What Is an Industrial Control System?

An industrial control system (ICS) is the combination of hardware, software, and network infrastructure that monitors and operates physical processes across sectors such as energy, water treatment, manufacturing, and transportation. These systems control equipment that directly affects public safety, production output, and critical services.

ICS cybersecurity refers to the practice of protecting these physical systems from unauthorized access, disruption, and manipulation. It secures the protocols, controllers, and operator interfaces that power industrial environments.

How ICS Security Works

ICS cybersecurity prioritizes keeping physical processes running safely through a combination of network visibility, strict segmentation, and passive monitoring. 

Security teams implement these controls to detect unauthorized access and protocol manipulation without interrupting the physical processes that the system controls. This approach allows organizations to spot threat actors moving through the network before they can alter machinery commands or force a facility shutdown.

Key components and industrial protocols

Every ICS environment is built from a small set of core components designed for specific operational functions.

| Component | Role | Environment |
|---|---|---|
| SCADA | Collects data from remote sites and provides centralized monitoring and control | Pipelines, power grids, water distribution networks |
| DCS | Manages continuous processes through localized controllers | Refineries, chemical plants, power generation facilities |
| PLC | Executes specific automation logic for machinery and equipment | Assembly lines, packaging floors, and pump stations |
| HMI | Displays process data and accepts operator commands | Control rooms across all industrial environments |


These components communicate over industrial protocols such as Modbus TCP, DNP3, OPC UA, and S7comm. Most of these protocols were designed for reliability and speed rather than security: they carry no built-in authentication or encryption, so once an attacker reaches the OT network, any host that can speak the protocol can issue commands the controllers will accept.

Critical Differences Between IT and OT/ICS Security

IT and OT environments have different security priorities. IT security usually emphasizes confidentiality, integrity, and availability, while OT prioritizes safety first, then availability, integrity, and confidentiality. OT cybersecurity is part of broader safety and reliability programs for industrial operations.

These different priorities influence how security teams manage each environment in practice.

| Aspect | IT Security | OT/ICS Security |
|---|---|---|
| Objective | Protect sensitive data | Guarantee uninterrupted physical processes |
| Patching cadence | Regular software updates, often automated | Months or years between maintenance windows |
| Hardware lifespans | Servers are replaced every 3-5 years | Equipment is built to last 15-20 years |
| Breach consequences | Data loss and financial damage | Equipment damage, safety incidents, and environmental harm |
| Downtime tolerance | Minutes to hours (scheduled maintenance) | Near-zero for continuous processes |


The risks increase when organizations bridge the gap between two very different environments. Modern engineering workstations operate on standard Windows systems and connect to both types of networks. This integration could allow attackers to steal credentials from the IT environment and gain easy access to the OT network. 

Security teams cannot apply standard IT security measures to newly connected OT assets without accounting for the unique challenges involved. According to the Siemens True Cost of Downtime 2024 report, unplanned downtime costs the world’s 500 largest manufacturers approximately $1.4 trillion annually, which accounts for around 11% of their total revenue. 

In automotive production lines, the cost of downtime can reach up to $2.3 million per hour. These figures highlight why shutting down critical machinery to conduct antivirus scans or patch vulnerabilities is often not a viable option.

How Attackers Breach Industrial Control Systems

Threat actors targeting ICS environments have shifted from passive reconnaissance to active disruption. They gain initial access via IT or an exposed remote connection, then move laterally into the OT network and use native protocols to manipulate or disable control systems.

The attack surface expands every time a facility connects new Industrial Internet of Things (IIoT) sensors to legacy control networks. State-sponsored actors and financially motivated cybercriminals both actively scan for these vulnerable new connections. They use these poorly secured IIoT devices to bypass perimeter defenses and reach the critical physical processes inside.

Remote access and flat networks

The January 2024 attack on a municipal energy company in Lviv, Ukraine, demonstrates how these weaknesses compound into a single breach.

The attackers gained initial access through an unsecured MikroTik router that served as the network gateway. They stole credentials and created a Layer 2 tunnel into the OT network, enabled by the lack of a DMZ or significant segmentation between the IT and process control domains. Once inside, they sent rogue Modbus TCP commands directly to ENCO heating controllers.

The consequences were immediate. Over 600 apartment buildings went without heat for two freezing days. The attackers did not install malware on a single OT device. They exploited the network’s native protocols and issued commands that the controllers accepted as valid because Modbus has no authentication mechanism.

This single event demonstrates the three most prevalent ICS security failures:

  • Unmanaged remote access points with no monitoring or session controls.
  • Flat network architecture with no zone separation between IT and OT.
  • Lateral movement enabled by unprotected industrial protocols.

Ransomware and ICS-specific malware threats

The majority of OT disruptions start with ransomware that enters via IT and spills over into control system networks. Incident response teams often misidentify workstations and HMIs running Windows as IT assets. This confusion delays containment and allows the infection to spread deeper into operational zones.

A more targeted threat is ICS-specific malware. Attackers write this code to interface directly with industrial protocols and devices. Security researchers had detected only nine such malware samples in the history of ICS as of mid-2024.

These include the Modbus-targeting strain used in the Lviv attack and Fuxnet. Fuxnet destroys sensor gateways and wipes device firmware by flooding Meter-Bus communications in utility networks.

Every new strain demonstrates tradecraft that other actors can adopt. Organizations gain an operational advantage by using real-time threat intelligence to monitor attacker tactics, techniques, and procedures (TTPs). This intelligence allows teams to prioritize detection based on how real adversaries behave in OT environments rather than relying on a generic threat model.

Building a Non-Disruptive ICS Security Program

Organizations need visibility into what exists on the network, segmentation to contain lateral movement, and monitoring to detect in-progress threats. Each control must work passively and non-disruptively. This requirement is a critical difference from IT security, where active scanning and automated patching are standard practice.

Network visibility and strict segmentation

The first challenge in any OT environment is knowing what exists. Standard IT network scans that probe for active hosts can crash PLCs, initiate safety faults, or stop running processes. The safe baseline for OT asset inventory is passive network discovery. Sensors listen to traffic instead of actively probing fragile devices.

Sensors capable of reading industrial protocols can recognize controllers, firmware versions, and communication patterns without sending a single packet to the network. Security teams deploy these sensors in transparent bridge mode at Layer 2. They sit outside the control system and remain invisible to it while painting an end-to-end picture of device communications.

Segmentation becomes the highest-impact architectural control once visibility is established. The Purdue Model separates enterprise IT from physical processes using layered zones. The minimum baseline for any organization is to separate IT from OT networks with a DMZ in between and to enforce least-privileged access on all remote connections.

Passive monitoring and vulnerability management

Protocol-aware monitoring allows security teams to distinguish between a legitimate Modbus write from an operator console and an unauthorized command from an unknown IP address. Baseline deviation detection examines communication patterns, newly formed device pairs, and unusual protocol usage.

Security analysts can reduce alert fatigue by correlating these OT-native alerts with tailored threat intelligence. This correlation ensures analysts spend their time investigating activity that matches real-world attack behavior.
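As an added example, not code from the original article or from Group-IB's product, the following Python decodes Modbus TCP frames from constructed captures and applies the two checks described above: it flags a write function code from a source that is not on the operator allow-list, and it flags a device pair that was never seen in the baseline. The IP addresses, the allow-list and the sample frames are assumed values built for the demonstration.

```python
import struct
from typing import NamedTuple, Optional

# Modbus function codes that change controller state; read codes are deliberately not listed.
WRITE_FUNCTIONS = {5: "write single coil", 6: "write single register",
                   15: "write multiple coils", 16: "write multiple registers"}

class Frame(NamedTuple):
    src: str
    dst: str
    unit: int
    function: int
    address: Optional[int]

def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> Frame:
    """Decode the MBAP header and the start of the PDU from one captured TCP payload."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("malformed MBAP header")
    function = payload[7]
    address = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else None
    return Frame(src, dst, unit, function, address)

def monitor(frames, allowed_writers, known_pairs):
    """Return alerts for unauthorized writes and for never-before-seen device pairs."""
    alerts = []
    for f in frames:
        pair = (f.src, f.dst)
        if pair not in known_pairs:            # baseline deviation: new communication pair
            alerts.append(f"new device pair {f.src} -> {f.dst}")
            known_pairs.add(pair)
        if f.function in WRITE_FUNCTIONS and pair not in allowed_writers:
            alerts.append(f"unauthorized {WRITE_FUNCTIONS[f.function]} from {f.src} "
                          f"to {f.dst} unit {f.unit} at address {f.address}")
    return alerts

# Constructed sample traffic (addresses are made up): the HMI reads and writes to the PLC,
# then an unknown host issues a write to the same controller.
HMI, PLC, UNKNOWN = "10.10.1.20", "10.10.5.11", "10.10.9.77"
SAMPLE = [
    (HMI, PLC, bytes.fromhex("0001000000060103000A0002")),      # FC 3: read holding registers
    (HMI, PLC, bytes.fromhex("00020000000601060010001F")),      # FC 6: write single register
    (UNKNOWN, PLC, bytes.fromhex("0003000000060105000AFF00")),  # FC 5: write single coil
]

def run_demo():
    frames = [parse_modbus_tcp(*pkt) for pkt in SAMPLE]
    return monitor(frames, allowed_writers={(HMI, PLC)}, known_pairs={(HMI, PLC)})

if __name__ == "__main__":
    print("\n".join(run_demo()))
```

Only the two operator frames pass silently; the third frame raises both a new-pair alert and an unauthorized-write alert, which is the case a protocol-aware sensor must surface.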

IT patch cycles cannot be reasonably applied to vulnerability management in OT. Equipment may operate for years without a maintenance window. Approval for vendor-certified firmware updates can take months. Where patching is unviable, compensating controls bridge the gap:

  • Virtual patching at the network perimeter.
  • Firmware integrity verification on controllers.
  • Network isolation for devices that cannot be updated.

Standard vulnerability scores often misrepresent OT risk by ignoring the process context. A vulnerability in a controller managing a safety system carries entirely different physical consequences than the same vulnerability in a non-critical temperature sensor.

Implementing a Scalable ICS Security Strategy

Security leaders in industrial organizations often struggle with where to begin. The recommended approach is deliberately small in scope. Organizations should pilot at a single site, establish a baseline covering essential controls, and then scale with governance and measurable outcomes in place.

Establish a pilot site and baseline

Select the pilot based on three factors: the risk profile of the site, leadership buy-in from IT and plant operations, and how representative it is of other facilities in the organization. A site that mirrors the broader environment makes it easier to standardize findings later.

The minimum viable baseline consists of four areas aligned with the SANS Five ICS Cybersecurity Critical Controls:

  • A complete asset inventory built through passive discovery.
  • Network segmentation between IT and OT zones.
  • Locked-down remote access with session logging.
  • Protocol-aware monitoring on the OT network.

Make incident readiness part of the baseline from day one. Every OT containment decision carries an operational cost that IT incidents rarely do. Isolating a network segment might bring a production line to a halt or disable a safety system.

Security teams need to develop playbooks in advance. These documents should specify when to isolate a segment and when to keep it operational during a confirmed compromise. They outline the communication process between the security operations center and the plant operators. 

Additionally, they provide guidelines for collecting forensic data from systems that cannot be taken offline. Making high-pressure decisions without a playbook often results in operational mistakes.

Scale defenses and measure progress

Standardize policies across all sites once the pilot validates the baseline. Fold OT security into existing change management processes. Network adjustments, firmware updates, and access modifications must all go through the same approval workflows as any other operational change.

Security leaders can report progress to the board based on the following metrics:

  • Map risk reduction to specific production processes rather than abstract scores. Report concrete achievements, such as segmenting the blast furnace control network from the corporate LAN.
  • Track mean time to detect and contain OT-impacting events, benchmarked against the SANS 2024 State of ICS/OT Cybersecurity report to ensure your program trajectory aligns with industry improvements.
  • Measure segmentation coverage as a percentage of critical zones with actively enforced network boundaries.

Defend Your OT Environment with Group-IB

Protecting industrial control systems requires a shift from IT-centric security priorities to an OT model centered on safety, availability, integrity, and reliable operations. 

The convergence of corporate IT networks and plant floors creates new vulnerabilities that attackers actively exploit. Security teams cannot rely on disruptive IT patching cycles or active network scanning to stop these threats. Effective OT defense depends entirely on passive network visibility, strict zone segmentation, and protocol-aware monitoring.

Industrial environments require security tools engineered specifically for fragile control systems rather than repurposed IT software. These purpose-built defenses eliminate the risks associated with unmanaged remote access, flat networks, and protocol-level threats by securing the environment without actively interfering with operations.

Group-IB’s solutions for OT/ICS cybersecurity are designed to address these industrial challenges through advanced Network Detection and Response (NDR) capabilities. Our NDR solution provides purely passive OT network monitoring. It supports complex protocols such as Modbus, S7comm, OPC UA, IEC 104, and DNP3. 

Whenever a detection occurs, it’s automatically enhanced with advanced threat intelligence. These insights provide a deeper understanding of attackers’ motivations, tactics, and infrastructure, enabling quicker and more informed decisions on how to respond.

This focus on industrial environments means we offer visibility that many vendors miss, integrating both IT and operational technology networks into a single view. Group-IB's broad NDR functionality and unique integration capabilities are backed by Managed XDR services, offering round-the-clock monitoring by expert analysts with over 21 years of experience in incident response and digital forensics. This includes evidence collection from systems that cannot be taken offline in OT environments.

Talk to our experts today to see how Group-IB's security ecosystem provides comprehensive protection for your industrial control systems.