Which statement accurately differentiates detection-based and prevention-based OT security controls?

• A. Only prevention-based controls are necessary in OT.
• B. Detection-based controls identify anomalies; Prevention-based controls block unauthorized actions.
• C. Detection-based controls are sufficient without prevention-based controls.
• D. Both types are optional in OT.

Answer: (B)

In OT security, detection-based controls monitor for unusual or abnormal activity, flagging it so operators can investigate and contain incidents. Prevention-based controls are about stopping unauthorized actions before they happen, through measures like strict access controls, network segmentation, and whitelisting. The best statement captures both ideas: detection identifies anomalies, while prevention blocks unauthorized actions. OT environments rely on this layered approach because prevention helps stop many threats upfront, but detection is essential to catch and respond to anything that slips through or is previously unknown. Saying that only prevention is needed, or that detection alone is enough, or that both are optional, ignores the practical need for defense-in-depth in these systems.