Embodiments of the invention relates to the technical field of industrial networks and information security, in particular to an analysis device, method and/or system for an operational technology system and a storage medium. The device includes a parsing module configured to acquire first data related to the operational technology system from a data storage area, and parse out first features of the first data; an identifying module configured to identify an abnormal feature from the first features; and a model generation module configured to acquire second data related to the abnormal feature from the data storage area, and generate an algorithm model based on the second data, where the algorithm model is used for identifying an attack behavior related to the abnormal feature. The attack behavior can be automatically identified, and complementation of the advantages of human intelligence and the advantages of artificial intelligence is realized.