
Catch it at the Controller: Extending Visibility into ICS L2/L1 and Remote Sites

Authored by Lesley Carhart

As cybersecurity professionals and leaders, we often default to the places that feel familiar to enterprise defenders: EDR dashboards, modern Windows hosts, and identity controls. Those are important, but they’re not sufficient in Operational Technology (OT) environments.

In modern ICS/OT incidents, attackers don’t stop at high-level systems. Their goal is to interact with the process, and the path of least resistance often runs through Purdue Model Level 2 HMIs and Level 1 controllers, or through remote/unmanned sites with thinner defenses. These challenges are not theoretical. The recent SANS State of ICS/OT Security 2025 Report shows that while many organizations have improved visibility at Level 3, coverage drops sharply closer to the process and at remote sites. Only about 13% of organizations report full visibility across the ICS Cyber Kill Chain, and fewer still can confidently detect or validate activity at Level 2, Level 1, or in unmanned environments. This gap between where defenders can see and where consequences occur is where many incidents escalate.

Why L2/L1 and Remote Sites Matter

Typical adversaries seek process impact, espionage, or extortion. They begin with what they know (identity abuse, remote access, or OT DMZ traversal) and pivot toward HMIs, engineering workstations, and PLCs/RTUs. These assets give an attacker reliable interaction with industrial devices, even without deep ICS protocol expertise. Visibility at Level 3 is stronger than at Level 2, and remote sites remain among the largest blind spots. Half of incidents originate via external access, yet fewer than 15% of organizations implement advanced remote access controls such as ICS‑aware protocol gating or session recording.

Understanding Adversary Paths of Least Resistance

Most adversaries prefer low-friction and low-cost avenues to operational manipulation and espionage. When possible, they abuse remote access or traverse the OT DMZ to land in L3/L2, then “live off the land” using stolen credentials and familiar tools. Once positioned, interacting with graphical HMIs or engineering workstations is often sufficient to achieve their goals, with no deep protocol knowledge or device interdiction required. While advanced, low-level interdiction attacks are a concern for some mature organizations, less mature teams should focus on simple and effective attack paths first.

  1. Remote access abuse (vendors, integrators, supply chain, field technicians) to gain a direct foothold near L2/L3.
  2. “Living off the land” in older and less-monitored zones to avoid tripping IT-centric detections and defenses.
  3. Interacting with HMIs or deploying logic via engineering tools to drive a physical outcome.

Detect at the HMI, Validate at the PLC

At Level 2, watch for anomalous HMI behavior: new tags, unusual setpoint bursts, off-hours command sequences, or atypical user sessions. At Level 1, corroborate with controller observations: unexpected project downloads, mode changes, or logic diffs outside maintenance windows. This layered approach aligns with the SANS ICS Five Critical Controls and with the ICS Cyber Kill Chain's emphasis on consequence-focused detection.

Monitoring at L2/L1

Level 2 telemetry includes protocol‑aware network detection, authentication events, removable media usage, and HMI logs. High‑value detections include write‑heavy HMI patterns and use of rarely used administrative utilities.

Level 1 telemetry includes function codes, project file transfers, and mode flips. Key detections include logic changes outside approved windows, unexpected mode changes, and unknown devices interacting with controllers.
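The detections described under "Detect at the HMI, Validate at the PLC" and in the two telemetry paragraphs above, implemented as an added example (this is not code from the article or from SANS): a small Python script that runs three of them over constructed controller-traffic records. The log layout, operation names, asset inventory, controller list, maintenance window and thresholds are assumptions made for the example; a real deployment would take them from a protocol-aware sensor and the site's change calendar.

```python
"""Added example (not from the article): toy L2/L1 detections over constructed
controller-traffic records. Field layout, operation names, thresholds and the
asset inventory are illustrative assumptions, not a real sensor's schema."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry, one command per line:
# <UTC timestamp>\t<source IP>\t<destination IP>\t<protocol>\t<operation>
SAMPLE_LINES = [
    # Engineering workstation downloads a project inside the approved window.
    "2025-03-11T03:15:00Z\t10.20.2.20\t10.20.1.5\ts7comm\tproject_download",
    # Normal HMI polling with a few setpoint writes (about 4 writes/minute).
    "2025-03-11T09:00:00Z\t10.20.2.10\t10.20.1.5\tmodbus\tread_holding_registers",
    "2025-03-11T09:00:05Z\t10.20.2.10\t10.20.1.5\tmodbus\twrite_single_register",
    "2025-03-11T09:00:20Z\t10.20.2.10\t10.20.1.5\tmodbus\twrite_single_register",
    "2025-03-11T09:00:45Z\t10.20.2.10\t10.20.1.5\tmodbus\tread_holding_registers",
    "2025-03-11T09:01:10Z\t10.20.2.10\t10.20.1.5\tmodbus\twrite_single_register",
] + [
    # A burst of 15 register writes in under 30 seconds from the same HMI.
    f"2025-03-11T09:10:{2 * i:02d}Z\t10.20.2.10\t10.20.1.5\tmodbus\twrite_multiple_registers"
    for i in range(15)
] + [
    # Project download and mode change from the EWS mid-afternoon, outside the window.
    "2025-03-11T14:32:00Z\t10.20.2.20\t10.20.1.5\ts7comm\tproject_download",
    "2025-03-11T14:33:00Z\t10.20.2.20\t10.20.1.5\ts7comm\tmode_change",
    # A host absent from the asset inventory polls a second controller.
    "2025-03-11T14:40:00Z\t10.20.9.77\t10.20.1.6\tmodbus\tread_holding_registers",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# Known-good context (assumed): inventoried hosts with their baseline write rate,
# the controllers in scope, and approved maintenance windows.
INVENTORY = {
    "10.20.2.10": {"role": "hmi", "baseline_writes_per_min": 4},
    "10.20.2.20": {"role": "ews", "baseline_writes_per_min": 0},
}
CONTROLLERS = {"10.20.1.5": "PLC-PUMP-01", "10.20.1.6": "PLC-PUMP-02"}
WRITE_OPS = {"write_single_register", "write_multiple_registers",
             "write_single_coil", "write_multiple_coils"}
LOGIC_OPS = {"project_download", "mode_change"}
# (weekday, start_hour, end_hour) in UTC; Monday is 0, so this is Tuesday 02:00-04:00.
MAINT_WINDOWS = [(1, 2, 4)]


def parse_log(text):
    """Parse the tab-separated records into dicts with timezone-aware timestamps."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, op = line.split("\t")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append({"ts": when, "src": src, "dst": dst, "proto": proto, "op": op})
    return records


def in_maintenance_window(ts):
    return any(ts.weekday() == wd and start <= ts.hour < end
               for wd, start, end in MAINT_WINDOWS)


def detect_unknown_devices(records):
    """Level 1: any uninventoried host talking to a controller, regardless of operation."""
    return sorted({(r["src"], r["dst"]) for r in records
                   if r["dst"] in CONTROLLERS and r["src"] not in INVENTORY})


def detect_logic_changes(records):
    """Level 1: project downloads or mode changes outside an approved window."""
    return [r for r in records
            if r["op"] in LOGIC_OPS and not in_maintenance_window(r["ts"])]


def detect_write_bursts(records, window=timedelta(minutes=1), factor=3):
    """Level 2: a source whose peak writes per window exceed factor x its own baseline.

    A host with no write baseline (or missing from the inventory) is allowed a
    single write per window before it alerts.
    """
    writes = defaultdict(list)
    for r in records:
        if r["op"] in WRITE_OPS and r["dst"] in CONTROLLERS:
            writes[(r["src"], r["dst"])].append(r["ts"])
    alerts = []
    for (src, dst), times in sorted(writes.items()):
        baseline = INVENTORY.get(src, {}).get("baseline_writes_per_min", 0)
        limit = baseline * factor if baseline else 1
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            alerts.append({"src": src, "dst": dst, "peak_writes": peak, "limit": limit})
    return alerts


def run_detections(text):
    records = parse_log(text)
    return {
        "unknown_devices": detect_unknown_devices(records),
        "logic_changes_outside_window": detect_logic_changes(records),
        "write_bursts": detect_write_bursts(records),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

The write-burst rule keys off each source's own baseline rather than a fixed number, which is what makes a 15-write burst from an HMI that normally writes about four times a minute stand out, while the same burst from a host that legitimately writes continuously might be normal. The in-window project download at 03:15 produces no alert; the same operation at 14:32 does, which is the "outside approved windows" distinction the text draws.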

Securing Remote Sites

Wind farms, pump stations, booster sites, and substations often live far from corporate oversight. Survey data shows visibility at field/remote sites is among the thinnest, even as practitioners believe these environments and field service laptops are increasingly targeted.

Right-size sensors: lightweight, passively tapped collectors with local buffering (store-and-forward) to tolerate intermittent backhaul.

Segment and broker: enforce jump hosts/session brokering for inbound access, route sessions through auditable paths, and record them.

Centralize your inventory: maintain a formal, centralized register of all ICS/OT remote access endpoints.

Field laptop hygiene: require a security baseline, MFA for connections, real-time approvals for high-risk operations, and role-based protocol access control.

Threat Intelligence for L2/L1

Operationalize ICS‑specific threat intelligence by mapping adversary behaviors to process consequences, conducting relevant hypothesis-driven threat hunts, and codifying rules such as alerts for unexpected logic changes or abnormal write commands.

Validating Segmentation

Verify segmentation functions as expected through field evidence: packet captures, tracing remote session paths, and approved, controlled drills simulating unauthorized access.
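A concrete form of the packet-capture evidence described above, as an added example that is not part of the article: a Python check that classifies Zeek-style connection records against a zone policy, flags inbound Level 3/2 sessions that did not pass through the jump host called for under Securing Remote Sites, and reads the result of a controlled drill from whether the attempted connection ever completed. The zone ranges, jump-host address, policy table, column layout and sample flows are all constructed assumptions for the example.

```python
"""Added example (not from the article): check a segmentation policy against
Zeek-style connection records and read the outcome of a controlled drill.
Zone ranges, the jump host, the policy table and the sample flows are
constructed assumptions for illustration."""
import ipaddress

# Assumed zone layout and the only host allowed to broker sessions from the
# OT DMZ into Level 3/2.
ZONES = {
    "enterprise": ["10.1.0.0/16"],
    "vendor_vpn": ["172.16.50.0/24"],
    "ot_dmz": ["10.10.0.0/24"],
    "l3": ["10.20.3.0/24"],
    "l2": ["10.20.2.0/24"],
    "l1": ["10.20.1.0/24"],
}
JUMP_HOSTS = {"10.10.0.5"}
# Permitted (originator zone, responder zone) edges; same-zone traffic is always
# permitted here. Anything else is a segmentation violation.
ALLOWED_EDGES = {
    ("enterprise", "ot_dmz"), ("vendor_vpn", "ot_dmz"),
    ("ot_dmz", "l3"), ("ot_dmz", "l2"), ("l3", "l2"), ("l2", "l1"),
}
BROKERED_TARGETS = {"l3", "l2"}
# Zeek conn_state values meaning the TCP handshake never completed.
NOT_ESTABLISHED = {"S0", "REJ", "RSTOS0"}

# Constructed flows: ts, id.orig_h, id.resp_h, id.resp_p, proto, conn_state
SAMPLE_CONN = [
    # Vendor reaches the jump host, jump host opens RDP to the HMI, HMI polls the PLC.
    "1741683600.1\t172.16.50.12\t10.10.0.5\t443\ttcp\tSF",
    "1741683605.4\t10.10.0.5\t10.20.2.10\t3389\ttcp\tSF",
    "1741683610.0\t10.20.2.10\t10.20.1.5\t502\ttcp\tSF",
    # Drill: an enterprise host tries Modbus straight to the PLC and gets no reply.
    "1741683620.0\t10.1.4.33\t10.20.1.5\t502\ttcp\tS0",
    # The same enterprise host completes an RDP session to the engineering workstation.
    "1741683630.0\t10.1.4.33\t10.20.2.20\t3389\ttcp\tSF",
    # A DMZ host that is not the broker opens RDP into Level 2.
    "1741683640.0\t10.10.0.9\t10.20.2.10\t3389\ttcp\tSF",
    # Vendor VPN tries the PLC directly and is rejected.
    "1741683650.0\t172.16.50.12\t10.20.1.6\t502\ttcp\tREJ",
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for zone, cidrs in ZONES.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return zone
    return "unknown"


def parse_conn(lines):
    flows = []
    for line in lines:
        ts, orig, resp, port, proto, state = line.split("\t")
        flows.append({"ts": float(ts), "orig": orig, "resp": resp,
                      "port": int(port), "proto": proto, "state": state})
    return flows


def classify(flow):
    """Return (verdict, reason) for one flow against the zone policy."""
    src, dst = zone_of(flow["orig"]), zone_of(flow["resp"])
    if flow["state"] in NOT_ESTABLISHED:
        # An attempt that never completed is evidence, not a crossing.
        return "blocked_attempt", f"{src}->{dst} never established ({flow['state']})"
    if src == dst:
        return "allowed", f"intra-zone {src}"
    if (src, dst) not in ALLOWED_EDGES:
        return "violation", f"zone policy forbids {src}->{dst}"
    if src == "ot_dmz" and dst in BROKERED_TARGETS and flow["orig"] not in JUMP_HOSTS:
        return "violation", f"unbrokered {src}->{dst} from {flow['orig']}"
    return "allowed", f"{src}->{dst}"


def validate_segmentation(flows):
    report = {"allowed": [], "violation": [], "blocked_attempt": []}
    for f in flows:
        verdict, reason = classify(f)
        report[verdict].append({**f, "reason": reason})
    return report


def drill_result(flows, orig, resp, port):
    """Field evidence for a drill: did any attempt from orig to resp:port complete?"""
    matches = [f for f in flows if (f["orig"], f["resp"], f["port"]) == (orig, resp, port)]
    if not matches:
        return "no_evidence"
    return "crossed" if any(f["state"] not in NOT_ESTABLISHED for f in matches) else "blocked"


if __name__ == "__main__":
    flows = parse_conn(SAMPLE_CONN)
    for verdict, hits in validate_segmentation(flows).items():
        for h in hits:
            print(f"{verdict:16} {h['orig']} -> {h['resp']}:{h['port']}  {h['reason']}")
    print("drill PLC :", drill_result(flows, "10.1.4.33", "10.20.1.5", 502))
    print("drill EWS :", drill_result(flows, "10.1.4.33", "10.20.2.20", 3389))
```

Two details matter in practice. First, a flow that crosses zones but never completed (S0, REJ) is evidence that the boundary held, so it is reported separately rather than counted as a violation; if a drill's attempt shows up as an established SF session, the control failed regardless of what the firewall rules claim. Second, a DMZ-originated session into Level 2 is only acceptable from the broker itself, so the check distinguishes the jump host from every other DMZ address rather than trusting the zone.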

Integrating IT and OT Visibility

Organizations with coordinated IT/OT monitoring achieve stronger visibility. Use shared tooling and joint playbooks, enrich events with OT context, and keep OT sensors near the process while correlating centrally.

Securing Remote Access

Remote access abuse remains the most common initial access vector. Implement an OT DMZ and enforce brokered access, MFA, actionable logging and alerting, protocol‑aware restrictions, session recording on crown jewel connections, and inventories of all vendor/cloud entry points. Ensure a robust vulnerability management program monitors the state of VPN appliances, jump hosts, and other perimeter devices.

From Detection to Resilience

Detection without recovery is insufficient. Maintain controller backups, test restoration playbooks, define OT‑specific RTO/RPO, and invest in cyber‑informed engineering to improve resilience. Ensure an actionable OT cybersecurity incident response plan is drafted that covers all phases of response and their OT nuances.

Healthy Culture as a Control

Operator observations are a key component of effective detection at L1/L2. Engage operators and engineers through routine cyber briefings, cyber champion programs, use of structured change windows, and clear reporting expectations.

What Good Looks Like

L2/L1 detections are compared to known-good baselines and understood in the context of operational activity, logic changes leave multiple breadcrumbs, remote sites produce meaningful telemetry, and quarterly drills prove recoverability.

Key Takeaways

  • Push visibility to where consequences live: L2/L1 and remote sites. Coverage is currently lightest where process impact is greatest.
  • Focus on path-of-least-resistance attacks first: remote access abuse, HMI manipulation, and controller changes outside change windows.
  • Broker, record, and approve remote sessions; for many programs this is the highest leverage improvement.
  • Use ICS threat intel to drive L2/L1 detections and hunts; validate segmentation and entry points.
  • Prove recoverability: if you cannot rebuild HMIs and restore PLC logic under time pressure, you are not resilient yet.

Closing Thoughts

While OT cybersecurity practices have matured, serious gaps persist at lower Purdue levels closest to the process and at remote sites. Extending detection to Level 2, Level 1, and remote sites requires engineers and defenders who understand how attackers actually move through industrial environments and how to validate controls in the field.

For practitioners responsible for detection engineering and controller-level visibility, ICS515: ICS Visibility, Detection, and Response focuses on building and tuning detections at the HMI and controller layers, including logic change monitoring, anomalous command patterns, and consequence-driven alerting. For teams responsible for architecture and assurance, ICS612: ICS Cybersecurity In-Depth helps organizations verify segmentation, sensor placement, and remote site coverage through hands-on analysis, packet capture validation, and controlled testing.

Together, these skills help close the visibility gap identified in the SANS State of ICS/OT Security 2025 Report and move detection closer to where operational impact actually occurs.

Download your copy of the SANS State of ICS/OT Security 2025 Report here.