Roadmap

OT / ICS Security Engineer

The specialist who secures Operational Technology (OT) and Industrial Control Systems (ICS). Protects SCADA systems, PLCs, RTUs, DCS, and industrial networks in environments like power plants, water treatment facilities, oil and gas pipelines, manufacturing plants, and transportation systems, where a security failure can cause physical damage, environmental harm, or risk to human life.

OPTIMISTIC 4–6 yearsREALISTIC 5–8 years

Stage 00

IT Security and Networking Foundation

OT security adds to IT security knowledge. IT security fundamentals are the prerequisite, not a parallel track.

IT Security Foundation Required

Network security — TCP/IP, firewalls, VLANs, intrusion detection, traffic analysis (Wireshark)
Operating systems security — Windows Server, Linux hardening, Active Directory
Security monitoring — SIEM basics; log analysis; alert triage
Vulnerability management — scanning, CVSS scoring, patch management concepts
Incident response — the IR lifecycle; basic forensics; evidence preservation
CompTIA Security+ at minimum — baseline credential

Network Engineering Depth

Routing and switching — OSPF, BGP, VLAN design; critical for IT/OT segmentation design
Firewall architecture — zone-based firewalls; security zones concept; DMZ design
VPN and remote access — how vendor remote access is typically implemented in OT environments
Network traffic analysis — Wireshark; reading protocol dissections; TCP stream analysis
Wireless security — WiFi in industrial settings; WPA3; Purdue model wireless considerations

IT/OT Convergence Context

Why IT and OT were separate historically — air gaps; safety by isolation; different design goals
Why convergence is happening — cost reduction, remote monitoring, business intelligence from OT data
Why convergence creates risk — IT attack vectors now reach safety-critical systems
The challenge for practitioners — IT security tools and practices often cannot be applied directly to OT without modification

Resources

CompTIA Security+ materials (Professor Messer, free)
Wireshark documentation (free)
"Network Security Assessment" by Chris McNab (book)

Stage 01

OT/ICS Architecture and Industrial Processes

Understanding what you are protecting is the foundation. OT security practitioners who do not understand industrial processes cannot make good security decisions.

Industrial Control System Architecture — System Types

Monitors and controls geographically distributed systems
Examples: power transmission grids, water distribution networks, oil and gas pipelines
Components: field devices (sensors, actuators) → RTUs/PLCs → communication network → HMI/historian
Communication protocols: typically proprietary or older industrial protocols; radio, cellular, serial
Continuous process control; tightly integrated
Examples: oil refineries, chemical plants, power generation
More integrated than SCADA; operator and control in close proximity
Vendors: Honeywell, ABB, Emerson, Yokogawa, Siemens
Industrial digital computer; executing ladder logic or function block programs
Controls discrete manufacturing processes — conveyor belts, assembly lines, packaging
Vendors: Rockwell/Allen-Bradley, Siemens, Mitsubishi, Schneider Electric, Omron
PLC programming languages: Ladder Diagram (LD), Function Block Diagram (FBD), Structured Text (ST), Instruction List (IL), Sequential Function Chart (SFC) — IEC 61131-3 standard
Monitoring and controlling remote field devices
Found in oil and gas, utility, water/wastewater
Similar to PLC but designed for remote environments; harsher conditions; serial communications
Operator interface for monitoring and controlling processes
Software running on Windows or dedicated hardware
Shows process data; allows operator to make changes; alarm management
Common HMI vendors: Wonderware (AVEVA), Ignition, FactoryTalk, GE iFIX
Used to program and configure PLCs and other field devices
Often has direct connections to PLCs; high-value target
Windows-based; often running outdated OS versions for compatibility
Industrial time-series database for operational data
OSISoft PI (now AVEVA PI) is the industry standard
Often connected to both OT and business networks — a critical security boundary

Safety Systems

Separate from the basic process control system
Brings process to safe state when unsafe conditions detected
Triton/TRISIS malware (2017) specifically targeted Schneider Electric Triconex SIS, demonstrating the severity of SIS compromise
IEC 61511 — safety standard for SIS; defines SIL (Safety Integrity Level) requirements
Critical: SIS must be treated as the most protected layer; changes require rigorous management of change process

ICS Reference Architectures

Level 0: Field level — physical process; sensors, actuators, physical plant
Level 1: Control level — PLCs, RTUs, controllers; direct process control
Level 2: Supervisory level — SCADA, DCS, HMI; human operators; alarm management
Level 3: Manufacturing operations level — MES (Manufacturing Execution System); production management
Level 3.5: DMZ — the critical boundary between OT and IT; data diodes, firewalls, jump servers
Level 4: Business planning level — ERP, business systems; corporate IT
Level 5: Enterprise/cloud — corporate IT, internet
Significance: defines the segmentation model for ICS; security controls at each boundary
Cloud-connected OT — historian data flowing to cloud analytics; new attack vector
IIoT (Industrial Internet of Things) — sensors with direct internet connectivity; bypassing Purdue model
Remote access evolution — VPN → ZTNA for OT remote access; vendor remote access management
Edge computing — processing at Level 1/2; reduces cloud latency dependency

Industrial Protocols — Critical Knowledge

Oldest; most common; designed in 1979
No authentication; no encryption; integrity checks only (RTU CRC)
Function codes: Read Coils (01), Read Holding Registers (03), Write Single Register (06), Write Multiple Registers (16)
Attack relevance: unauthenticated writes to coils and registers can manipulate process; Modbus TCP on port 502
Designed for utility environments; SCADA communications
Authentication optional (DNP3 SAv6 — Secure Authentication v6); often not enabled
More reliable than Modbus; supports unsolicited reporting; timestamps
Common in electric utilities, water/wastewater, oil and gas
Telecontrol standard; European origin; power industry
IEC 60870-5-104 — TCP/IP variant; similar to DNP3 in function
Modern substation automation standard; electric utilities
GOOSE (Generic Object Oriented Substation Event) — fast peer-to-peer messaging; no authentication
MMS (Manufacturing Message Specification) — for control; some security options
Rockwell Automation / ODVA standard; modern industrial Ethernet
Built on TCP/IP; uses CIP (Common Industrial Protocol)
More networkable than Modbus; some security features
Siemens standard; widely used in manufacturing
Real-time Ethernet; PROFINET Security Class 1/2/3
Modern data exchange standard; security-by-design (TLS, authentication, authorization)
Becoming standard for IT/OT integration; historian data, MES integration
OPC UA security profiles — None, Basic256Sha256, etc.
Building automation and control protocol
HVAC, lighting, access control; used in facilities
Limited security; attack surface in commercial buildings

Industrial Network Traffic Analysis

Zeek with industrial protocol parsers — Modbus, DNP3, EtherNet/IP dissectors
Wireshark with industrial protocol dissectors — analyzing protocol traffic
Reading Modbus traffic: function code, register address, value; detecting unauthorized writes
Detecting Triton-like attacks: unusual access to SIS systems from unexpected sources

Resources

"Industrial Cybersecurity" by Pascal Ackerman (book, comprehensive)
CISA ICS advisories (free)
Idaho National Laboratory ICS-CERT courses (free online)
SANS ICS curriculum overview (free)

Stage 02

ICS Security Standards and Frameworks

OT security is governed by a distinct set of standards, not the IT security standards used elsewhere in this roadmap.

IEC 62443 — The Primary ICS Security Standard

Global standard for Industrial Automation and Control Systems (IACS) security
IEC 62443-1: General — terminology, concepts, models
IEC 62443-2: Policies and procedures — security management, patch management, service provider requirements
IEC 62443-3: System requirements — security risk assessment, system security requirements
IEC 62443-4: Component requirements — product development, technical security requirements for components
SL 1: Protection against casual or coincidental violation
SL 2: Protection against intentional violation by simple means with low motivation
SL 3: Protection against sophisticated attacks by skilled adversaries with moderate motivation
SL 4: Protection against sophisticated attacks with extended means and high motivation
Zone — grouping of logical or physical assets that share common security requirements
Conduit — communication channel between zones; protected according to the highest SL zone it connects
Zone definition and protection design is the primary security architecture activity in IEC 62443
IACS Security Management System (ISMS) — IEC 62443-2-1; similar to ISO 27001 but ICS-specific

NERC CIP

Mandatory regulatory standard for the North American bulk electric system (BES)
Applies to: bulk electric system owners, operators, and users
CIP-002: BES Cyber System Categorization — identifying Critical Cyber Assets and High/Medium/Low impact systems
CIP-003: Security Management Controls — security policies and leadership
CIP-004: Personnel and Training — background checks; security awareness training
CIP-005: Electronic Security Perimeters (ESPs) — defining and protecting the network boundary around BES cyber systems
CIP-006: Physical Security of BES Cyber Systems — physical access controls; monitoring
CIP-007: System Security Management — ports and services; security patches; malicious code prevention; logging
CIP-008: Incident Reporting and Response Planning — IR plan for BES Cyber Security Incidents
CIP-009: Recovery Plans — BES Cyber System recovery; testing
CIP-010: Configuration Change Management and Vulnerability Management
CIP-011: Information Protection — BES Cyber System Information protection
CIP-013: Supply Chain Risk Management — vendor risk management for BES Cyber Systems
NERC CIP enforcement — FERC (Federal Energy Regulatory Commission) oversight; civil penalties up to $1M/day/violation
GIAC GCIP certification — validates NERC CIP knowledge; required for some utility OT security roles

NIST SP 800-82 — Guide to ICS Security

NIST's ICS security guidance document; updated to Rev 3 (2023)
ICS security program components — overview, risk management, security architecture, security controls
ICS-specific control baselines — adapted from NIST SP 800-53 for OT environments
Acknowledges operational constraints — availability requirements; legacy systems; long lifecycle

CISA Resources

ICS security advisories — specific vulnerability advisories for ICS products; critical reading
Free training programs — 100 and 200 series; 301 (onsite)
ICS cybersecurity assessments — free assessments for critical infrastructure operators
CISA KEV (Known Exploited Vulnerabilities) — ICS-specific CVEs appear here; monitor for rapid response

ICS Attack History — Must Know

Stuxnet (2010): First cyber weapon; targeted Siemens PLCs controlling Iranian nuclear centrifuges; modified PLC code while showing normal values to operators; set back Iran's nuclear program; demonstrated nation-state ICS attacks are real
Ukraine power grid attacks (2015, 2016): BlackEnergy and Industroyer malware; disrupted power to hundreds of thousands of customers; demonstrated OT attack kill chain from IT to OT
Triton/TRISIS (2017): Targeted Schneider Electric Triconex SIS at a Middle Eastern petrochemical plant; attempted to disable safety systems enabling physical catastrophe; only attack known to specifically target safety systems
Colonial Pipeline (2021): IT-side ransomware (DarkSide) caused OT shutdown out of precaution; no OT compromise but IT/OT dependency exposed; $5M ransom; national fuel shortage
Oldsmar Water Plant (2021): Attacker remotely increased sodium hydroxide to dangerous levels via HMI; operator caught and reversed; demonstrated real-world consequence of HMI exposure

Resources

IEC 62443 standard overview (free summaries)
NERC CIP standards (free at nerc.com)
NIST SP 800-82 Rev 3 (free)
CISA ICS training (free)
Idaho National Laboratory ICS security courses (free)

Stage 03

OT Network Security and Architecture

Designing and implementing security controls in OT environments requires different thinking than IT environments.

The OT Security Challenge

Availability is the top priority — unlike IT where CIA applies equally, OT prioritizes Availability first
A patched PLC that is unavailable costs the plant money and may create safety hazards
Decisions always balance security improvement against operational continuity risk
Long system lifecycles — PLCs and SCADA systems run for 15–25 years; security features not available
No patching windows — continuous processes cannot be stopped for maintenance windows in the same way IT systems can
Proprietary and legacy protocols — security controls designed for TCP/IP networks don't apply to Modbus, DNP3
Vendor support restrictions — vendors often restrict modifications to maintain support contracts
Safety system constraints — changes to SIS require rigorous management of change; safety certification may be voided

IT/OT Network Segmentation

Firewall(s) between Level 3.5 (DMZ) and Level 4 (IT)
Data diodes for unidirectional data flow from OT to IT (historian to business intelligence)
Jump server / secure workstation in DMZ for controlled access
Historian proxy in DMZ to avoid direct OT-IT historian connectivity
No direct communication from IT to OT without going through DMZ
Application whitelisting in DMZ — only specific approved connections
Separate authentication — OT credentials distinct from IT credentials
Time-limited access — IT systems in DMZ don't have persistent sessions to OT
Hardware-enforced unidirectional communication — physically impossible for data to flow from IT to OT
Waterfall Security, Owl Cyber Defense — common vendors
Used for: historian replication to business network; security event forwarding to IT SIEM
Cell/zone segmentation — grouping devices by function and security requirement
Industrial switches with access control lists
Unidirectional data flows within OT where process logic allows

Vendor Remote Access Management

Vendor access to OT is the most common initial access vector in OT incidents
No direct connections — vendor accesses through a managed access platform
PAM integration — privileged sessions for vendor access recorded and monitored
Scheduled access windows — access only when plant personnel are present to supervise
Session recording — every vendor session recorded; reviewed when anomalies detected
MFA requirement — vendors must authenticate with MFA before accessing OT
Platforms: CyberArk SIA, BeyondTrust Privileged Remote Access, Claroty xDome Secure Access
Contractual requirements — vendor access agreements specifying security requirements

OT Asset Inventory

Active network scanning can crash PLCs and RTUs — must use passive discovery
Many devices have no agent support
Some devices only communicate during specific operational conditions
Claroty — passive OT network monitoring; asset discovery; anomaly detection
Dragos — OT-specific threat detection platform; industrial protocol visibility
Nozomi Networks — asset visibility; vulnerability management; threat detection
Microsoft Defender for IoT — passive monitoring; IT/OT convergence focus
Tenable OT (formerly Indegy) — OT asset management
NetworkMiner — passive network sniffer; device identification
Device make/model/firmware version
Communication protocols used
Network connections and communication patterns
Known vulnerabilities (correlating with vendor advisories)
Last seen timestamp

OT Patching and Vulnerability Management

Vendor qualification — patches must be validated by vendors before applying; no rolling out untested patches
Change management process — OT changes require extensive testing and management of change
Limited maintenance windows — many continuous processes have annual maintenance windows only
Long-term support — PLCs may run software from 2005 on Windows XP embedded; no patches available
Network isolation — ensuring unpatched devices cannot be reached except by necessary systems
Enhanced monitoring — increased monitoring around known-vulnerable devices
Virtual patching — IPS signatures blocking specific exploits for unpatched systems
Firmware update scheduling — bundling firmware updates into planned maintenance shutdowns

OT-Specific SIEM and Monitoring

Passive monitoring tools — Dragos, Claroty, Nozomi; analyzing protocol traffic without active scanning
Detecting unauthorized Modbus write commands
Detecting unexpected PLC program changes
Detecting new devices appearing on OT network
Detecting communication from IT to Level 1/2 without DMZ
PLC event logs — change tracking; I/O events
Historian data — process values; out-of-range values can indicate attack or malfunction
SCADA alarm logs — unexpected alarms can indicate manipulation
Engineering workstation access logs — who accessed what devices when
Integrating OT events into IT SIEM — unidirectional forwarding via DMZ; OT-specific parsers

Stage 04

OT Incident Response

Responding to OT incidents is fundamentally different from IT incident response. Safety comes first, and containment actions that disrupt production may be as harmful as the attack itself.

OT Incident Response Principles

Safety first — before any technical response, assess whether the physical process is safe; coordinate with operations
Operational continuity priority — containment actions that disrupt industrial processes may be more damaging than the attack
Specialized OT IR team — IT IR teams often lack OT knowledge; OT engineers often lack IR knowledge; OT IR requires both
Communication with operations — IR actions must be communicated to plant operators who maintain process oversight

OT-Specific Incident Response Process

Detection — passive monitoring alerts; operator anomaly reports; supplier notifications; external threat intelligence
Is the physical process safe? Has the attack affected safety systems?
What is the scope of compromise? IT only, IT/OT interface, or OT itself?
Can operations continue safely?
What is the business impact of shutdown vs continued operation with compromise?
Isolating compromised IT systems without affecting OT (if IT/OT boundary intact)
Isolating OT segments without disrupting safety systems
Vendor notification — some OT incidents require immediate vendor engagement (SIS incidents)
Operations decision — operations management must approve any OT containment that affects process
PLC memory capture — specialized tools; not standard forensic tools
Network packet captures from industrial networks
Historian data — operational data during and before incident
Firewall and network device logs

Historical Attack Analysis — Learning from Real Incidents

Stuxnet forensics — how the malware spread via Windows file shares; how it modified PLC programs; why it was stealthy for years
Ukraine power grid attack methodology — IT spearphishing → pivot to OT network → manipulate SCADA → disrupt grid → destroy HMI to delay recovery
Triton/TRISIS response — Dragos and FireEye incident response; how the attack was discovered; why the attackers failed
Colonial Pipeline decision-making — why an IT ransomware event caused an OT shutdown; the IT/OT dependency problem

Resources

Dragos Year in Review (free annual report)
"Industrial Cyber Threat Intelligence" (Claroty blog, free)
CISA ICS incident response guide (free)

Stage 05

Hands-On Practice & Portfolio

Lab Setup for OT Security

GRFICSv2 — free OT security lab environment; simulated industrial process; Modbus traffic; attack scenarios
OpenPLC — open-source PLC runtime for Windows/Linux; install and experiment with Modbus
Modbus protocol simulators — pyModbus; simulate PLC traffic; analyze with Wireshark
HMI simulation — Ignition trial; build a basic HMI; experience the operator perspective
Snort/Suricata with industrial protocol rules — ICS-specific detection rules from CISA

Training and Certification Path

CISA free ICS training (100 and 200 series) — foundational OT security; available online
Idaho National Laboratory ICS courses (free) — deeper technical content
SANS ICS Summit (annual) — premier OT security event; academic talks and vendor content
S4 Conference — annual OT security conference; cutting-edge research
GICSP exam preparation — SANS ICS410 course prepares for GICSP

What to Document on LabList

GRFICSv2 lab exercises — documented attack scenarios and defensive responses
ICS protocol analysis write-ups — Wireshark captures of Modbus/DNP3 analyzed
OT network architecture designs — segmentation diagrams for hypothetical industrial environments
Incident response tabletop documentation — IR scenario responses showing OT-specific decision-making
Cert progression — GICSP with context; NERC CIP awareness if electric utility focused

FAQ

Common questions

How long does it take to become an OT/ICS Security Engineer?

4–6 years optimistic, 5–8 years realistic. OT security is one of the most specialized cybersecurity paths because the underlying engineering is genuinely different — ICS systems prioritize availability and physical safety over confidentiality. Most OT security engineers come from controls engineering, instrumentation, or industrial automation backgrounds with documented IT security progression. Pure IT security backgrounds without OT exposure struggle.

Which certifications matter for OT/ICS security?

GICSP (Global Industrial Cyber Security Professional) is the canonical cert. NERC CIP for North American electric utilities. ISA/IEC 62443 certifications for international ICS contexts. GRID for industrial defenders. SANS ICS courses (ICS410, ICS515) are the gold standard. Security clearance significantly expands the job market because federal critical infrastructure roles dominate.

Do I need an engineering degree?

Helpful but not required. Many OT security engineers come from controls engineering, electrical engineering, or instrumentation backgrounds. Self-taught paths exist for IT security professionals who develop ICS protocol depth (Modbus, DNP3, EtherNet/IP, OPC UA), but the learning curve is steep. The market is small but high-paying — ICS security market expected to reach $23.7 billion by 2027.

What separates a hired OT/ICS Security Engineer?

Documented OT/ICS protocol depth. Modbus and DNP3 packet analysis, ICS-specific threat modeling (Stuxnet, Triton, Industroyer), and hands-on familiarity with PLCs (Siemens S7, Allen-Bradley ControlLogix) are differentiators. CISA, NSA, and FBI joint advisories about nation-state ICS attacks have driven sustained demand. Other signals: NERC CIP audit experience, IEC 62443 implementation projects, and OT network segmentation design work.

OT / ICS Security Engineer

Common questions

Related roles