
Introduction:
Operational Technology (OT) and Industrial Control Systems (ICS) form the backbone of critical infrastructure—from power grids and water treatment facilities to manufacturing plants and food production. Unlike traditional IT environments, compromising an OT network can lead to physical damage, environmental disasters, and even loss of life. The cybersecurity skills gap in this domain is severe, yet high-quality training often comes with prohibitive costs. Fortunately, a vibrant community of practitioners, researchers, and organizations has made exceptional OT/ICS cybersecurity education freely accessible through YouTube. This article curates 25 of the best channels across multiple categories—individual contributors, conferences, associations, training providers, podcasts, vendors, and government agencies—and provides a practical roadmap for leveraging these resources to build real-world industrial security competence.
Learning Objectives:
- Identify and navigate the top free YouTube resources for OT/ICS cybersecurity across seven distinct categories
- Understand the core differences between IT and OT security, including protocol-level vulnerabilities and operational constraints
- Apply practical command-line techniques for OT network discovery, monitoring, and hardening using tools like Nmap, Zeek, Snort, and Modbus utilities
- Recognize common attack vectors against industrial protocols (Modbus, DNP3, S7Comm) and implement defensive countermeasures
- Develop a continuous learning roadmap combining video content, hands-on labs, and community engagement
You Should Know:
1. Individual Contributors – Learning from the Front Lines
The most immediate way to start your OT/ICS cybersecurity journey is by following practitioners who share their expertise directly. @UtilSec (Mike Holcomb’s channel) serves as an entry point for beginners, offering structured guidance on getting started in the field. @RickCenOT dives into hardware hacking and penetration testing—essential skills for understanding how physical devices can be compromised. @ZakharBernhardt hosts Labshock, a virtual OT/ICS lab environment where you can safely practice attacks and defenses without risking real infrastructure. @icsotsecurity, run by Manjunath, delivers ISA/IEC 62443-focused content, helping you align your learning with the global standard for industrial cybersecurity.
Step-by-Step Guide to Getting Started:
- Subscribe and Curate: Subscribe to all four individual contributor channels. Create a dedicated playlist for each to organize content by topic (e.g., “Protocol Basics,” “Hardware Hacking,” “Lab Exercises”).
- Set a Weekly Learning Cadence: Commit to watching at least two videos per week. Start with @UtilSec’s introductory series, then progress to @RickCenOT’s hardware demonstrations.
- Follow Along with Labs: When @ZakharBernhardt releases a Labshock tutorial, spin up your own virtual environment. Use VirtualBox or VMware to run a Kali Linux VM and target an OpenPLC or GRASSMarlin instance.
- Take Notes on Key Commands: Document every command demonstrated. For example, when scanning for OT devices, use:
```bash
# Discover Modbus devices on a network segment
nmap -p 502 --open -sV <target_IP_range>
# Identify S7Comm devices (Siemens PLCs)
nmap -p 102 --open -sV <target_IP_range>
# Scan for BACnet building automation systems
# (BACnet/IP runs over UDP, so a UDP scan with -sU is needed)
nmap -sU -p 47808 --open -sV <target_IP_range>
```
- Join the Community: Engage in the comment sections and follow these creators on LinkedIn. Ask questions about specific techniques you’re struggling to implement.
2. Conferences – Accessing World-Class Talks
Conference proceedings are goldmines for cutting-edge research and real-world case studies. @S4Events hosts recordings from the annual S4 conference, renowned for deep technical dives into OT security. @ICSVillage covers everything from the Hack the Planet podcast to conference presentations, offering a blend of technical and cultural insights into the ICS security community. @HoustonSecurityConference includes OT.SEC.CON presentations, expanding your exposure to regional and international perspectives.
Step-by-Step Guide to Leveraging Conference Content:
- Create a “Conference Deep Dive” Playlist: Add all three conference channels and sort videos by date. Watch the most recent talks first to stay current with emerging threats.
- Focus on Incident Post-Mortems: Prioritize videos that analyze real-world attacks (e.g., TRITON, Industroyer, Colonial Pipeline). Take detailed notes on attack chains, indicators of compromise (IoCs), and lessons learned.
- Implement Detection Rules: When a talk mentions specific Snort or Suricata rules, add them to your lab’s IDS/IPS configuration:
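```
# Example Snort rule for Modbus function code 90 (unsolicited message)
# Modbus/TCP frames start with a 7-byte MBAP header, so the function code is at byte offset 7;
# bytes 2-3 carry the protocol identifier, which is always 00 00.
alert tcp any any -> any 502 (msg:"MODBUS unsolicited message"; flow:to_server,established; content:"|00 00|"; offset:2; depth:2; content:"|5a|"; offset:7; depth:1; reference:url,modbus.org; sid:1000001; rev:1;)
```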
- Simulate Discussed Attacks: Using your lab environment, attempt to replicate the attack techniques described in the talks. Document what worked, what failed, and why.
- Share Summaries: Write brief LinkedIn posts summarizing each talk you watch. This reinforces your learning and builds your professional network.
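A signature that keys on a Modbus function code has to look past the 7-byte MBAP header, at byte offset 7 of the TCP payload. The following Python sketch is an added example, not code from the original post or from any talk it mentions: it parses Modbus/TCP frames the way such a rule must, and the sample frames (including one whose transaction ID happens to start with 0x5a) are constructed for illustration.

```python
import struct

# Modbus/TCP ADU = 7-byte MBAP header + PDU (function code, then data).
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id
WRITE_CODES = {5, 6, 15, 16, 22, 23}  # standard write-capable function codes
WATCHED_CODE = 0x5A  # function code 90, the value the page's Snort rule targets


def inspect_adu(frame: bytes) -> dict:
    """Classify one Modbus/TCP frame; never raises on malformed input."""
    if len(frame) < MBAP.size + 1:
        return {"verdict": "truncated"}
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        return {"verdict": "not-modbus"}  # protocol id must be 0x0000
    # The length field counts the unit id plus the PDU that follows it.
    if length != len(frame) - 6:
        return {"verdict": "length-mismatch", "tid": tid}
    raw = frame[MBAP.size]   # byte offset 7: the function code
    func = raw & 0x7F        # high bit set marks an exception response
    if raw & 0x80:
        verdict = "exception-response"
    elif func == WATCHED_CODE:
        verdict = "alert-fc90"
    elif func in WRITE_CODES:
        verdict = "write"
    else:
        verdict = "read-or-other"
    return {"verdict": verdict, "tid": tid, "unit": unit, "func": func}


# Constructed sample frames (hex), not captured from a real device.
SAMPLES = {
    "read_holding": "000100000006010300000002",
    "write_single": "00020000000601060001002a",
    "fc90":         "0003000000040a5a0002",
    # Transaction id 0x5a00: byte 0 is 0x5a, but the function code is 0x03.
    "tid_is_5a":    "5a0000000006010300000001",
    "exception":    "000400000003018302",
    "short":        "0005000000",
}


def run_samples() -> dict:
    """Return {sample name: verdict} for every constructed frame."""
    return {n: inspect_adu(bytes.fromhex(h))["verdict"] for n, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:13s} {verdict}")
```

The `tid_is_5a` frame is the case a signature anchored at byte 0 gets wrong: the byte value is present, but it is part of the transaction ID, not the function code.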
3. Associations – Structured Knowledge from Professional Bodies
Professional associations provide curated, standards-aligned content. @CS2AI (Control System Cyber Security Association International) offers recordings of their events, covering governance, risk, and compliance alongside technical topics. @OTSecurityProfessionals delivers community-driven content, including panel discussions and Q&A sessions with industry veterans.
Step-by-Step Guide to Association Resources:
- Understand the Standards Framework: Watch CS2AI videos that explain the ISA/IEC 62443 series. Focus on the foundational standards: 62443-1-1 (terminology), 62443-2-1 (security program requirements), and 62443-3-3 (system security requirements).
- Map Learning to Certification: If you’re pursuing ISA/IEC 62443 certification, use these videos to supplement official course materials. Create a matrix mapping each video to specific exam objectives.
- Participate in Live Events: Many associations host live webinars with Q&A. Register for these to ask questions directly to experts.
- Apply Governance Concepts: For each video, write a one-page summary of how the governance principle discussed would apply to a hypothetical manufacturing plant or power utility.
- Network with Peers: Join the association’s LinkedIn group or Discord server. Introduce yourself and ask about others’ experiences implementing the standards discussed.
4. Training Companies – Structured Curricula at No Cost
While SANS and OPSWAT are primarily commercial training providers, their YouTube channels offer substantial free content. @SANSICSSecurity features snippets from their renowned courses, including the ICS410 and ICS515 curricula. @OPSWATAcademy provides modular content on critical infrastructure protection, often focusing on file security and device compliance.
Step-by-Step Guide to Training Company Content:
- Build a “Mini-Curriculum”: Organize SANS ICS videos by topic—network defense, incident response, threat hunting, and architecture. Watch them in that order to simulate a course progression.
- Practice SANS-Style Techniques: When a SANS instructor demonstrates a packet capture analysis, replicate it using Wireshark:
```bash
# Capture OT traffic on a specific interface
sudo tcpdump -i eth0 -w ot_traffic.pcap -s 65535
# Filter for Modbus traffic in Wireshark: apply display filter
#   modbus
# Analyze DNP3 traffic: apply display filter
#   dnp3
```
- Explore OPSWAT’s Focus Areas: Watch OPSWAT Academy videos on CDR (Content Disarm and Reconstruction) and device compliance. Implement their recommendations in your lab by configuring file upload scanners and USB device controls.
- Take Notes on Frameworks: Both SANS and OPSWAT emphasize structured frameworks (Purdue Model, Defense-in-Depth). Create diagrams showing how each layer maps to specific security controls.
- Test Your Knowledge: After each video, write 5-10 multiple-choice questions as if you were creating a quiz. Answer them without referring back to the video.
5. Podcasts – Learning on the Go
Podcasts are ideal for passive learning during commutes or exercise. @PrOTectITAll with Aaron Crow features interviews with industry leaders, covering both technical and strategic topics. @ICSArabiaPodcast by Sulaiman Alhasawi offers content in both English and Arabic, broadening accessibility. @BitesandBytesPodcast with Kristin Demoranville focuses on food and agriculture—a critical but often overlooked sector. @LMTX with Lukasz Malinowski touches on IoT, IIoT, and OT, bridging the gap between consumer and industrial security.
Step-by-Step Guide to Podcast Integration:
- Create a Weekly Podcast Rotation: Assign one podcast episode per day. For example, Monday: PrOTectITAll, Tuesday: ICS Arabia, Wednesday: Bites and Bytes, Thursday: LMTX, Friday: a conference recording.
- Take “Audio Notes”: Keep a voice memo app handy. When a guest mentions a specific tool, technique, or resource, record a 30-second note. Transcribe these into your study journal later.
- Follow Up on References: If a guest mentions a specific CVE, research it immediately. For example, if they discuss Modbus vulnerabilities, look up CVE-2023-1234 (hypothetical) and understand the exploit mechanics.
- Implement Suggested Defenses: When a guest recommends a specific monitoring configuration, implement it in your lab. For instance:
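```bash
# Configure Zeek to monitor Modbus traffic.
# @load directives belong in site/local.zeek (zeekctl.cfg does not take them);
# the Modbus analyzer ships in base/protocols/modbus, which Zeek loads by default:
#   @load base/protocols/modbus
# Run Zeek on a captured pcap
zeek -r ot_traffic.pcap base/protocols/modbus
# Review generated modbus.log for anomalies
cat modbus.log | zeek-cut ts uid id.orig_h id.resp_h func
```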
- Engage with Podcast Hosts: Many podcast hosts are active on LinkedIn. Send a thoughtful message about a specific episode—this can lead to valuable mentoring relationships.
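Reviewing modbus.log for anomalies can be turned into a repeatable check. The following Python sketch is an added example, not part of the original post: it reads Zeek's tab-separated log format and flags Modbus activity from hosts outside an allowlist of masters, plus exception responses. The allowlist, IP addresses and log records are constructed assumptions for a lab.

```python
# Assumed for this example: the lab HMI is the only legitimate Modbus master.
ALLOWED_MASTERS = {"10.0.5.10"}

# Constructed modbus.log excerpt in Zeek's tab-separated format (not real traffic).
COLS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "func", "exception"]
ROWS = [
    ["1700000000.10", "Ca1", "10.0.5.10", "49152", "10.0.5.50", "502", "READ_HOLDING_REGISTERS", "-"],
    ["1700000001.20", "Ca1", "10.0.5.10", "49152", "10.0.5.50", "502", "WRITE_SINGLE_REGISTER", "-"],
    ["1700000002.30", "Cb2", "10.0.5.77", "50100", "10.0.5.50", "502", "READ_COILS", "-"],
    ["1700000003.40", "Cb2", "10.0.5.77", "50100", "10.0.5.50", "502", "WRITE_MULTIPLE_REGISTERS", "-"],
    ["1700000004.50", "Ca1", "10.0.5.10", "49152", "10.0.5.50", "502",
     "READ_HOLDING_REGISTERS_EXCEPTION", "ILLEGAL_DATA_ADDRESS"],
]
SAMPLE_LOG = "\n".join(
    ["#separator \\x09", "#fields\t" + "\t".join(COLS)]
    + ["\t".join(r) for r in ROWS]
    + ["#close\t2023-11-14-22-13-25"]
)


def parse_zeek_log(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip malformed or truncated rows
                yield dict(zip(fields, values))


def find_anomalies(text, allowed=ALLOWED_MASTERS):
    """Return (kind, master, device, detail) tuples worth an analyst's attention."""
    findings = []
    for rec in parse_zeek_log(text):
        src, dst, func = rec["id.orig_h"], rec["id.resp_h"], rec["func"]
        if src not in allowed:
            # Any Modbus from an unlisted host is suspect; writes are the worse case.
            kind = "write-from-unknown-master" if "WRITE" in func else "unknown-master"
            findings.append((kind, src, dst, func))
        elif rec.get("exception", "-") != "-":
            # Exceptions from a known master can indicate probing of invalid addresses.
            findings.append(("exception", src, dst, rec["exception"]))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(*finding, sep="  ")
```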
6. Vendors – Research-Grade Content
Vendors like Dragos, Claroty, Nozomi Networks, and Waterfall Security produce some of the highest-quality OT security research. @DragosInc delivers threat intelligence and adversary behavior analysis from one of the most respected teams in the industry. @WaterfallSecuritySolutions offers both technical content and Andrew’s podcast, focusing on unidirectional gateways and secure architecture. @Claroty20 provides insights into protocol analysis and vulnerability research. @xIoTSecurity (Phosphorus) covers IoT and OT convergence. @NozomiNetworks shares content on network visibility and threat detection. @InsaneCyberInc with Dan Gunter rounds out the vendor list with practical guidance.
Step-by-Step Guide to Vendor Content:
- Focus on Threat Intelligence: Dragos’s videos on adversary groups (e.g., XENOTIME, ELECTRUM) are essential. Create a threat actor matrix with columns: Group Name, Target Sector, TTPs, and Detected Campaigns.
- Implement Vendor-Specific Tools: Many vendors offer free community editions of their tools. For example, Nozomi’s Guardian is available for lab use. Install and configure it:
```bash
# Example: Deploy Nozomi Guardian in a Docker container
docker pull nozominetworks/guardian:latest
docker run -d --name guardian -p 443:443 nozominetworks/guardian:latest
```
- Study Protocol Deep Dives: Claroty and Nozomi frequently release videos dissecting specific protocols. Watch their Modbus, DNP3, and S7Comm deep dives. Take notes on packet structures, function codes, and common attack vectors.
- Review Vulnerability Advisories: When vendors disclose a new vulnerability, watch their explanatory videos. Understand the root cause, exploitability, and mitigation steps.
- Configure Unidirectional Gateways: Waterfall’s content on unidirectional security is unique. Set up a simulated unidirectional gateway using iptables or a hardware-based solution in your lab to understand data diode concepts.
7. Other Essential Resources – Government, Community, and Safety
@CISAgov provides free training courses and alerts, making it an indispensable resource for defenders. @SimplyCyber recently added OT/ICS content with Don W. and Tom V., offering a fresh perspective. @PancakesCon with Lesley Carhart is a unique annual conference with a community-focused twist. Finally, @USCSB (U.S. Chemical Safety Board) produces detailed videos on industrial accidents—a sobering reminder of why OT security matters.
Step-by-Step Guide to Government and Safety Resources:
- Complete CISA’s Free Courses: CISA offers a range of OT cybersecurity courses through their website. Complete at least one per month. Document your progress and share certificates on LinkedIn.
- Subscribe to CISA Alerts: Set up email alerts for CISA’s ICS advisories. When an advisory is released, cross-reference it with vendor content to understand the full context.
- Analyze USCSB Videos: Watch USCSB’s accident reconstructions with a security lens. For each video, identify: (a) the technical failure, (b) the human factors, (c) the security controls that could have prevented or mitigated the incident.
- Participate in PancakesCon: Even if you can’t attend in person, watch the recorded talks. Engage with the community on social media during the event.
- Integrate SimplyCyber’s Content: Don W. and Tom V. bring an IT security background to OT. Watch their content to understand the convergence and divergence between IT and OT security paradigms.
What Undercode Say:
- Key Takeaway 1: The OT/ICS cybersecurity learning ecosystem is rich and diverse, but it requires deliberate curation. The 25 channels listed provide a complete curriculum—from foundational concepts to advanced threat hunting—at zero cost. The key is to consume content across all categories: individual contributors for practical skills, conferences for cutting-edge research, associations for standards alignment, training companies for structured knowledge, podcasts for passive learning, vendors for threat intelligence, and government resources for authoritative guidance.
- Key Takeaway 2: Hands-on practice is non-negotiable. Watching videos alone will not build competence. Every command demonstrated, every packet analyzed, and every lab exercise completed reinforces learning. The virtual labs provided by channels like @ZakharBernhardt’s Labshock are essential sandboxes for safe experimentation. Moreover, the community aspect—engaging with creators, asking questions, and sharing insights—transforms passive viewing into active learning. The professionals who succeed in OT/ICS cybersecurity are those who combine continuous education with relentless hands-on practice and community engagement.
Analysis: The curated list reflects a maturing OT/ICS cybersecurity community. Five years ago, such a comprehensive free learning ecosystem did not exist. Today, practitioners can access world-class content without financial barriers. However, this abundance creates a new challenge: information overload. Learners must resist the urge to binge-watch and instead adopt a structured, deliberate approach. The most effective strategy is to treat these channels as a personalized curriculum—selecting specific playlists, setting weekly goals, and consistently applying what you learn in lab environments. Additionally, the inclusion of vendor content is noteworthy; while vendors have commercial interests, their research and threat intelligence are often unparalleled. Learners should approach vendor content with a critical eye but recognize its immense educational value. Finally, the USCSB’s presence on the list is a powerful reminder that OT security is not just about bits and bytes—it’s about protecting people, the environment, and critical infrastructure.
Prediction:
- +1 The democratization of OT/ICS cybersecurity education will accelerate over the next three years. As more professionals gain free access to high-quality training, the talent pool will expand, reducing the critical skills gap that currently plagues the industry. This will lead to more resilient critical infrastructure and fewer successful attacks.
- +1 The convergence of IT and OT security knowledge will deepen. Professionals who cross-train in both domains will be in high demand, and resources like those listed will facilitate this cross-pollination. Expect to see more hybrid roles and integrated security teams.
- -1 The increase in accessible training will also lower the barrier to entry for malicious actors. As defensive techniques are taught openly, attackers will adapt and evolve their tactics. The security community must remain vigilant, continuously developing new detection and prevention methods.
- -1 Vendor consolidation in the OT security space may reduce the diversity of free content. If major vendors are acquired or shift focus, some of the channels listed could become inactive or less frequent. Learners should download and archive critical content while it remains available.
- +1 Community-driven initiatives like PancakesCon and ICS Village will grow in influence, fostering a culture of collaboration and knowledge sharing that transcends corporate and national boundaries. This grassroots movement will be essential for addressing emerging threats that no single organization can tackle alone.
IT/Security Reporter URL:
Reported By: Mikeholcomb 25 – Hackers Feeds


