OT Security Education Is Framework-Heavy and Reality-Light

Henry Kogan

How Dense Is Your OT-Training Binder?

Walk into almost any OT cybersecurity training course today and you will see the same opening slides. NIST CSF. IEC 62443. Let’s not forget the Purdue Model, redrawn in the same layered diagram that has appeared in vendor decks for two decades. By lunchtime, attendees have been introduced to zones, conduits, security levels, and a tidy hierarchy of controls.  

By the end of the day, they leave with a thick binder of frameworks and a vague sense that OT security is a matter of mapping assets to the right layer and applying the right control to the right zone. 

Framework Theory Overload 

The frameworks are not the problem. They are, on the whole, good frameworks. The problem is that the education built around them has drifted from the reality of the plants, substations, and pipelines the frameworks are meant to protect.  

A curriculum heavy on taxonomy and light on operational context produces graduates who can recite Target Security Level (SL-T) definitions but have never watched an engineer bypass a safety interlock to keep a batch running, never argued with a vendor technician about whether a patch window is worth the production loss, and never tried to explain to a plant manager why an IDS alert on Modbus traffic might or might not matter. 

2015 Ukraine Power Attack a Classic Example 

Consider what the 2015 attack on three Ukrainian regional electricity distributors actually required of the defenders. The attackers, later attributed to the Sandworm group, had been inside corporate networks for roughly six months before the outage. They arrived through a spear-phishing email with a malicious Excel attachment, pivoted from IT to OT, harvested credentials, and studied the environment for months before triggering the event.  

On December 23, 2015 they used legitimate HMI software to open breakers at roughly thirty substations, locked operators out of their own consoles by changing passwords, wiped workstations with the KillDisk malware, bricked serial-to-Ethernet converters at substations so remote recovery would be impossible, and flooded the call center with fake traffic so customers could not report the outage. Roughly 230,000 people lost power for up to six hours. 

The Need for Defenders with Operational Know-How 

Every step in that Ukraine power plant attack chain maps cleanly onto a framework. Spear-phishing? Covered. The theft of operator credentials harvested through weaponized Office documents — also covered. Segmentation between corporate IT networks and the operational technology environments running the breakers and substations falls squarely within standard guidance, as does the integrity of firmware on the serial-to-Ethernet converters that ultimately got bricked during the attack. And yet three regional utilities, each running broadly similar control environments and each presumably aligned with at least one recognized standard, were penetrated within roughly thirty minutes of one another. All three ended up in the same place: dispatchers driving out to substations and throwing breakers by hand to restore power to nearly a quarter-million customers. 

The defenders who stopped the blackout from lasting days were not the ones who had mapped the most zones. They were the ones who still knew how to run the grid without the SCADA system, because they had come up through operations and never lost that muscle memory. 

We’re Not Discrediting the Importance of Frameworks, But…  

Building that muscle memory is what framework-heavy education tends to miss. It teaches the architecture of defense without teaching the texture of operations. A practitioner who has only ever seen a Purdue diagram on a slide can tell you that Level 2 should be isolated from Level 3.

What that practitioner often cannot tell you is why the historian at one of their sites is dual-homed, why the engineer down the hall insists on keeping it that way, what the historian is actually used for on a Tuesday morning, and what breaks if you pull the second NIC. Those answers do not live in IEC 62443. They live in the plant.

A Petrochemical Attack in Saudi Arabia  

The TRITON intrusion at a Saudi petrochemical facility in 2017 makes the same point from a different angle. Mandiant’s forensic timeline showed the attackers had been inside the corporate network for close to a year before they reached the safety instrumented system. When they finally pushed their payload to the Triconex SIS controllers, the attack failed. It failed not because a framework saved the plant, but because the attackers’ code had a flaw that caused the SIS to fault into a safe state and trip the process. 

Investigators later noted that antivirus alerts had been generated and ignored, and that the physical key switch on the Triconex had been left in PROGRAM mode, which is precisely the condition the malware needed to deliver its payload. The framework had a control for that. The operating reality did not enforce it.

Yes, You Can Teach Judgment 

None of this is an argument against frameworks. IEC 62443 in particular has become a common language the industry badly needed, and CSF gives executives a way to talk about risk that does not collapse into jargon. The argument is narrower. Frameworks describe the shape of a good program. They do not teach the judgment required to run one.  

Judgment comes from exposure to real systems, real incidents, real trade-offs, and real failures. That exposure is what most OT security curricula are structured to avoid, because it is hard to standardize, hard to certify, and hard to fit into a two-day course.

Moving Beyond Frameworks for OT Training 

This is the gap CyberEd.io is built to close. Our ICS/OT programs pair the foundational frameworks with hands-on tabletop simulations that put learners inside scenarios drawn from incidents like Ukraine 2015 and TRITON, with Red Team and Blue Team roles that reveal what the diagrams leave out. The goal is not to replace IEC 62443 or NIST CSF. It is to teach practitioners the judgment required to apply them when the plant, the people, and the pressure are real. The remaining seven posts in this series look at specific places where the framework-reality gap shows up most often, and at what a training program has to do differently to close each one. 

Learn more about our OT training programs.  


References: SANS and E-ISAC, Analysis of the Cyber Attack on the Ukrainian Power Grid (2016); CISA, IR-ALERT-H-16-056-01; Mandiant/FireEye, Attackers Deploy New ICS Attack Framework ‘TRITON’ (2017); Dragos, TRISIS Malware Analysis (2017); ISA, Lessons Learned From a Forensic Analysis of the Ukrainian Power Grid Cyberattack (2017). 
