
From Intel to Action: Leveraging ICS Threat Intelligence for Industrial Defense

Authored by Robert M. Lee

In the SANS State of ICS/OT Security 2025 Report, only 14 percent of organizations felt fully prepared for emerging or future cyber threats in their operational environments. That number is striking, especially considering most industrial organizations already have access to solid, ICS-specific intelligence about the risks they face. Across critical infrastructure sectors, many organizations consume high-quality ICS and OT threat intelligence, drawing from vendor reporting, peer sharing, and public disclosures. Yet, according to the SANS report, incidents still remain high and disruptive.

The disconnect is not a lack of awareness, but a lack of operational capability. Understanding the ICS threat landscape and being positioned to defend against it are two very different things. Oftentimes, security teams cannot say with confidence what is happening inside their OT networks, or whether they could detect and respond to a real intrusion. That gap between knowing the threat and acting on it is what ultimately determines whether industrial defenses hold or fail.

It is important to remember that there is no single enterprise OT network. Each plant has its own architecture, maturity, and visibility needs. In this context, security posture is less about alert volume and more about the confidence that a site can confirm compromise, respond safely, and recover operations quickly.

The Real Failure Mode: Consumption, Not Collection 

At Dragos, 70 percent of the vulnerabilities analyzed in our 2025 OT Cybersecurity Year in Review Report were located deep within ICS networks, closer to the process itself rather than at the perimeter. In other words, many of the most consequential exposures exist in places where enterprise-centric IT monitoring provides little or no visibility. 

This reality explains a common failure mode in ICS security: organizations blur the line between intelligence generation and intelligence consumption. Many invest heavily in producing or acquiring intelligence. They collect reports, subscribe to feeds, and track adversary activity closely. Far fewer invest in the telemetry, monitoring, and data collection capabilities required to act on that intelligence inside OT environments. 

What tends to be missing is the operational footing needed to apply ICS intelligence across people, process, and technology. Visibility is uneven, data collection is incomplete, and security teams are forced to reason about industrial risk using signals from enterprise IT systems rather than direct observation of plant operations. As a result, the organization lacks a clear, defensible view of its OT environment. Findings from the SANS report reflected the same constraint. Only 13 percent of respondents reported full visibility across the ICS cyber kill chain, while more than 40 percent described their visibility as partial and fragmented, with major gaps.  

Under those conditions, intelligence cannot be applied evenly or operationalized. And when that is the case, the failure point is almost always the environment that intelligence is meant to inform, not the intelligence itself. Understanding why this gap exists and how it manifests operationally is key to building stronger industrial defenses. 

When Threat Intelligence Drives Decisions

When organizations do begin to close this gap, the change does not start with alerts or detections. It starts with risk prioritization. The first questions intelligence should inform are practical ones. Where should monitoring exist? Where should data be collected? Which assets are “high-value” to the organization? In OT environments, those decisions determine whether security effort produces meaningful outcomes or dissipates across systems that carry little real risk to operational safety and business continuity. 

Threat-informed decision-making also impacts the leadership level. Executives and operational leaders need to answer uncomfortable questions. Are we underinvesting or overinvesting? Are we actually prepared for threats already affecting our industry peers? Which sites could tell us if we were compromised, and which could not? Intelligence translates technical realities into terms leaders can make decisions on.  

In the SANS report, organizations using ICS-specific threat intelligence were far more likely to adjust defensive priorities based on what they learned. More than half reported changing monitoring coverage, and nearly half accelerated segmentation or architectural improvements as a direct result. This exemplifies intelligence doing what it should: informing decisions rather than generating noise. 

From Intelligence to Action: The Five ICS Cybersecurity Critical Controls

A consistent way to operationalize threat intelligence in industrial settings is to anchor it to the SANS Five ICS Cybersecurity Critical Controls. In practice, these controls serve as a backbone for translating adversary behavior into concrete decisions about visibility, detection, response, and resilience within OT environments.

The Five ICS Cybersecurity Critical Controls are the bridge between intelligence and execution. Real threat scenarios, drawn from peer incidents and known adversary behavior, are mapped to the controls required to withstand them. Each site is then assessed against those controls. Do we have the data needed for incident response? Do we have visibility where the threat actually operates? Can we detect failure early enough to respond safely? 

This approach produces a coverage view that matters. It shows which sites are viable and which are effectively blind. Operational leaders can use that view to justify investment, prioritize rollout, and avoid both gold-plating and undersizing controls. 
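The coverage view described above, as an added example that is not code from the post or from SANS: threat scenarios are mapped to the controls they require, each site is assessed against those controls, and the result shows which sites are covered, which are effectively blind, and which control closes the most gaps. The five control names are those of the SANS Five ICS Cybersecurity Critical Controls; the scenarios, the scenario-to-control mapping, and the site assessments are constructed for illustration.

```python
"""Coverage view: map threat scenarios to the SANS Five ICS Cybersecurity
Critical Controls and assess each site against them (added example).

Only the five control names come from SANS; the scenarios, their required
controls and the site assessments below are constructed sample data."""
from collections import Counter

FIVE_CONTROLS = (
    "ICS incident response",
    "Defensible architecture",
    "ICS network visibility and monitoring",
    "Secure remote access",
    "Risk-based vulnerability management",
)

# Constructed: controls a site must have in place to withstand each scenario.
SCENARIOS = {
    "ransomware causing OT shutdown": {
        "ICS incident response", "Defensible architecture",
        "ICS network visibility and monitoring"},
    "PIPEDREAM-class ICS toolkit": {
        "ICS network visibility and monitoring", "ICS incident response",
        "Risk-based vulnerability management"},
    "remote access misuse": {
        "Secure remote access", "ICS network visibility and monitoring"},
}

# Constructed site assessments: the controls each site has validated in place.
SITES = {
    "Plant A": set(FIVE_CONTROLS),
    "Plant B": {"Defensible architecture", "Secure remote access"},
    "Plant C": {"ICS incident response", "Risk-based vulnerability management",
                "ICS network visibility and monitoring"},
}

def validate(scenarios):
    """Reject a scenario that names a control outside the five."""
    for name, required in scenarios.items():
        unknown = required - set(FIVE_CONTROLS)
        if unknown:
            raise ValueError(f"{name}: unknown control(s) {sorted(unknown)}")

def coverage_view(sites, scenarios):
    """Per site and scenario, the controls still missing (empty list = covered)."""
    validate(scenarios)
    return {site: {sc: sorted(req - have) for sc, req in scenarios.items()}
            for site, have in sites.items()}

def blind_sites(view):
    """Sites with a gap against every scenario: effectively blind."""
    return sorted(s for s, scs in view.items() if all(scs.values()))

def rollout_priority(view):
    """Controls ranked by how many (site, scenario) gaps each would close."""
    tally = Counter(c for scs in view.values() for gaps in scs.values() for c in gaps)
    return [c for c, _ in tally.most_common()]
```

The ranking from `rollout_priority` is the investment argument the text refers to: the control at the top closes the most gaps across sites and scenarios.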

Ownership is what makes this work. Intel teams must be embedded in operations and own the translation from insight to action. In effective programs, intelligence analysts sit at the center and work directly with detection engineering, threat hunting, incident response, and red or purple teams. 

For executives, this framing is especially useful. Reporting tied to the five controls makes it possible to communicate readiness clearly without relying on alert counts or abstract risk scores. Coverage gaps, rollout status, and priorities can often be conveyed in one or two slides. This connection shows up clearly in practice. Just over half of organizations in the SANS report had an ICS/OT-specific incident response plan, yet that number rose to roughly 70 percent among organizations that actively use ICS-specific threat intelligence and operate under regulatory requirements. 

Validating Against Real-World Threats

Real-world, ICS-specific threats such as PIPEDREAM provide a useful validation benchmark because they are broad, cross-industry, and representative of real adversary capability. If an organization cannot detect, respond to, or contain something like PIPEDREAM, its program lacks grounding in reality.

The consequences of discovering those gaps during an incident are significant. For example, in ransomware incidents Dragos responded to in 2024, one quarter resulted in a full OT shutdown, while the remaining cases caused partial operational disruption. This is why assumptions need to be tested before an adversary forces the lesson. 

Answering those questions requires validation inside OT environments, not just at network boundaries. Threat-driven hunting, red teaming, and purple teaming expose where assumptions about control coverage fail in practice, particularly around visibility, detection, and response, the same areas emphasized by the Five Critical Controls. 

Despite the value, validation remains uncommon. Per the SANS report, only about one in five organizations perform ICS/OT threat hunting or red and purple team exercises today. Organizations that describe themselves as fully prepared are far more likely to test their assumptions this way. That preparedness comes from a willingness to test what is believed to be true.

Measurement presents a similar challenge. Many organizations struggle to explain whether intelligence is improving resilience or simply producing more activity. More than one in five respondents to the SANS report had no defined measures for ICS/OT security success, and only a small minority track effectiveness using financial or outcome-based metrics. Without scenario-based measurement tied to real threats and mapped to the Five Critical Controls, even meaningful work becomes difficult to explain or defend.

Turn Intel to Action with SANS ICS Training

Turning threat intelligence into operational defense is critical to mitigating accelerating threats against industrial environments. For those responsible for shaping how intelligence informs decisions, SANS ICS418: ICS Security Essentials for Leaders focuses on building an intel-to-action operating model for industrial environments, including how to assess readiness, align teams, and prioritize investment using real threat scenarios. For practitioners responsible for execution, SANS ICS515: ICS Visibility, Detection, and Response goes deeper into translating adversary behaviors and TTPs into validated detections, hunts, and response capability inside OT networks. 

Together, these courses are designed to help organizations move from knowing the threat to acting on it, without losing sight of operational safety or real-world constraints. 

Learn more about SANS’s ICS Security curriculum here.  

Download your copy of the SANS State of ICS/OT Security 2025 Report here.