ICS/OT cybersecurity — the discipline that secures industrial control systems running power grids, water utilities, refineries, manufacturing lines, and most of the physical-world infrastructure modern society quietly depends on — is one of the strangest career paths in security to break into. The job postings are sparse. The cert landscape is split between vendor-neutral practitioner credentials and engineering-society standards. The training catalog skews toward expensive multi-thousand-dollar SANS courses. The community is small enough that everyone knows everyone, which is intimidating from the outside and welcoming once you’re in.

It’s also one of the most durable bets in cybersecurity. Every nation-state cyber strategy of the last decade has named critical infrastructure as a top-priority target. CISA’s Volt Typhoon advisories have made “adversaries pre-positioning in U.S. OT networks” a board-level concern. Industrial cyber budgets have grown faster than the supply of qualified practitioners every year since 2020. If you can credibly do this work, the demand outlook is excellent.

This is the path that has worked for practitioners I’ve watched make the move — from college, from IT, from controls engineering, from offensive security. It is not the only path, but it is a defensible default. If you’re considering the move and looking for a place to start, this is where to spend your first twelve months.

For context on why this discipline differs from IT security in ways that matter operationally, the companion piece is OT security isn’t IT security in a hard hat — read it first if the IT/OT distinction isn’t already clear.

The foundation: what you need before specialized training

Almost every successful OT practitioner I’ve met has solid IT and networking fundamentals before they specialize. This sounds obvious; it gets skipped constantly because people in a hurry want to get to the “real” OT material. The foundation matters because the OT-specific knowledge composes on top of it, not in place of it.

Concretely, you need:

  • TCP/IP and network protocols. Subnetting, ARP, DNS, routing, switching, firewalls. Most OT problems present as network problems first. You can’t analyze a Modbus over TCP capture if you don’t know what a TCP capture looks like.
  • Operating systems. Windows fundamentals are unavoidable; many HMIs and engineering workstations run Windows. Linux fundamentals matter for the analysis-side tools: Wireshark and Zeek, and the collectors for the Dragos and Claroty platforms, all run on Linux.
  • General cybersecurity literacy. The CIA triad, threat modeling, the basics of cryptography, common attack patterns. This is what CompTIA Security+ covers, and what most entry-level certs assume.
  • Some control systems literacy. Not full electrical engineering, just enough to understand what a PLC does, what an HMI does, what a sensor reading looks like, what “ladder logic” means. The Rockwell and Siemens YouTube channels have free intro material that takes a weekend.

If you’re starting from an IT background, you have the first three. The fourth — control systems literacy — is the gap most people skip and most people regret skipping. If you can find a way to walk a plant or shadow a controls engineer for a day, do it. The hardware-software interface clicks differently in person than on a slide.

The cert ladder

OT certifications fall into three tiers, and the order matters more than the count.

Tier 1 — Foundations (you need one): Security+ for the IT-side baseline. If you already have a CISSP, you can skip Security+, but most hiring managers in OT environments expect to see one of the two.

Tier 2 — OT entry (these signal competence):

  • ISA Cybersecurity Fundamentals Specialist. The entry tier of the ISA/IEC 62443 cert family. Vendor-neutral, internationally recognized, the standards-body answer to “does this person know the OT cybersecurity vocabulary?”
  • GICSP — GIAC Global Industrial Cyber Security Professional. The most widely recognized practitioner cert in OT. Tied to SANS ICS410 (the foundational ICS course). Hiring managers frequently use “GICSP or equivalent experience” as a screening filter; if you don’t have plant experience, GICSP is the way to clear it.

Tier 3 — Specialization (pick one based on direction):

  • GRID (GIAC Response and Industrial Defense). For incident response and active defense in OT. Tied to SANS ICS515. The natural next step after GICSP if you’re going operational.
  • ISA Cybersecurity Risk Assessment Specialist (CRAS), Design Specialist (CDS), Maintenance Specialist (CMS), or Cybersecurity Expert. The mid- and upper tiers of the ISA/IEC 62443 cert family. CRAS is the natural follow-on for architects; the Expert credential bundles all four.
  • SANS ICS456 + GCIP. Specifically for energy sector / NERC CIP work. Narrower audience but extremely well-paid in that audience.

Skip the certifications I haven’t named. There are dozens of OT certs in the wider catalog — vendor certifications from Dragos, Claroty, Nozomi, Fortinet, Palo Alto’s OT offering, plus a long tail of certifications-of-attendance from commercial training providers. They are mostly fine, mostly not worth the time at this stage. The vendor-specific ones become useful if you join a shop running that vendor’s gear; the rest add little signal.

Training beyond certs

Three categories of training matter:

SANS ICS curriculum. ICS410 (foundations, GICSP-aligned), ICS515 (visibility, detection, response, GRID-aligned), ICS456 (essentials for NERC CIP), ICS612 (cyber defense and the dissection course). They are expensive (mid-four-figures to mid-five-figures depending on tier and delivery), and they are the closest thing to a graduate program in OT cybersecurity. The course materials are dense, practitioner-focused, and current.[1] If your employer pays for one course a year, ICS410 first, then ICS515.

CISA ICS-CERT virtual learning portal. Free, federally-funded, currently underrated. Quality varies but the introductory modules and the protocol-specific deep dives (DNP3, Modbus, OPC) are genuinely good. Useful as a no-cost ramp before committing to SANS pricing.[2]

Vendor academies (free or low-cost). Dragos, Claroty, and Nozomi each maintain free training portals on their platforms’ concepts and protocol coverage. They are product-flavored but the underlying material is solid, especially the protocol-handling content, which you’d otherwise pay SANS for.

University and academic programs

OT-specific academic programs are rarer than IT-security ones, but several stand out:

  • Idaho National Laboratory (INL). A U.S. Department of Energy national lab focused heavily on ICS/OT research. INL runs the CIE (Consequence-Driven Cyber-Informed Engineering) methodology and partners with universities on OT-focused curriculum. Their DOE-funded internships are historically a strong pipeline.
  • Purdue University CERIAS. Where the Purdue Enterprise Reference Architecture (the “Purdue model”) comes from. The cybersecurity program has industrial-systems tracks and longstanding research relationships with control systems vendors.
  • Carnegie Mellon CyLab. Broader cybersecurity research center with notable industrial control work. Less OT-specific than INL or Purdue, but the systems-and-society framing is excellent.
  • SANS Technology Institute (SANS.edu). Master’s and graduate-cert programs that align with the SANS ICS course catalog. Industry-focused rather than research-focused.
  • University of Tulsa Center for Information Security. Long-running NSA Center of Academic Excellence with offensive ICS focus.

Conferences and trade shows

OT cybersecurity has its own conference circuit, partly separate from mainstream cyber. The single highest-leverage event is S4 (S4xWeek) in Miami every January: Dale Peterson’s conference is the dedicated practitioner gathering, and the program is consistently the most current view of the field.[3] If you can attend exactly one OT conference, attend S4.

Beyond S4, in roughly descending order of OT signal:

  • SANS ICS Security Summit. Practitioner-heavy, aligned with the SANS ICS curriculum. The talks land directly on operational work.
  • DEF CON ICS Village. The hands-on, village-style track at DEF CON. Less polished than S4 but excellent for hardware tinkering and CTF-style learning.
  • Hack the Capitol. Annual Washington DC event focused on the policy/practitioner intersection: CISA, Hill staffers, and OT practitioners in one room.
  • ARC Industry Forum. Industrial automation industry conference; security is one track among many. Useful for understanding the broader industrial market and meeting controls engineers.
  • Dragos World, Claroty xGlobal, Nozomi Networks Industry Summit. Vendor-hosted but with substantive practitioner content. Worth attending if you’re working on those platforms.
  • Hannover Messe (Germany), DistribuTECH (utilities), ENTELEC (oil/gas): trade shows where the actual industrial buyers gather. Less pure cybersecurity, more domain context.

Books and primary sources

Five books and standards form the canonical OT reading list:

  1. NIST SP 800-82 Rev. 3 — Guide to Operational Technology (OT) Security. Free, comprehensive, current as of 2023. The closest thing OT has to a single canonical textbook.[4]
  2. ISA/IEC 62443 series. The international standard for industrial automation and control systems security. Most relevant for architects; foundational vocabulary for everyone.
  3. Industrial Network Security (Knapp & Langill, 2nd or 3rd edition). The widely recommended practitioner reference. Knapp is one of the field’s strongest writers.
  4. Sandworm (Andy Greenberg). Narrative-form journalism about Industroyer, NotPetya, and the Russian GRU unit behind them. Reads like a thriller; the technical detail is accurate.
  5. Hacking Exposed Industrial Control Systems (Bodungen et al.). The offensive-side counterpart to Knapp’s defensive reference. Less current than the others but still useful for threat modeling.

Communities

OT security is a small enough field that joining the community directly accelerates everything. The relationships pay off in job referrals, threat-intel sharing, and the kind of context that doesn’t make it into write-ups.

  • infosec.exchange (Mastodon). Many of the field’s most active practitioners post here. Free, open, high-signal.
  • LinkedIn ICS Cybersecurity groups. The professional networking layer. Less technical content than infosec.exchange; better for job-related context.
  • SANS ICS community Slack. Open to SANS alumni; serious conversation, sometimes incident-context intel.
  • ISA Cybersecurity Division. The standards-body community; matters most if you’re working in the IEC 62443 ecosystem.
  • CISA ICS-CERT mailing lists. Authoritative alerts and advisories. Sign up the day you start.

The 12-month path

Pulling all of this into one concrete sequence. It is not the only realistic path, but it is a defensible default if you’re starting from an IT background and haven’t worked in industrial environments before.

  • Months 1–3: IT and networking foundations. CompTIA Security+ if you don’t have it. Network+ if your TCP/IP is shaky. Read NIST SP 800-82 Rev. 3 cover-to-cover (free PDF). If at all possible, walk a plant, even a sympathetic friend’s manufacturing line, to see PLCs, HMIs, and an operator console in physical context.
  • Months 4–6: OT-specific foundations. ISA Cybersecurity Fundamentals Specialist (the entry-level ISA/IEC 62443 cert). Read Industrial Network Security by Knapp & Langill. Take the free CISA ICS-CERT virtual learning courses. Start following Dragos / Claroty / Nozomi public reports.
  • Months 7–9: Practitioner training and the GICSP. SANS ICS410 (the foundational ICS course) and the GICSP exam. By this stage you should be able to read a Purdue-model network diagram and explain why patching schedules don’t work the same in OT. Begin networking: the LinkedIn ICS community, infosec.exchange, the ISA mailing list.
  • Months 10–12: Specialization and community. Pick a specialization: incident response (target SANS ICS515 + GRID), defense engineering (ICS456 for energy/NERC CIP), or red-team-side (ICS612 if it returns to the catalog). Attend one in-person conference: S4xWeek if you can swing it, otherwise the SANS ICS Summit or Hack the Capitol. By month 12 you’re a credible junior OT practitioner.

The biggest mistake here is trying to skip months 1–3. IT-trained engineers who arrive in OT with weak networking fundamentals get exposed in incident-response calls within weeks; nothing about the OT-specific knowledge compensates.

At the end of twelve months you should be able to: read a Purdue model network diagram, explain why patching schedules don’t work the same way in OT, recognize the major industrial protocols on a packet capture, name the major incidents and what they targeted, and have a small set of practitioners you’ve met in person. That’s a credible junior OT practitioner. From there the path branches based on which of incident response, defense engineering, architecture, or red-team-side specialization you want to follow.

Two pieces of meta-advice

Don’t over-cert. Beyond GICSP and one specialization, additional certifications produce diminishing returns. At some point you need plant time, incident reports you’ve actually written, or research you’ve actually published. Hiring managers in OT pattern-match heavily on real experience signal: pick the cert path that gets you to the door, then earn the experience.

Choose the side that matches your temperament early. OT security splits into roughly four practitioner paths: incident response (you’ll get paged at 3am during major events), defense engineering (you’ll spend years inside one or two sectors building monitoring and detection), architecture (you’ll write reference designs and review system architectures for a living), and red-team-side / consulting (you’ll travel constantly and work fixed-duration engagements). The skills are similar at the foundations; the day-to-day diverges fast. Most regrets come from picking a path whose temperament didn’t fit.

The takeaway

ICS/OT cybersecurity rewards practitioners who put in the time. Twelve months of sequenced foundations, certs, training, and community will get you to credible junior. The cert ladder matters less than people think and the plant time matters more than people think. The community is small and welcoming once you show up — show up.

For deeper background on the discipline you’re entering, the OT/ICS Security domain page on the SecProve Cyber Systems Model is a structured starting reference. The companion article OT security isn’t IT security in a hard hat covers the why-it’s-different part of the story this article skipped over.


References & further reading

  1. SANS Institute. ICS & SCADA Security Curriculum. Course catalog. ICS410 is the foundational course; ICS515 the operational-defense follow-on; ICS456 the NERC-CIP-aligned course.
  2. CISA. ICS Training Available Through CISA. Free virtual learning portal. The introductory courses and protocol-specific deep dives are the highest-value sections.
  3. S4 Events. S4xWeek: The premier ICS security event. Held annually in Miami, hosted by Dale Peterson.
  4. NIST (2023). SP 800-82 Rev. 3: Guide to Operational Technology (OT) Security. The closest thing to a single canonical reference.