IP cameras. PLCs. HVAC controllers. Access panels. Smart meters. The modern enterprise is full of connected devices that were never designed with security in mind — and most organizations have no idea what those devices are doing on the network.
This is the IoT and OT security gap. And it is growing.
The Problem with Connected Devices
Traditional endpoint security — antivirus, EDR agents, patch management — does not work on IoT and OT devices. You cannot install an agent on a PLC. You cannot patch a building management controller without shutting down the floor. These devices sit silently on your network, often for years, and they represent a significant blind spot.
Attackers know this. Industrial control systems, IP cameras, and smart building infrastructure have all been exploited in high-profile breaches. The attack does not always target the device itself — it uses the device as a foothold to move laterally into the rest of the network.
What OT/IoT Security Monitoring Actually Looks Like
The good news: you do not need to install anything on the devices themselves. Passive network monitoring — placing a sensor on the OT network segment — gives you visibility into everything that is happening without touching a single device.
A modern open-source IoT/OT security stack looks like this:
- Passive network sensor (Zeek or Suricata) deployed on the OT segment — sees all traffic without disruption
- Protocol-aware detection — understands industrial protocols like Modbus, BACnet, and MQTT, and flags anomalous behavior
- Device inventory and fingerprinting — automatically discovers what is on the network and alerts when a new, unknown device appears
- SIEM integration (Wazuh + OpenSearch) — correlates IoT alerts with the rest of your security posture
- Automated case creation (DFIR-IRIS) and alerting (PagerDuty / LINE Notify) — so your team responds, not just receives notifications
```mermaid
flowchart TD
    subgraph OT["OT / IoT Network Segment"]
        D1[PLC / SCADA]
        D2[IP Cameras]
        D3[HVAC / BMS]
        D4[Smart Meters]
    end
    TAP["Passive Sensor — Zeek / Suricata\n(no agent install required)"]
    subgraph SIEM["SIEM — Wazuh + OpenSearch"]
        DEC["Custom Decoders\nModbus · BACnet · MQTT"]
        INV["Device Inventory & Fingerprinting"]
        COR["Alert Correlation & Rule Engine"]
    end
    subgraph RESPONSE["Incident Response"]
        IRIS["DFIR-IRIS\nCase Management"]
        SOAR["Shuffle SOAR\nPlaybook Automation"]
        ALERT["PagerDuty / LINE Notify\nOn-call Alerting"]
    end
    IT["IT Network\nServers · Endpoints · FortiGate · VMware"]
    OT -->|mirror port / TAP| TAP
    TAP --> DEC
    TAP --> INV
    DEC --> COR
    INV --> COR
    IT -->|syslog / agent| COR
    COR --> IRIS
    IRIS --> SOAR
    SOAR --> ALERT
```
The result is a unified SOC that covers not just your servers and endpoints, but every connected device in your facility.
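To make the "device inventory" and "protocol-aware detection" layers concrete, here is an added example (not code from the original post or from Simplico's stack) of the two checks a sensor-fed rule engine typically runs first: flag any host on the OT segment that is not in the inventory baseline, and flag Modbus write function codes issued by anything other than an approved engineering host. The log lines are constructed in the JSON shape Zeek writes for conn.log and modbus.log; the inventory, the /24, the approved-writer set and the function names are assumptions for the example.

```python
import ipaddress
import json

# Constructed sample lines in Zeek's JSON log format (not a real capture).
CONN_LOG = """\
{"ts":1717400000.1,"uid":"C1","id.orig_h":"10.20.0.50","id.orig_p":49200,"id.resp_h":"10.20.0.10","id.resp_p":502,"proto":"tcp","service":"modbus"}
{"ts":1717400001.2,"uid":"C2","id.orig_h":"10.20.0.51","id.orig_p":49201,"id.resp_h":"10.20.0.11","id.resp_p":47808,"proto":"udp","service":"bacnet"}
{"ts":1717400002.3,"uid":"C3","id.orig_h":"10.20.0.77","id.orig_p":51000,"id.resp_h":"10.20.0.10","id.resp_p":502,"proto":"tcp","service":"modbus"}
"""

MODBUS_LOG = """\
{"ts":1717400000.2,"uid":"C1","id.orig_h":"10.20.0.50","id.orig_p":49200,"id.resp_h":"10.20.0.10","id.resp_p":502,"func":"READ_HOLDING_REGISTERS"}
{"ts":1717400002.4,"uid":"C3","id.orig_h":"10.20.0.77","id.orig_p":51000,"id.resp_h":"10.20.0.10","id.resp_p":502,"func":"WRITE_MULTIPLE_REGISTERS"}
{"ts":1717400003.0,"uid":"C4","id.orig_h":"10.20.0.50","id.orig_p":49202,"id.resp_h":"10.20.0.10","id.resp_p":502,"func":"WRITE_SINGLE_COIL"}
"""

# Assumed OT segment watched by the passive sensor.
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

# Baseline inventory: what is supposed to be on the OT segment (constructed).
INVENTORY = {
    "10.20.0.10": "plc-line1",
    "10.20.0.11": "bms-controller",
    "10.20.0.50": "engineering-workstation",
    "10.20.0.51": "bms-head-end",
}

# Only these hosts may issue Modbus write function codes (assumption).
ALLOWED_MODBUS_WRITERS = {"10.20.0.50"}


def parse_zeek_json(text):
    """Yield one dict per non-empty line of Zeek JSON log output."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def find_unknown_devices(conn_log, inventory, segment):
    """Return {ip: first_seen_ts} for OT-segment hosts missing from the inventory."""
    unknown = {}
    for rec in parse_zeek_json(conn_log):
        for key in ("id.orig_h", "id.resp_h"):
            ip = rec[key]
            if ipaddress.ip_address(ip) in segment and ip not in inventory:
                unknown.setdefault(ip, rec["ts"])  # keep the first sighting only
    return unknown


def find_unauthorized_writes(modbus_log, allowed_writers):
    """Return Modbus write requests whose source is not an approved writer."""
    hits = []
    for rec in parse_zeek_json(modbus_log):
        if rec["func"].startswith("WRITE_") and rec["id.orig_h"] not in allowed_writers:
            hits.append({"ts": rec["ts"], "src": rec["id.orig_h"],
                         "dst": rec["id.resp_h"], "func": rec["func"]})
    return hits


def build_alerts(conn_log, modbus_log):
    """Combine both checks into one time-ordered alert list for the SIEM."""
    alerts = []
    for ip, ts in find_unknown_devices(conn_log, INVENTORY, OT_SEGMENT).items():
        alerts.append({"ts": ts, "kind": "new_device", "src": ip,
                       "detail": "host not in OT inventory"})
    for hit in find_unauthorized_writes(modbus_log, ALLOWED_MODBUS_WRITERS):
        alerts.append({"ts": hit["ts"], "kind": "unauthorized_modbus_write", "src": hit["src"],
                       "detail": f"{hit['func']} to {hit['dst']}"})
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in build_alerts(CONN_LOG, MODBUS_LOG):
        print(alert)
```

On the constructed input the unknown host 10.20.0.77 produces two alerts: it appears in conn.log without an inventory entry, and it then issues a WRITE_MULTIPLE_REGISTERS to the PLC, while the same write from the approved engineering workstation is not flagged. In a real deployment the inventory would be built from a learning period on the sensor rather than hard-coded, and both alert kinds would be emitted as log lines for a Wazuh decoder to pick up.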
Why Open Source Changes the Economics
Enterprise OT security platforms — Claroty, Nozomi Networks, Dragos — are powerful, but they are priced for Fortune 500 companies. Mid-market organizations in manufacturing, facilities management, and healthcare often cannot justify the cost.
An open-source-based OT/IoT monitoring stack delivers the same core capability — passive visibility, anomaly detection, automated alerting — at a fraction of the price. The key is having the right implementation partner who understands both the technology and your operational environment.
How Simplico Approaches This
At Simplico, we have built SOC infrastructure for clients across manufacturing, logistics, and enterprise IT. Our stack — Wazuh, OpenSearch, DFIR-IRIS, and Shuffle SOAR — is already in production for Windows, Linux, FortiGate, and VMware environments.
Extending that stack to cover IoT and OT networks is a natural evolution. We deploy passive sensors, write custom Wazuh decoders for your device types, and integrate everything into the same dashboard and alerting pipeline your security team already uses.
The soc-integrator: One Pipeline, Zero Manual Handoffs
The piece that makes this work in practice is something we built in-house — the Simplico soc-integrator, a FastAPI middleware service that connects every layer of the SOC stack automatically.
When Wazuh fires an alert, the soc-integrator takes over: it creates a structured case in DFIR-IRIS, triggers the appropriate playbook in Shuffle SOAR, and escalates to PagerDuty for on-call notification — all without manual intervention. For IoT and OT environments, this matters even more than in traditional IT: device anomalies need to move from detection to response in seconds, not minutes.
Most organizations using open-source SOC tools spend weeks hand-configuring webhooks and API bridges between each component. The soc-integrator ships that integration pre-built, tested, and production-ready. Your team responds to incidents, not integration problems.
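The routing logic described above, as an added example that is not the soc-integrator's own code and is not tied to FastAPI: one function takes a Wazuh alert and fans it out to DFIR-IRIS, Shuffle and PagerDuty, gated on rule level so that informational alerts stay in the SIEM and only high-severity ones page on-call. The sample alert is constructed in the shape Wazuh writes to alerts.json; the PagerDuty body follows the public Events API v2, while the IRIS route and case fields, the Shuffle webhook URL, the level thresholds and the tokens are placeholders and assumptions for this example. The HTTP transport is injectable so the logic runs offline.

```python
import json
from urllib import request

# Placeholder endpoints and secrets; real values come from your own deployment.
IRIS_URL = "https://iris.example.internal/manage/cases/add"  # IRIS route and fields are assumed
SHUFFLE_WEBHOOK = "https://shuffle.example.internal/api/v1/hooks/webhook_PLACEHOLDER"
PAGERDUTY_EVENTS = "https://events.pagerduty.com/v2/enqueue"  # PagerDuty Events API v2

MIN_LEVEL_FOR_CASE = 7   # Wazuh rule level at which a case is opened (assumption)
MIN_LEVEL_FOR_PAGE = 12  # level at which on-call is paged (assumption)

# Constructed Wazuh alert in the shape written to alerts.json (not a real event).
SAMPLE_ALERT = {
    "id": "1717400002.48213",
    "timestamp": "2024-06-03T08:00:02.400+0000",
    "rule": {"id": "100201", "level": 12, "groups": ["ot", "modbus"],
             "description": "Unauthorized Modbus write from host not in OT inventory"},
    "agent": {"id": "007", "name": "ot-sensor-1"},
    "data": {"srcip": "10.20.0.77", "dstip": "10.20.0.10", "func": "WRITE_MULTIPLE_REGISTERS"},
}


def pd_severity(level):
    """Map a Wazuh rule level (0-15) onto PagerDuty's four severities."""
    if level >= 12:
        return "critical"
    if level >= 9:
        return "error"
    if level >= 7:
        return "warning"
    return "info"


def iris_case_payload(alert):
    """Case body for DFIR-IRIS; the field names are an assumption for this example."""
    rule = alert["rule"]
    return {
        "case_name": f"[Wazuh {rule['id']}] {rule['description']}",
        "case_description": json.dumps(alert, indent=2),
        "case_customer": 1,
        "case_soc_id": alert["id"],
    }


def shuffle_payload(alert):
    """Shuffle webhook triggers accept arbitrary JSON; pass the alert through."""
    return {"source": "wazuh", "alert": alert}


def pagerduty_payload(alert, routing_key):
    """PagerDuty Events API v2 trigger event; dedup_key stops a re-firing rule paging twice."""
    rule = alert["rule"]
    return {
        "routing_key": routing_key,
        "event_action": "trigger",
        "dedup_key": f"wazuh-{rule['id']}-{alert['data'].get('srcip', 'na')}",
        "payload": {
            "summary": rule["description"],
            "source": alert["agent"]["name"],
            "severity": pd_severity(int(rule["level"])),
            "timestamp": alert["timestamp"],
            "custom_details": alert["data"],
        },
    }


def http_post_json(url, body, headers=None):
    """Default transport: POST JSON with urllib and return the HTTP status."""
    req = request.Request(url, data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    for name, value in (headers or {}).items():
        req.add_header(name, value)
    with request.urlopen(req, timeout=10) as resp:
        return resp.status


def handle_wazuh_alert(alert, post=http_post_json,
                       iris_token="IRIS_TOKEN_PLACEHOLDER", pd_routing_key="PD_KEY_PLACEHOLDER"):
    """Fan one alert out to case management, SOAR and on-call; return the actions taken."""
    level = int(alert["rule"]["level"])
    actions = []
    if level < MIN_LEVEL_FOR_CASE:
        return actions  # informational: stays in the SIEM, no case opened
    post(IRIS_URL, iris_case_payload(alert), {"Authorization": f"Bearer {iris_token}"})
    actions.append("iris_case")
    post(SHUFFLE_WEBHOOK, shuffle_payload(alert))
    actions.append("shuffle_playbook")
    if level >= MIN_LEVEL_FOR_PAGE:
        post(PAGERDUTY_EVENTS, pagerduty_payload(alert, pd_routing_key))
        actions.append("pagerduty_page")
    return actions


if __name__ == "__main__":
    # Dry run: record the destinations instead of talking to the network.
    sent = []
    print(handle_wazuh_alert(SAMPLE_ALERT, post=lambda url, body, headers=None: sent.append(url) or 202))
    print(sent)
```

In a FastAPI service the webhook route would deserialize the alert Wazuh's integration script posts and call handle_wazuh_alert with the real transport; keeping the routing in a plain function is what lets the thresholds and payloads be tested without standing up IRIS, Shuffle or PagerDuty.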
No rip-and-replace. No expensive licenses. Just visibility where you had none before — and a response pipeline that actually closes the loop.
Ready to see what is actually on your network? Contact us at hello@simplico.net or visit simplico.net to start a conversation.
