ICS Security in The Field

At my company, ICS Defense Force, I perform industrial control system (ICS) security assessments and incident response tabletop exercises across many different critical infrastructure sectors across the globe. This includes oil and gas, water, electric power generation, distribution, critical manufacturing, etc., the infrastructure we all rely on to support our modern way of life. It is important to describe my practical field work in this context as it allows me to meet with security teams, engineering staff, IT teams, facility stakeholders, operators, and those leading the charge of security and ICS risk management. Many meetings are held in facilities on the engineering plant floor in hard hats. Common discussions include recent industrial security challenges, maturing from low or no-cost ICS defense technologies, tactical critical infrastructure defenses, and risk trends and analysis.

ICS Risk Trend and Staffing

ICS risk continues to grow year over year. In 2019, 38% of respondents rated threats to ICSs as “high”; that share grew to 40% in 2021, 41% in 2022, and 44% in 2023. This is driven by the increased targeting of critical infrastructure with ransomware campaigns and by scalable ICS-targeted attack frameworks like CRASHOVERRIDE and PIPEDREAM. We are also seeing more ICS adversaries “Living Off The Land.” Living-off-the-land techniques let threat actors cause impact with little or no custom malware, which is harder to detect because the facility’s own engineering systems are turned against it.

ICS Technology Trend

A well-designed industrial defense-in-depth security program is not a nice-to-have; it is essential. And even then, mature critical infrastructure facilities must go beyond basic passive and preventive controls to proactively defend critical infrastructure. To detect and defend against modern threats while prioritizing engineering and safety, mature ICS facilities and leaders in this space are:

  • Embracing the differences between IT and ICS/OT,
  • Deploying specific ICS-aware controls,
  • Pursuing trained ICS-specific defenders for proactive ICS threat hunting,
  • Obtaining and focusing dedicated ICS security budgets, and
  • Deploying ICS/OT-specific network visibility solutions.

Startling Findings in 2023: Tactical and Strategic Defense Moves

Here are five of the most concerning findings from the 2023 survey data. It is important to note that all these findings pose risks that, if addressed with achievable actions, can be drastically reduced moving forward, regardless of ICS sector.

Finding #1

Only 52% of OT/ICS facilities actually have an ICS-specific incident response plan

Only 52% of ICS facilities have an ICS/OT-specific incident response plan that is documented, tested using tabletop exercises, and kept up to date. 17% are unsure whether they have such a dedicated ICS incident response plan. What’s critical to understand is that this is not your IT incident response plan. “Copying and pasting” IT security controls into an ICS/OT facility’s incident response plan will not work. In fact, this approach is likely to cause serious unintended or disastrous consequences to safety and engineering operations.

Strategic Move

Position your facility to meet best practices by having an engineering-driven, ICS-specific incident response plan. Regularly exercise that plan by running ICS tabletops with realistic scenarios derived from sector-specific threat intelligence. Ensure all the right teams are included and that the engineering team leads the charge. Build respectful relationships with engineering staff this way and bridge IT and ICS/OT team gaps by prioritizing safety and control systems. It is, after all, the very reason any ICS organization is in business.

Tactical Move

Technical ICS defenders must leverage IT security skillsets and embrace the fact that IT and ICS/OT are different. But they must go beyond this fact. They must discover what can be adapted from IT security to actively respond to ICS-specific threats using ICS-specific controls, technologies, and processes, while prioritizing safety first. Learn how the engineering systems operate at a network level and what happens when high-priority ICS devices, controllers, or remote terminal units become unavailable or have been manipulated by adversaries.

Professional Development and Practical Defense

The SANS course, ICS515: ICS Visibility, Detection, and Response meets this challenge head-on teaching students how to perform tactical ICS incident response by leveraging hands-on labs. Labs include assembling and running a programmable logic controller (PLC) like you’d see on a plant floor. Students keep the PLC kit for continued learning after class is over. Students from IT, ICS, engineering, etc., will detect and defend against threats in several realistic ICS environments.

Finding #2

38% of compromises to ICS come from IT networks

In 2023, most facilities indicate with high confidence that their ICS networks are well segregated and secured from what some call hostile networks, such as IT networks and the Internet. Yet 38% indicate that the initial attack vector of compromises to ICS/OT is the IT network, which lets threats into the ICS network.

Strategic Move

Position the team and budget for the highest return on investment by focusing first on network architecture. All defense controls and processes built on top of a strong network architecture, with strictly controlled segmentation from hostile networks, will have a much higher return on investment and protect that which matters most. A further benefit is containment during industrial incident response.

Tactical Move

Review all trusted known (and unknown) access paths between IT, ICS, and the Internet. This can be done by reviewing ICS perimeter firewall access control lists and the remote access connections into and out of the ICS.
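One way to make that ACL review repeatable is to script it. The example below is added here and is not code from the blog or from any firewall vendor: it reads a constructed, vendor-neutral rule list (action, source, destination, port), maps each address to a zone using an assumed Purdue-style zone table, and flags permit rules that create a direct path from a hostile zone (IT or Internet) into the ICS, an outbound path from the ICS to a hostile zone, or an all-ports permit into the ICS. The subnets, zone names, and sample rules are assumptions for illustration; a real export (Cisco ASA, Fortinet, iptables) would need its own parser feeding the same review logic.

```python
"""Added example: flag ICS perimeter firewall rules that open IT/Internet -> ICS paths.

Rule format (constructed for this example):  <permit|deny> <src> <dst> <port>
where src/dst are CIDR prefixes or "any" and port is a number or "any".
"""
import ipaddress
from dataclasses import dataclass

# Assumed zone table, loosely aligned to Purdue levels. Real sites will differ.
ZONES = {
    "INTERNET": [ipaddress.ip_network("0.0.0.0/0")],
    "IT": [ipaddress.ip_network("10.0.0.0/8")],
    "ICS_DMZ": [ipaddress.ip_network("192.168.100.0/24")],
    "ICS": [ipaddress.ip_network("192.168.10.0/24"),
            ipaddress.ip_network("192.168.20.0/24")],
}
HOSTILE = {"INTERNET", "IT"}
PROTECTED = {"ICS"}


@dataclass
class Rule:
    line_no: int
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: str


def zone_of(net: ipaddress.IPv4Network) -> str:
    """Most specific zone prefix containing the rule's prefix ("any" falls to INTERNET)."""
    best, best_len = "INTERNET", -1
    for zone, prefixes in ZONES.items():
        for p in prefixes:
            if net.subnet_of(p) and p.prefixlen > best_len:
                best, best_len = zone, p.prefixlen
    return best


def _net(token: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token)


def parse_rules(text: str) -> list:
    """Parse the constructed rule format; '#' starts a comment, blank lines are skipped."""
    rules = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, port = line.split()
        rules.append(Rule(n, action.lower(), _net(src), _net(dst), port))
    return rules


def review_rules(rules: list) -> list:
    """Return one finding per permit rule that crosses the ICS perimeter in a risky way."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        sz, dz = zone_of(r.src), zone_of(r.dst)
        reason = None
        if sz in HOSTILE and dz in PROTECTED:
            reason = f"direct {sz}->{dz} path on port {r.port}; traffic should terminate in ICS_DMZ"
        elif sz in PROTECTED and dz in HOSTILE:
            reason = f"outbound {sz}->{dz} path on port {r.port}; confirm the ICS must initiate this"
        elif dz in PROTECTED and r.port == "any":
            reason = f"{sz}->{dz} permits all ports"
        if reason:
            findings.append({"line": r.line_no, "src": str(r.src), "dst": str(r.dst), "reason": reason})
    return findings


def review_acl(text: str) -> list:
    return review_rules(parse_rules(text))


# Constructed ACL for illustration; not taken from any real device.
SAMPLE_ACL = """
# perimeter firewall between IT (L4) and the ICS (L3 and below)
permit 10.0.0.0/8        192.168.100.0/24 443    # IT -> DMZ historian, expected
permit 192.168.100.0/24  192.168.10.0/24  502    # DMZ -> ICS Modbus relay, reviewed
permit 10.5.0.0/16       192.168.10.0/24  3389   # IT -> ICS RDP: bypasses the DMZ
permit any               192.168.20.0/24  any    # leftover "any" rule
permit 192.168.10.0/24   any              any    # ICS -> anywhere outbound
deny   any               any              any
"""

if __name__ == "__main__":
    for f in review_acl(SAMPLE_ACL):
        print(f"rule line {f['line']}: {f['src']} -> {f['dst']}: {f['reason']}")
```

The review deliberately treats the DMZ as neither hostile nor protected, so IT-to-DMZ and DMZ-to-ICS rules pass and only rules that skip the DMZ, or leave the ICS open on every port, are surfaced for the engineering and IT teams to justify or remove.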

Professional Development and Practical Defense

ICS410: ICS/SCADA Security Essentials meets this challenge head-on. Students learn how to align ICS network architecture to the Purdue Network Architecture and then add security to protect what matters most.

Finding #3

47% of ICS Penetration Testing is against Level 2 devices

47% of penetration testing is against Level 2 devices in the Purdue Model. This is concerning because ICS penetration testing performed incorrectly on engineering-specific devices can directly and negatively impact safety, reliability, and operations. Can you perform penetration testing on ICS/OT environments? Yes. However, ICS penetration testing at any level shouldn’t be anywhere near the first security initiative performed in an ICS security program if high ROI and maintained safety are desired.

Strategic Move

First, cover the basics. Thoroughly complete all Five ICS Critical Cybersecurity Controls. When mature enough, facilities prioritize safety and engineering operations. That is, they know it’s best for safety that engineering teams make the decisions in this area.

Tactical Move

Emulate real-world attack scenarios. When approved by the business, start IT network penetration testing in Level 4 to test initial access and the related detection capabilities for lateral movement across IT. Then, with engineering approval, attempt to move into the ICS network DMZ. In all cases, IT and/or ICS staff should always question why a penetration test is selected over safer options such as vulnerability assessments or passive analysis. Exercise caution on all production systems and be extra cautious if testing touches any system that could impact engineering, regardless of whether that system is on the IT or ICS network. Always get prior approval before executing such tests.

Professional Development and Practical Defense

ICS613: ICS Penetration Testing and Assessments meets this challenge head-on to help students understand how to perform such tests and emulate real-world adversary tactics, techniques, and procedures (TTPs) safely.

Finding #4

22% of ICS facilities are using MITRE ATT&CK ICS

Only 22% of ICS facilities are using MITRE ATT&CK ICS to understand modern ICS-specific threat detection capabilities. This framework can drive a proactive ICS cybersecurity program.

Strategic Move

Many more facilities can take advantage of the MITRE ATT&CK for ICS framework for proactive ICS defense rather than being behind the curve and reactive only. Leverage threat intelligence in your sector to understand active adversary capabilities. Empower your team to use technical tools and technical analysis to prepare for proactive tasks such as identifying key ICS data sources, related tools, and mitigation techniques.

Tactical Move

Learn how to use the MITRE ATT&CK Navigator for ICS. Map active adversary TTPs to a heatmap in the Navigator and identify data sources for ICS SIEM rules and places to start ICS threat hunting.
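The Navigator accepts heatmaps as JSON layer files (File > Open Existing Layer). The example below is added here and is not code from the blog or from MITRE: it takes constructed analyst records (technique IDs mapped from sector threat intelligence and from the facility’s own detections), scores each technique by how often it appears, records the data sources behind it in the technique comment, and emits a layer for the ICS domain. It also lists techniques that threat intel reports but no local detection has ever fired on, which is a natural place to start ICS threat hunting and SIEM rule work. The technique IDs are ATT&CK for ICS identifiers as the author recalls them and the version strings in the layer are assumptions; check both against the current matrix and Navigator release before importing.

```python
"""Added example: build an ATT&CK Navigator layer (ICS domain) from analyst records
and list techniques that need hunting coverage."""
import json
from collections import Counter, defaultdict

# Constructed analyst records. "source" says where the mapping came from;
# "data_source" is the ATT&CK data source the analyst tied it to.
OBSERVED = [
    {"technique": "T0886", "source": "threat-intel", "data_source": "Network Traffic"},   # Remote Services
    {"technique": "T0886", "source": "detection",    "data_source": "Logon Session"},
    {"technique": "T0859", "source": "threat-intel", "data_source": "Logon Session"},     # Valid Accounts
    {"technique": "T0855", "source": "threat-intel", "data_source": "Network Traffic"},   # Unauthorized Command Message
    {"technique": "T0883", "source": "threat-intel", "data_source": "Network Traffic"},   # Internet Accessible Device
    {"technique": "T0883", "source": "detection",    "data_source": "Network Traffic"},
]

# Assumed schema versions; adjust to the Navigator build you run.
LAYER_VERSIONS = {"attack": "14", "navigator": "4.9", "layer": "4.5"}


def build_layer(records: list, name: str = "ICS adversary TTP heatmap") -> dict:
    """Score = number of records per technique; comment lists the data sources seen."""
    scores = Counter(r["technique"] for r in records)
    sources = defaultdict(set)
    for r in records:
        sources[r["technique"]].add(r["data_source"])
    techniques = [
        {
            "techniqueID": tid,
            "score": scores[tid],
            "comment": "data sources: " + ", ".join(sorted(sources[tid])),
            "enabled": True,
        }
        for tid in sorted(scores)
    ]
    top = max(scores.values()) if scores else 1
    return {
        "name": name,
        "versions": LAYER_VERSIONS,
        "domain": "ics-attack",
        "description": "Built from sector threat intel and local detections",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": top},
        "layout": {"layout": "side"},
    }


def layer_json(records: list) -> str:
    return json.dumps(build_layer(records), indent=2)


def hunt_candidates(records: list) -> list:
    """Techniques reported by threat intel that have no local detection record."""
    intel = {r["technique"] for r in records if r["source"] == "threat-intel"}
    detected = {r["technique"] for r in records if r["source"] == "detection"}
    return sorted(intel - detected)


def data_sources_to_collect(records: list) -> list:
    """Data sources needed for the hunt candidates, to prioritise ICS SIEM onboarding."""
    wanted = set(hunt_candidates(records))
    return sorted({r["data_source"] for r in records if r["technique"] in wanted})


if __name__ == "__main__":
    print(layer_json(OBSERVED))
    print("hunt first:", hunt_candidates(OBSERVED))
    print("collect:", data_sources_to_collect(OBSERVED))
```

Save the printed JSON to a file and open it in the Navigator with the ICS matrix selected; the score gradient becomes the heatmap, and the comment on each cell carries the data sources so the SIEM team can see what telemetry each hunt depends on.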

Professional Development and Practical Defense

ICS515: ICS Visibility, Detection, and Response covers ICS threat hunting: it reviews MITRE ATT&CK for ICS and walks students through a practical model for threat hunting in control systems.

Finding #5

ICS/OT-specific network visibility ranked #1 in importance to ICS organizations

Respondents ranked ICS/OT-specific network visibility as the number one must-have capability to deploy in a control system network, and one that ICS-trained defenders should use daily.

Achieving proper ICS/OT-specific network visibility provides details on assets and vulnerability information, and is an extensive data source for observing pre-attack techniques, including modern “living off the land” attacks. Additionally, it provides network traffic data for industrial incident response efforts and more. Most common solutions in this space obtain this data by passively observing network traffic, or by using the native protocols of the ICS network to perform active querying, rather than the less safe option of active scanning.

However, the placement of such a solution in industrial network(s) is critical. Once the placement of the solution (either low or no cost or professional tools) is complete, it requires dedicated resources trained specifically in IT and ICS security, while prioritizing safety, to operate.

Strategic Move

As a leader in ICS cyber risk management, position your team to be recognized as enabling engineering tasks and supporting operations staff. ICS/OT network visibility is not just about ICS security and industrial incident response. Ensure all the benefits of ICS/OT network-specific visibility are known, communicated to the teams, and support a budget for this type of technology.

Tactical Move

Work with engineering staff, who lead the way, to obtain both ICS network perimeter visibility (North/South) and internal ICS network visibility (East/West). Align to the Purdue Model to identify the edge firewalls, internal firewalls, and internal fully managed switches or traffic access points (TAPs) from which to obtain the traffic captures.
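Once captures arrive from those TAPs and switch SPAN ports, the first thing a defender wants from them is exactly what this finding describes: an asset view and a North/South versus East/West split. The example below is added here and is not code from the blog or from any visibility vendor: it takes constructed flow records (source, destination, destination port) as a passive collector would summarise them, assigns each endpoint a Purdue level from an assumed address plan, classifies each flow as crossing the ICS perimeter (North/South), staying inside the ICS (East/West), or outside it entirely, builds a first-pass asset inventory from the industrial protocol ports observed, and flags any Level 4 host talking straight to Level 3 or below without passing through the DMZ. Subnets, level assignments, and flows are assumptions for illustration; the protocol port table uses the well-known assignments for those protocols.

```python
"""Added example: classify passively captured flows by Purdue level and build an asset
inventory from the industrial protocols seen. All addresses and flows are constructed."""
import ipaddress
from collections import Counter, defaultdict

# Assumed Purdue-level address plan for this illustration.
LEVELS = {
    ipaddress.ip_network("10.0.0.0/8"): 4,          # enterprise IT
    ipaddress.ip_network("192.168.100.0/24"): 3.5,  # ICS DMZ
    ipaddress.ip_network("192.168.30.0/24"): 3,     # site operations (historian, servers)
    ipaddress.ip_network("192.168.20.0/24"): 2,     # HMIs / engineering workstations
    ipaddress.ip_network("192.168.10.0/24"): 1,     # PLCs / RTUs
}
ICS_BOUNDARY = 3  # levels <= 3 are "inside the ICS"; DMZ (3.5) and IT (4) are outside

# Well-known industrial protocol TCP ports (widely documented assignments).
ICS_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    102: "S7comm (ISO-TSAP)",
    4840: "OPC UA",
}

# Constructed flow summaries: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.1.2.3", "192.168.100.10", 1433),      # IT client -> DMZ replica historian
    ("192.168.100.10", "192.168.30.5", 4840),  # DMZ -> L3 OPC UA server
    ("192.168.20.11", "192.168.10.21", 502),   # HMI -> PLC (Modbus)
    ("192.168.20.11", "192.168.10.22", 502),   # HMI -> second PLC
    ("192.168.20.12", "192.168.10.21", 44818), # EWS -> PLC (EtherNet/IP)
    ("10.1.2.3", "192.168.10.21", 502),        # IT host speaking Modbus directly to a PLC
]


def level_of(ip: str):
    """Purdue level for an address, or None if it is outside the known address plan."""
    addr = ipaddress.ip_address(ip)
    for prefix, level in LEVELS.items():
        if addr in prefix:
            return level
    return None


def classify_flow(src: str, dst: str) -> str:
    """north-south = crosses the ICS boundary; east-west = both ends inside the ICS."""
    ls, ld = level_of(src), level_of(dst)
    if ls is None or ld is None:
        return "unknown"
    inside = (ls <= ICS_BOUNDARY, ld <= ICS_BOUNDARY)
    if all(inside):
        return "east-west"
    if any(inside):
        return "north-south"
    return "external"


def traffic_summary(flows: list) -> dict:
    return dict(Counter(classify_flow(s, d) for s, d, _ in flows))


def inventory(flows: list) -> dict:
    """Map each destination that answered on an industrial port to the protocols it serves."""
    assets = defaultdict(set)
    for _, dst, port in flows:
        if port in ICS_PORTS:
            assets[dst].add(ICS_PORTS[port])
    return {ip: sorted(protos) for ip, protos in assets.items()}


def perimeter_bypasses(flows: list) -> list:
    """North/South flows where the outside end is Level 4: the DMZ was skipped."""
    hits = []
    for src, dst, port in flows:
        if classify_flow(src, dst) != "north-south":
            continue
        outside = level_of(src) if level_of(src) > ICS_BOUNDARY else level_of(dst)
        if outside == 4:
            hits.append((src, dst, port))
    return hits


if __name__ == "__main__":
    print("traffic:", traffic_summary(FLOWS))
    print("assets:", inventory(FLOWS))
    print("DMZ bypasses:", perimeter_bypasses(FLOWS))
```

Two points worth noting in the output: the asset list is built purely from observed traffic, with no probes sent toward the PLCs, which is the passive approach the finding favours over active scanning; and the single IT-to-PLC Modbus flow shows up both as North/South traffic and as a DMZ bypass, which is the kind of path the perimeter review in Finding #2 exists to catch and the kind of event an ICS SIEM rule should alert on.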

Professional Development and Practical Defense

ICS418: ICS Security Essentials for Managers helps build critical infrastructure teams and leaders. This course empowers those stepping into an ICS leadership role for the first time, those leading IT security now also tasked with ICS security, and those stepping up to take the charge to manage cybersecurity risk from inside engineering departments. ICS515 teaches how to set up, deploy, and maintain ICS-specific network visibility from a tactical perspective.


It is essential for critical infrastructure owners and operators at the board level to understand what makes an organization critical: its industrial control systems, i.e., ICS/OT, engineering, and operations.

While each of the findings above is concerning, in this ICS blog we reviewed strategic and tactical moves, as well as training and development options, that show protecting our critical infrastructure is doable with realistic actions (and needed to protect our way of life).

Further details on these and other statistics can be found in the 2023 SANS ICS/OT Cybersecurity Survey.

Thank you for taking your time on this important topic. I look forward to seeing you all at the SANS ICS Security Summit & Training 2024!