What ICS Encompasses
Industrial Control Systems (ICS) is the broadest category in OT security — an umbrella term that encompasses all systems used to monitor and control industrial processes. It includes Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Intelligent Electronic Devices (IEDs), Human-Machine Interfaces (HMIs), Safety Instrumented Systems (SIS), and the communication networks that connect them. SCADA and DCS are both subsets of ICS; this page addresses the common security principles that apply across the ICS category, with particular focus on the device-level components — PLCs, RTUs, and HMIs — that appear in virtually every OT environment.
PLCs are the workhorses of industrial automation: programmable, ruggedized computers that execute control logic in real-time, reading inputs from sensors and writing outputs to actuators based on ladder logic or function block programs. RTUs are similar but typically designed for remote deployment, communicating with SCADA master stations over long-distance communication links. HMIs provide the operator interface layer: graphical displays, trend charts, alarm management, and manual control points. Safety Instrumented Systems (SIS) are a distinct class of control system designed specifically to bring a process to a safe state if operating parameters exceed predefined limits — they are physically and logically segregated from the process control DCS and subject to the most stringent reliability and security requirements.
The Internet Exposure Problem
The most alarming trend in ICS security is the growth of internet-exposed control systems. Research by OT security vendors such as Claroty and Dragos, together with scan data from Censys and Shodan, consistently shows large numbers of PLCs, RTUs, and ICS vendor management interfaces directly reachable from the public internet. The causes are usually mundane: misconfigured firewalls or NAT rules, connectivity set up deliberately for remote access and never removed, or operational technology landing on routable networks during IT/OT convergence projects.
OT security vendors report, based on industrial asset discovery scans, that the number of internet-accessible ICS devices grew on the order of 40% between 2024 and 2025. This growth is driven by the proliferation of cellular-connected remote telemetry units, cloud-connected SCADA platforms, and industrial IoT (IIoT) gateways that bridge OT device data to cloud analytics platforms without adequate security controls. Each internet-exposed ICS device is a potential entry point for threat actors, and unlike IT endpoints most of them cannot receive automated security patches, run no host-based logging or endpoint detection, and cannot detect or respond to an intrusion on their own.
CISA's Known Exploited Vulnerabilities (KEV) catalog includes vulnerabilities in PLC and ICS software from Rockwell Automation, Siemens, Schneider Electric, and others. CISA publishes ICS advisories (historically under the ICS-CERT name) several times a week, documenting remotely exploitable vulnerabilities in widely deployed industrial control systems. The combination of internet exposure and unpatched vulnerabilities is particularly severe in ICS environments because the consequences of exploitation extend beyond data loss to physical process disruption. A practical check is to cross-reference the asset inventory against the KEV catalog and the vendor advisories for each product and firmware version, and to treat any match on an internet-reachable device as an emergency.
How Zero Trust Controls Apply to ICS
Asset visibility is the prerequisite for every ICS security control. You cannot segment what you cannot see; you cannot patch what you do not know exists; you cannot detect anomalous behavior without a baseline. Asset discovery in ICS environments must be passive: active network scanning (port scans, service probes, even a well-meant Nmap sweep) can cause PLC faults, control loop disruptions, and communications failures with real process consequences. Deploy OT network monitoring sensors on SPAN ports or network TAPs that observe traffic on ICS network segments, parse industrial protocols, and build an asset inventory (which hosts act as masters, which as controllers, which unit IDs and function codes are in use, and who issues writes) without injecting packets into the control network. Where passive observation leaves gaps, any active querying should use vendor-approved methods, be limited to scheduled maintenance windows, and be coordinated with the process owners.
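The kind of inventory a passive sensor builds, as an added example that is not part of the original page and not a vendor's product code: it parses the Modbus/TCP MBAP header of frames already taken off a SPAN port, records which hosts act as masters and which as controllers, which unit IDs and function codes are in use, and which hosts issue write commands. The sample frames, IP addresses and the approved-master set are constructed for the example; nothing is sent on the wire.

```python
"""Passive Modbus/TCP asset inventory built from observed frames.

Added example, not from the original page. It assumes plain Modbus/TCP on
port 502 and a capture already reduced to (src_ip, src_port, dst_ip,
dst_port, tcp_payload) tuples. All addresses and frames are constructed.
"""
import struct
from collections import defaultdict

MODBUS_PORT = 502
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Read Device Identification",
}
# Function codes that change controller state; who issues them matters most.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


def parse_mbap(payload):
    """Parse the 7-byte MBAP header plus function code.

    Returns a dict, or None when the frame is malformed (wrong protocol id,
    length field disagreeing with the payload, or truncated).
    """
    if len(payload) < 8:
        return None
    tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    # Bit 7 set in the function code marks an exception response.
    return {"tid": tid, "unit": unit, "fc": fc & 0x7F, "exception": bool(fc & 0x80)}


def build_inventory(packets):
    """Fold observed frames into per-host records; never transmits anything."""
    inv = defaultdict(lambda: {"roles": set(), "units": set(),
                               "functions": set(), "writers": set(), "malformed": 0})
    for src, sport, dst, dport, payload in packets:
        pdu = parse_mbap(payload)
        if pdu is None:
            inv[src]["malformed"] += 1      # worth an alert on a control network
            continue
        if dport == MODBUS_PORT:            # request: src is the master, dst the server
            master, server = src, dst
        elif sport == MODBUS_PORT:          # response: src is the server
            master, server = dst, src
        else:
            continue                        # not Modbus/TCP on the standard port
        inv[master]["roles"].add("master")
        inv[server]["roles"].add("server")
        inv[server]["units"].add(pdu["unit"])
        inv[server]["functions"].add(FUNCTION_NAMES.get(pdu["fc"], "FC%d" % pdu["fc"]))
        if pdu["fc"] in WRITE_FUNCTIONS and not pdu["exception"]:
            inv[server]["writers"].add(master)
    return dict(inv)


def unexpected_writers(inventory, approved_masters):
    """Controllers written to by hosts outside the approved master set."""
    result = {}
    for host, rec in inventory.items():
        rogue = rec["writers"] - set(approved_masters)
        if rogue:
            result[host] = rogue
    return result


# Constructed sample traffic: a SCADA master polling a PLC, the PLC answering,
# an engineering workstation writing a register, a malformed frame from an
# unknown host, and one exception response.
SAMPLE_PACKETS = [
    ("10.0.2.5", 50001, "10.0.1.10", 502, bytes.fromhex("00010000000601030000000a")),
    ("10.0.1.10", 502, "10.0.2.5", 50001, bytes.fromhex("000100000017010314") + bytes(20)),
    ("10.0.2.5", 50001, "10.0.1.10", 502, bytes.fromhex("000300000006020400000004")),
    ("10.0.3.20", 50002, "10.0.1.10", 502, bytes.fromhex("0005000000060106001000ff")),
    ("10.0.9.9", 50003, "10.0.1.10", 502, bytes.fromhex("00000000")),
    ("10.0.1.10", 502, "10.0.2.5", 50001, bytes.fromhex("000200000003018302")),
]
APPROVED_MASTERS = {"10.0.2.5"}   # assumption: the plant's only sanctioned poller

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_PACKETS)
    for host, rec in sorted(inventory.items()):
        print(host, sorted(rec["roles"]), sorted(rec["units"]), sorted(rec["functions"]))
    print("unexpected writers:", unexpected_writers(inventory, APPROVED_MASTERS))
```

The length check in parse_mbap matters on a real sensor: a frame whose MBAP length field disagrees with the payload is either a fragmented TCP segment the capture layer failed to reassemble or a fuzzing attempt, and either way the sensor should count it rather than guess. The writers set is the first thing to review: on most plants only the SCADA master and a named engineering workstation should ever appear in it.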
Network segmentation between ICS device networks and higher-level systems (SCADA servers, engineering workstations, historian servers) is the next priority. ICS devices that communicate using Modbus, EtherNet/IP, PROFINET, or other control protocols should be placed in their own network zone, with firewall policies written as explicit conduits that enforce who may initiate a connection, to which controllers, on which ports. Note that initiation direction and data direction differ: process data flows upward to SCADA, but in poll-based protocols such as Modbus/TCP it is the master station that opens the connection to the controller. The policy should therefore allow only designated SCADA masters and engineering workstations to initiate to the controller zone on the protocol ports in use, deny every other host in the SCADA or corporate networks (an HMI or a compromised jump host should not be able to talk Modbus to a PLC just because it sits in the right subnet), and block controllers from initiating connections out of their zone except for explicitly listed flows such as unsolicited reporting to a historian. Lateral movement between PLC networks, meaning cross-pollination between unrelated process areas, should be explicitly blocked.
For PLCs and RTUs that are currently internet-exposed: identify them through the asset discovery phase and immediately remove direct internet accessibility, whether that is a public IP, a port forward on the site router, or a cellular modem with a routable address. These devices should be reachable only from within the OT network zones; any remote session should terminate on a jump host in an OT DMZ rather than reaching the device network directly. Vendor remote access to PLC programming interfaces should be brokered through a vendor access management platform with MFA, time-limited approvals, and session recording, not through direct VPN connections to the device network.
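A way to turn the conduit rules above into a check that can be run over firewall logs or passive-sensor flow records, as an added example that is not part of the original page: zones are defined as CIDRs, each control protocol port has an explicit set of hosts allowed to initiate to controllers, anything outside the defined zones is untrusted, and controllers may not open connections out of their zone. The zone ranges, host addresses, port-to-role mapping and sample flows are all constructed for the example; which ports map to which roles is a per-site decision.

```python
"""Zone-and-conduit policy check for controller networks.

Added example, not from the original page. Flow records are
(src_ip, dst_ip, dst_port) for the host that initiated the connection; the
zones, approved hosts and port mapping below are constructed assumptions.
"""
import ipaddress

ZONES = {
    "plc_area_a":  ipaddress.ip_network("10.0.1.0/24"),
    "plc_area_b":  ipaddress.ip_network("10.0.4.0/24"),
    "scada":       ipaddress.ip_network("10.0.2.0/24"),
    "engineering": ipaddress.ip_network("10.0.3.0/24"),
}
APPROVED_MASTERS = {ipaddress.ip_address("10.0.2.5")}   # sanctioned SCADA pollers
APPROVED_EWS = {ipaddress.ip_address("10.0.3.20")}      # sanctioned engineering workstations

# Destination port on a controller -> hosts allowed to open that connection.
# The mapping is a site decision; this one is an assumption for the example.
ALLOWED_INITIATORS = {
    502:   APPROVED_MASTERS | APPROVED_EWS,   # Modbus/TCP polling and commissioning
    44818: APPROVED_MASTERS | APPROVED_EWS,   # EtherNet/IP (CIP) explicit messaging
    102:   APPROVED_EWS,                       # S7comm: programming and diagnostics only
}


def zone_of(ip):
    """Name of the zone an address belongs to; anything else is untrusted."""
    ip = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "untrusted"


def evaluate_flow(src, dst, dport):
    """Classify one connection attempt by who initiated it.

    Returns (allowed, reason). Directionality is about initiation: the master
    opens the connection to the controller, so the allowed initiator is the
    SCADA host, never the PLC.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sz, dz = zone_of(s), zone_of(d)
    if dz.startswith("plc_"):
        if sz == "untrusted":
            return False, "controller reachable from outside the defined OT zones"
        if sz.startswith("plc_"):
            if sz == dz:
                return True, "controller-to-controller traffic within one process area"
            return False, "cross-area controller traffic"
        allowed = ALLOWED_INITIATORS.get(dport)
        if allowed is None:
            return False, "non-control port %d into controller zone" % dport
        if s not in allowed:
            return False, "%s is not an approved initiator for port %d" % (s, dport)
        return True, "approved conduit"
    if sz.startswith("plc_"):
        return False, "controller-initiated connection out of its zone"
    return True, "outside controller conduits"


def audit(flows):
    """Return the flows that violate policy, each with its reason."""
    violations = []
    for src, dst, dport in flows:
        allowed, reason = evaluate_flow(src, dst, dport)
        if not allowed:
            violations.append((src, dst, dport, reason))
    return violations


# Constructed sample flows, as a firewall or passive sensor would report them.
SAMPLE_FLOWS = [
    ("10.0.2.5",  "10.0.1.10", 502),    # approved master polls PLC: allowed
    ("10.0.2.7",  "10.0.1.10", 502),    # another SCADA-subnet host polls PLC: denied
    ("10.0.3.20", "10.0.1.10", 102),    # EWS programs PLC: allowed
    ("10.0.2.5",  "10.0.1.10", 102),    # master on a programming port: denied
    ("10.0.1.10", "10.0.4.10", 502),    # PLC in area A talks to area B: denied
    ("203.0.113.7", "10.0.1.10", 502),  # host outside every zone: denied
    ("10.0.1.10", "10.0.2.5",  443),    # PLC opens a connection upward: denied
    ("10.0.3.20", "10.0.1.10", 3389),   # RDP into the controller zone: denied
    ("10.0.2.5",  "10.0.2.9",  1433),   # SCADA server to its database: allowed
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("DENY %s -> %s:%d  (%s)" % v)
```

Treating every address outside the defined zones as untrusted, rather than trying to decide what is "internet", is deliberate: a flat corporate subnet that can reach a PLC is the same problem as a public IP, and the check should say so. The same function can be pointed at a day's worth of firewall accept logs to find conduits that exist in practice but not on paper.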
HMIs and engineering workstations, the devices that run general-purpose operating systems (typically Windows), should receive standard IT security hardening: patching, endpoint protection, application allowlisting, and MFA with privileged access management in front of any interactive or administrative session. Two caveats apply. Patches and security agents must first be validated against the HMI or engineering software vendor's compatibility matrix, because an unsupported update can break the operator interface just as surely as an attacker can; and application allowlisting is usually a better fit than signature antivirus on these hosts, since their installed software set rarely changes. These are the most accessible entry points for attackers because they run familiar operating systems and protocols, and they hold privileged access (project files, credentials, programming software) to the underlying control systems.
Safety Instrumented Systems require a particularly careful approach. IEC 61511 (the safety lifecycle standard for process industries) requires the SIS to be independent of the basic process control system and requires a security risk assessment of the SIS; segregating the SIS network from the process control DCS network is how that independence is usually met and is a security best practice in its own right. Zero Trust controls on SIS networks should normally be limited to passive monitoring of the SIS network and of the engineering path used to program the logic solver, plus physical controls such as the keyswitch that locks the safety controller against program changes. Any active security control (inline firewalls, host agents, active scanning) that could interfere with SIS operation must be evaluated and validated with the SIS vendor before deployment.
Regulatory Frameworks
ICS security is governed by multiple frameworks depending on sector: NERC CIP for bulk electric system assets, TSA Security Directives for pipelines and other transportation operators, NIST SP 800-82 (the OT security guide) and NIST SP 800-207 (Zero Trust Architecture) for federal agencies and contractors, and IEC 62443, whose zone and conduit model underlies the segmentation approach above, as the primary international technical standard. CISA ICS advisories are a primary operational intelligence source regardless of sector.
Market Context
The global industrial control system security market is a core component of the broader $27 billion OT security market estimated for 2025. ICS security spending is growing faster than overall OT spending, driven by the insurance market (cyber insurers increasingly requiring demonstrable OT security controls for policy issuance) and the compliance mandates described above. The ICS vendor ecosystem — Rockwell Automation, Siemens, ABB, Schneider Electric, Emerson — is itself becoming a security vendor, embedding security capabilities into newer PLC and DCS products and offering managed security services for legacy installed bases.