# Chapter 21: OT/ICS/SCADA Security
## Overview
Operational Technology (OT) and Industrial Control Systems (ICS) represent the convergence of the digital and physical worlds — systems that control power grids, water treatment plants, oil pipelines, manufacturing facilities, and hospital life-support equipment. Unlike IT systems where the worst-case outcome is data loss, ICS compromise can cause physical harm, environmental disasters, and loss of life. This chapter covers ICS architecture, the Purdue Model, attack methodologies from Stuxnet through TRITON, detection strategies unique to industrial environments, and the frameworks governing OT cybersecurity.
## Learning Objectives
By the end of this chapter, students SHALL be able to:
- Describe the Purdue Enterprise Reference Architecture and its security zones
- Identify the unique threat landscape facing OT/ICS environments
- Analyze real-world ICS attacks including Stuxnet, CRASHOVERRIDE, and TRITON
- Apply the ICS ATT&CK matrix to threat modeling and detection
- Design network segmentation and monitoring solutions for OT environments
- Develop OT-specific incident response procedures that prioritize safety over security
## Prerequisites
- Basic understanding of industrial control system concepts (PLC, HMI, SCADA)
- Familiarity with IT networking (TCP/IP, VLAN, firewalls)
- Understanding of the IT/OT convergence challenge
Why This Matters
In February 2021, an attacker gained remote access to the water treatment plant in Oldsmar, Florida, and attempted to increase sodium hydroxide (lye) levels to 111 times normal — a lethal concentration. The attack was caught only because an operator was watching the screen in real time. In 2022, Industroyer2 was deployed against Ukrainian power substations, causing blackouts. ICS attacks are no longer theoretical — they are active and escalating. Every critical infrastructure operator needs personnel who understand both IT security and OT safety.
## 21.1 ICS Architecture and the Purdue Model
The Purdue Enterprise Reference Architecture (PERA) defines a hierarchical model for industrial control networks, separating business, operational, and field levels.
```mermaid
graph TB
    subgraph "Level 5: Enterprise Network"
        ERP[ERP / SAP\nBusiness Systems]
        CORP[Corporate IT\nEmail, AD, Web]
    end
    subgraph "Level 4: Site Business Planning"
        MES[MES\nManufacturing Execution]
        HIST[PI Historian\nData Aggregation]
    end
    subgraph "DMZ: IT/OT Boundary"
        DMZ[Demilitarized Zone\nData Diodes, Firewalls]
        JUMP[Jump Server\nControlled OT Access]
    end
    subgraph "Level 3: Site Operations"
        SCADA[SCADA Server\nSupervisory Control]
        HMI[Engineering\nWorkstation / HMI]
    end
    subgraph "Level 2: Area Control"
        DCS[DCS\nDistributed Control]
        PLC[PLC Controllers]
    end
    subgraph "Level 1: Basic Control"
        RTU[RTUs\nRemote Terminal Units]
        IED[IEDs\nIntelligent Electronic Devices]
    end
    subgraph "Level 0: Physical Process"
        SENS[Sensors\nActuators\nMotors\nValves]
    end
    ERP --> MES
    CORP --> DMZ
    MES --> DMZ
    DMZ --> SCADA
    SCADA --> DCS
    DCS --> PLC
    PLC --> RTU
    RTU --> IED
    IED --> SENS
    style DMZ fill:#e63946,color:#fff
    style SENS fill:#2d6a4f,color:#fff
    style ERP fill:#1d3557,color:#fff
```

### 21.1.1 Key ICS Components
| Component | Function | Common Vendors |
|---|---|---|
| PLC (Programmable Logic Controller) | Execute control logic in real time, interface with field devices | Siemens S7, Allen-Bradley, Schneider Modicon |
| RTU (Remote Terminal Unit) | Remote monitoring and control over wide areas (pipelines, substations) | ABB, GE, Emerson |
| DCS (Distributed Control System) | Process control for continuous manufacturing (refinery, chemical plant) | Honeywell, ABB, Siemens |
| HMI (Human-Machine Interface) | Operator displays and control panels | Wonderware, FactoryTalk, WinCC |
| SCADA | Supervisory control across distributed geographies | OSIsoft PI, Ignition, GE CIMPLICITY |
| Historian | Long-term time-series data storage | OSIsoft PI, Honeywell PHD |
| IED (Intelligent Electronic Device) | Digital relays in power systems | SEL, GE MultiLink |
## 21.2 ICS-Specific Threats
### 21.2.1 The IT/OT Difference
| Aspect | IT | OT |
|---|---|---|
| Priority | Confidentiality > Integrity > Availability | Safety > Availability > Integrity > Confidentiality |
| Patch cycle | Monthly or faster | Yearly or never (vendor certification required) |
| Protocols | TCP/IP standards | Modbus, DNP3, IEC 61850, EtherNet/IP, PROFINET |
| System lifetime | 3–5 years | 20–30 years |
| Downtime tolerance | Minutes–hours | Zero (safety-critical processes) |
| Security tools | Standard EDR/AV | Many endpoints unsupported (XP, embedded) |
| Authentication | Passwords, MFA, PKI | Often none (Modbus has no authentication) |
### 21.2.2 ICS Attack Lifecycle
```mermaid
flowchart LR
    A[IT Network\nInitial Access] --> B[IT/OT Lateral\nMovement]
    B --> C[OT Network\nEstablishment]
    C --> D[ICS Protocol\nLearning / Mapping]
    D --> E[Stage\nPayload]
    E --> F[Execute\nAttack]
    F --> G[Physical\nImpact]
    style G fill:#e63946,color:#fff
    style F fill:#780000,color:#fff
    style E fill:#e63946,color:#fff
```

This lifecycle is demonstrated in all major ICS attacks: Stuxnet (2010), CRASHOVERRIDE (2016), TRITON (2017), Industroyer2 (2022).
## 21.3 Landmark ICS Attacks
### 21.3.1 Stuxnet (2010)
- Target: Iranian nuclear centrifuges (Natanz enrichment facility)
- Attribution: NSA/Unit 8200 (USA/Israel joint operation)
- Impact: Physically destroyed ~1,000 IR-1 centrifuges

Technical Details:
- Spread via USB, Windows shares, Step 7 project files, print spooler vulnerability
- Used 4 zero-days simultaneously (unprecedented)
- Fingerprinted specific Siemens S7-315 PLCs connected to frequency converter drives from specific vendors
- Manipulated centrifuge rotor speeds while reporting normal values to operators (first known rootkit for PLCs)
- Intercepted and replayed safe process values to the HMI — operators saw nothing wrong
Lessons: Air gaps alone are insufficient; supply chain and USB vectors bypass air gaps; PLC firmware can be manipulated to cause physical destruction.
### 21.3.2 CRASHOVERRIDE/Industroyer (2016)
- Target: Ukrainian power grid (Kyiv district) — December 17, 2016
- Attribution: Sandworm (GRU Unit 74455)
- Impact: Blackout affecting approximately 230,000 customers for 1–6 hours

Technical Details:
- Framework with loadable payload modules for different industrial protocols: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, OPC DA
- Issued OPEN commands to protective relays, tripping circuit breakers across substations
- Denial of Service component targeted serial ports to prevent operator recovery
- Wiper module destroyed master boot records of Windows workstations
Lessons: ICS attacks now use modular frameworks designed for specific protocols; attacks specifically degrade operator visibility to prevent recovery.
### 21.3.3 TRITON/TRISIS (2017)
- Target: Petro Rabigh petrochemical facility, Saudi Arabia
- Attribution: Sandworm (later attributed) / XENOTIME
- Impact: Safety Instrumented System (SIS) compromise — could have triggered an explosion

Technical Details:
- First known attack specifically targeting Safety Instrumented Systems (Triconex SIS)
- The SIS is the last line of defense — if the process goes out of safe range, the SIS shuts everything down to prevent an explosion
- Attackers reprogrammed SIS controllers to remain silent while enabling unsafe conditions
- The attack failed (it accidentally triggered a safe state) — the resulting investigation revealed the compromise

MITRE ATT&CK for ICS Mapping:
- T0804: Block Reporting Message
- T0816: Device Restart/Shutdown
- T0836: Modify Parameter
- T0857: System Firmware (SIS firmware modification)
### 21.3.4 Colonial Pipeline (2021)
- Target: Colonial Pipeline (largest US refined products pipeline)
- Attribution: DarkSide ransomware affiliate
- Impact: 5,500 miles of pipeline shut down; ~45% of East Coast fuel supply disrupted

Key Details:
- IT network ransomware (DarkSide RaaS) — OT systems not directly compromised
- Company shut down OT as a precautionary measure — IT/OT not properly segmented
- $4.4M ransom paid (partially recovered by DOJ)
- Demonstrated that IT ransomware can cause OT shutdown even without directly attacking ICS
## 21.4 ICS ATT&CK Framework
MITRE ATT&CK for ICS extends the enterprise framework with ICS-specific tactics and techniques.
### 21.4.1 ICS ATT&CK Tactics
| Tactic | ID | Description |
|---|---|---|
| Initial Access | TA0108 | Drive-by compromise, external remote services, spearphishing |
| Execution | TA0104 | Native API, scripting, change operating mode |
| Persistence | TA0110 | Hooking, module firmware, valid accounts |
| Evasion | TA0103 | Block reporting message, spoof reporting message, rootkit |
| Discovery | TA0102 | Network sniffing, remote system information, I/O module discovery |
| Lateral Movement | TA0109 | Default credentials, remote services, valid accounts |
| Collection | TA0100 | Automated collection, monitor process state, point and tag identification |
| Command and Control | TA0101 | Connection proxy, standard application layer protocol |
| Inhibit Response Function | TA0107 | Activate firmware update mode, block command message, denial of view |
| Impair Process Control | TA0106 | Brute force I/O, change parameter, unauthorized command message |
| Impact | TA0105 | Damage to property, denial of control, loss of safety, manipulation of control |
## 21.5 OT Network Security
### 21.5.1 Network Segmentation
Proper segmentation implements the Purdue model with security controls at each boundary:
IT Network → [Firewall] → DMZ → [Data Diode/Firewall] → OT Network
DMZ contains:
- Historian proxy (data aggregation without direct IT→OT connection)
- Remote access jump server (monitored, time-limited, no persistent sessions)
- Patch management server for approved OT patches
- Antivirus update server
Data Diode (hardware-enforced one-way communication):
- Allows data from OT→IT only (telemetry, historian)
- Physically impossible for data to flow IT→OT
- Products: Waterfall Security, OWL Cybersecurity, BAE Systems
### 21.5.2 OT Network Monitoring
Traditional EDR/SIEM cannot be deployed on PLCs and RTUs. OT-specific passive monitoring solutions parse industrial protocols and detect anomalies:
| Product | Approach | Detection Capabilities |
|---|---|---|
| Claroty | Passive tap + protocol DPI | Modbus/DNP3/EtherNet-IP baseline, anomaly detection |
| Dragos | Passive + active (limited) | ICS-specific threat intelligence, Neighborhood Keeper |
| Nozomi Networks | AI-based OT/IoT monitoring | Vulnerability assessment, behavioral baseline |
| Tenable.OT | Asset inventory + vulnerability | Passive + selective active scanning |
| Fortinet FortiSIEM | IT/OT convergence SIEM | Unified visibility |
| Cisco Cyber Vision | Network traffic analysis | Embedded in network switches |
```bash
# Zeek (formerly Bro) — parse ICS protocols. Zeek's base scripts already include
# Modbus and DNP3 analyzers that write modbus.log and dnp3.log; additional
# ICS analysis packages can be installed with the Zeek package manager (zkg).
zkg install zeek/mitchellkrogza/zeek-bricata-modbus
# Run Zeek live on the OT span/tap interface with the Modbus script loaded
zeek -i eth0 modbus.zeek

# Snort/Suricata ICS rules
# Run Suricata offline over a capture (-r) using the Emerging Threats ICS ruleset
# loaded exclusively (-S), writing logs to -l
suricata -r capture.pcap -l /tmp/logs -S /etc/suricata/rules/ics.rules
```
### 21.5.3 OT-Safe Security Controls
Because patching and deploying security tools on OT systems can cause outages:
| IT Control | OT Equivalent | Caveat |
|---|---|---|
| EDR on endpoint | Passive network monitoring | Cannot install agents on PLCs |
| Patch management | Compensating controls | Patch only after vendor validation, in maintenance window |
| Vulnerability scanning | Passive asset discovery | Active scanning can crash PLCs |
| Password policy | Out-of-band management + key rotation | Many OT protocols have no auth |
| Encryption in transit | Encrypted tunnels at network boundary | OT protocols often cleartext |
| MFA | Jump server MFA | Can't enforce on PLC console |
## 21.6 OT Incident Response
OT IR differs fundamentally from IT IR: safety comes first.
### 21.6.1 OT IR Decision Framework
```mermaid
flowchart TD
    A[ICS Incident Detected] --> B{Immediate Safety\nRisk?}
    B -->|YES| C[Execute Safety Procedure\nEmergency Shutdown\nNotify Operations]
    B -->|NO| D{Can Process\nContinue Safely?}
    C --> E[Safety First\nThen Investigate]
    D -->|YES| F[Monitor and Collect\nDo NOT Isolate Yet]
    D -->|NO| G[Controlled Shutdown\nFollowing SOP]
    F --> H[Engage OT IR Team\n+ Safety Engineer]
    G --> H
    H --> I[ICS Forensics\nNetwork capture\nHMI logs\nHistorian data]
    I --> J[IT IR Integration\nTrace to IT compromise]
    J --> K[Recovery\nVendor-assisted if needed]
    style C fill:#e63946,color:#fff
    style E fill:#e63946,color:#fff
```

Critical Rule: Never isolate a running process without coordination with operations and safety engineers. Cutting a network cable to a PLC controlling a chemical reaction could result in uncontrolled conditions.
### 21.6.2 OT Evidence Sources
Data Historian (OSIsoft PI, Honeywell PHD):
- Process values at time of incident (pumps, temperatures, flows, pressures)
- Can show manipulation of setpoints
HMI / SCADA Logs:
- Operator commands, alarm acknowledgments, screen captures
Engineering Workstation Logs:
- Project file modifications (PLC ladder logic changes)
- Vendor software activity (Step 7, Studio 5000)
Network Captures:
- Industrial protocol commands (Modbus FC16=write, FC03=read)
- Anomalous write commands to PLC holding registers
Firewall/Historian Proxy Logs:
- IT→OT connection attempts
- Unusual data volume or timing
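The passive protocol-aware monitoring described in 21.5.2 and the network-capture evidence listed above (Modbus FC16 writes, anomalous writes to holding registers) can be illustrated with a small detector. This is an added example, not code from the chapter or from any vendor product: it decodes the Modbus/TCP MBAP header and function code of constructed sample frames and flags write function codes from any host not on a hypothetical engineering-workstation allowlist (the IP addresses are assumptions).

```python
import struct

# Modbus function codes that change controller state (from the Modbus spec).
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
             15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical allowlist of hosts permitted to write to PLCs (assumption).
ALLOWED_WRITERS = {"10.20.3.10"}  # engineering workstation


def parse_modbus_tcp(frame):
    """Decode the 7-byte MBAP header (tid, proto, length, unit) plus FC/start."""
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id must be 0 and length must cover unit id + PDU.
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    fc = frame[7]
    pdu = frame[8:]
    start = struct.unpack(">H", pdu[:2])[0] if len(pdu) >= 2 else None
    return {"tid": tid, "unit": unit, "fc": fc, "start": start}


def check_frame(src_ip, frame):
    """Return an alert dict for a write from a non-allowlisted source, else None."""
    msg = parse_modbus_tcp(frame)
    if msg["fc"] in WRITE_FCS and src_ip not in ALLOWED_WRITERS:
        return {"src": src_ip, "fc": msg["fc"], "name": WRITE_FCS[msg["fc"]],
                "unit": msg["unit"], "start": msg["start"]}
    return None


def build_request(tid, unit, fc, start, payload=b""):
    """Build a constructed Modbus/TCP request; MBAP length counts unit id + PDU."""
    body = bytes([unit, fc]) + struct.pack(">H", start) + payload
    return struct.pack(">HHH", tid, 0, len(body)) + body


# Constructed sample traffic: an HMI poll (FC03, 10 regs), an allowed FC16 write
# from the engineering workstation, and an FC16 write from an unexpected host.
SAMPLE = [
    ("10.20.3.50", build_request(1, 1, 3, 0, struct.pack(">H", 10))),
    ("10.20.3.10", build_request(2, 1, 16, 100, struct.pack(">HB", 1, 2) + b"\x00\x2a")),
    ("10.20.1.77", build_request(3, 1, 16, 100, struct.pack(">HB", 1, 2) + b"\x0f\xff")),
]


def scan(traffic):
    """Run every captured (src_ip, frame) pair through check_frame."""
    return [a for a in (check_frame(ip, f) for ip, f in traffic) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

In a real deployment the source address and frame would come from a span-port capture (e.g. Zeek's modbus.log) rather than constructed frames, and the allowlist from the OT asset inventory.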
## 21.7 Regulatory Frameworks for OT Security
| Framework | Sector | Mandated By |
|---|---|---|
| NERC CIP | Electric utilities (North America) | FERC (mandatory) |
| NIST SP 800-82 | General ICS | NIST (guidance) |
| IEC 62443 | Industrial automation | International standard |
| AWIA 2018 | Water utilities (US) | America's Water Infrastructure Act |
| TSA Security Directives | Pipelines, aviation | DHS/TSA (mandatory) |
| NIS2 Directive | Critical infrastructure (EU) | EU (mandatory from 2024) |
| ISA/IEC 62443 | Any industrial sector | International (voluntary) |
## 21.8 Benchmark Controls
| Control ID | Title | Requirement |
|---|---|---|
| Nexus SecOps-OT-01 | IT/OT Network Segmentation | Purdue Model zones implemented with DMZ; data diode preferred for IT→OT |
| Nexus SecOps-OT-02 | OT Asset Inventory | Complete inventory of all PLCs, RTUs, HMIs, engineering workstations |
| Nexus SecOps-OT-03 | OT Network Monitoring | Passive protocol-aware monitoring deployed on OT network |
| Nexus SecOps-OT-04 | Remote Access Control | MFA on jump server; session recording; no persistent VPN tunnels into OT |
| Nexus SecOps-OT-05 | OT IR Capability | Dedicated OT IR procedure; safety engineer in IR team; annual tabletop |
| Nexus SecOps-OT-06 | Regulatory Compliance | NERC CIP (electric), AWIA (water), TSA directives (pipeline) as applicable |
## Exam Prep & Certifications
Relevant Certifications
The topics in this chapter align with the following certifications:
- GIAC GICSP — Domains: ICS Security, SCADA Systems, OT Network Architecture
- GIAC GRID — Domains: OT Incident Response, Industrial Defense, ICS Threat Detection
## Key Terms
DCS (Distributed Control System) — A control system for continuous manufacturing processes (oil refinery, chemical plant) using distributed controllers and centralized monitoring.
Defense-in-Depth (OT) — Layered security controls in OT environments: physical security → network segmentation → protocol monitoring → endpoint hardening → detective controls.
DNP3 (Distributed Network Protocol 3) — A protocol used in SCADA systems for communication between control centers and remote sites. Has no native authentication in older versions.
IEC 62443 — A series of international standards for industrial cybersecurity, covering security levels (SL-1 through SL-4) for products, systems, and operations.
Modbus — A serial communication protocol (1979) used extensively in PLCs. Has no authentication or encryption — any device on the network can send commands.
NERC CIP — North American Electric Reliability Corporation Critical Infrastructure Protection — mandatory cybersecurity standards for the bulk electric system in North America.
Safety Instrumented System (SIS) — An independent system that monitors process safety parameters and automatically takes action (emergency shutdown, alarm) if values exceed safe limits.
TRITON/TRISIS — The first known malware designed to target Safety Instrumented Systems, discovered at a Saudi petrochemical facility in 2017.