--- url: "https://xcademia.com/courses/critical-infrastructure-defence-energy-utilities-and-water" title: "Critical Infrastructure Defence: Energy, Utilities and Water" description: "Three-day OT security training for energy, utilities, and water. Covers ICS malware, NIS2, NCSC CAF, Dragos, and Claroty. Practitioner-led and hands-on." publishedAt: "2026-04-13T09:20:21.16357+00:00" updatedAt: "2026-04-29T06:02:13.43947+00:00" type: course code: "CYB-0162" level: Practitioner duration_days: "3" track: "Cyber Warfare & Advanced Threat Defence" category: "Cybersecurity & Ethical Hacking" credential_tier: tier1 price_gbp: "3495" --- # Critical Infrastructure Defence: Energy, Utilities and Water > A practitioner programme for security professionals defending energy, utilities, and water infrastructure against nation-state targeting, ICS-specific malware, and NIS2 regulatory obligations. Develop the OT security assessment, network segmentation, and compliance skills to protect critical infrastructure from advanced persistent threats including Sandworm and Volt Typhoon. ## Overview Energy infrastructure experienced close to 40% of all critical infrastructure cyberattacks in 2025. Nation-state actors, particularly Sandworm and Volt Typhoon, have demonstrated the capability and willingness to attack power grids, water treatment facilities, and industrial control systems. The unique constraints of operational technology environments, where availability and safety must never be compromised, demand a fundamentally different security approach to standard IT defence. Over three mentor-led days, participants assess and harden OT and ICS environments against nation-state attack vectors, analyse ICS-specific malware including FrostyGoop and VoltRuptor, design network segmentation using the Purdue model, apply NCSC CAF and NIS2 controls to energy sector environments, and conduct hands-on practicals using Dragos and Claroty tooling. The programme culminates with a capstone security assessment of a simulated energy control environment, producing a risk remediation plan aligned to NIS2 reporting obligations. This course is aligned with NCSC CAF, NIS2, IEC 62443, and NERC CIP awareness requirements for critical infrastructure security professionals. ## Prerequisites - Professional experience in OT security, ICS operations, energy sector IT, or operational technology security engineering. - Basic understanding of industrial control system architecture including PLCs, HMIs, and SCADA systems. - Familiarity with cybersecurity fundamentals including network segmentation and vulnerability management. ## What you will learn - Assess and harden OT and ICS environments against nation-state attack vectors specific to energy, utilities, and water. - Apply NCSC CAF and NIS2 controls to energy sector operational environments with practical precision. - Detect and analyse ICS-specific malware indicators including FrostyGoop, VoltRuptor, and related tooling. - Design network segmentation for IT/OT convergence environments using the Purdue model and IEC 62443. - Conduct an OT asset inventory and exposure assessment without disrupting operational processes. - Produce a NIS2-aligned risk remediation plan for an energy sector operational environment. - Implement OT-specific continuous monitoring using Dragos and Claroty platforms. ## Skills you will gain - OT asset discovery and inventory - ICS malware indicator analysis - Purdue model network segmentation - IEC 62443 zone-and-conduit design - NIS2 compliance gap assessment - NCSC CAF energy sector mapping - Dragos platform deployment and operation - Claroty network visibility configuration - OT incident response planning - IT/OT convergence security architecture ## Career progression - OT Security Engineer - SCADA Security Analyst - NIS2 Compliance Lead - Energy Security Manager - IT/OT Convergence Specialist - Critical Infrastructure CISO ## Curriculum 1. **Module 1: Getting Ready** - Pre-reading: NCSC CAF overview and NIS2 essential entity obligations for energy sector organisations - Introduction to the Purdue model and IEC 62443 security level concepts - Lab environment access configuration: Dragos and Claroty trial platform setup - Course objectives, OT security knowledge baseline self-assessment, and pathway alignment 2. **Module 2: Why Energy is the Primary Target** - Energy sector: approximately 40% of all critical infrastructure cyberattacks in 2025 - Nation-state targeting doctrine for energy: Sandworm, Volt Typhoon, and IRGC-linked actors - Strategic leverage, conflict escalation, and economic disruption as attack objectives - Distinction between disruptive attacks and long-term pre-positioning for conflict activation - Current exposure mapping: which energy sub-sectors face the highest risk in 2026 3. **Module 3: OT and ICS Attack Vectors** - Exposed industrial protocols: Modbus, DNP3, Profinet, and BACnet attack surfaces in energy environments - Default credentials on internet-facing PLCs and HMIs: Shodan-assisted discovery and exploitation - Remote access abuse: VPN and vendor portal compromise as the primary IT-to-OT pivot - Engineering workstation targeting: the entry point from corporate IT to operational networks - Wireless and cellular connectivity in modern energy OT: new attack surfaces introduced by digitalisation 4. **Module 4: OT Asset Discovery and Inventory** - Passive asset discovery techniques that do not disrupt operational processes or production - Active discovery risks in energy OT environments and when their use is acceptable - Asset classification frameworks: safety-critical, operational-critical, and business-critical tiers - Exposure assessment: identifying internet-facing OT assets across the estate using passive methods - Hands-on lab: Dragos passive asset discovery in a simulated energy ICS environment 5. **Module 5: ICS-Specific Malware: FrostyGoop and VoltRuptor** - FrostyGoop: anatomy of the Modbus-native malware that cut heating to 600 Ukrainian buildings - FrostyGoop detection signatures, indicators of compromise, and MITRE ATT&CK ICS mapping - VoltRuptor: multi-protocol ICS/SCADA malware with anti-forensics and self-modification capability - Comparing FrostyGoop and VoltRuptor: targeting approach, detection methodology, and evasion - Malware indicator analysis methodology for OT environments that preserves operational availability 6. **Module 6: Sandworm Pre-Positioning Doctrine** - How Sandworm establishes long-term access inside energy infrastructure before activating capabilities - Pre-positioning detection indicators: what to look for across IT and OT telemetry - Timeline between initial access and destructive activation in documented energy sector attacks - Detecting pre-positioned nation-state actors using OT-specific passive monitoring approaches - Response strategy options when pre-positioning is discovered before destructive action is initiated 7. **Module 7: Network Segmentation for IT/OT Convergence** - The Purdue model applied to modern connected energy environments and its current limitations - Unidirectional data flows: design and implementation using hardware data diodes - Zone-and-conduit design for legacy OT infrastructure using IEC 62443 methodology - Demilitarised zone design for safe IT-to-OT data exchange without protocol bridging risk - Hands-on lab: Claroty network visibility and segmentation gap identification exercise 8. **Module 8: NIS2 and NCSC CAF for Energy Sector** - NIS2 essential entity obligations specific to energy sector organisations - NCSC CAF outcomes mapped to energy sector operational and technical requirements - NERC CIP awareness and alignment with NIS2 for organisations with dual-framework exposure - NIS2 incident reporting obligations: timelines, notification content, and responsible authorities - Conducting a NIS2 gap assessment for a real-world energy sector operational environment 9. **Module 9: Dragos and Claroty: OT Monitoring Hands-On** - Dragos platform architecture and deployment options for passive energy OT network monitoring - Configuring Dragos detection rules for ICS-specific threats without impacting operational availability - Claroty continuous threat detection and asset management hands-on session - Alert tuning for OT environments: different thresholds, response playbooks, and escalation paths - Integrating OT monitoring platform outputs with enterprise SOC and SIEM for unified visibility 10. **Module 10: OT Incident Response in Energy Environments** - Why OT incident response cannot follow the standard IT incident response playbook - Isolating a compromised OT system without causing physical damage or service disruption to consumers - Business continuity planning for energy generation and distribution during a cyber incident - Recovery and reconstitution procedures for industrial control systems after an attack - Evidence preservation in OT environments: forensic collection without disrupting operations 11. **Module 11: Capstone: Energy Control Environment Security Assessment** - Full security assessment of a simulated energy control environment including asset inventory and risk rating - Zone-and-conduit segmentation gap analysis and remediation design recommendation - NIS2-aligned risk remediation plan with prioritised actions and timeline - Group peer review of capstone outputs with structured feedback - Full instructor debrief: assessment methodology review and remediation plan quality assessment ## Exam & certification You will receive an Xcademia certificate of completion based on participation and successful completion of labs and scenario simulations. ## Delivery options - **Live Online** — Join live instructor-led sessions from anywhere. Interactive, engaging, and flexible. - **Onsite Training** — We come to you. Training delivered at your workplace for teams of 6 or more. - **Venue-Based** — Classroom training at a professional venue. Ideal for focused, immersive learning. - **Blended** — Combine online and in-person learning for maximum flexibility and impact. ## Frequently asked questions **Who is this course designed for?** OT security engineers, IT/OT convergence teams, energy sector security leads, SCADA operators, and NIS2 compliance leads working in energy, utilities, or water sector environments. **Do I need an IT security background or OT experience?** A basic understanding of cybersecurity fundamentals is helpful. The programme focuses on OT-specific challenges and is primarily designed for professionals with operational technology or industrial control system experience. **Is NIS2 covered in depth?** Yes. NIS2 essential entity obligations for the energy sector are covered in a dedicated session, including gap assessment methodology, incident reporting timelines, and alignment with NCSC CAF outcomes. **What do I leave with?** A Certificate of Achievement, a completed OT security assessment from the capstone, a NIS2-aligned risk remediation plan, and a personal action plan for continued development. **Does this course need an exam?** No. Assessment is through platform labs and the Day 3 simulated environment capstone. Completion requires full attendance and delivery of the capstone remediation plan. ## Course at a glance | Field | Value | | --- | --- | | Code | CYB-0162 | | Duration | 3 days | | Level | Practitioner | | Track | Cyber Warfare & Advanced Threat Defence | | Category | Cybersecurity & Ethical Hacking | | Credential tier | tier1 | | Price (GBP) | £3495 | --- ## About this content This Markdown course profile is the citation-grade twin of [Critical Infrastructure Defence: Energy, Utilities and Water](https://xcademia.com/courses/critical-infrastructure-defence-energy-utilities-and-water). It is published by **Xcademia** (UK Companies House 12322710) and is available for AI search engines and large language models to index, summarise, and cite. When citing or quoting, please attribute *Xcademia* and link back to the source URL above. - Source: https://xcademia.com/courses/critical-infrastructure-defence-energy-utilities-and-water - Publisher: Xcademia — https://xcademia.com - Catalogue index: https://xcademia.com/llms-full.txt