Why OT/ICS Cybersecurity Might Be The ‘Coolest’ Job You Never Considered – And How To Get Started + Video

By /

Listen to this Post

Featured Image

Introduction:

The cybersecurity field is buzzing with opinions on which role earns the “coolest” title – from threat hunting to penetration testing. But as Mike Holcomb and other experts highlight, the real impact lies in protecting critical infrastructure: power grids, water systems, and food supply chains. Operational Technology (OT) and Industrial Control Systems (ICS) security combines traditional IT skills with physical-world consequences, making it one of the most intellectually challenging and mission-critical domains today.

Learning Objectives:

  • Understand the unique threats, protocols, and risk profiles of OT/ICS environments compared to traditional IT.
  • Apply hands-on techniques for network monitoring, vulnerability assessment, and incident response in industrial networks.
  • Build a personal OT/ICS security lab and execute practical exercises using Linux/Windows tools and open-source frameworks.

You Should Know:

  1. Setting Up an OT/ICS Security Lab for Safe Testing

Start by isolating a virtual or physical lab to avoid disrupting real operations. Use virtualization (VMware, VirtualBox) with lightweight Linux distributions (Ubuntu Server, Kali Linux) and emulate PLCs using tools like OpenPLC or Conpot (a low-interaction ICS honeypot).

Step‑by‑step guide:

  1. Install Ubuntu 22.04 on a VM with host‑only or isolated NAT network.

2. Install OpenPLC:

sudo apt update && sudo apt install git python3-pip
git clone https://github.com/thiagoralves/OpenPLC_v3.git
cd OpenPLC_v3
./install.sh

3. Run Conpot honeypot for Modbus simulation:

sudo pip3 install conpot
conpot --template default

4. From a Windows machine, use Modbus Poll (free trial) or command‑line `mbpoll` (Linux) to query the simulated PLC: 

mbpoll -a 1 -t 3 -r 100 -c 5 192.168.56.102 502

5. Capture traffic with Wireshark using filter `modbus` or `tcp.port == 502` to analyze read/write commands.

This lab lets you safely practice discovery, exploitation, and monitoring of industrial protocols without risking live infrastructure.

2. Network Security Monitoring (NSM) for Industrial Networks

Traditional IT NSM tools must adapt to OT protocols (Modbus, DNP3, IEC 60870-5-104, S7comm). Focus on anomaly detection – unexpected function codes, malformed packets, or unusual coil writes.

Step‑by‑step guide:

  1. Install Zeek (formerly Bro) for deep protocol inspection: 
    sudo apt install zeek

2. Enable Modbus and DNP3 analyzers in `$ZEEK_HOME/share/zeek/site/local.zeek`:

@load protocols/modbus
@load protocols/dnp3

3. Run Zeek on a SPAN port or pcap: 

zeek -r industrial_traffic.pcap

4. Use RITA (Real Intelligence Threat Analytics) to hunt for beaconing: 

rita import -- whitelist /opt/rita/whitelist.txt industrial_traffic.pcap

5. On Windows, deploy Sysmon and forward logs to a SIEM (e.g., Wazuh). Create custom rules for suspicious process creations (e.g., `winword.exe` launching `cmd.exe` on an HMI).

Look for Modbus function code 5 (write single coil) or 15 (write multiple coils) from non‑engineering workstations – a classic indicator of compromise.

3. Vulnerability Management with Legacy OT Assets

OT environments run outdated software (Windows XP, unsupported firmware) that can’t be patched frequently. Use passive vulnerability detection and compensating controls instead of active scanning that could crash controllers.

Step‑by‑step guide:

  1. Use Nmap with safe scripts (avoid aggressive scans): 
    nmap -sS -p 502,20000,44818 --script modbus-discover --script-args='modbus-discover.function_code=1' 10.0.0.0/24
  2. Deploy GRASSMARLIN (NSA’s ICS network mapping tool) on Windows:

– Download from NSA’s GitHub.
– Run as administrator, import a pcap, and generate a network topology graph highlighting unsegmented devices.
3. For vulnerability correlation, use ics‑vulnerable‑repo (list of CVE affecti​​ng known PLCs): 

git clone https://github.com/darkmentor/ics-vulnerable-repo
grep "Siemens S7" ics-vulnerable-repo/README.md

4. Implement virtual patching via Snort or Suricata to drop malicious packets targeting known CVEs (e.g., CVE‑2019‑10945 for Modicon M580). Example Suricata rule: 

drop tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"Modbus Write Coil Exploit"; content:"|FF 05|"; depth:2; sid:1000001;)

5. Document exceptions in a risk register and enforce strict network segmentation using VLANs or unidirectional gateways (data diodes).

4. Penetration Testing Industrial Control Systems

Pen testing OT requires safety precautions: never send destructive payloads (e.g., `stop` commands to a real PLC). Use read‑only or simulation modes. Key tools include Metasploit with ICS modules and ISF (Industrial Exploitation Framework).

Step‑by‑step guide:

  1. Install Metasploit on Kali Linux: `sudo apt install metasploit-framework`

2. Load Modbus auxiliary scanner:

msf6 > use auxiliary/scanner/scada/modbus_findunitid
msf6 > set RHOSTS 192.168.1.0/24
msf6 > run

3. For S7‑1200/1500 PLCs, use the `s7_1200_1500_plc_control` module:

use auxiliary/admin/scada/s7_1200_1500_plc_control
set ACTION STOP

Never run this on production.

  1. On Windows, use PLCSim (Siemens simulation) with TIA Portal to test exploit impacts.
  2. Perform credential harvesting via responder (Linux) on unsegmented OT networks: 
    sudo responder -I eth0 -A
  3. Post‑engagement, generate a report with risk ratings based on IEC 62443‑3‑3: identify if an attack could cause loss of view, control, or availability.

5. Incident Response in Air‑Gapped OT Networks

Air gaps are often bridged by removable media (USB drives) or rogue maintenance laptops. Build an offline response kit with portable tools and a write‑blocker.

Step‑by‑step guide:

1. Create a Windows Forensics USB with:

  • KAPE (Kroll Artifact Parser) – run `kape.exe –target !SANS_Triage –module !MFTECmd`
  • Autoruns to check persistence
  • Process Hacker to spot injected processes on HMI machines
  1. For Linux‑based HMIs, collect evidence with `dd` and `guymager` (imaging tool): 
    sudo dd if=/dev/sda of=/mnt/evidence/plc_image.dd bs=4M status=progress
  2. Analyze network logs for unusual Modbus function code 8 (diagnostic) or function code 43 (encapsulated interface transport). Use tshark: 
    tshark -r capture.pcap -Y "modbus.func_code == 8"
  3. Deploy a portable GRR server (remote live forensics) only after isolating the affected zone.
  4. Write a containment plan: disable unused switch ports, change default PLC passwords, and physically inspect serial connections.

  5. Threat Hunting in OT Environments Using Open‑Source Analytics

Hunt for adversary tactics from the MITRE ATT&CK for ICS framework, specifically T0800 (External Remote Services), T0858 (Man‑in‑the‑Middle), and T0819 (Module Firmware).

Step‑by‑step guide:

  1. Install Elastic Stack (ELK) on a Linux server: 
    wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt install elasticsearch kibana logstash
  2. Ingest Zeek Modbus logs via Logstash with custom grok patterns for Modbus function codes.

3. Create Kibana visualizations for:

  • Frequency of writes to coil 0 (often used as a kill switch)
  • Unusual function code distribution (e.g., high ratio of function code 5 to 3)
  1. Use EQL (Event Query Language) to detect sequences: 
    sequence by host.name
[network where event.action == "modbus_write" and modbus.function == 15]
[file where event.action == "creation" and file.path : ".dll"]
  2. Hunt for “green to gray” activity – engineering laptops (green zone) beaconing to external IPs. Run this using RITA: `rita show-beacons` after importing long‑term pcap.
  3. Document findings in a threat intelligence report and feed indicators into MISP for sharing.

  4. Building a Defense‑in‑Depth OT Program with Training Resources

Leverage free training from Mike Holcomb’s OT/ICS cybersecurity video series (URL extracted: https://lnkd.in/eif9fkVg) and newsletter (https://lnkd.in/ePTx-Rfw). Combine with certifications like GICSP or IEC 62443 foundation.

Step‑by‑step guide:

  1. Watch the free OT/ICS security fundamentals videos – focus on Purdue Model and zone conduits.
  2. Enroll in INE’s eJPT (low‑cost) to solidify penetration testing basics, then apply to OT.

3. Practice with OT‑Warrior (dockerized challenges):

docker run -it --rm --1etwork host otwarrior/challenge1

4. Implement Security Content Automation Protocol (SCAP) for Windows‑based HMIs: 

 Windows: Run SCAP scan against a hardened baseline
Invoke-Scan.ps1 -Profile "IEC_62443_4_2" -Target "192.168.1.10"

5. Set up a weekly lab exercise: every Tuesday, simulate a new attack (e.g., Rogue Engineering Station) and practice detection using the tools above.

What Undercode Say:

  • Key Takeaway 1: The “coolest” cybersecurity job isn’t about the title – it’s about the alignment between technical passion and real‑world impact. Protecting water, power, and food trumps trendy roles.
  • Key Takeaway 2: OT/ICS security demands a hybrid mindset: IT networking + industrial safety + risk management. The skills gap is huge, making this a high‑growth, high‑purpose career path.

Analysis: The LinkedIn discussion led by Mike Holcomb and responses from Ameen Munaf Subhan, Leslie Babel, and Zoran Savic reveal a consensus: career coolness is subjective, but purpose‑driven work wins. While penetration testing and incident response get glamour, OT/ICS security offers tangible outcomes – keeping lights on and water clean. This domain forces professionals to master legacy protocols, air‑gap challenges, and safety constraints, creating deep intellectual satisfaction. Moreover, the scarcity of qualified OT security engineers means early adopters can shape industry standards. Training resources like Holcomb’s free video series lower entry barriers, yet hands‑on lab practice (as outlined above) remains irreplaceable. The “coolest” job, therefore, is the one where you wake up knowing your work directly prevents catastrophe – and OT/ICS security delivers that daily.

Prediction:

  • +1 Over the next 3 years, demand for OT/ICS security roles will outpace traditional IT security by 2:1 as nation‑state attacks on critical infrastructure rise (e.g., Colonial Pipeline, Ukraine power grid).
  • +1 Open‑source tools for OT monitoring (Zeek, GRASSMARLIN, OpenPLC) will mature into enterprise‑grade solutions, lowering the entry barrier for smaller utilities.
  • -1 AI‑driven automated pen testing will flood IT security roles first, but OT’s safety constraints will delay automation, creating a temporary shortage of human experts.
  • +1 Regulatory frameworks like NERC CIP and IEC 62443 will mandate certified OT security staff, driving salary premiums and formal training pipelines.
  • -1 Many organizations will continue to neglect OT security until a major breach causes physical damage – forcing reactive, painful adoption rather than proactive coolness.

▶️ Related Video (74% Match):

https://www.youtube.com/watch?v=2A5ygCKCsmc

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Mikeholcomb Which – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: