---
url: "https://xcademia.com/courses/ot-ics-and-scada-security-operations"
title: "OT, ICS and SCADA Security Operations"
description: "Four-day hands-on OT/ICS security training for industrial engineers covering IEC 62443, Dragos, Claroty, TRITON, FrostyGoop & SANS critical controls."
publishedAt: "2026-04-14T05:04:56.402132+00:00"
updatedAt: "2026-04-17T10:13:57.426925+00:00"
type: course
code: "CYB-0176"
level: Practitioner
duration_days: "4"
track: "Cyber Warfare & Advanced Threat Defence"
category: "Cybersecurity & Ethical Hacking"
credential_tier: tier1
price_gbp: "4495"
---

# OT, ICS and SCADA Security Operations

> A four-day hands-on practitioner programme for OT security engineers covering full IEC 62443 assessment methodology, passive network monitoring, ICS malware analysis, and vendor access management. Develop the specialist skills to assess complex OT environments, respond to ICS incidents without disrupting operations, and apply the SANS five critical controls for industrial systems.

## Overview

Operational technology environments present security challenges that IT security methodologies cannot solve without modification. Legacy protocols, air-gap assumptions that no longer hold, operational lifespans measured in decades, and the absolute requirement to prioritise availability and safety over confidentiality create an attack surface that is simultaneously critical and fragile. This four-day programme develops the specialist skills to protect complex OT environments against the advanced persistent threats targeting industrial systems in 2026.

Across four mentor-led days, participants conduct OT security assessments using IEC 62443, design network segmentation for complex industrial environments using zone-and-conduit methodology, monitor OT networks passively without disrupting operations, analyse ICS-specific malware including TRITON/TRISIS, FrostyGoop, and VoltRuptor, manage vendor remote access risk, and plan OT-specific incident response without causing physical damage or service disruption.

The programme culminates in a full OT security assessment capstone of a simulated industrial environment, producing an asset inventory, risk rating, zone design, vendor access review, and prioritised remediation roadmap. This course is aligned with IEC 62443, the SANS five critical controls for ICS, NCSC OT security guidance, and NIS2 essential entity obligations for industrial operators.

## Prerequisites

- Professional experience in OT security engineering, industrial control systems, or plant operations security.
- Understanding of industrial control system architecture including PLCs, HMIs, and SCADA components.
- Familiarity with network security fundamentals including segmentation, monitoring, and access control.

## What you will learn

- Conduct a full OT security assessment of a complex industrial environment using IEC 62443 methodology.
- Design network segmentation for IT/OT convergence environments using zone-and-conduit design principles.
- Monitor OT environments using passive network inspection without disrupting any operational process.
- Respond to OT-specific cyber incidents without causing physical damage or uncontrolled service disruption.
- Apply the SANS five critical controls for ICS security to a manufacturing or utilities environment.
- Analyse ICS-specific malware indicators including TRITON/TRISIS, FrostyGoop, and VoltRuptor.
- Design a vendor access management programme that meets operational requirements and security objectives.

## Skills you will gain

- IEC 62443 OT security assessment
- Passive OT asset discovery
- ICS malware indicator analysis
- Zone-and-conduit network design
- Dragos platform deployment
- Claroty network visibility configuration
- Vendor access management design
- TRITON and FrostyGoop analysis
- SANS ICS critical controls implementation
- OT incident response planning
- OT business continuity design
- Industrial protocol vulnerability analysis

## Career progression

- OT Security Engineer
- ICS Security Specialist
- Plant Security Manager
- Manufacturing CISO
- Utilities Security Lead
- SCADA Security Analyst

## Curriculum

1. **Module 1: Getting Ready**
   - Pre-reading: IEC 62443 framework overview and the SANS five critical controls for ICS security
   - Introduction to the Purdue model and OT-specific threat landscape for 2026
   - Lab environment access configuration: Dragos and Claroty trial platform setup
   - Course objectives, OT security knowledge baseline self-assessment, and pathway alignment
2. **Module 2: OT vs IT Security: Fundamental Differences**
   - The CIA triad reversed: why OT prioritises availability and integrity over confidentiality in operational contexts
   - Why standard IT security tools cannot be applied directly to OT without modification or risk
   - Legacy protocol dependencies, 20-year operational lifespans, and why routine patching is often impossible
   - Air-gap myths in practice: how OT environments became connected without adequate security design
   - Safety instrumented systems: why they represent the highest-consequence target in any OT environment
3. **Module 3: Legacy Protocol Vulnerabilities in OT**
   - Modbus: no authentication, no encryption, and no integrity checking by design
   - DNP3 attack vectors: spoofed command injection and replay attacks against substations
   - Profibus and BACnet: exploitation vectors in industrial automation and building management protocols
   - Internet-exposed industrial systems: Shodan-assisted enumeration methodology and sector findings
   - Protocol traffic capture and analysis: hands-on inspection of captured ICS protocol data
4. **Module 4: OT Asset Discovery and Classification**
   - Passive asset discovery using network traffic analysis without disrupting production operations
   - Active discovery risks in OT: which techniques are safe and which can cause unexpected outages
   - Asset classification frameworks: safety-critical, operational-critical, and business-critical tiers
   - Building a complete OT asset inventory for a complex industrial or manufacturing environment
   - Hands-on lab: Dragos passive asset discovery in a simulated ICS network environment
5. **Module 5: The Purdue Model and Modern OT Architecture**
   - Purdue model structure: levels 0 through 5 and their intended security boundaries
   - How cloud connectivity, remote access, and digital transformation have eroded traditional Purdue boundaries
   - Modern alternatives: ISA/IEC 62443 zone-and-conduit model for current OT environments
   - Green energy infrastructure as an emerging and rapidly expanding OT attack surface
   - Convergence architecture: connecting legacy OT safely to enterprise IT without creating new risk
6. **Module 6: ICS Attack Anatomy: From Access to Physical Impact**
   - Nation-state ICS attack methodology: the full path from initial access to physical operational consequence
   - TRITON/TRISIS: the first malware specifically designed to attack safety instrumented systems
   - TRITON analysis: how attackers gained the ability to reprogram Triconex safety controllers, creating the potential for physical harm
   - Long dwell time in OT: why nation-state actors spend months establishing access before activation
   - Detection opportunities at each stage of the ICS attack lifecycle
7. **Module 7: FrostyGoop and VoltRuptor Malware Analysis**
   - FrostyGoop: how Modbus-native malware was used to cut heating to 600 Ukrainian residential buildings
   - FrostyGoop technical anatomy: command structure, targeting logic, and anti-detection approach
   - VoltRuptor: multi-protocol ICS/SCADA malware with anti-forensics and adaptive self-modification
   - Comparing FrostyGoop and VoltRuptor: targeting philosophy, detection approach, and ICS impact
   - Hands-on: analyse ICS malware indicators of compromise in a controlled analytical environment
8. **Module 8: Dragos and Claroty: OT Monitoring Deployment**
   - Dragos platform: deployment architecture options for passive OT network monitoring
   - Configuring Dragos detection rules for ICS-specific threat patterns without impacting availability
   - Claroty: network visibility, asset management, and vulnerability detection deployment and configuration
   - Alert tuning for OT environments: thresholds, sensitivity levels, and response playbooks that differ from IT
   - Hands-on lab: deploy OT monitoring and respond to simulated ICS attack indicators in the lab
9. **Module 9: IEC 62443 Security Levels in Practice**
   - IEC 62443 framework structure: security levels SL 1 through SL 4 (with SL 0 meaning no specific requirement) and their practical meaning
   - Zone-and-conduit design: mapping OT zones, defining conduits, and assigning security level targets
   - Assigning security levels to OT zones based on consequence analysis and criticality assessment
   - Conducting a gap assessment against IEC 62443 in a complex manufacturing or utilities environment
   - Designing a phased roadmap to move from current security level to target level over time
10. **Module 10: Vendor Access Management for OT**
   - Why vendor remote access is among the most common initial access vectors in OT environments
   - Designing a vendor access management programme with time-limited, audited, and monitored sessions
   - Jump server and privileged access workstation architecture for secure OT vendor access
   - Remote access security for engineering workstations and SCADA system maintenance connections
   - Supply chain security for industrial hardware and firmware: provenance verification and integrity checks
11. **Module 11: OT Incident Response Without Disruption**
   - Why OT incident response cannot follow the standard IT incident response methodology
   - Isolating a compromised OT system without causing physical damage or uncontrolled service disruption
   - Business continuity planning for manufacturing and utilities operations during a cyber incident
   - Recovery and reconstitution procedures for industrial control systems after a cyber attack
   - Evidence preservation in OT environments: forensic collection without disrupting live operations
12. **Module 12: SANS Five Critical Controls for ICS**
   - Control 1: ICS-specific incident response plan and tested playbook
   - Control 2: Defensible architecture design for OT environments
   - Control 3: ICS network visibility and monitoring with a continuous anomaly detection programme
   - Control 4: Secure remote access programme and vendor access management framework
   - Control 5: Risk-based vulnerability management programme appropriate to OT operational constraints
13. **Module 13: Capstone: Full OT Security Assessment**
   - Full OT security assessment of a simulated industrial environment from asset discovery to remediation plan
   - Asset inventory, risk rating by criticality and exposure, and consequence-based prioritisation
   - Zone-and-conduit design recommendation and segmentation gap analysis output
   - Vendor access programme review and remote access security remediation recommendations
   - Remediation roadmap delivery, peer review, and instructor-led debrief of methodology and output quality

## Exam & certification

You will receive an Xcademia certificate of completion based on participation and successful completion of labs and scenario simulations.

## Delivery options

- **Live Online** — Join live instructor-led sessions from anywhere. Interactive, engaging, and flexible.
- **Onsite Training** — We come to you. Training delivered at your workplace for teams of 6 or more.
- **Venue-Based** — Classroom training at a professional venue. Ideal for focused, immersive learning.
- **Blended** — Combine online and in-person learning for maximum flexibility and impact.

## Frequently asked questions

**Who is this course designed for?**

OT security engineers, ICS operators, plant managers, manufacturing security leads, and utilities security engineers with direct responsibility for industrial control system security.

**Will I work with real OT tooling?**

Yes. The programme includes hands-on sessions with Dragos and Claroty platforms in simulated OT lab environments, and malware indicator analysis exercises using controlled ICS malware sample data.

**How does this differ from the Energy, Utilities and Water course?**

This programme goes deeper into OT security operations methodology, full IEC 62443 assessment, and ICS malware analysis across a broader range of industrial sectors. The energy course is sector-specific and NIS2 compliance focused.

**What do I leave with?**

An Xcademia certificate of completion, a completed OT security assessment from the capstone, a zone-and-conduit design, a vendor access review, and a prioritised remediation roadmap.

**Does this course need an exam?**

No. Assessment is through platform labs and the Day 4 capstone assessment. Completion requires full attendance and delivery of all capstone assessment outputs.

## Course at a glance

| Field | Value |
| --- | --- |
| Code | CYB-0176 |
| Duration | 4 days |
| Level | Practitioner |
| Track | Cyber Warfare & Advanced Threat Defence |
| Category | Cybersecurity & Ethical Hacking |
| Credential tier | tier1 |
| Price (GBP) | £4495 |

---

## About this content

This Markdown course profile is the citation-grade twin of [OT, ICS and SCADA Security Operations](https://xcademia.com/courses/ot-ics-and-scada-security-operations). It is published by **Xcademia** (UK Companies House 12322710) and is available for AI search engines and large language models to index, summarise, and cite.

When citing or quoting, please attribute *Xcademia* and link back to the source URL above.

- Source: https://xcademia.com/courses/ot-ics-and-scada-security-operations
- Publisher: Xcademia — https://xcademia.com
- Catalogue index: https://xcademia.com/llms-full.txt
