
OT/ICS 7 min read Critical Range Team

Building an OT/ICS Security Training Program

Operational Technology security is not just IT security applied to a different network. The protocols are different, the stakes are different, and the training must be fundamentally different.

Why OT Security Training Is Different from IT

In IT security, the primary concern is confidentiality — protecting data from unauthorized access. In OT security, the primary concern is availability and safety. A compromised PLC controlling a chemical process or a power grid relay does not just leak data; it can cause physical destruction, environmental damage, or loss of human life.

This fundamental difference means that IT security training methodologies cannot simply be transplanted into the OT domain. Penetration testing techniques that are routine on IT networks — port scanning, active exploitation, fuzzing — can crash safety-critical controllers, trigger emergency shutdowns, or cause permanent equipment damage when applied to OT systems.

OT security professionals need training environments that faithfully replicate industrial protocols, network architectures, and device behaviors without putting real infrastructure at risk. This is where purpose-built cyber ranges with digital twin capabilities become essential.

Understanding the Purdue Model

Any serious OT security training program must be grounded in the Purdue Enterprise Reference Architecture (PERA), the standard framework for segmenting industrial control system networks. The model defines six levels:

  • Level 0 — Physical Process: Sensors, actuators, and the physical equipment being controlled (pumps, valves, motors)
  • Level 1 — Basic Control: PLCs (Programmable Logic Controllers), RTUs (Remote Terminal Units), and safety instrumented systems that directly interact with Level 0 devices
  • Level 2 — Area Supervisory: HMIs (Human-Machine Interfaces), SCADA servers, and engineering workstations that monitor and control Level 1 devices
  • Level 3 — Site Operations: Historians, domain controllers, patch management, and operations management systems
  • Level 3.5 — DMZ: The critical boundary between OT and IT networks, containing jump servers, data diodes, and firewalls
  • Level 4/5 — Enterprise: Standard IT infrastructure — ERP, email, internet access

Training exercises must cover attacks that traverse these levels, not just operate within one. The most dangerous real-world OT attacks — Industroyer, TRITON, Pipedream — all involved lateral movement from IT networks down through the Purdue levels to reach safety-critical controllers.

Key Protocols Every OT Professional Must Know

OT environments use specialized industrial protocols that were designed decades ago for reliability and real-time performance — not security. Most have no authentication, no encryption, and no integrity checking. Understanding these protocols at the packet level is essential for OT security work.

Modbus TCP/RTU

The most widely deployed industrial protocol, used in everything from power plants to water treatment facilities. Modbus has zero built-in security — no authentication, no encryption. Any device on the network can read or write coils and registers. Training must cover: register enumeration, function code abuse, replay attacks, and man-in-the-middle scenarios.

DNP3 (Distributed Network Protocol)

The backbone protocol for electric utilities and water systems. DNP3 Secure Authentication (SA) adds challenge-response authentication but is rarely deployed. Training should cover: unsolicited response spoofing, broadcast storm attacks, cold restart commands, and the differences between authenticated and unauthenticated deployments.

IEC 60870-5-104

Widely used in European and Asian power grids for telecontrol communication between substations and control centers. Training must include: ASDU (Application Service Data Unit) manipulation, interrogation command injection, and clock synchronization attacks that can desynchronize protective relays.

OPC UA, EtherNet/IP, and BACnet

Other critical protocols include OPC UA (the modern standard for industrial interoperability, with its own certificate-based security model), EtherNet/IP with CIP (used extensively in manufacturing), and BACnet (building automation). A comprehensive training program covers at least six to eight protocols across multiple industry verticals.

Building a Curriculum: Beginner to Advanced

An effective OT security training program should follow a structured progression that builds competency layer by layer:

Foundation (Weeks 1–4)

  • OT vs IT fundamentals and the Purdue model
  • Introduction to industrial protocols (Modbus, DNP3 packet structure)
  • PLC programming basics (ladder logic, function block diagrams)
  • Safety instrumented systems (SIS) and their role in preventing physical harm
  • Network architecture review: identifying OT assets on a network diagram

Intermediate (Weeks 5–10)

  • Passive OT network monitoring and asset discovery (without active scanning)
  • Protocol-level analysis: capturing and decoding Modbus/DNP3 traffic in Wireshark
  • Vulnerability assessment techniques safe for OT environments
  • Firewall and DMZ configuration for OT/IT segmentation
  • Incident detection: identifying anomalous commands in SCADA traffic
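The packet-level Modbus understanding called for earlier (no authentication, so any host on the network can issue write function codes) and the intermediate exercise on spotting anomalous commands in SCADA traffic can be practised together with a small passive analyzer. The Python below is an added example written for this article, not Critical Range's platform code: it decodes the Modbus/TCP MBAP header and request PDU for the common read and write function codes, and flags writes that come from a host outside an allow-list, touch registers outside an agreed window, or set values outside engineering limits. The three frames, the host addresses 10.0.2.10 and 10.0.4.55, the register window and the limits are constructed for illustration.

```python
"""Decode Modbus/TCP requests and flag write commands that break a site policy.

Added example for this article (not Critical Range code). The source hosts,
register window and engineering limits below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Public function codes from the Modbus application protocol specification.
READ_CODES = {1: "ReadCoils", 2: "ReadDiscreteInputs",
              3: "ReadHoldingRegisters", 4: "ReadInputRegisters"}
WRITE_CODES = {5: "WriteSingleCoil", 6: "WriteSingleRegister",
               15: "WriteMultipleCoils", 16: "WriteMultipleRegisters"}
REGISTER_WRITES = {6, 16}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int      # first coil/register touched
    quantity: int     # number of items read or written
    values: tuple     # written values (empty for reads)


def decode_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and request PDU; reject malformed frames loudly."""
    if len(frame) < 8:
        raise ValueError("truncated frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    if length != len(frame) - 6:           # length covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    if fc & 0x80:
        raise ValueError(f"exception response for function {fc & 0x7F}")
    if fc in (1, 2, 3, 4, 5, 6):
        if len(pdu) != 5:
            raise ValueError("bad PDU length")
        addr, word = struct.unpack(">HH", pdu[1:5])
        if fc in (5, 6):                   # single write: the word is the value
            return ModbusRequest(tid, unit, fc, addr, 1, (word,))
        return ModbusRequest(tid, unit, fc, addr, word, ())
    if fc in (15, 16):
        if len(pdu) < 6:
            raise ValueError("bad PDU length")
        addr, qty, count = struct.unpack(">HHB", pdu[1:6])
        expected = 2 * qty if fc == 16 else (qty + 7) // 8
        if count != expected or len(pdu) != 6 + count:
            raise ValueError("byte count does not match quantity")
        data = pdu[6:]
        values = struct.unpack(f">{qty}H", data) if fc == 16 else tuple(data)
        return ModbusRequest(tid, unit, fc, addr, qty, values)
    raise ValueError(f"unsupported function code {fc}")


@dataclass(frozen=True)
class WritePolicy:
    allowed_writers: frozenset     # hosts permitted to issue any write function code
    writable_registers: range      # holding registers the HMI is allowed to change
    limits: dict                   # register address -> (min, max) engineering limits


def check_request(src_ip: str, req: ModbusRequest, policy: WritePolicy) -> list:
    """Return human-readable findings; an empty list means the request is in policy."""
    findings = []
    if req.function_code not in WRITE_CODES:
        return findings                    # reads are not policed in this example
    name = WRITE_CODES[req.function_code]
    if src_ip not in policy.allowed_writers:
        findings.append(f"{name} from unexpected source {src_ip}")
    if req.function_code in REGISTER_WRITES:
        first, last = req.address, req.address + req.quantity - 1
        if first < policy.writable_registers.start or last >= policy.writable_registers.stop:
            findings.append(f"{name} touches registers {first}-{last} outside writable window")
        for offset, value in enumerate(req.values):
            lo, hi = policy.limits.get(req.address + offset, (0, 0xFFFF))
            if not lo <= value <= hi:
                findings.append(f"{name} sets register {req.address + offset} to {value}, "
                                f"outside engineering limits {lo}-{hi}")
    return findings


# Constructed traffic: the HMI reads ten holding registers, the HMI writes a valid
# setpoint, then an unexpected host writes an out-of-range setpoint with FC 16.
SAMPLE_TRAFFIC = [
    ("10.0.2.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    ("10.0.2.10", bytes.fromhex("0002 0000 0006 01 06 0064 01f4")),
    ("10.0.4.55", bytes.fromhex("0003 0000 000b 01 10 0064 0002 04 ffff 0000")),
]
SITE_POLICY = WritePolicy(frozenset({"10.0.2.10"}), range(100, 110), {100: (0, 800)})


def analyze(traffic=SAMPLE_TRAFFIC, policy=SITE_POLICY) -> dict:
    """Map each transaction id to the findings raised against it."""
    result = {}
    for src_ip, frame in traffic:
        req = decode_modbus_tcp(frame)
        result[req.transaction_id] = check_request(src_ip, req, policy)
    return result


if __name__ == "__main__":
    for tid, findings in analyze().items():
        print(tid, findings or "ok")
```

Run against a capture, the same policy check can be pointed at a span-port feed instead of the constructed list; the point of the exercise is that the policy (who may write, which registers, within which limits) has to come from the process engineers, because the protocol itself offers nothing to enforce it.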

Advanced (Weeks 11–16)

  • Full attack chain execution: IT entry to OT impact (in digital twin environments only)
  • Analyzing real-world OT malware: Industroyer, TRITON/TRISIS, Pipedream/INCONTROLLER
  • Writing and deploying Snort/Suricata rules for OT protocol anomalies
  • Incident response in OT: containment without disrupting physical processes
  • Red team vs blue team exercises on full-scale digital twin environments

The Digital Twin Approach

The single most important capability for OT security training is the ability to create high-fidelity digital twins of industrial environments. A digital twin replicates the complete OT network stack — from the physical process simulation through PLCs and HMIs up to the historian and SCADA servers — in a virtualized environment where trainees can safely execute attacks and practice defenses.

“You cannot train OT defenders on IT-only ranges. If there is no simulated physical process responding to PLC commands, the training lacks the consequence awareness that defines OT security.”

Effective digital twins must include process simulation: when a trainee sends a malicious Modbus write command to a PLC, the simulated physical process (water level, turbine speed, chemical mixture) must respond realistically. This consequence visibility is what transforms theoretical knowledge into operational competence.
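To make that consequence visibility concrete, here is a minimal tank-level digital twin as an added example (not Critical Range's simulator): a simulated tank, a PLC scan loop that reads its level setpoint from a holding register, and an independent high-level safety trip of the kind the Foundation module introduces under safety instrumented systems. Register numbers, tank geometry, flow rates and the trip point are constructed. Injecting an out-of-range setpoint write at t = 10 s shows the pump running past the original setpoint, the SIS tripping at 900 mm when it is present and independent, and the tank overflowing when it is not.

```python
"""Minimal tank-level digital twin: simulated process, PLC scan loop and an
independent safety trip. Added example for this article, not Critical Range's
simulator. Tank geometry, rates and register numbers are constructed.
"""
from dataclasses import dataclass, field

SETPOINT_REG = 100       # holding register: level setpoint in mm
PUMP_CMD_REG = 101       # holding register: 1 = PLC may run the pump
LEVEL_INPUT_REG = 0      # input register: measured level in mm (read-only)
TANK_HEIGHT_MM = 1000
SIS_TRIP_MM = 900        # safety instrumented system high-level trip
HYSTERESIS_MM = 20


@dataclass
class Tank:
    """The physical process: constant drain, pump adds inflow while running."""
    level_mm: float = 500.0
    inflow_mm_per_s: float = 15.0
    drain_mm_per_s: float = 5.0
    overflowed: bool = False

    def step(self, pump_on: bool, dt: float = 1.0) -> None:
        inflow = self.inflow_mm_per_s if pump_on else 0.0
        self.level_mm = max(0.0, self.level_mm + (inflow - self.drain_mm_per_s) * dt)
        if self.level_mm >= TANK_HEIGHT_MM:
            self.level_mm = TANK_HEIGHT_MM
            self.overflowed = True


@dataclass
class Plc:
    """Level 1 controller: bang-bang control around the setpoint register."""
    holding: dict = field(default_factory=lambda: {SETPOINT_REG: 600, PUMP_CMD_REG: 1})
    inputs: dict = field(default_factory=lambda: {LEVEL_INPUT_REG: 0})
    pump_on: bool = False

    def write_register(self, addr: int, value: int) -> None:
        # What a Modbus WriteSingleRegister does: no authentication, no sanity check.
        if not 0 <= value <= 0xFFFF:
            raise ValueError("register values are 16-bit")
        self.holding[addr] = value

    def scan(self, level_mm: float) -> bool:
        self.inputs[LEVEL_INPUT_REG] = int(level_mm)
        setpoint = self.holding[SETPOINT_REG]
        if self.holding[PUMP_CMD_REG] != 1:
            self.pump_on = False
        elif level_mm < setpoint - HYSTERESIS_MM:
            self.pump_on = True
        elif level_mm > setpoint + HYSTERESIS_MM:
            self.pump_on = False
        return self.pump_on


@dataclass
class Sis:
    """Independent trip: latches once the level reaches the trip point."""
    enabled: bool = True
    tripped: bool = False

    def evaluate(self, level_mm: float) -> bool:
        if self.enabled and level_mm >= SIS_TRIP_MM:
            self.tripped = True
        return self.tripped


def run(plc: Plc, sis: Sis, tank: Tank, seconds: int, writes=None) -> dict:
    """Advance the twin one second per scan; `writes` maps t -> (addr, value)."""
    writes = writes or {}
    for t in range(seconds):
        if t in writes:
            plc.write_register(*writes[t])
        tripped = sis.evaluate(tank.level_mm)       # SIS sees the process, not the PLC
        pump = plc.scan(tank.level_mm) and not tripped
        tank.step(pump)
    return {"level_mm": round(tank.level_mm), "sis_tripped": sis.tripped,
            "overflowed": tank.overflowed}


def scenario(malicious_write: bool = True, sis_enabled: bool = True, seconds: int = 120) -> dict:
    """Nominal run, or a 0xFFFF setpoint written at t = 10 s, with or without an SIS."""
    writes = {10: (SETPOINT_REG, 0xFFFF)} if malicious_write else None
    return run(Plc(), Sis(enabled=sis_enabled), Tank(), seconds, writes)


if __name__ == "__main__":
    print("nominal:      ", scenario(malicious_write=False))
    print("bad setpoint: ", scenario())
    print("no SIS:       ", scenario(sis_enabled=False))
```

The design point a trainee should take away is in `run`: the trip is evaluated from the process measurement and overrides the PLC output, so the simulation still shows the PLC happily commanding the pump while the SIS holds it off. With `sis_enabled=False` the same register write ends in an overflow, which is the consequence an IT-only range can never display.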

Compliance: IEC 62443 and Beyond

IEC 62443 is the international standard for industrial automation and control system security. It defines security levels (SL-1 through SL-4), foundational requirements, and competency requirements for personnel. A well-designed training program should map its curriculum directly to IEC 62443 competency requirements.

Beyond IEC 62443, OT security training programs should also address:

  • NERC CIP — Mandatory for North American electric utilities
  • NIST SP 800-82 — Guide to ICS security (Rev 3, 2023)
  • CEA cybersecurity guidelines — India’s Central Electricity Authority regulations for the power sector
  • NCIIPC guidelines — India’s National Critical Information Infrastructure Protection Centre directives

Training programs that map exercises to compliance frameworks allow organizations to demonstrate regulatory readiness through verifiable training records.

How Critical Range Supports OT Training

Critical Range provides purpose-built OT/ICS training capabilities that go beyond what generic cyber ranges offer:

  • 280+ exercises spanning 10 industrial protocols including Modbus TCP/RTU, DNP3, IEC 60870-5-104, OPC UA, BACnet, EtherNet/IP, PROFINET, S7comm, HART-IP, and MQTT
  • Full Purdue model environments with simulated process physics, PLCs, HMIs, historians, and engineering workstations deployed as digital twins
  • Pre-built industry verticals — power grid, water treatment, oil and gas, manufacturing, and building automation scenarios ready for immediate deployment
  • Safe attack execution — Trainees can safely execute Industroyer-style attacks, manipulate PLCs, and observe physical process impacts without any risk to real infrastructure
  • IEC 62443 mapping — Every exercise maps to specific IEC 62443 competency requirements with automated compliance reporting
  • Sovereign deployment — The entire platform runs on your infrastructure, ensuring that sensitive OT network topologies and training data never leave your premises

Whether you are building an OT security team from scratch or upskilling existing IT security professionals for OT responsibilities, a structured training program built on realistic digital twin environments is the most effective path to operational readiness.
