DEV Community

Mike Anderson
Mike Anderson

Posted on

Securing State-Owned ICS (Part 2): National Risk, Threat Landscape, and the First 30 Days

Previous Series: Part 1: Executive Briefing

State-owned Industrial Control Systems are not just technology assets.

They are national life-support systems.

A power grid keeps hospitals alive. A water treatment system protects public health. A railway control system keeps people moving. A port supports food, fuel, medicine, and trade. A national refinery, pipeline, telecom facility, or defense-linked manufacturing plant can affect the stability of an entire country.

That is why ICS cybersecurity must be designed differently from normal enterprise cybersecurity.

In enterprise IT, a cyber incident can disrupt email, billing, HR, customer portals, or data processing.

In ICS, the same level of compromise can affect:

  • electricity generation and transmission
  • water pressure and chemical dosing
  • substations and protection systems
  • transport signaling
  • refinery and pipeline safety
  • manufacturing continuity
  • environmental controls
  • worker safety
  • national confidence

This series is written for CISOs, security architects, SOC teams, OT engineers, regulators, government leaders, and non-technical executives across South Asia, Southeast Asia, and any nation operating critical infrastructure.

The goal is not to sell fear.

The goal is to provide a serious, implementable blueprint.

One important correction before we begin:

No credible security architect should promise a "hackproof" ICS system.

The realistic target is stronger and more honest:

Consequence-resilient ICS security: make compromise difficult, detect abnormal behavior early, prevent cyber activity from becoming unsafe physical impact, and recover essential services under pressure.

This is how a nation protects the systems that keep society running.


Executive summary for non-technical leaders

A state-owned ICS security program should answer seven questions.

  1. What national services must never fail?
  2. Which systems control those services?
  3. Who can access those systems?
  4. Which IT, vendor, cloud, and remote paths can reach OT?
  5. How would we detect unauthorized control activity?
  6. How would we contain an attack without harming the physical process?
  7. Can we restore critical control functions from trusted backups?

If leadership cannot get clear answers to those questions, the program is not mature.

The first objective is not to buy more tools.

The first objective is to establish ownership, asset truth, safe architecture, controlled access, monitoring, response, and recovery.


1. Why state-owned ICS is different

Industrial Control Systems include the hardware, software, networks, and procedures used to monitor or control physical processes.

Examples include:

  • SCADA systems
  • Energy Management Systems
  • Distribution Management Systems
  • substations and protection relays
  • PLCs and RTUs
  • HMIs and operator stations
  • engineering workstations
  • historians
  • industrial network devices
  • safety systems
  • field sensors and actuators

The difference between IT and OT is simple.

IT protects data, users, and business services.

OT protects physical processes.

That changes the security model.

In IT

You can often isolate a compromised laptop quickly.

You can patch aggressively.

You can force password resets across large groups.

You can rebuild standard systems from images.

You can tolerate some business disruption.

In OT

You may not be able to isolate a device without understanding what it controls.

You may not be able to patch without vendor validation and a maintenance window.

You may not be able to force password changes during a live operational event.

You may not be able to reboot an HMI that operators need for visibility.

You may not be able to scan controllers without risk.

The rule is:

Protect safety and control first. Reduce cyber risk through planned, tested, reversible controls.

That is not an excuse for weak security.

It is the engineering discipline required to secure physical infrastructure.


2. The national threat landscape

Modern ICS threats are not one-dimensional.

They combine identity compromise, remote access abuse, supply chain exposure, IT/OT convergence, cloud dependency, insecure legacy protocols, ransomware, and nation-state pre-positioning.

Nation-state campaigns

Nation-state actors may seek espionage, strategic access, disruption capability, or coercive leverage.

For critical infrastructure, the most dangerous behavior is often quiet pre-positioning.

The attacker may not immediately disrupt anything.

They may:

  • compromise an IT account
  • reach a vendor portal
  • map the OT environment
  • collect engineering project files
  • observe operator behavior
  • learn backup and recovery processes
  • identify weak substations, plants, or remote sites
  • prepare access for a future geopolitical crisis

The danger is not only the initial breach.

The danger is that the attacker learns how the system operates.

Ransomware and criminal groups

Ransomware can create national disruption even if PLCs are not directly encrypted.

An attacker can affect operations by encrypting or disabling:

  • domain controllers
  • engineering workstations
  • HMI servers
  • historians
  • file shares
  • backup systems
  • dispatch systems
  • billing and market systems
  • remote access infrastructure
  • maintenance documentation

For a power utility, losing enterprise IT may still affect outage management, crew dispatch, procurement, communications, market settlement, and reporting.

For a water utility, losing billing may be tolerable for a few days. Losing HMI visibility, chemical dosing records, or engineering backups is a different class of risk.

Hacktivists

Hacktivists often seek visibility and political impact.

Their attacks may include:

  • DDoS
  • website defacement
  • credential leaks
  • exposed camera or HMI access
  • abuse of publicly reachable OT devices
  • social media amplification

Even unsophisticated attacks can create public panic if the target is a national utility.

Insider and contractor risk

Insider risk is not always malicious.

Common real-world patterns include:

  • an engineer using a shared password because work is urgent
  • a vendor leaving a remote support tunnel enabled
  • a contractor connecting an unmanaged laptop
  • a plant team bypassing change control to restore service quickly
  • a temporary firewall rule becoming permanent
  • a cellular modem installed for convenience and forgotten

In ICS, convenience often becomes the attack path.

Supply chain compromise

ICS environments depend on vendors and integrators.

The supply chain includes:

  • PLC and RTU vendors
  • relay vendors
  • SCADA and HMI software providers
  • engineering workstation tools
  • remote access vendors
  • system integrators
  • patch sources
  • firmware packages
  • cloud analytics platforms
  • managed service providers
  • maintenance contractors

A weak supplier can become the entry point into a strong facility.

Secure procurement is therefore not a back-office activity.

It is a frontline security control.


3. The most common national ICS failure modes

Most state-owned ICS environments are not weak because people are careless.

They are weak because the environment evolved over decades, production stability was prioritized, and cybersecurity was added later.

Failure mode 1: the air-gap myth

Many organizations still believe the OT network is isolated.

In practice, OT often has more connections than leadership realizes:

  • historian replication to enterprise IT
  • vendor VPN
  • dual-homed engineering workstation
  • cellular modem
  • temporary project link
  • remote support tool
  • shared Active Directory
  • cloud reporting connector
  • USB transfer process
  • contractor laptop
  • unmanaged wireless bridge

A network is only isolated when every data path is known, controlled, monitored, and tested.

If nobody can prove isolation, assume there is a path.

Failure mode 2: flat OT networks

Flat networks allow one compromised device to reach many others.

A flat OT network can allow an attacker to move from:

corporate workstation
-> historian
-> HMI
-> engineering workstation
-> PLC or relay network
Enter fullscreen mode Exit fullscreen mode

That path should not exist.

Segmentation must reduce blast radius by process, site, function, and consequence.

Failure mode 3: unmanaged remote access

Remote access is usually one of the highest-risk OT paths.

Common weaknesses:

  • shared vendor accounts
  • no MFA
  • VPN landing directly into OT
  • no session recording
  • no approval window
  • no asset-specific targeting
  • no source restriction
  • access left enabled after support contract ends
  • vendor laptop health unknown
  • jump host bypass

Remote access should be treated as a privileged operational event, not a convenience feature.

Failure mode 4: weak identity boundaries

If corporate identity compromise gives an attacker OT access, the architecture is too tightly coupled.

IT and OT identity can integrate, but the integration must be controlled.

A compromised email account should not become a controller access path.

Failure mode 5: no asset truth

If a utility does not know its assets, it cannot manage vulnerability, patching, monitoring, incident response, procurement, or recovery.

The inventory must cover:

  • asset name
  • location
  • process served
  • vendor and model
  • firmware or software version
  • IP address or communication identity
  • Purdue level or security zone
  • owner
  • support status
  • criticality
  • backup status
  • remote access dependency
  • known vulnerabilities
  • communication flows

Passive discovery helps, but engineering validation is still required.

Failure mode 6: IT incident response applied blindly to OT

Traditional incident response often says:

isolate first.

In OT, that can be unsafe.

The better rule is:

isolate the attacker without destabilizing the process.

That requires pre-approved containment options, OT engineers on the bridge, process-aware severity, and safety-led decision making.


4. Where to start: the first 30 days

Do not start with a large transformation program.

Start with control of the basics.

Day 1 decision: appoint the accountable owner

A national ICS security program needs clear ownership.

At minimum:

  • executive sponsor
  • CISO or national cyber lead
  • OT operations owner
  • plant or site owner
  • safety owner
  • engineering owner
  • SOC owner
  • vendor management owner
  • legal and regulatory contact
  • communications owner

If nobody owns the risk, nobody owns the remediation.

Days 1-7: identify critical processes

Start with consequences.

Ask:

  • Which services must continue during national crisis?
  • Which process failures can harm people?
  • Which assets support hospitals, defense, telecom, ports, finance, or emergency services?
  • Which sites would create national impact if unavailable?
  • Which control functions are needed for black-start, safe shutdown, manual operation, or restoration?

Output:

  • critical process list
  • top national service dependencies
  • crown-jewel OT assets
  • responsible owners

Days 7-15: build the first asset truth

Start with the highest-consequence sites.

Collect:

  • network diagrams
  • firewall exports
  • switch MAC tables
  • passive discovery output
  • engineering workstation project files
  • vendor asset lists
  • backup inventories
  • controller lists
  • historian connection lists
  • remote access records

Validate through plant walkdowns.

Output:

  • critical asset inventory
  • unknown asset list
  • unsupported asset list
  • remote access dependency list

Days 15-21: map all IT/OT and vendor paths

Document:

  • enterprise-to-OT flows
  • OT-to-enterprise flows
  • vendor access paths
  • cloud or analytics connections
  • historian replication
  • patch flows
  • file transfer processes
  • logging flows
  • backup flows
  • identity dependencies
  • emergency access paths
  • wireless and cellular links

Every flow needs:

  • source
  • destination
  • protocol
  • direction
  • purpose
  • owner
  • approval
  • logging
  • review frequency

Output:

  • IT/OT connectivity map
  • unauthorized or unexplained path list
  • emergency block options

Days 21-30: remove unacceptable risk

Start with the risks that should never exist.

Priority removals:

  • direct internet access to controllers, HMIs, VNC, RDP, SSH, or engineering services
  • direct enterprise access to Level 1 controller networks
  • shared vendor accounts
  • always-on vendor VPN
  • dual-homed engineering workstation bridging IT and OT
  • default credentials on critical assets
  • broad "any-to-any" firewall rules between IT and OT
  • unsupported remote access tools
  • unapproved cellular modems
  • backups that cannot be restored

Output:

  • first remediation backlog
  • emergency exceptions
  • named owners
  • 30-day leadership briefing

5. National governance model

State-owned ICS security cannot be solved only at plant level.

It needs national, enterprise, and facility governance.

National or regulator level

Responsibilities:

  • classify critical infrastructure
  • define minimum OT cybersecurity baseline
  • require incident reporting
  • create or strengthen national OT-CERT capability
  • coordinate sector threat intelligence
  • define secure procurement expectations
  • run national exercises
  • support workforce development
  • coordinate cross-border dependencies where relevant

Enterprise or utility level

Responsibilities:

  • fund and operate the ICS security program
  • approve architecture
  • maintain risk register
  • run SOC capability
  • manage vendors
  • enforce standards
  • report to board, ministry, or regulator
  • own incident response and recovery

Facility or plant level

Responsibilities:

  • maintain safe operations
  • approve operationally sensitive changes
  • validate asset inventory
  • support monitoring
  • own local containment decisions
  • maintain backups
  • participate in exercises
  • report gaps and exceptions

The governance model must respect a simple truth:

Cybersecurity cannot override process safety.

Process safety cannot ignore cybersecurity.

They must operate together.


6. Standards that should anchor the program

Use standards to drive implementation, not paperwork.

Recommended anchors:

  • NIST SP 800-82 Rev. 3 for OT security guidance.
  • ISA/IEC 62443 for zones, conduits, security levels, and IACS security lifecycle.
  • CISA Cross-Sector Cybersecurity Performance Goals for baseline critical infrastructure practices.
  • MITRE ATT&CK for ICS for adversary behavior, threat modeling, detection, and exercises.
  • ISO 27001 where a formal information security management system is required.
  • National sector regulations where applicable.
  • NERC CIP principles for power-sector organizations where relevant or used as a benchmark outside North America.

The key is mapping standards to enforcement points.

Example:

Requirement: control remote access
Enforcement: MFA, PAM, jump host, session recording, approval workflow, time-bound access
Evidence: access logs, session recordings, monthly vendor review, approved tickets
Enter fullscreen mode Exit fullscreen mode

If a standard does not map to an enforcement point and evidence artifact, it becomes paperwork.


7. First maturity score

Use this quick maturity view.

Level 1: Reactive

  • incomplete asset inventory
  • flat network
  • always-on vendor access
  • weak logging
  • no OT-specific incident playbooks
  • backups not tested
  • change control inconsistent

Level 2: Basic control

  • critical assets identified
  • IT/OT firewall exists
  • some remote access control
  • basic logging from jump hosts and servers
  • backups exist and some restores tested
  • vulnerability tracking started

Level 3: Managed

  • zones and conduits documented
  • vendor access MFA-protected and recorded
  • passive monitoring in critical zones
  • firewall rules reviewed quarterly
  • OT incident playbooks exercised
  • critical backups tested
  • vulnerabilities prioritized by consequence

Level 4: Resilient

  • critical services have tested recovery plans
  • unauthorized control behavior is detectable
  • engineering changes require approval and evidence
  • threat modeling drives investment
  • SOC, OT, engineering, safety, and leadership operate together
  • national CERT or sector sharing is integrated

Level 5: Adaptive

  • detections continuously validated
  • purple team exercises test realistic attack paths
  • AI assists triage and reporting under governance
  • procurement enforces secure-by-design requirements
  • resilience metrics are reported to national leadership
  • organization can operate safely under degraded cyber conditions

Most organizations should target Level 3 first.

Level 4 is the right ambition for critical national services.

Level 5 is a strategic national capability.


8. What good looks like after 30 days

After 30 days, leadership should be able to say:

We know our highest-consequence services.
We know the critical assets that support them.
We know the major IT/OT and vendor access paths.
We have removed or contained the most dangerous access paths.
We have a named owner for each major risk.
We have started passive visibility in the highest-criticality environment.
We have an OT incident contact roster.
We know whether critical backups exist and whether they have been tested.
Enter fullscreen mode Exit fullscreen mode

That is not the end state.

It is the first serious control point.


Takeaway

State-owned ICS cybersecurity is a national resilience mission.

Start with consequence.

Build asset truth.

Control access.

Segment critical paths.

Monitor behavior.

Prepare safe response.

Test recovery.

Govern vendors.

Measure progress.

The strongest national infrastructure programs are not the ones claiming to be hackproof.

They are the ones that can keep essential services running when pressure is highest.

Now Let's move to Part-3:Securing State-Owned ICS: Target Architecture for IT, OT, Cloud, and Power Grid Environments


Top comments (0)