Abstract
Operational Technology (OT) systems are facing increasing cybersecurity risks due to IT/OT convergence, legacy systems, and evolving regulatory demands. Security Operations Centers (SOCs) play a central role in monitoring and responding to these threats. However, existing literature predominantly focuses on IT-centric SOCs, leaving OT SOC models underexplored. This study examines the structure and implementation of SOC models designed for OT systems, based on 14 qualitative interviews with security professionals and industry stakeholders. The findings reveal a spectrum of SOC models, including integrated, dedicated, in-house, outsourced, and vendor-operated. Each possesses distinct trade-offs in visibility, contextual awareness, cost, and operational resilience. The study identifies key factors influencing the selection of the SOC model for industrial clients, including organizational size, OT complexity, and regulatory pressures. It also outlines future directions for integrated SOCs, process-aware monitoring, and federated models. By bridging empirical insights with existing literature, this work contributes a comparative framework for evaluating OT SOC models and informs both academic research and industry practices in securing critical OT infrastructures.