OT/SCADA Security: ICS Protocols, Air-Gapped Networks, and the Purdue Model

Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.

By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read

Operational Technology (OT) security protects the systems that control physical processes: power grids, water treatment, manufacturing lines, oil refineries. A compromise here does not just leak data; it can cause physical damage, environmental harm, or endanger human lives. The priorities in OT are inverted from IT: availability and safety come first, then integrity, with confidentiality last.

ICS Protocols

Industrial Control System protocols were designed for reliability in isolated networks, not security on connected ones. Most lack authentication and encryption by default.

Modbus (TCP port 502) is one of the oldest and most widely deployed. The protocol has no authentication, no encryption, and no cryptographic integrity check: any host that can reach port 502 can read or write coils and registers on any Modbus unit behind it. An attacker who reaches the Modbus network can set process values directly, and the controller has no way to distinguish an HMI's write from an attacker's.
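To make the "no authentication" point concrete, the following added example (written for this article, not HADESS code) builds and parses Modbus/TCP requests with nothing but the standard library, then runs the kind of check a passive OT sensor performs: any write function code from a host outside a writer allowlist is an alert. The host addresses, the allowlist and the sample frames are constructed. Notice that the only fields in a frame are a transaction id, a length, a unit id, a function code and the data; there is nowhere a credential or signature could go.

```python
"""Modbus/TCP request builder, parser, and unauthorized-write check.

Added example for this article, not HADESS code. Standard library only.
The host addresses, writer allowlist and sample traffic are constructed."""
import struct
from dataclasses import dataclass, field

# Function codes that change process state (coils or holding registers).
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
             15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FCS = {1: "Read Coils", 2: "Read Discrete Inputs",
            3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int          # first coil/register addressed
    count: int            # number of items read or written
    values: list = field(default_factory=list)  # written values; empty for reads


def _frame(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    # MBAP header: transaction id, protocol id (always 0), length of
    # everything after the length field (unit id + PDU), unit id.
    # Nothing here authenticates the sender or protects the payload.
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_read_holding_registers(tid, unit, start, quantity) -> bytes:
    return _frame(tid, unit, struct.pack(">BHH", 3, start, quantity))


def build_write_single_register(tid, unit, address, value) -> bytes:
    return _frame(tid, unit, struct.pack(">BHH", 6, address, value))


def build_write_multiple_registers(tid, unit, start, values) -> bytes:
    data = b"".join(struct.pack(">H", v) for v in values)
    pdu = struct.pack(">BHHB", 16, start, len(values), len(data)) + data
    return _frame(tid, unit, pdu)


def parse_request(frame: bytes) -> ModbusRequest:
    """Decode the request types built above; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("truncated MBAP header")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc, pdu = frame[7], frame[8:]
    if fc in READ_FCS or fc in (5, 6):
        if len(pdu) != 4:
            raise ValueError(f"bad PDU length for FC {fc}")
        address, word = struct.unpack(">HH", pdu)
        if fc in READ_FCS:
            return ModbusRequest(tid, unit, fc, address, word)   # word = quantity
        return ModbusRequest(tid, unit, fc, address, 1, [word])  # word = value
    if fc == 16:
        if len(pdu) < 5:
            raise ValueError("truncated FC 16 header")
        start, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if nbytes != 2 * qty or len(pdu) != 5 + nbytes:
            raise ValueError("FC 16 byte count disagrees with quantity")
        return ModbusRequest(tid, unit, fc, start, qty,
                             list(struct.unpack(f">{qty}H", pdu[5:])))
    raise ValueError(f"function code {fc} not handled")


def audit_frames(observed, allowed_writers):
    """observed: (src_ip, frame) pairs as a passive sensor would see them.
    Returns one alert per write from a host outside the allowlist and per
    malformed frame (malformed traffic on a control network is worth a look)."""
    alerts = []
    for src, frame in observed:
        try:
            req = parse_request(frame)
        except ValueError as err:
            alerts.append(f"{src}: malformed Modbus frame ({err})")
            continue
        if req.function_code in WRITE_FCS and src not in allowed_writers:
            alerts.append(f"{src}: unauthorized {WRITE_FCS[req.function_code]} "
                          f"unit={req.unit_id} addr={req.address} values={req.values}")
    return alerts


# Constructed traffic: the HMI polls and writes a setpoint; an engineering
# laptop that should never write zeroes four registers; one frame is junk.
HMI, LAPTOP = "10.10.2.10", "10.10.9.77"
SAMPLE_TRAFFIC = [
    (HMI, build_read_holding_registers(1, 1, 0, 10)),
    (HMI, build_write_single_register(2, 1, 40, 1500)),
    (LAPTOP, build_write_multiple_registers(7, 1, 40, [0, 0, 0, 0])),
    (LAPTOP, b"\x00\x08\x00\x00\x00\x05\x01\x03"),  # length field says 5, only 2 follow
]

if __name__ == "__main__":
    for line in audit_frames(SAMPLE_TRAFFIC, allowed_writers={HMI}):
        print(line)
```

The allowlist check is the whole defence available at the protocol layer: because the unit cannot tell who is writing, the network (firewall rules, a monitoring sensor, or both) has to.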

DNP3 (Distributed Network Protocol, TCP port 20000) is used in power and water utilities. DNP3 Secure Authentication (SAv5, part of IEEE 1815-2012) adds challenge-response authentication of critical operations, but adoption is slow and many deployments run without it, leaving control operations as unauthenticated as Modbus.

OPC UA (Unified Architecture) is the modern replacement for OPC Classic. It supports X.509 certificate-based authentication, encryption, and signing. Use Security Mode SignAndEncrypt with a current security policy (Basic256Sha256 or one of the Aes*_Sha256 policies), and reject endpoints that offer Security Mode None or the deprecated Basic128Rsa15 and Basic256 policies. OPC UA is the strongest option, but legacy OPC Classic (DCOM-based) remains widespread and carries Windows RPC attack surface.
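A server advertises several endpoints, and the weakest one still works if the client accepts it, so the rejection has to happen client-side. The following added example (written for this article, not HADESS code and not any particular OPC UA stack's API) applies that policy to endpoint records shaped like a GetEndpoints response: it refuses Security Mode None and Sign, refuses deprecated policies, refuses endpoints that only accept anonymous user tokens, and picks the strongest remaining one. The server URL and the endpoint list are constructed.

```python
"""Select an OPC UA endpoint the way a hardened client should.

Added example for this article, not HADESS code and not a specific OPC UA
library's API. Endpoint fields mirror a GetEndpoints response
(SecurityMode, SecurityPolicyUri, SecurityLevel, user token policies);
the server URL and endpoint list are constructed."""
from dataclasses import dataclass

POLICY = "http://opcfoundation.org/UA/SecurityPolicy#"
# MessageSecurityMode enumeration values from the OPC UA specification.
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3
MODE_NAMES = {1: "None", 2: "Sign", 3: "SignAndEncrypt"}
# Policy None gives no protection; Basic128Rsa15 and Basic256 are deprecated
# (SHA-1 signatures, PKCS#1 v1.5 padding).
FORBIDDEN_POLICIES = {POLICY + "None", POLICY + "Basic128Rsa15", POLICY + "Basic256"}
# Accepted policies, strongest first.
POLICY_RANK = {POLICY + "Aes256_Sha256_RsaPss": 3,
               POLICY + "Aes128_Sha256_RsaOaep": 2,
               POLICY + "Basic256Sha256": 1}


@dataclass(frozen=True)
class Endpoint:
    url: str
    security_mode: int
    security_policy_uri: str
    security_level: int        # server-supplied ranking hint, higher is stronger
    user_token_types: tuple    # UserTokenType names the endpoint accepts


def endpoint_problems(ep: Endpoint) -> list:
    """Every reason this endpoint must not be used; an empty list means acceptable."""
    problems = []
    if ep.security_mode != MODE_SIGN_AND_ENCRYPT:
        problems.append(f"security mode {MODE_NAMES.get(ep.security_mode, ep.security_mode)}")
    short = ep.security_policy_uri.rsplit("#", 1)[-1]
    if ep.security_policy_uri in FORBIDDEN_POLICIES:
        problems.append(f"forbidden security policy {short}")
    elif ep.security_policy_uri not in POLICY_RANK:
        problems.append(f"unrecognised security policy {short}")
    if set(ep.user_token_types) <= {"Anonymous"}:
        problems.append("only anonymous user tokens offered")
    return problems


def select_endpoint(endpoints) -> Endpoint:
    """Strongest acceptable endpoint, or refuse to connect at all."""
    acceptable = [ep for ep in endpoints if not endpoint_problems(ep)]
    if not acceptable:
        raise ConnectionRefusedError("no endpoint meets policy; refusing to connect")
    return max(acceptable,
               key=lambda ep: (ep.security_level, POLICY_RANK[ep.security_policy_uri]))


SERVER = "opc.tcp://plc-gateway.example:4840"   # constructed
SAMPLE_ENDPOINTS = [
    Endpoint(SERVER, MODE_NONE, POLICY + "None", 0, ("Anonymous", "UserName")),
    Endpoint(SERVER, MODE_SIGN, POLICY + "Basic256Sha256", 50, ("UserName",)),
    Endpoint(SERVER, MODE_SIGN_AND_ENCRYPT, POLICY + "Basic256", 40, ("UserName",)),
    Endpoint(SERVER, MODE_SIGN_AND_ENCRYPT, POLICY + "Basic256Sha256", 100, ("Anonymous",)),
    Endpoint(SERVER, MODE_SIGN_AND_ENCRYPT, POLICY + "Basic256Sha256", 100, ("UserName", "Certificate")),
    Endpoint(SERVER, MODE_SIGN_AND_ENCRYPT, POLICY + "Aes256_Sha256_RsaPss", 110, ("Certificate",)),
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(MODE_NAMES.get(ep.security_mode), ep.security_policy_uri.rsplit("#", 1)[-1],
              endpoint_problems(ep) or "ok")
    chosen = select_endpoint(SAMPLE_ENDPOINTS)
    print("connect with:", MODE_NAMES[chosen.security_mode], chosen.security_policy_uri)
```

Run the same filter on the server side when you configure it: every endpoint the server does not advertise is one the client cannot be downgraded to.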

EtherNet/IP (TCP 44818 for explicit messaging, UDP 2222 for implicit I/O) and PROFINET (real-time traffic directly at the Ethernet layer, EtherType 0x8892) run over standard Ethernet hardware. They are vulnerable to ARP spoofing, man-in-the-middle attacks, and network-level manipulation. Segment these protocols on dedicated VLANs with strict firewall rules.

Monitor protocol traffic with tools like Wireshark (which ships dissectors for all of the protocols above), Zeek (which includes Modbus and DNP3 analyzers), or dedicated OT monitoring platforms like Claroty, Dragos, or Nozomi Networks.

The Purdue Model

The Purdue Enterprise Reference Architecture defines network segmentation levels for industrial environments:

  • Level 0: Physical process — sensors, actuators
  • Level 1: Basic control — PLCs, RTUs, safety systems
  • Level 2: Area supervisory — HMIs, engineering workstations
  • Level 3: Site operations — historians, OT domain servers
  • DMZ (often labelled Level 3.5): Demilitarized zone between OT and IT
  • Level 4-5: Enterprise IT network and external connections

The key principle: data flows through the DMZ, never directly between IT and OT. The DMZ hosts data diodes, jump servers, and replication services that allow information sharing without direct connectivity. Never place IT systems on OT networks or allow remote desktop connections from IT directly to Level 1-2 systems.

In practice, Purdue model violations are common. Engineering laptops that connect to both corporate WiFi and PLC networks bridge the segmentation. Remote access solutions that bypass the DMZ create paths that attackers exploit. Audit your environment for these crossover points.
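The crossover audit described in the last two paragraphs can be automated against flow records from a firewall, NetFlow collector or OT sensor. The following added example (written for this article, not HADESS code) maps addresses to Purdue levels from a constructed zone plan and flags three things: any IT-to-OT flow that does not terminate in the DMZ, remote-access protocols from IT straight into Level 1-2, and hosts seen sourcing traffic from more than one zone, which is what a dual-homed engineering laptop looks like on the wire. The subnets, host names and flow records are all constructed; replace ZONES with your own addressing plan.

```python
"""Audit flow records for Purdue-model crossovers.

Added example for this article, not HADESS code; standard library only.
The zone plan, host names and flow records are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

ZONES = {
    "L1": ipaddress.ip_network("10.10.1.0/24"),    # PLCs, RTUs
    "L2": ipaddress.ip_network("10.10.2.0/24"),    # HMIs, engineering workstations
    "L3": ipaddress.ip_network("10.10.3.0/24"),    # historians, OT domain servers
    "DMZ": ipaddress.ip_network("10.10.35.0/24"),  # replicas, jump hosts
    "L4": ipaddress.ip_network("10.100.0.0/16"),   # corporate IT
}
OT_ZONES = {"L0", "L1", "L2", "L3"}
IT_ZONES = {"L4", "L5"}
REMOTE_ACCESS_PORTS = {22, 3389, 5900}   # SSH, RDP, VNC


@dataclass(frozen=True)
class Flow:
    src_host: str   # asset name the sensor or EDR resolved for the source
    src_ip: str
    dst_ip: str
    dst_port: int


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNZONED"


def flow_findings(flow: Flow) -> list:
    """Policy violations for one flow; empty list means the flow is allowed."""
    src, dst = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    ends = {src, dst}
    findings = []
    if "UNZONED" in ends:
        findings.append(f"address outside the zone plan ({src}->{dst})")
    if ends & IT_ZONES and ends & OT_ZONES:
        findings.append(f"direct {src}->{dst} flow bypasses the DMZ")
    if src in IT_ZONES and dst in {"L1", "L2"} and flow.dst_port in REMOTE_ACCESS_PORTS:
        findings.append(f"remote access from IT into {dst} on port {flow.dst_port}")
    return findings


def audit(flows) -> dict:
    """Per-flow violations plus hosts that sourced traffic from several zones."""
    per_flow = []
    zones_by_host = defaultdict(set)
    for flow in flows:
        zones_by_host[flow.src_host].add(zone_of(flow.src_ip))
        found = flow_findings(flow)
        if found:
            per_flow.append((flow, found))
    dual_homed = {host: sorted(z) for host, z in zones_by_host.items() if len(z) > 1}
    return {"flows": per_flow, "dual_homed": dual_homed}


# Constructed flow records.
SAMPLE_FLOWS = [
    Flow("hist-01", "10.10.3.20", "10.10.35.10", 1433),      # historian -> DMZ replica: allowed
    Flow("dmz-replica", "10.10.35.10", "10.100.8.5", 8443),  # DMZ -> IT: allowed
    Flow("hmi-02", "10.10.2.11", "10.10.1.15", 502),         # HMI -> PLC: allowed
    Flow("corp-ws17", "10.100.5.20", "10.10.2.11", 3389),    # IT workstation RDP to HMI
    Flow("eng-laptop-03", "10.100.7.42", "10.100.1.5", 443),  # laptop on corporate Wi-Fi
    Flow("eng-laptop-03", "10.10.1.200", "10.10.1.15", 502),  # same laptop on the PLC segment
]

if __name__ == "__main__":
    result = audit(SAMPLE_FLOWS)
    for flow, found in result["flows"]:
        print(f"{flow.src_host} {flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}: " + "; ".join(found))
    for host, zones in result["dual_homed"].items():
        print(f"dual-homed: {host} seen sourcing traffic from {zones}")
```

The dual-homed check depends on a stable host identity across both networks (an EDR agent name, a MAC address, a certificate), since by definition the two addresses do not share a subnet.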

Air-Gapped Networks

True air gaps — networks with zero connectivity to external networks — are rare. Most “air-gapped” OT networks have some connection: a data historian that replicates to IT, a remote access solution for vendor support, or USB drives used for patch transfers.

For networks that are genuinely isolated, the primary threat vectors are USB devices, laptops brought in for maintenance, and supply chain compromise of equipment before installation. Implement USB device whitelisting, scan all media before connecting it to OT systems, and maintain a software baseline that you can verify against.
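A software baseline is only useful if you can verify it and if an intruder who altered the files cannot also quietly alter the baseline. The following added example (written for this article, not HADESS code) builds a SHA-256 manifest of a directory tree, seals the manifest with an HMAC whose key is assumed to live off the isolated system (with the baseline in change management, not on the host), and reports modified, missing and added files on the next check. The tree it walks in demo() is constructed so the script runs anywhere.

```python
"""Build, seal and verify a SHA-256 baseline of a software tree.

Added example for this article, not HADESS code; standard library only.
Assumption: the HMAC key is kept off the isolated system, so a local
attacker cannot re-seal a baseline they have edited. demo() constructs
a temporary tree so the example runs without any real OT host."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's relative POSIX-style path to its SHA-256."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_baseline(baseline: dict, key: bytes) -> bytes:
    """Canonical JSON plus an HMAC-SHA256 tag so edits to the baseline are detectable."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_baseline(sealed: bytes, key: bytes) -> dict:
    body, _, tag = sealed.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline HMAC mismatch: file altered or wrong key")
    return json.loads(body)


def verify_tree(root: Path, baseline: dict) -> dict:
    """Compare the tree on disk against a trusted baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tree, tamper with it, verify."""
    key = b"constructed-demo-key-keep-real-keys-off-the-host"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "firmware").mkdir()
        (root / "firmware" / "plc_v2.bin").write_bytes(bytes(range(256)))
        (root / "hmi.cfg").write_text("alarm_limit=80\n")
        (root / "readme.txt").write_text("do not modify\n")
        sealed = seal_baseline(build_baseline(root), key)

        # Later: a config edit, an unexpected binary, and a deleted file.
        (root / "hmi.cfg").write_text("alarm_limit=999\n")
        (root / "tools").mkdir()
        (root / "tools" / "rogue.exe").write_bytes(b"MZ\x90\x00")
        (root / "readme.txt").unlink()

        report = verify_tree(root, open_baseline(sealed, key))

        # An attacker who edits the sealed baseline without the key must be caught.
        tampered = sealed.replace(b"hmi.cfg", b"hmi.cfg.bak")
        try:
            open_baseline(tampered, key)
            report["sealed_tamper_detected"] = False
        except ValueError:
            report["sealed_tamper_detected"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification from removable media you control, compare against the sealed baseline you brought with you, and treat "added" entries with as much suspicion as "modified" ones: on an isolated system, any file that was not in the baseline arrived the same way malware would.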

Safety Systems

Safety Instrumented Systems (SIS) like Triconex and HIMA controllers are the last line of defense against physical harm. The TRITON/TRISIS malware (2017), which targeted Schneider Electric Triconex controllers, demonstrated that attackers specifically go after safety systems to remove protections before causing physical damage.

Safety systems should be on a separate network from the process control network. Never use safety controllers as general-purpose PLCs. Restrict physical and logical access to safety system engineering workstations.

Related Career Paths

OT security expertise maps to the SCADA Security Specialist career path. This is a niche specialization with strong demand in energy, utilities, and manufacturing sectors.

Frequently Asked Questions

How long does it take to learn this skill?

Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.

Do I need certifications for this skill?

Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.

What career paths use this skill?

Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.

HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
