where your people need support, training, or clearer policies.
5. Always Run a Post-Mortem (Purple Teaming)
Once the exercise is over, don’t just say “good job” and move on.
Bring everyone together (Red Team, Blue Team, operations, leadership) and review:
- What the attackers did
- How defenders responded
- What went well
- What needs improvement
Update your incident response plans, adjust monitoring tools, and invest in training where gaps are revealed.
This is where the real transformation happens. You’re not just reacting; you’re getting ahead of the curve.
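As an added example (this is not code from the original article, and the subnets, hosts, timestamps and function codes are all constructed for illustration), the following Python script shows what the five practices look like when a blue team actually replays an exercise: a clear goal (how fast do we detect a segmentation breach?), a realistic scenario (an office host talking Modbus to the PLC cell), detection logic that runs offline against captured flow records rather than against live controllers, and a post-mortem metric (time from the first violation to the SOC acknowledging it) that feeds the purple-team review.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Hypothetical network zones for the exercise (constructed, not a real site).
ZONES = {
    "corporate_it": ip_network("10.10.0.0/16"),   # office network
    "engineering":  ip_network("10.20.5.0/24"),   # engineering workstations
    "plc_cell":     ip_network("10.30.1.0/24"),   # controllers on the line
}
MODBUS_PORT = 502
# Modbus/TCP function codes that change controller state (write coil/register).
MODBUS_WRITE_CODES = {5, 6, 15, 16}


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    func_code: Optional[int]   # None for non-Modbus traffic


@dataclass
class Alert:
    ts: datetime
    severity: str
    reason: str


def parse_flows(text: str) -> List[Flow]:
    """Parse constructed flow lines: '<ISO time> <src> <dst> <dport> <modbus fc or ->'."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, fc = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport),
                          None if fc == "-" else int(fc)))
    return flows


def zone_of(ip: str) -> str:
    """Map an address to its exercise zone, or 'unknown' if it is in none of them."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def detect(flows: List[Flow]) -> List[Alert]:
    """Segmentation rule for the drill: only the engineering zone may talk to
    the PLC cell. A Modbus write from anywhere else is 'high'; any other
    contact with the PLC cell from outside engineering is 'medium'."""
    alerts = []
    for f in flows:
        if zone_of(f.dst) != "plc_cell" or zone_of(f.src) == "engineering":
            continue
        is_write = f.dport == MODBUS_PORT and f.func_code in MODBUS_WRITE_CODES
        alerts.append(Alert(
            ts=f.ts,
            severity="high" if is_write else "medium",
            reason=(f"{zone_of(f.src)} host {f.src} "
                    f"{'wrote to' if is_write else 'contacted'} {f.dst}:{f.dport}"),
        ))
    return alerts


def detection_latency(alerts: List[Alert], acknowledged_at: datetime) -> Optional[timedelta]:
    """Post-mortem metric: time from the first policy violation until the blue
    team acknowledged it. None means the exercise was never detected at all."""
    if not alerts:
        return None
    return acknowledged_at - min(a.ts for a in alerts)


# Constructed flow records from the drill (not real traffic).
SAMPLE_LOG = """\
2024-05-14T09:00:05 10.20.5.17 10.30.1.20 502 3
2024-05-14T09:00:09 10.20.5.17 10.30.1.20 502 16
2024-05-14T09:12:41 10.10.44.8 10.30.1.20 502 3
2024-05-14T09:13:02 10.10.44.8 10.30.1.20 502 6
2024-05-14T09:13:30 10.10.44.8 10.30.1.21 22 -
2024-05-14T09:40:00 10.20.5.17 10.30.1.21 502 3
"""

if __name__ == "__main__":
    alerts = detect(parse_flows(SAMPLE_LOG))
    for a in alerts:
        print(a.ts.isoformat(), a.severity, a.reason)
    # Constructed: the SOC ticket shows the alert was acknowledged at 09:41.
    print("time to detect:", detection_latency(alerts, datetime(2024, 5, 14, 9, 41)))
```

The two engineering-workstation flows, including a legitimate write, produce nothing; the three office-network flows to the PLC cell each raise an alert, and the write (function code 6) is rated higher than the reads and the SSH attempt. The 28-minute gap between the first violation and the acknowledgement is the number that belongs in the post-mortem: it tells you whether the monitoring gap is in the sensor placement, the alerting rule, or the people watching the console.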
It’s Time To Take Action!
OT systems are becoming more connected, more digitised, and let’s be honest, more vulnerable. What used to be isolated environments are now hooked up to the internet, cloud platforms, and remote access tools.
And threat actors are watching. Ransomware gangs and even insiders have targeted OT organisations in recent years, sometimes with devastating consequences.
Think of the Colonial Pipeline ransomware attack in 2021, which halted fuel supply to large parts of the U.S. East Coast. That wasn’t science fiction; it was a wake-up call.
Red/Blue Team exercises won’t solve everything, but they make you aware, prepared, and agile. In the fast-evolving world of OT cybersecurity, that may make all the difference.
Final Thoughts…
Cyber threats are no longer just an IT problem. In OT environments, the consequences of a breach can ripple into the physical world, impacting safety, productivity, and the bottom line.
Red and Blue Team exercises give you a safe, smart way to find and fix your weaknesses before someone else does. More importantly, they bring people together from IT to engineering to executive leadership to build a culture of resilience.
No need to be a cybersecurity expert. You just need to be willing to ask the right questions and start the conversation.
FAQs
What’s the main difference between the red and blue teams?
In a simulated attack, red teams are the attackers, trying to find a way to break into a system before real attackers can. On the other hand, blue teams are the defenders, monitoring systems and detecting threats during these simulations.
How often should these exercises be done?
I would aim for every 3 to 4 months to stay ahead of threats. Maybe even conduct smaller tests during the periods when these exercises are not happening. I would still opt for regular monitoring, as it allows teams to stay sharp.
What skills do Red and Blue Team members need?
Red Team Members: Ability to hack ethically, think outside the box, and have a deep understanding of OT systems. Furthermore, members of this team need to be creative as they need to think of all the possible ways cybercriminals can break in. Other skills include: social engineering, threat intelligence and software development.
Blue Teams: Attention to detail when spotting threats, proactive when responding to incidents and protecting critical systems.
Soft skills such as communication, interpersonal and problem-solving skills play a huge part when working together (purple teaming). Critical thinking is also important for closing the gap between an attack occurring and its detection.
How can we test safely without causing damage?
Make sure to:
- Define clear boundaries for what’s being tested.
- Use test environments and not live systems.
- Segment your network to keep critical systems safe during tests.