CPC H04L 63/1416 (2013.01) [G05B 19/41835 (2013.01); G06F 8/65 (2013.01); G06F 16/182 (2019.01); G05B 2219/31449 (2013.01)]
20 Claims
1. A method comprising:
receiving sensor information from a plurality of sensors of an industrial operation, sensor information from at least a portion of the plurality of sensors is used for functionality of a plurality of equipment of the industrial operation;
monitoring data traffic on a network communicably connecting the plurality of equipment of the industrial operation;
deriving a baseline signature from the sensor information, the baseline signature encompassing a range of normal operating conditions;
identifying an abnormal operating condition of the industrial operation based on a comparison between additional sensor information from the plurality of sensors and the baseline signature;
identifying an abnormal data traffic condition based on the data traffic on the network;
determining that a correlation exists between the abnormal operating condition and the abnormal data traffic condition, the correlation indicating that (i) the abnormal data traffic condition is a potential cause of the abnormal operating condition or (ii) the abnormal data traffic condition and the abnormal operating condition have a shared cause; and
sending a security alert in response to determining that the correlation exists between the abnormal operating condition and the abnormal data traffic condition.
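
The steps of claim 1 sketched as detection logic, as an added example that is not part of the patent and not the patentee's implementation. The mean ± 3σ baseline, the allow-list and rate-cap traffic checks, the 30-second correlation window, the ordering heuristic (traffic first suggests potential cause, otherwise shared cause) and all sensor and host names are assumptions; the sample data is constructed.

```python
from statistics import mean, stdev

def derive_baseline(samples, k=3.0):
    """Per-sensor (low, high) range of normal operation: mean +/- k*stdev (assumed model)."""
    baseline = {}
    for sensor in samples[0]:
        vals = [s[sensor] for s in samples]
        m, sd = mean(vals), stdev(vals)
        baseline[sensor] = (m - k * sd, m + k * sd)
    return baseline

def abnormal_operation(readings, baseline):
    """Return [(t, sensor)] for every reading that falls outside its baseline range."""
    return [(t, name) for t, vals in readings for name, v in vals.items()
            if not baseline[name][0] <= v <= baseline[name][1]]

def abnormal_traffic(flows, allowed_pairs, max_pps):
    """Return [(t, reason)] for flows between unexpected hosts or above the rate cap."""
    out = []
    for t, src, dst, pps in flows:
        if (src, dst) not in allowed_pairs:
            out.append((t, f"unexpected flow {src}->{dst}"))
        elif pps > max_pps:
            out.append((t, f"rate {pps} pps {src}->{dst}"))
    return out

def correlate(op_events, net_events, window=30):
    """Pair events at most `window` seconds apart; one alert per correlated pair."""
    alerts = []
    for ot, sensor in op_events:
        for nt, reason in net_events:
            if abs(ot - nt) <= window:
                kind = "potential cause" if nt <= ot else "shared cause"
                alerts.append({"sensor": sensor, "traffic": reason,
                               "lag_s": ot - nt, "relation": kind})
    return alerts

# Constructed sample data: 60 normal readings, then live readings and network flows.
NORMAL = [{"temp_c": 70 + (i % 5) * 0.5, "psi": 30 + (i % 3) * 0.2} for i in range(60)]
READINGS = [(100, {"temp_c": 71.0, "psi": 30.2}), (160, {"temp_c": 93.5, "psi": 30.1})]
FLOWS = [(95, "hmi1", "plc1", 40), (150, "eng-laptop", "plc1", 35), (400, "hmi1", "plc1", 900)]
ALLOWED = {("hmi1", "plc1")}

def run_example():
    base = derive_baseline(NORMAL)
    ops = abnormal_operation(READINGS, base)
    return correlate(ops, abnormal_traffic(FLOWS, ALLOWED, max_pps=200))

if __name__ == "__main__":
    print(run_example())  # each returned dict stands in for a security alert
```

The rate spike at t=400 is flagged as abnormal traffic but raises no alert, because no abnormal operating condition falls within the correlation window.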