OT / ICS Security

Domain overview

OT and ICS environments demand slower, clearer work. Safety, legacy trust, fragile communications and process impact all change how offensive validation must be planned and described.

How to approach this surface

• Start with process awareness. Without understanding what the system controls, protocol traffic is just noise.
• Engineering workstations, HMIs and historians often matter more than PLCs alone because they are the human bridge into process logic.
• Segmentation claims deserve aggressive validation. Flat routing, dual-homed assets, vendor tunnels and weak jump hosts undo many paper architectures.
• Protocol misuse can be just as dangerous as code execution. Read/write functions, mode changes and trust in unauthenticated commands still matter.
• Reporting in OT must speak to safety and process consequence, not only to technical exploitability.

Related certification and framework context

• MITRE ATT&CK for ICSTechnique framing for industrial environments and operational technology.
• CISA ICS AdvisoriesPublic industrial advisories and protocol/product context.
• SANS ICS ResourcesPublic OT and ICS learning resources.

Selected public references

• MITRE ATT&CK for ICSIndustrial technique matrix and ICS-specific operational framing.
• CISA ICS Best PracticesOperational guidance around segmentation, access and system hardening.
• Wireshark Modbus Dissector ReferenceProtocol visibility and capture support for Modbus traffic.
• Wireshark DNP3 Dissector ReferenceProtocol visibility and capture support for DNP3 traffic.
• OpenPLC ProjectHands-on lab context for PLC behaviour and logic.
• ICSNPPNetwork protocol parsers for ICS packet analysis in Zeek.

Topic index