ICS

ICS (Industrial Control Systems) are systems used to monitor and control physical processes in industrial infrastructure, energy, water utilities, and other critical infrastructure sectors.

What is ICS?

Definition

ICS (Industrial Control Systems) is an umbrella term covering all types of computer systems controlling physical processes in industry, critical infrastructure, buildings, and transportation. ICS encompasses SCADA, DCS, PLCs, RTUs, IEDs, SIS, HMIs, and historian databases.

Main ICS Categories

  • SCADA (Supervisory Control And Data Acquisition) — supervisory systems for geographically distributed operations
  • DCS (Distributed Control System) — continuous control systems for single-facility operations
  • PLC (Programmable Logic Controllers) — discrete devices with control logic
  • RTU (Remote Terminal Units) — telemetry for distributed assets
  • IED (Intelligent Electronic Devices) — protective relays, smart meters
  • SIS (Safety Instrumented System) — safety-of-last-resort systems
  • HMI (Human-Machine Interface) — operator screens
  • Historian — process data storage

Sectors using ICS

  • Energy (generation, transmission, distribution)
  • Oil & gas (drilling, pipelines, refineries)
  • Water & wastewater
  • Chemical/petrochemical
  • Manufacturing (automotive, food, pharma)
  • Transportation (rail, airports, traffic)
  • Building automation
  • Defense, mining

ICS vs IT — Key Differences

| Aspect | IT | ICS |
|---|---|---|
| Priority | CIA | AIC (Availability first) |
| Lifecycle | 3-5 years | 15-30 years |
| Patch | 30-day cycle | Quarterly windows |
| Protocols | TCP/IP, HTTPS | Modbus, PROFINET, DNP3 |
| Personnel | CISO/SOC | Operations engineering |

ICS Security

ICS security is critical because of the role these systems play in critical infrastructure. Key frameworks:

  • Purdue Model — 6-level network segmentation
  • IEC 62443 — global ICS cybersecurity standard
  • NIS2 + CER Directive — EU regulations
  • NIST SP 800-82r3 — Guide to OT Security
  • NERC CIP — USA energy sector

Frequently asked questions

+ What is ICS and what systems does it cover?

**ICS (Industrial Control Systems)** is an umbrella term covering all types of computer systems controlling physical processes in industry, critical infrastructure, buildings, and transportation. Main ICS categories:

  1. **SCADA (Supervisory Control And Data Acquisition)** — supervisory systems for geographically distributed operations (water utilities, gas pipelines, power grids).
  2. **DCS (Distributed Control System)** — continuous control systems for single-facility operations (refineries, chemical plants, power generation); high-fidelity, redundant, tightly coupled.
  3. **PLC (Programmable Logic Controllers)** — discrete devices executing control logic; building blocks for SCADA and DCS.
  4. **RTU (Remote Terminal Units)** — telemetry devices for geographically distributed assets.
  5. **IED (Intelligent Electronic Devices)** — protective relays in substations, smart meters; often in IEC 61850 environments.
  6. **SIS (Safety Instrumented System)** — independent safety-of-last-resort systems (Schneider Triconex, Siemens SIMATIC Safety, Honeywell Safety Manager); legally required in some industries.
  7. **HMI (Human-Machine Interface)** — operator screens.
  8. **Historian** — long-term process data storage (OSIsoft PI System, AVEVA Wonderware Historian).

**Sectors using ICS**: energy (power generation/transmission/distribution), oil & gas (drilling, pipelines, refineries), water & wastewater, chemical/petrochemical, manufacturing (automotive, food & beverage, pharma), transportation (rail, airports, traffic management), building automation (HVAC, lighting, security), defense, mining.

+ How does ICS differ from IT systems?

Five key differences with major practical implications:

  1. **Security priority** — IT uses CIA (Confidentiality > Integrity > Availability); ICS inverts this to AIC (Availability > Integrity > Confidentiality); stopping a production line costs $100K-$10M/h.
  2. **Equipment lifecycle** — IT 3-5 years, ICS 15-30 years; PLCs from 1995 are still in use with unsupported OS (Windows XP/7) and unpatched firmware.
  3. **Patch management** — IT 30-day cycles; ICS requires shutdown windows (annual outages) and validation in a test environment, and sometimes **never** patches (vendor EOL); virtual patching (IPS rules) is the workaround.
  4. **Protocols** — IT: TCP/IP, HTTPS, modern auth; ICS: Modbus, PROFINET, EtherNet/IP, DNP3, OPC, BACnet — often **without encryption and without authentication**.
  5. **Personnel** — IT: CISO/SOC; ICS: operations engineering / plant manager (mechanical, electrical, control engineers — not cyber experts).

**Practical consequences**: in ICS, 'install antivirus' may crash a PLC; active nmap scanning may freeze an HMI; standard IT EDR causes false positives on legitimate PLC traffic. **Rule of one**: never make changes to production ICS without operations engineer approval and a planned rollback. **Rule of never**: never connect ICS directly to the internet — use DMZ + jump servers + data diodes.

+ What is the Purdue Model for ICS and how to implement segmentation?

**Purdue Enterprise Reference Architecture (PERA)** — reference 6-level network segmentation model for ICS, the **de facto standard** in OT cybersecurity:

  • **Level 0 — Process** — sensors, actuators, physical devices.
  • **Level 1 — Basic Control** — PLCs, RTUs, DCS controllers.
  • **Level 2 — Area Supervisory Control** — HMIs, SCADA workstations, area-level supervisors.
  • **Level 3 — Site Manufacturing Operations** — MES, historian databases, batch management, site-wide supervisors.
  • **Level 3.5 — DMZ (Industrial Demilitarized Zone)** — critical zone between OT and IT; jump servers, patch management servers, anti-virus update mirrors, data diodes (one-way data flow).
  • **Level 4 — Site Business Planning & Logistics** — ERP, scheduling, email, normal enterprise IT.
  • **Level 5 — Enterprise Network** — corporate IT, internet.

**Segmentation rules**:

  • (a) traffic flows only between adjacent levels, through defined paths in the DMZ;
  • (b) **no direct Level 5 → Level 1**;
  • (c) data diodes (Waterfall, Owl Cyber Defense) for one-way data export from OT to IT (prevents bidirectional attacks);
  • (d) firewalls with protocol-aware DPI (Tofino, Bayshore);
  • (e) zone-based segmentation within a level (e.g., 'turbine zone' vs 'boiler zone' in a power plant);
  • (f) jump servers in the DMZ with MFA and session recording for all engineering connections;
  • (g) anti-virus update server in the DMZ as a proxy (instead of every OT host downloading updates from the internet).

**IEC 62443-3-2** extends Purdue with the concepts of Zones (groups of assets with similar risk profile) and Conduits (controlled communication paths).
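As an added example (not code from the original page), the checker below encodes segmentation rules (a), (b), (c) and (f) above as a policy and evaluates a set of flow records against it. The level numbers are the Purdue levels listed above (3.5 = industrial DMZ); the conduit labels, the flow records and the `evaluate`/`audit` functions are assumptions made for illustration, and rule (f) is applied here only to engineering sessions entering OT from the DMZ.

```python
"""Purdue-model conduit check: added illustration, not from the original page.

Levels follow the Purdue list (3.5 = Industrial DMZ). The conduit labels
("firewall", "diode", "jump_server") and the sample flows are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

LEVELS = [0, 1, 2, 3, 3.5, 4, 5]   # in order; neighbours in this list are "adjacent"
DMZ = 3.5
OT = {0, 1, 2, 3}


@dataclass(frozen=True)
class Flow:
    src: float                  # Purdue level of the initiating host
    dst: float                  # Purdue level of the destination host
    conduit: str                # "firewall", "diode" or "jump_server" (constructed labels)
    engineering: bool = False   # engineering session: logic download, config change


def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Return (permitted, reason) for one flow against rules (a), (b), (c), (f)."""
    s, d = flow.src, flow.dst
    if s not in LEVELS or d not in LEVELS:
        return False, "unknown Purdue level"
    if s == d:
        return True, "intra-level traffic (zone rules inside the level still apply)"
    # Rule (b): the explicit prohibition, checked first so the reason is specific.
    if s == 5 and d == 1:
        return False, "rule (b): no direct Level 5 -> Level 1"
    # Rule (a): only neighbouring levels talk. 3 and 4 are not neighbours in LEVELS
    # (3.5 sits between them), so every OT/IT crossing has to terminate in the DMZ.
    if abs(LEVELS.index(s) - LEVELS.index(d)) != 1:
        return False, "rule (a): levels not adjacent; OT/IT crossings must terminate in the DMZ"
    # Rule (c): a data diode exports OT -> IT only; anything toward a lower level is blocked.
    if flow.conduit == "diode" and d < s:
        return False, "rule (c): data diode is one-way OT -> IT"
    # Rule (f): engineering sessions entering OT from the DMZ must use the jump server
    # (MFA, session recording); engineering inside OT is left to zone rules (e).
    if flow.engineering and s == DMZ and d in OT and flow.conduit != "jump_server":
        return False, "rule (f): engineering access into OT only via the DMZ jump server"
    return True, "permitted conduit"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return the flows that violate the policy, each with the rule it breaks."""
    violations = []
    for flow in flows:
        permitted, reason = evaluate(flow)
        if not permitted:
            violations.append((flow, reason))
    return violations


# Constructed sample flows (not captured from any real network).
SAMPLE_FLOWS = [
    Flow(1, 2, "firewall"),                         # PLC -> HMI telemetry: ok
    Flow(3, 3.5, "diode"),                          # historian export to DMZ: ok
    Flow(3.5, 3, "diode"),                          # inbound over the diode: rule (c)
    Flow(5, 1, "firewall"),                         # enterprise -> PLC: rule (b)
    Flow(4, 3, "firewall"),                         # ERP -> MES bypassing DMZ: rule (a)
    Flow(3.5, 3, "jump_server", engineering=True),  # recorded jump-server session: ok
    Flow(3.5, 3, "firewall", engineering=True),     # engineering over a plain firewall: rule (f)
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} via {flow.conduit}: {reason}")
```

Run as a script it prints the four violations in the sample set; in practice the flow records would come from firewall logs or a passive monitor export, and the level assignment from the asset inventory.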

+ What were the most famous attacks on ICS and what do they teach?

Eight landmark ICS attacks:

  1. **Stuxnet (2010)** — first cyber-weapon against ICS; Siemens S7 PLCs in Iran's Natanz facility; destroyed 1000+ centrifuges; set back Iran's nuclear program 2-3 years. **Lesson**: even air-gapped systems are vulnerable (USB drives, supply chain).
  2. **Havex / Energetic Bear (2013-2014)** — APT against the energy sector in the US/EU; OPC server enumeration; attributed to Russia.
  3. **BlackEnergy 3 / Ukraine 2015** — first cyber-induced power outage; 230K residents without power for 6h; Ukrenergo.
  4. **Industroyer / CrashOverride (2016)** — first purpose-built ICS malware; modular framework for IEC protocols.
  5. **TRITON / TRISIS (2017)** — attack on Schneider Triconex SIS at a Saudi petrochemical plant; **TARGETED SAFETY SYSTEM** — catastrophic potential (explosion, fatalities); failed by mistake.
  6. **Industroyer2 (2022)** — variant against Ukraine post-invasion; combined with CaddyWiper.
  7. **Colonial Pipeline (2021)** — DarkSide ransomware on IT; Colonial themselves shut down OT preventatively; 5500-mile pipeline shut down for 5 days. **Lesson**: IT-OT interdependence — an IT attack can stop physical operations.
  8. **Pipedream / INCONTROLLER (2022)** — ICS attack toolkit revealed by Mandiant before use; targets Schneider M580/M340, Omron PLCs, OPC UA servers.

**Patterns from lessons**:

  • (a) 80% of ICS attacks start in IT (phishing, supply chain), 20% direct;
  • (b) attackers prefer 'living off the land' using native ICS tools;
  • (c) safety systems (SIS) became targets for state-sponsored actors;
  • (d) supply chain attacks (firmware backdoors, USB-based) are increasingly common;
  • (e) destructive attacks (CrashOverride, Industroyer2) outpace 'merely' espionage.

+ What is IEC 62443 and how to apply it to ICS?

**IEC 62443** is a series of ISA/IEC standards for cybersecurity of IACS (Industrial Automation and Control Systems); de facto global standard, mandatory in NIS2 for critical infrastructure. Series structure:

  • **62443-1** (general): terminology.
  • **62443-2** (policies & procedures): 2-1 IACS Security Program, 2-3 patch management, 2-4 service provider requirements.
  • **62443-3** (system): 3-2 risk assessment for zone/conduit, 3-3 system security requirements.
  • **62443-4** (component): 4-1 secure development lifecycle for vendors, 4-2 component requirements.

**Security Levels (SL 1-4)**: SL1 (casual misuse), SL2 (intentional, low resources), SL3 (sophisticated attackers, moderate resources), SL4 (state-sponsored, extensive resources). Each zone has an assigned target SL; minimum SL2 for most ICS, SL3 for critical infrastructure.

**Foundational Requirements (FR 1-7)**: FR1 (Identification & Authentication Control), FR2 (Use Control), FR3 (System Integrity), FR4 (Data Confidentiality), FR5 (Restricted Data Flow), FR6 (Timely Response to Events), FR7 (Resource Availability).

**Practical application**:

  1. **Asset owner** → 62443-2-1 (security program), 62443-2-4 (vendor management), 62443-3-2 (risk assessment), 62443-3-3 (system requirements).
  2. **System integrator** (Yokogawa, Endress+Hauser) → 62443-3-3 (system security), 62443-2-4 (service provider).
  3. **Product vendor** (Siemens, Rockwell, Schneider, ABB) → 62443-4-1 (secure SDLC), 62443-4-2 (component security).

**Certification**: ISASecure (most common), TÜV Rheinland, Bureau Veritas. **Implementation roadmap**: 6-18 months for risk assessment + remediation, 12-24 months for full compliance; don't try all-at-once — take a phased approach with the highest risk first.

+ What are mandatory ICS security controls?

Twelve top controls per IEC 62443 and NIST SP 800-82r3:

  1. **Asset inventory** — complete list of PLCs, RTUs, HMIs, switches, historians; tools: Claroty, Nozomi, Dragos, Forescout SilentDefense. Critical: you don't know what you don't see.
  2. **Network segmentation (Purdue)** — strict zones/conduits, firewalls between levels, jump servers in the DMZ.
  3. **Passive ICS monitoring** — zero active scanning; passive IDS via SPAN port detects anomalies in Modbus/DNP3/IEC 60870 traffic.
  4. **Protocol-aware firewalls** — Tofino, Bayshore Networks, Belden Tofino; whitelist legitimate commands; **block 'write' operations** from untrusted sources.
  5. **Privileged Access Management (PAM)** — all engineering connections through jump servers + MFA + session recording (CyberArk PSM, BeyondTrust, ARCON); no shared accounts.
  6. **OT-specific patch management** — quarterly maintenance windows, sandbox lab testing, vendor-validated patches; virtual patching (IPS rules) when a patch is impossible.
  7. **OT-approved anti-malware** — vendor-certified solutions (Symantec ICS Protection, McAfee MOVE, Trend Micro Industrial Endpoint); whitelist > blacklist; passive monitoring before active blocking.
  8. **Removable media controls** — USB drives are the most common vector (Stuxnet); sanitization kiosks (Olea, Metadefender Kiosk), whitelist authorized media, physical USB blockers on critical assets.
  9. **Backup & recovery** — air-gapped backups of PLC configuration, ladder logic, HMI projects, historian data; quarterly restore exercises.
  10. **Secure remote access** — VPN only for vendor/integrator support; zero standing access; time-bounded approvals; recorded sessions.
  11. **ICS Incident Response plan** — separate from IT; collaboration with plant operations; runbooks for 'PLC compromise', 'HMI lockout', 'SIS bypass'; tabletop exercises at least quarterly.
  12. **ICS-specific awareness training** — operators learn IT vs OT differences, common attack patterns, reporting procedures, social engineering specific to ICS contexts.

**Mature program**: 18-36 months to baseline, $500K-$5M+ initial for a mid-size manufacturer, $200K-$1M/year ongoing.
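Controls (3) and (4) above come down to the same check: decode the industrial protocol passively and alert on write commands that do not come from an authorized source. The following is an added example, not code from the original page or from any of the products it names: a Modbus/TCP request parser with a write allow-list, run over a small constructed capture. The MBAP header layout and function codes are from the public Modbus/TCP specification; the host addresses, the allow-list and the `check_frame`/`scan`/`build_request` functions are assumptions made for illustration.

```python
"""Passive Modbus/TCP write detection: added illustration, not code from the page.

MBAP header and function codes follow the public Modbus/TCP specification.
The allow-list, host addresses and sample capture below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers",
               22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
KNOWN_CODES = {**READ_CODES, **WRITE_CODES}

# Constructed policy: sources permitted to issue WRITE function codes, per PLC.
WRITE_ALLOWLIST = {"10.1.2.10": {"10.1.1.5"}}   # HMI -> PLC (assumed addresses)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    is_write: bool
    start_address: Optional[int]   # first address in the PDU, when the code carries one


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the MBAP header (tid, pid, length, unit) + function code from a TCP payload."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(payload) - 6:                  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = payload[7]
    start = None
    if fc in KNOWN_CODES and len(payload) >= 10:    # these codes all begin with a 16-bit address
        start = struct.unpack(">H", payload[8:10])[0]
    return ModbusRequest(tid, unit, fc, fc in WRITE_CODES, start)


def check_frame(src_ip: str, dst_ip: str, payload: bytes) -> Tuple[str, str]:
    """Return ("allow" | "alert", detail) for one observed request."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as err:
        return "alert", f"{src_ip}->{dst_ip}: malformed frame ({err})"
    if req.function_code not in KNOWN_CODES:
        return "alert", f"{src_ip}->{dst_ip}: function code {req.function_code} outside expected set"
    if req.is_write and dst_ip not in WRITE_ALLOWLIST.get(src_ip, set()):
        return "alert", (f"{src_ip}->{dst_ip}: {WRITE_CODES[req.function_code]} at address "
                         f"{req.start_address} from a source not on the write allow-list")
    return "allow", f"{src_ip}->{dst_ip}: {KNOWN_CODES[req.function_code]} unit {req.unit_id}"


def scan(capture: List[Tuple[str, str, bytes]]) -> List[str]:
    """Run check_frame over a capture and return only the alert details."""
    alerts = []
    for src, dst, payload in capture:
        verdict, detail = check_frame(src, dst, payload)
        if verdict == "alert":
            alerts.append(detail)
    return alerts


def build_request(tid: int, unit: int, fc: int, addr: int, value: int) -> bytes:
    """Construct a request whose PDU is fc + address + (quantity or value): 5 bytes."""
    pdu = struct.pack(">BHH", fc, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed capture: (src, dst, payload). 10.1.2.10 = HMI, 10.1.4.77 = unknown laptop.
SAMPLE_CAPTURE = [
    ("10.1.2.10", "10.1.1.5", build_request(1, 1, 3, 0, 10)),   # HMI polls 10 holding registers
    ("10.1.2.10", "10.1.1.5", build_request(2, 1, 6, 100, 1)),  # HMI writes a setpoint: allowed
    ("10.1.4.77", "10.1.1.5", build_request(3, 1, 6, 100, 0)),  # same write from unknown host: alert
    ("10.1.4.77", "10.1.1.5", build_request(4, 1, 3, 0, 1)),    # read from unknown host: allowed
    ("10.1.2.10", "10.1.1.5", build_request(5, 1, 8, 0, 0)),    # Diagnostics (FC 8): outside expected set
    ("10.1.2.10", "10.1.1.5", b"\x00\x06\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),  # protocol id 1
]

if __name__ == "__main__":
    for line in scan(SAMPLE_CAPTURE):
        print("ALERT", line)
```

The parser never sends anything, which is the point of control (3): the same logic can sit behind a SPAN port and only observe. The allow-list keyed by source and destination is the "whitelist legitimate commands" part of control (4); a protocol-aware firewall would enforce the same table inline, and the "outside expected set" branch is where codes such as Diagnostics or vendor-specific ones surface for review rather than being silently passed.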

+ How do NIS2, NERC CIP, and IEC 62443 apply to ICS operators?

Three regulatory levels for global ICS operators:

  1. **NIS2 Directive (EU 2022/2555)** — transposition deadline 17.10.2024; covers 'essential entities' (energy, transport, banking, healthcare, water, digital infrastructure, public administration) and 'important entities' (postal, waste, food, manufacturing, digital providers). Requirements: risk management measures (Art. 21), incident reporting (24h early warning, 72h notification, 1 month report), supply chain security, MFA everywhere, encryption, training, BCP. **Penalties**: up to **€10M or 2% turnover** (essential), **€7M or 1.4%** (important).
  2. **CER Directive (EU 2022/2557)** — Critical Entities Resilience; physical and organizational resilience; complements NIS2's cyber requirements with physical ones.
  3. **Sectoral regulations**: **NERC CIP** (USA, energy) — comprehensive set of 14 standards for the bulk electric system; CIP-005 (network perimeter), CIP-007 (system management), CIP-013 (supply chain). **TSA Pipeline Security Directives** (USA, post-Colonial Pipeline 2021) — mandatory cybersecurity for pipelines. **EO 14028** (Improving the Nation's Cybersecurity) — federal. **Sectoral national authorities**: ENISA (EU), CISA (USA), BSI (Germany), ANSSI (France), NCSC (UK).
  4. **IEC 62443 as bridge**: in practice most ICS asset owners use IEC 62443 as the framework satisfying NIS2 / NERC CIP requirements — automatic 80% compliance.
  5. **Standards & frameworks** widely adopted: **IEC 62443** (de facto standard), **ISO/IEC 27001/27002**, **NIST SP 800-82r3** (Guide to OT Security), **NIST CSF**, **ENISA guidelines**.

**Compliance roadmap for ICS operators**: (i) classify the entity (essential/important per NIS2, or NERC CIP applicability), (ii) gap analysis vs IEC 62443 SL2 minimum (SL3 for critical), (iii) remediation plan with a 12-24 month timeline, (iv) IR plan + tabletop exercises annually, (v) supply chain assessment (vendor 62443-2-4 compliance), (vi) monitoring (Claroty/Nozomi/Dragos), (vii) audit (62443-2-1 self-assessment annually, third-party every 2-3 years). **Practical advice**: start with the IEC 62443 framework — it automatically satisfies 80% of NIS2/NERC CIP requirements and is globally respected by vendors, integrators, and auditors.
