OT / ICS Security

Domain overview

This domain covers Modbus, DNP3, PLC exposure, engineering workstation risk, unsafe network segmentation, protocol misuse, historian and HMI trust, process manipulation paths and the special handling required for operational environments. The right offensive mindset is deliberate: map the process, respect safety and make every finding legible to both engineers and security teams.

How to approach this surface

• Start with process awareness. Without understanding what the system controls, protocol traffic is just noise.
• Engineering workstations, HMIs and historians often matter more than PLCs alone because they are the human bridge into process logic.
• Segmentation claims deserve aggressive validation. Flat routing, dual-homed assets, vendor tunnels and weak jump hosts undo many paper architectures.
• Protocol misuse can be just as dangerous as code execution. Read/write functions, mode changes and trust in unauthenticated commands still matter.
• Reporting in OT must speak to safety and process consequence, not only to technical exploitability.

Related certification and framework context

• MITRE ATT&CK for ICSTechnique framing for industrial environments and operational technology.
• CISA ICS AdvisoriesPublic industrial advisories and protocol/product context.
• SANS ICS ResourcesPublic OT and ICS learning resources.

Curated public references

• MITRE ATT&CK for ICSIndustrial technique matrix and ICS-specific operational framing.
• CISA ICS Best PracticesOperational guidance around segmentation, access and system hardening.
• Wireshark Modbus Dissector ReferenceProtocol visibility and capture support for Modbus traffic.
• Wireshark DNP3 Dissector ReferenceProtocol visibility and capture support for DNP3 traffic.
• OpenPLC ProjectHands-on lab context for PLC behaviour and logic.
• ICSNPPNetwork protocol parsers for ICS packet analysis in Zeek.

Brief index