Industrial Control System Security

Reviewed by Fully Compliance editorial team

Industrial control systems face escalating cyber threats because PLCs, SCADA systems, and field devices were engineered for decades-long reliability, not security — many run default credentials, transmit data unencrypted, and cannot be patched. Securing ICS requires network segmentation replacing pure air-gapping, passive anomaly detection based on operational baselines, coordinated IT-OT incident response, and acceptance that some vulnerabilities will persist for the life of the equipment.


Your manufacturing facility's production capability depends on systems engineered to run for decades with minimal modification. Those same systems are now targets for attackers who understand that disrupting critical infrastructure — including manufacturing — creates cascading effects across supply chains and economies. Industrial control systems are increasingly under attack, and they're not well-defended because the engineers who built them were optimizing for reliability and uptime, not security.

Industrial control systems are fundamentally different from IT systems running your business network. They're more fragile, more difficult to monitor, more exposed to vendor dependencies, and less capable of incorporating modern security controls. But they're also more critical — their compromise doesn't just mean losing data, it means losing production, damaging expensive equipment, or creating safety hazards.

How ICS Architecture Creates Security Challenges

CISA reported a 300% increase in ransomware attacks targeting industrial control systems between 2020 and 2023, with manufacturing the most-targeted sector.

ICS architecture consists of several layers, starting with field devices — sensors measuring temperature, pressure, and flow rates, plus actuators opening valves, adjusting speeds, or triggering switches. These field devices communicate upward through protocols that are often proprietary and designed for reliability over security.

Above field devices sits the programmable logic controller (PLC), the brain of the operation. A PLC takes input from sensors, runs logic, and sends commands to actuators. PLCs are industrial-grade computers built to run the same code continuously for years without reboot, tolerate wide temperature ranges, and have extremely deterministic behavior.

SCADA systems layer on top, aggregating data from multiple PLCs across a facility or distributed network. SCADA provides operator visibility, enables higher-level automation, triggers alerts when parameters fall outside acceptable ranges, and accepts operator commands. The top layer consists of historians and analytics systems — databases recording time-series data, enabling trend analysis and feeding machine learning models. This is where industrial control connects to the IT world, and where the security model starts breaking down.

PLCs and SCADA Systems Are Inherently Vulnerable

PLCs and SCADA systems were engineered when network security wasn't a concern. Many support default credentials that can't be changed, have minimal authentication, use protocols transmitting data in clear text, or have no authentication at all. Some PLCs are directly accessible from the network with no credentials — you connect, you can read and modify.

Firmware updates for PLCs are uncommon and proprietary to specific hardware models. A vulnerability discovered in your PLC isn't patchable without vendor support, a service window, and a technician. For end-of-life systems, there is no vendor support and no path to patching. The vulnerability exists and will continue to exist for as long as the hardware is in service.

Many older SCADA systems don't support encryption. Data flowing from field devices to SCADA to historians is transmitted in the clear. An attacker with network access sees every sensor reading, every command, every piece of operational data. More concerning, they can inject false data or commands into that stream, and the receiving system has no way to tell the injected traffic from the real thing.

The combination of minimal authentication, no encryption, and long operational lifespans creates an environment where network access is tantamount to control.

Safety and Security Pull in Different Directions

Manufacturing has been managing safety for decades with extensive safety systems — mechanical interlocks, alarm systems, emergency stops, failsafes. These safety systems are well-engineered but sometimes at odds with security. A safety system designed to be accessible — so any operator can trigger an emergency stop — is good for safety and terrible for security. An attacker who can access what a technician can access can cause the damage safety systems are meant to prevent.

Remote access for vendor maintenance is valuable for troubleshooting but creates additional attack surface. The reality is you can't perfectly optimize for both. Most facilities accept that safety comes first and security comes second, implementing security controls that don't compromise safety but accepting that some vulnerabilities can't be eliminated.

Network Segmentation Replaces Air-Gapping

The traditional security model was air-gapping — physically isolating the ICS network from all external connections. Air-gapping works but costs real-time visibility, ERP integration, remote diagnostics, and modern supply chain communication.

Most organizations now use network segmentation — isolating the ICS network but providing carefully controlled bridges. Data diodes allow data to flow from ICS to IT but never the reverse. Firewalls enforce strict traffic rules between zones. Application-level gateways validate data before passing between zones. Every connection between zones is a potential attack vector, so segmentation requires ongoing enforcement.
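The zone-and-conduit model described above, as an added example (not code from the original article): a small policy check that decides whether an observed flow between two zones matches an explicitly allowed conduit, models a data diode as a one-way conduit, and reports everything else as a violation. The zone address ranges, conduit rules and sample addresses are constructed.

```python
"""Zone-and-conduit policy check for a segmented ICS network (added example).
Zone address ranges, conduit rules and the flows tested are constructed; a
data diode is modelled as a one-way conduit. Not code from the original article."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed Purdue-style zone map; address ranges are illustrative only.
ZONES = {
    "field":      ip_network("10.10.0.0/24"),   # sensors and actuators
    "control":    ip_network("10.20.0.0/24"),   # PLCs and SCADA servers
    "ics_dmz":    ip_network("10.30.0.0/24"),   # historian replica, jump host
    "enterprise": ip_network("172.16.0.0/16"),  # IT business network
}

@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str             # "tcp" or "udp"
    port: int
    one_way: bool = False  # True models a data diode: nothing may flow back

# Constructed conduit policy: only these flows may cross a zone boundary.
CONDUITS = [
    Conduit("control", "field", "tcp", 502),           # Modbus/TCP polling of field devices
    Conduit("control", "ics_dmz", "udp", 514, True),   # one-way telemetry push through a diode
    Conduit("enterprise", "ics_dmz", "tcp", 443),      # IT reads the historian replica only
]

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def evaluate_flow(src: str, dst: str, proto: str, port: int) -> str:
    """Return 'allow' for permitted traffic, otherwise a violation reason."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz and sz != "unknown":
        return "allow"   # traffic inside one zone does not cross a conduit
    for c in CONDUITS:
        if (sz, dz, proto, port) == (c.src_zone, c.dst_zone, c.proto, c.port):
            return "allow"
        # A diode conduit must never carry anything in the reverse direction.
        if c.one_way and (sz, dz) == (c.dst_zone, c.src_zone):
            return f"violation: reverse traffic across data diode {c.src_zone}->{c.dst_zone}"
    return f"violation: no conduit {sz}->{dz} {proto}/{port}"
```

Running the check over exported firewall or flow logs turns "segmentation requires ongoing enforcement" into a concrete list of flows that should not exist, including a PLC poll initiated from the wrong side of a boundary.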

Monitoring, Vendor Support, and Incident Response

Defending ICS requires understanding normal operation well enough to detect anomalies. A SCADA system sending 100 temperature readings per minute that suddenly sends 50 — that's an anomaly. A production cycle taking 40 seconds instead of 30 — potentially significant. Implementing that monitoring on ICS is difficult, though: older systems can't export data in standard formats, have no APIs, and attaching monitoring tools introduces latency.
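The two anomalies described above (a halved reading rate, a stretched production cycle), as an added example that is not code from the original article: baseline checks that work purely from passively captured timestamps, so nothing is installed on or sent to the PLC. The telemetry below is constructed, and the 20% tolerance is an assumption a site would tune from a known-good window.

```python
"""Baseline anomaly checks over passively captured ICS telemetry (added example,
not code from the original article). Readings, cycle timestamps and the tolerance
are constructed assumptions; both checks use observed timestamps only."""
from collections import Counter

def reading_rate_alerts(timestamps, baseline_per_min, tolerance=0.2):
    """Flag any minute whose reading count deviates from the baseline by more
    than `tolerance` (a fraction). `timestamps` are seconds since capture start."""
    per_minute = Counter(int(t // 60) for t in timestamps)
    alerts = []
    for minute in range(max(per_minute) + 1):
        count = per_minute.get(minute, 0)   # a silent minute (lost comms) counts as 0
        if abs(count - baseline_per_min) > tolerance * baseline_per_min:
            alerts.append((minute, count))
    return alerts

def cycle_time_alerts(cycle_starts, baseline_seconds, tolerance=0.2):
    """Flag production cycles whose duration (gap between consecutive cycle-start
    events) deviates from the baseline by more than `tolerance`."""
    durations = [b - a for a, b in zip(cycle_starts, cycle_starts[1:])]
    return [(i, d) for i, d in enumerate(durations)
            if abs(d - baseline_seconds) > tolerance * baseline_seconds]

# Constructed capture: 100 readings/min in minutes 0-2 and 4, only 50 in minute 3.
READINGS = ([m * 60 + i * 0.6 for m in (0, 1, 2, 4) for i in range(100)]
            + [180 + i * 1.2 for i in range(50)])
# Constructed cycle-start events: 30 s cycles, with one stretched to 40 s.
CYCLE_STARTS = [0, 30, 60, 90, 130, 160, 190]

if __name__ == "__main__":
    print(reading_rate_alerts(sorted(READINGS), baseline_per_min=100))  # [(3, 50)]
    print(cycle_time_alerts(CYCLE_STARTS, baseline_seconds=30))         # [(3, 40)]
```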

ICS vendors release patches every few years, or not at all. Many organizations face known vulnerabilities in PLCs or SCADA systems where patching isn't an option — the vendor is out of business, the system is end-of-life, or downtime is intolerable. The control strategy becomes compensating controls at the network boundary rather than fixing the vulnerability itself.

When something goes wrong in an ICS, incident response priorities differ from IT. In IT, you take a system offline for forensics. In ICS, you keep running because downtime costs money and creates safety risks. ICS incident response requires coordination between security teams (wanting to isolate and investigate) and operations teams (wanting to keep the plant running). ICS forensics is also harder — PLCs don't log every command, sensor readings are sparse, and attacker actions are indistinguishable from legitimate operator actions.

Security improvements must be tested before going live, but you can't disrupt production for testing. This requires test environments mirroring production ICS — expensive and difficult to maintain. The alternative is incremental change in production, carefully monitored, with rapid rollback plans.

Industrial control systems will remain a security challenge because their fundamental characteristics — long lifespans, minimal patchability, vendor dependencies, safety-first design — are unlikely to change. Building a security posture means accepting that some vulnerabilities can't be eliminated and focusing investments on controls providing the most meaningful protection given your constraints.

Frequently Asked Questions

What is the most common attack vector for industrial control systems?
Spearphishing targeting IT systems that have network connectivity to OT environments is the most common initial access vector, followed by exploitation of internet-exposed remote access services (VPNs, RDP). The 2021 Oldsmar water treatment attack and numerous manufacturing ransomware incidents followed this pattern — attackers compromise IT first, then pivot to OT through network connections.

Can industrial control systems be protected by standard IT security tools?
Not directly. Standard IT security tools (endpoint agents, vulnerability scanners, active network probes) can disrupt ICS operations by consuming processing resources, introducing latency, or triggering unexpected behavior. ICS-specific security tools use passive network monitoring, industrial protocol analysis, and asset discovery methods designed for operational environments. Deploy IT security tools only in the IT zone, and use purpose-built OT security tools in the industrial zone.

How do you patch an ICS that can't tolerate downtime?
You implement compensating controls — network segmentation restricting access to the vulnerable system, enhanced monitoring watching for exploitation attempts, access restrictions limiting who can reach the system, and documented risk acceptance acknowledging the residual risk. When maintenance windows are available (scheduled shutdowns, seasonal slowdowns), apply accumulated patches in a planned, tested sequence.

What ICS security frameworks should manufacturers follow?
NIST SP 800-82 (Guide to ICS Security) is the primary U.S. framework. IEC 62443 is the international standard specifically for industrial automation security. CISA provides sector-specific guidance through its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). If you're in the defense supply chain, CMMC requirements also apply to OT systems handling CUI.

How do you build an ICS security team when the skills are scarce?
Start with your existing OT engineers — they understand the systems and can learn security fundamentals faster than security professionals can learn OT. Supplement with specialized ICS security consultants for architecture design and initial assessments. Cross-train IT security staff on ICS fundamentals using resources from SANS ICS courses and CISA training. The long-term solution is building hybrid IT-OT security capability internally.