Case Study: Eliminating Alert Fatigue, Adding OT Risk Context

09 Aug 2022

“Before being introduced to OTORIO’s solution, it was hard to detect real security threats due to the high volume of false-positive security alerts created by our existing IDS solutions. OTORIO’s RAM² platform managed to present only relevant alerts, reducing alert noise so that the security team can focus and prioritize efforts where they are most needed.”
  - OT Manager, U.S.-based energy & refining company.


Industrial security analysts and operational teams continually find themselves chasing thousands of false alarms generated by intrusion detection systems (IDS). False positives have a detrimental impact on security personnel and are the driving reason that alert fatigue is on the rise. Ignoring alerts is never a good idea. It seems the best way to overcome alert fatigue is to have them contextualized, prioritized, and then eliminate false alarms."

This OT security case study shows how OTORIO helped a U.S.-based oil refinery eliminate alert fatigue and create prioritized alerts with contextualized risk insights.

Eliminating Irrelevant Alerts

A North American oil and petrochemical refinery with four central sites and 50 smaller, remote sites had an issue with alerts stemming from its existing IDS. The IDS created a high volume of ghost assets and false-positive alerts, none of which prioritized risk. 

Its SOC team was swamped, chasing down alerts for ghost assets that didn’t even exist.  This alert chaos made it nearly impossible to detect and respond to actual, high-priority OT security risks and threats. They turned to OTORIO to enhance their oil and gas cybersecurity posture and the ROI of their existing tools.

Introducing RAM2 to the Oil Refinery

We deployed our OT Security solution for Risk Assessment, Monitoring, and Management RAM2 within the refinery and got to work. RAM2 integrated the oil refinery’s existing third-party IDS tool and other data sources into its platform, enabling it to hit the ground running. 

RAM2 began by conducting a thorough asset audit, building an accurate asset inventory, and eliminating the IDS-generated ghost assets that had been haunting the SOC team.

RAM2 reduced alert noise by 80%, removing irrelevant alerts and false positives. It aggregated security events from across the network and presented the team with highly relevant, prioritized alerts on its dashboard.  As a result, the SOC team now has a continuous and reliable 360° view of OT risks to assess from cross-domain industrial data sources.

Prioritizing and Adding Context to OT Risk Insights

The company’s existing IDS solution lacked the ability to prioritize and provide context to risk alerts. Using OTORIO’s RAM2, the oil refinery is now able to prioritize alerts based on their risk severity and business impact (e.g., 76 high-priority alerts out of 27,000+ events).

This risk prioritization empowered the company’s operations and analyst teams to focus on the most important risks and highest-priority mitigation actions that truly mattered. Insights were also enriched with attribution and operational context, enhancing the refinery’s overall security posture. 

Oil Refineries are Feeling the Pressure 

Since Russia began fighting Ukraine, digital security experts have feared a Russian cyber attack on the oil & gas industry. European nations are trying to reduce their reliance on Russian oil, while Russia has either halted or curtailed LNG pipeline flows to Europe.  

Russia has been accused of attacking oil refineries in the past, including LNG refineries in a run-up to the war in Ukraine, and experts are concerned that they have a high likelihood of striking again. For oil and gas refineries, that could mean a target is placed squarely on their facilities. It behooves them to take the steps needed to reduce risk and close any vulnerabilities in their operations. 

Download the client case study for details on how we helped an oil refinery eliminate alert fatigue, prioritize alerts, and created contextualized OT risk insights.