
ICS Assessments: The Good, the Bad, and the Ugly

A "good" ICS assessment is rooted in strategic risk management and disciplined execution, aiming to enhance the operational resilience of the ICS environment.

Authored by Don C. Weber

Industrial Control Systems (ICS) and Operational Technology (OT) drive critical infrastructure, manufacturing, and global supply chains. For CISOs, executive boards, and advisory committees, securing these environments is paramount, often prioritizing safety and resiliency. While cybersecurity assessments and penetration testing are essential tools for managing risk, their efficacy depends on organizational maturity and risk mitigation approaches.

Threat reports over the past two years highlight an alarming escalation in adversary efficiency and targeting that focuses on vulnerabilities in network edge and remote access devices. To counter this acceleration and ensure resilience, OT stakeholders and leaders must pivot their assessment outcomes toward foundational, prioritized remediation actions, best framed by the SANS Five ICS Cybersecurity Critical Controls.

The Good: Intelligence-Driven Risk Management

A "good" ICS assessment is rooted in strategic risk management and disciplined execution, aiming to enhance the operational resilience of the ICS environment. This approach requires translating technical vulnerabilities into safety, operational, and business risks.

Foundational Principles for a Good Assessment:

  • Mission and Asset Prioritization: A good assessment begins with a Crown Jewel Analysis (CJA) to identify the organization’s most critical assets. Crown jewels are the assets and data whose failure would degrade or interrupt critical operations. This prioritization is emphasized in SANS ICS Cybersecurity Critical Control #5: Risk-Based Vulnerability Management. This requires focusing vulnerability decisions not just on patching, but on mitigating flaws that actively drive risk to the organization’s service or product delivery.
  • Structured Risk Assessment: Effective ICS risk assessment must be a collaborative effort involving OT cybersecurity teams, control system stakeholders, IT staff, operations, and management. Frameworks like ISA/IEC 62443 and NIST SP 800-82 provide structured approaches, moving beyond simple checklists to categorize systems based on potential physical and digital impact. Assessment results inform remediation plans.
  • Adversary-Informed Testing: Testing and assessments should align with SANS ICS Cybersecurity Critical Control #1: ICS-Specific Incident Response Plan. This involves developing realistic attack scenarios based on real-world adversary Tactics, Techniques, and Procedures (TTPs), anticipating how an attacker might pivot from an IT compromise into OT. Testing methodologies should initially be passive and non-intrusive whenever possible due to the impacts on physical operations. Mature OT cybersecurity programs will quickly implement Top-Down (penetration) testing and Bottom-Up (operational) testing, as we teach in SANS ICS613 ICS/OT Penetration Testing and Assessment. These approaches focus assessments on identifying potential weaknesses in the reliability and resiliency of critical assets and data.

This proactive, intelligence-driven approach leverages assessment findings to build a defense that is resilient to compromise, rather than merely preventative.

The Bad: Mismatched Speed and Governance Gaps

"Bad" assessments typically stem from a lack of executive governance, failing to establish SANS ICS Cybersecurity Critical Control #2: Defensible Architecture or Control #3: ICS Network Visibility and Monitoring. They create a false sense of security by failing to capture the dynamic threat environment.

Symptoms of Poor Governance in Assessments:

  • Inadequate Inventory (Asset Visibility): The fundamental failure to maintain an accurate, up-to-date inventory (physical and data) makes an effective and complete assessment nearly impossible. Organizations that "don't know what they have, what versions they have, where they are, what is required for operations, or what their critical data flows are" have a highly vulnerable posture. Visibility is consistently ranked as a top priority for facilities focused on security program improvement.
  • Neglecting Patch Management Testing: Remediation timelines rarely match the speed of modern threat actors. Organizations often stabilize patching cycles around 30 to 60 days, or 15 days for critical vulnerabilities. However, the median time for CISA Known Exploited Vulnerabilities (KEV) to be first scanned by threat actors is only five days. An assessment is "bad" if it flags unpatched systems without considering the specialized, time-consuming regression testing required in OT environments. An additional, often overlooked consideration is the reachability of a vulnerability (whether threat actors can actually reach and exploit it), which is determined by understanding attack vectors and considering threat intelligence.
  • Misaligned Resources: Incidents detected internally often reveal deficiencies in enterprise logging and detection. Organizations that lack dedicated ICS network monitoring capabilities expose themselves to significant risk of undetected threats, making it difficult to spot unauthorized access or the more challenging problem of authenticated unauthorized access (where a compromised but valid user account is leveraged). Despite monitoring being key to detecting these intrusions, survey data indicates many organizations still have limited or no OT Security Operations Center (SOC) capabilities.
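As an added illustration of the risk-based prioritization discussed above (Crown Jewel Analysis, KEV listing, reachability, and the mismatch between patch cycles plus OT regression testing and the five-day KEV scanning median), the following is example code, not from the article or SANS; the asset names, weights and vulnerability identifiers are constructed placeholders:

```python
from dataclasses import dataclass

# From the article: median days before a CISA KEV entry is first scanned by threat actors.
KEV_MEDIAN_SCAN_DAYS = 5

@dataclass
class Finding:
    asset: str
    vuln_id: str          # constructed placeholder identifiers, not real CVEs
    crown_jewel: bool     # asset identified by Crown Jewel Analysis
    in_kev: bool          # listed in the CISA KEV catalog
    reachable: bool       # an attack path from an attacker-accessible network exists
    sla_days: int         # the organization's patch cycle for this asset class
    regression_days: int  # OT regression testing needed before the patch can be deployed

def risk_score(f: Finding) -> int:
    """Weighted by what drives operational risk (reachability, KEV listing, crown jewel), not by CVSS."""
    return (40 if f.reachable else 0) + (30 if f.in_kev else 0) + (30 if f.crown_jewel else 0)

def exposure_gap_days(f: Finding) -> int:
    """Days between expected adversary scanning and the earliest realistic patch date (0 if none)."""
    if not f.in_kev:
        return 0
    return max(0, f.sla_days + f.regression_days - KEV_MEDIAN_SCAN_DAYS)

def recommended_action(f: Finding) -> str:
    gap = exposure_gap_days(f)
    if f.reachable and gap > 0:
        return "compensating control now (isolate, ACL, monitor), then patch after regression testing"
    if f.reachable or f.in_kev:
        return "patch within cycle"
    return "track; no active attack path"

def remediation_plan(findings):
    """Prioritized remediation list, highest operational risk first."""
    rows = [{"asset": f.asset, "vuln": f.vuln_id, "score": risk_score(f),
             "exposure_gap_days": exposure_gap_days(f), "action": recommended_action(f)}
            for f in findings]
    return sorted(rows, key=lambda r: (-r["score"], r["asset"]))

# Constructed sample findings for illustration only.
SAMPLE_FINDINGS = [
    Finding("edge-vpn-01", "VULN-PLACEHOLDER-1", False, True, True, 15, 0),
    Finding("safety-plc-07", "VULN-PLACEHOLDER-2", True, True, False, 60, 30),
    Finding("eng-workstation-03", "VULN-PLACEHOLDER-3", False, False, True, 30, 5),
    Finding("historian-01", "VULN-PLACEHOLDER-4", True, True, True, 30, 14),
]
```

Note that the unreachable safety PLC, despite being a crown jewel with a KEV-listed flaw, is scheduled on the normal cycle rather than rushed, while the reachable historian and edge VPN get compensating controls because regression testing pushes their patch date well past the adversary's scanning window.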

When organizations lack foundational OT cybersecurity governance controls, assessment findings become less reliable and offer limited protection for ICS/OT operations. This weakness contributed to the most common attack vector in 2024: compromises in IT that allowed threats to move into ICS/OT networks.

The Ugly: Exposed Edge, Remote Access Exploits, and Adversary Speed

The "ugly" reality of ICS cybersecurity occurs when poor governance, particularly concerning network edge and remote access devices, intersects with the accelerating speed and sophistication of external threats.

The Rise of Edge Device Exploitation (2023–2025)

Exploitation of vulnerabilities as the initial pathway to a breach saw substantial growth, tripling (a 200% increase) in the Verizon 2024 DBIR and growing further to 20% of initial access vectors in the 2025 DBIR. This surge is heavily driven by zero-day exploits targeting devices at the network periphery.

  • Remote Access as the Target: The primary vector for these exploits is network edge and Virtual Private Network (VPN) devices. The percentage of VPN and edge devices targeted in exploitation of vulnerabilities grew more than sevenfold, rising from 3% in previous reports to 22% in the 2025 DBIR vector enumerations. Mandiant's M-Trends reports indicate that three of the four most frequently exploited vulnerabilities in 2024 affected security devices typically placed at the edge of the network, including Ivanti Connect Secure VPN and Palo Alto Networks PAN-OS GlobalProtect.
  • Adversary Objectives: Both financially motivated groups and espionage groups are leveraging zero-days in remote access capabilities. Financially motivated actors like FIN11/Cl0p focus on speed and efficiency using exploits like MOVEit Transfer (CVE-2023-34362). Espionage groups commonly deploy custom malware ecosystems tailored for edge devices to maintain long-term, stealthy persistence by targeting edge devices like the Barracuda ESG appliances. Threat groups like VOLTZITE / Volt Typhoon specifically exploit vulnerabilities in internet-facing VPN appliances or firewalls for initial access to OT environments to steal critical data, such as GIS data and network diagrams.
  • Pace of Exploitation: The median time for a subset of critical edge device vulnerabilities to be mass exploited was zero days. These vulnerabilities were often added to the CISA KEV catalog the same day as, or earlier than, their CVE publication. Furthermore, despite organizations working very hard to patch these flaws, only about 54% of edge vulnerabilities analyzed were fully remediated by defenders throughout the year (a slight increase over the previous year). This remediation rate measures how successfully organizations resolved vulnerabilities on their own assets, and it shows that nearly half remained partially or completely unmitigated. The failure to adequately address risks identified in assessments, such as exposed network edges, results in "ugly" outcomes like the German Steel Mill Attack (2014), where attackers manipulated control systems, causing "massive" damage.

Assessments are "ugly" when they fail to evaluate SANS ICS Cybersecurity Critical Control #4: Secure Remote Access, which stresses eliminating shadow remote access, requiring MFA for external connections, and maintaining a complete inventory of access paths. Incidents like Colonial Pipeline, where initial access was gained through a legacy VPN path that was in the process of being decommissioned, demonstrate the grave consequences of ignoring secure remote access.
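An added example of the Control #4 checks described above (shadow remote access, MFA on external connections, a complete inventory of access paths, and a legacy path that should have been retired), written as a small audit that compares what an assessment observed with what the inventory claims. This is example code, not from the article or SANS; the path names, inventory and the metric names are constructed:

```python
from dataclasses import dataclass

@dataclass
class AccessPath:
    name: str
    external: bool  # the connection originates outside the organization's networks
    mfa: bool       # MFA is enforced on the path as actually configured
    active: bool    # observed accepting connections (from monitoring or testing)

def audit_access_paths(observed, inventory):
    """Compare observed remote-access paths with the authorized inventory
    (name -> status: "approved" or "decommissioning"). Returns (findings, metrics)."""
    findings = []
    for p in observed:
        if p.name not in inventory:
            findings.append((p.name, "shadow remote access: path not in inventory"))
        if p.external and not p.mfa:
            findings.append((p.name, "external connection without MFA"))
        if inventory.get(p.name) == "decommissioning" and p.active:
            findings.append((p.name, "legacy path still accepting connections"))
    observed_names = {p.name for p in observed}
    for name in inventory:
        if name not in observed_names:
            findings.append((name, "inventoried path not observed: verify or retire"))
    external = [p for p in observed if p.external]
    metrics = {
        "external_paths": len(external),
        "external_mfa_pct": round(100 * sum(p.mfa for p in external) / len(external)) if external else 100,
        "shadow_paths": sum(1 for p in observed if p.name not in inventory),
    }
    return findings, metrics

# Constructed sample data: what an assessment observed versus what the inventory claims.
OBSERVED_PATHS = [
    AccessPath("corp-vpn", external=True, mfa=True, active=True),
    AccessPath("legacy-vpn", external=True, mfa=False, active=True),        # being decommissioned
    AccessPath("vendor-remote-01", external=True, mfa=False, active=True),  # not in inventory
    AccessPath("ot-jump-host", external=False, mfa=False, active=True),
]
INVENTORY = {"corp-vpn": "approved", "legacy-vpn": "decommissioning",
             "ot-jump-host": "approved", "cell-modem-02": "approved"}
```

The metrics dictionary is the kind of per-control number (external paths, MFA coverage, shadow paths) that can be tracked from one assessment to the next rather than reported as a one-off list of findings.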

Guidance for Executives: The SANS 5 Critical Controls as a Metric Framework

For executive leaders, including CISOs and board members, assessment findings must be translated into tangible metrics aligned with the SANS 5 ICS Cybersecurity Critical Controls to ensure investments directly drive operational safety and risk reduction. These five controls establish the essential strategic framework that enables the CISO to use assessment outputs and cybersecurity program efforts to support communications and briefings with executive leadership, effectively demonstrating the approach, state, and direction of the OT cybersecurity program.

Ultimately, these controls allow the CISO to move beyond technical findings and report on program health and risk reduction trends—the strategic measures the board relies on to exercise effective governance. The following table provides examples of the tactical and strategic metrics that CISOs and OT leadership can use, directly supported by assessment outputs and cybersecurity program efforts:

The SANS Five ICS Cybersecurity Critical Controls provide a balanced approach, moving organizations beyond purely preventive measures toward the essential detective and responsive capabilities needed to survive modern geopolitical and financially motivated attacks. Assessments that focus solely on compliance or technical checklists, resulting in "bad" or "ugly" findings like exposed edge devices, highlight a critical lack of governance. By consistently using the "good" assessment process to drive and mature the cybersecurity program, specifically by improving secure remote access, defensible architecture, and monitoring, the CISO can assure the board that when an incident occurs, the OT team is positioned to exercise its recovery skills, knowing they are in control and can limit the adversary's actions. Maturing the program via this feedback loop turns assessment findings into sustained, quantifiable risk reduction.