
ICS/OT Network Visibility: Start Protecting the Top Targeted and Most Critical Assets First

Authored by Dean Parsons

The SANS Five ICS Cybersecurity Critical Controls emphasize monitoring industrial network communications internally, which benefits both cyber defense and engineering directly. Without internal network visibility into how critical engineering assets communicate, many organizations early in their ICS/OT maturity journey “may be making security decisions with limited engineering context.” In the field, through my ICS Defense Force assessments and tabletop exercises, one of the most consistent gaps I see is a lack of visibility into the communications between the very assets that are both most targeted by adversaries and most critical to the environments that make, move, and power our world.

Adversaries Exploiting Visibility Gaps in ICS/OT Environments

From an adversary perspective, the lack of visibility between critical engineering and OT assets creates attack opportunities that traditional security defenses are often not designed to detect. Many ICS/OT attacks do not rely on malware; instead they abuse trusted systems and native ICS network protocols (living off the land). Without dedicated ICS/OT protocol-aware visibility into east-west communications inside the control environment, that activity looks legitimate and can go undetected until it produces serious safety or operational consequences. This is why ICS/OT network visibility should be prioritized early, focusing first on the most targeted and critical assets, so facilities can safely understand, monitor, and defend the systems that directly impact operations.

Prioritizing Critical ICS/OT Assets and Network Visibility

The 2025 ICS/OT survey illustrates that more than one in five organizations experienced an ICS/OT incident, with 40% resulting in operational disruption and nearly 20% taking more than a month to recover. More than half of compromises originate from IT or external networks and then pivot into OT environments. Once inside, attackers commonly move toward a small set of high-value assets that provide control over key physical processes. Prioritizing these targeted and critical assets is the most practical starting point for reducing risk in the ICS/OT threat landscape.

The Assets That Matter Most

Four asset types consistently emerge as primary targets: programmable logic controllers (PLCs), engineering workstations (EWS), human machine interfaces (HMIs), and data historians.

  • PLCs sit at the heart of the physical process, executing specific engineering logic that directly affects equipment and safety. In water and wastewater, a PLC controls pumps, valves, and chemical dosing systems such as chlorine injection based on flow and sensor readings. If that logic is manipulated, it can result in unsafe water conditions or equipment damage driven entirely by changes to control logic.
  • Engineering Workstations (EWS) are designed to program and configure PLCs and inherently possess trust and authority across the environment. When compromised, attackers can use the legitimate engineering programming tools and libraries already installed on them to make malicious setpoint and logic changes without triggering traditional controls, because the activity looks like normal engineering network traffic and normal engineering software execution.
  • Human Machine Interfaces (HMIs) provide operators with on-screen visibility and control, making them valuable targets for both manipulation and deception. Attackers have been observed issuing valid commands from HMIs that appear as legitimate operator activity while masking the true process conditions, creating scenarios such as denial of view or misuse of system control for physical consequences.
  • Data Historians are frequently targeted as well. They store operational data and are commonly integrated with IT networks, making them a bridge for lateral movement between IT and ICS/OT networks, and a hotspot for data exfiltration.

Where ICS/OT Network Visibility Should Start

Many organizations begin their ICS/OT network visibility journey at the IT/OT boundary, focusing on north-south traffic. While useful, this alone may not capture the activity that ultimately impacts operations at lower levels in the Purdue model.

Some of the most critical visibility exists inside the control environment, specifically east-west communications between those engineering workstations, HMIs, and PLCs. This is where legitimate commands are issued, logic is modified, and lateral movement generally occurs. Without this internal visibility, facilities may miss the actions that matter most for proactive industrial threat detection.

Because advanced attackers can move laterally between internal devices, and because the initial ICS/OT attack vector is not always through IT into the ICS/OT network, monitoring only the north-south IT/OT boundary may provide limited operational security value without corresponding visibility inside the control environment. An effective strategy is to prioritize internal ICS/OT network visibility first and expand outward, once the IT/OT boundary has appropriate, best-practice access control lists in place.
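The east-west monitoring described in this section, as an added example that is not from the original post, from SANS, or from any product: a short Python script that passively parses constructed Modbus/TCP request frames (no active scanning), builds an inventory of talkers from what it observes, flags write function codes sent to PLCs by hosts outside an authorized EWS/HMI allowlist, and records which of those findings a sensor at the IT/OT boundary could never have seen because both endpoints sit inside the control network. The network ranges, addresses, allowlist and frames are constructed assumptions for illustration; the function codes come from the public Modbus application protocol specification.

```python
"""Passive east-west Modbus/TCP monitoring with a write-source policy.

Constructed data only: the zone layout, addresses and frames below are made up
for illustration and are not from any real facility or from the original post.
"""
import ipaddress
import struct
from dataclasses import dataclass

# Modbus function codes from the public Modbus application protocol spec.
# Writes change coils/registers and therefore the physical process; reads do not.
WRITE_FCS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
             0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
             0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers"}
READ_FCS = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
            0x03: "Read Holding Registers", 0x04: "Read Input Registers"}

# Hypothetical zone layout (assumption): one OT network, a PLC subnet inside it,
# and an allowlist of the only hosts permitted to issue writes.
OT_NETWORK = ipaddress.ip_network("10.10.0.0/16")
PLC_SUBNET = ipaddress.ip_network("10.10.1.0/24")
AUTHORIZED_WRITERS = {"10.10.2.10": "EWS", "10.10.2.20": "HMI"}


@dataclass
class Request:
    src: str
    dst: str
    unit_id: int
    function_code: int


@dataclass
class Finding:
    severity: str
    src: str
    dst: str
    detail: str
    internal_only: bool  # True when a sensor at the IT/OT boundary could not see it


def parse_modbus_tcp(src: str, dst: str, payload: bytes):
    """Parse the MBAP header and function code of one Modbus/TCP request.

    MBAP: transaction id (2), protocol id (2, must be 0), length (2), unit id (1),
    then the PDU whose first byte is the function code. Returns None for anything
    that is not a well-formed Modbus/TCP ADU so the caller can skip it.
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return Request(src, dst, unit_id, payload[7])


def analyze(records):
    """Build a passive inventory and policy findings from (src, dst, payload) tuples."""
    inventory: dict[str, set[str]] = {}
    findings: list[Finding] = []
    for src, dst, payload in records:
        req = parse_modbus_tcp(src, dst, payload)
        if req is None:
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        internal = src_ip in OT_NETWORK and dst_ip in OT_NETWORK
        # Passive inventory: roles are inferred from observed behaviour only.
        inventory.setdefault(dst, set()).add("modbus-server")
        inventory.setdefault(src, set()).add("modbus-client")
        if dst_ip in PLC_SUBNET:
            inventory[dst].add("plc")
        if req.function_code in WRITE_FCS:
            inventory[src].add("writer")
            if src not in AUTHORIZED_WRITERS:
                findings.append(Finding("high", src, dst,
                    f"{WRITE_FCS[req.function_code]} (fc 0x{req.function_code:02x}) to unit "
                    f"{req.unit_id} from a host not authorized to write", internal))
        elif req.function_code in READ_FCS and not internal:
            findings.append(Finding("medium", src, dst,
                f"{READ_FCS[req.function_code]} crossing the IT/OT boundary", internal))
    return inventory, findings


def boundary_blind_spots(findings):
    """High-severity findings that only east-west monitoring could have produced."""
    return [f for f in findings if f.severity == "high" and f.internal_only]


# Constructed Modbus/TCP request frames (hex), not captured from a real network.
SAMPLE_RECORDS = [
    # HMI polls holding registers on a PLC: normal.
    ("10.10.2.20", "10.10.1.5", bytes.fromhex("000100000006 01 03 0000 000a")),
    # EWS writes one holding register: authorized writer, no finding.
    ("10.10.2.10", "10.10.1.5", bytes.fromhex("000200000009 01 10 0000 0001 02 0005")),
    # Historian (inside OT) writes a register: unauthorized and east-west only.
    ("10.10.3.40", "10.10.1.5", bytes.fromhex("000300000006 01 06 0010 0000")),
    # IT host reads a PLC across the boundary: visible to a north-south sensor.
    ("10.20.5.7", "10.10.1.6", bytes.fromhex("000400000006 01 03 0000 0002")),
    # Never-before-seen host on the PLC subnet writes coils: unauthorized, east-west.
    ("10.10.1.99", "10.10.1.5", bytes.fromhex("000500000008 01 0f 0000 0008 01 ff")),
    # Junk on port 502 that is not Modbus (protocol id non-zero): skipped.
    ("10.10.2.20", "10.10.1.5", bytes.fromhex("000600010006 01 03 0000 000a")),
]

if __name__ == "__main__":
    inv, found = analyze(SAMPLE_RECORDS)
    for host, roles in sorted(inv.items()):
        print(f"{host:12} {' '.join(sorted(roles))}")
    for f in found:
        where = "east-west only" if f.internal_only else "crosses boundary"
        print(f"[{f.severity.upper()}] {f.src} -> {f.dst}: {f.detail} ({where})")
    print(f"{len(boundary_blind_spots(found))} of {len(found)} findings invisible at the boundary")
```

Run against the constructed frames, the script produces three findings: two unauthorized writes (from the historian and from an unknown host on the PLC subnet) and one boundary-crossing read. Both writes are internal to the OT network, so a sensor placed only at the IT/OT boundary would report the harmless read and miss the two events that could change the process. The same pass also yields the inventory of seven hosts and their observed roles without sending a single packet to a controller, which is the passive approach the post recommends over active scanning.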

Make This Practical and Hands-On with Your Own PLC Kit in ICS515

For practical guidance on deploying ICS/OT Network Visibility—including how to safely build an engineering asset inventory through passive analysis (avoiding risky active scanning), and how to prioritize east-west versus north-south visibility across the OT assets that matter most—join me for ICS515 at Network Security in Las Vegas in September. In class, I walk through this using real field experience and prepare you for the GRID certification exam. You’ll build, attack, and defend your own ICS515 PLC kit to detect real-world activity, then take it home to continue applying what you’ve learned! Looking forward to seeing you in class and in the field.

Best!

Dean