Serial-Based Defensive Cyberspace Operations
How can a defensive cyber operator effectively identify malicious cyber activity occurring on serial networks? A number of serial-based computer networks and systems are mission-critical to the DoD. Operators are not trained on serial data: they do not know how to recognize anomalies in it, and so they are unable to protect these environments. The goal is to identify both the equipment and a process for hunting malicious activity on serial networks.
- Bond, Maj. Cash, "Redefining the Cyber Edge: Operational Technology Should be Foundational to Cyber Training Pipelines," AF Fellows, 2025.
- Bond confirms this exact operational deficiency, noting that OT relies on entirely different ports, protocols, data transmission methods, and malicious signatures than standard IT networks. Because current defensive operators lack the foundational education to recognize these unique OT indicators, the DoD is essentially accepting the risk of the unknown. To enable operators to identify anomalies effectively, he suggests that teams must map out the full IT and OT network architecture and its dependencies to establish a clear software and hardware baseline, which then allows integrated sensor systems to actively alert on unusual behavior or known cyber vulnerabilities across both domains.
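A minimal version of the baseline-then-alert process Bond describes, applied to a serial bus. This is an added example, not code from the page or from Bond's paper; it assumes Modbus RTU as the serial protocol (the page names none) and constructs its own sample captures.

```python
# Added example, not from the page: baseline-and-alert hunting over a serial
# bus. Modbus RTU is assumed as the wire protocol; the page names none.
import struct

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def frame(unit: int, func: int, payload: bytes) -> bytes:
    """Build an RTU frame; the CRC goes on the wire low byte first."""
    body = bytes([unit, func]) + payload
    return body + struct.pack("<H", crc16_modbus(body))

def parse_rtu(raw: bytes):
    """Return (unit, func, crc_ok), or None for a runt frame."""
    if len(raw) < 4:
        return None
    body, crc = raw[:-2], struct.unpack("<H", raw[-2:])[0]
    return body[0], body[1], crc16_modbus(body) == crc

def build_baseline(clean_frames):
    """Learn the (unit, function) pairs seen in a known-good capture."""
    return {parse_rtu(f)[:2] for f in clean_frames}

def hunt(observed, baseline):
    """Flag runt frames, bad CRCs (noise or tampering) and pairs never baselined."""
    alerts = []
    for i, raw in enumerate(observed):
        parsed = parse_rtu(raw)
        if parsed is None:
            alerts.append((i, "runt frame"))
            continue
        unit, func, ok = parsed
        if not ok:
            alerts.append((i, f"bad CRC from unit 0x{unit:02x}"))
        elif (unit, func) not in baseline:
            alerts.append((i, f"unit 0x{unit:02x} func 0x{func:02x} not in baseline"))
    return alerts

# Constructed captures: a master polling holding registers (0x03) on two units,
# then a later capture containing a write (0x06) and a bit-flipped frame.
CLEAN = [frame(0x11, 0x03, b"\x00\x6b\x00\x03"), frame(0x12, 0x03, b"\x00\x00\x00\x0a")] * 3
CORRUPT = CLEAN[1][:5] + bytes([CLEAN[1][5] ^ 0x01]) + CLEAN[1][6:]  # one flipped bit
SUSPECT = [CLEAN[0], frame(0x11, 0x06, b"\x00\x01\x00\x03"), CORRUPT]
```

Calling `hunt(SUSPECT, build_baseline(CLEAN))` returns two alerts: the write to unit 0x11 that the baseline never saw, and the frame whose CRC no longer matches its body.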