Academy

Cyber-Physical and OT Security experimental

Cyber-Physical and OT Security From the Purdue Model to the shop floor: SCADA, ICS and PLCs, a source-checked history of incidents, IEC 62443, and the case for physical segregation, closing the CyBOK Cyber-Physical Systems gap. IT, OT and Safety: Three Worlds, Not One. Why corporate IT, operational technology and safety instrumented systems optimize for different priorities, and how the Purdue Model maps that difference onto network levels.. State the priority inversion between IT (confidentiality-first) and OT/Safety (availability- and safety-first).. Map a described system onto the correct Purdue Model level.. Correctly distinguish this course's codename from the unrelated term 'bastion host'.. IT vs OT vs Safety, The priority inversion, The Purdue Model, Levels 0-5, A naming disambiguation Three worlds, not one Conventional information technology (IT) security is usually taught around the Confidentiality, Integrity, Availability (CIA) triad in the order confidentiality, integrity, availability. A leaked spreadsheet is bad; a corrupted spreadsheet is worse; a server that is briefly unreachable is, in most IT contexts, an inconvenience. Operational technology (OT), the computing systems that directly sense and actuate a physical process (a turbine, a centrifuge, a chlorine dosing pump), inverts that ordering. Availability and physical safety come first, because an OT failure does not merely inconvenience a user. It can destroy the equipment it controls, release a hazardous substance, or injure or kill the people nearby. A third category, the Safety Instrumented System (SIS), sits apart from both: its sole purpose is to independently monitor for a hazardous condition and force an emergency shutdown, deliberately isolated from the ordinary control system so that a control-layer failure does not also disable the safety layer. The Purdue Enterprise Reference Architecture The Purdue Enterprise Reference Architecture, widely known simply as the Purdue Model, gives this course a shared vocabulary for where a given system sits between the physical process and the corporate network. Level 0 is the physical process itself, sensors and actuators. Level 1 is basic control, the programmable logic controllers (PLCs) and distributed control systems (DCS) that read those sensors and drive those actuators. Level 2 is supervisory control, the human-machine interfaces (HMI) and Supervisory Control and Data Acquisition (SCADA) systems an operator watches. Level 3 is operations management. Level 3.5, the industrial demilitarized zone (DMZ), is a deliberate buffer between the OT levels below it and the business levels above. Level 4 is business operations, enterprise resource planning (ERP) and the like. Level 5 is the wider corporate IT enterprise. Every incident studied in this course can be located on this table: which level was the entry point, and which level was the ultimate target. Module 7 returns to this table explicitly to classify each incident by its physical, kinetic consequence. A necessary disambiguation This course's codename, BASTION, is unrelated to the pre-existing IT security term "bastion host," a deliberately exposed, hardened gateway machine placed at a network's edge to mediate access to a protected zone. The two senses share no technical content. Wherever this course says BASTION without further qualification, it means the CCICCS Level III course itself, not a bastion host. Where a bastion host is discussed as a technical control, later in this course, in the context of the industrial DMZ, it is named explicitly as such. Further reading See the course's own References section for the Purdue Model overviews cited there. Standards guidance and the DMZ's real stakes The U.S. National Institute of Standards and Technology's Special Publication 800-82, Guide to Operational Technology (OT) Security, revised most recently in 2023, formalizes this same priority inversion in federal guidance: it explicitly directs practitioners away from applying IT security controls to OT environments without first accounting for the safety and availability consequences a naive IT-style control (an aggressive intrusion-prevention rule, an unplanned reboot for a patch) can itself cause on a live physical process. The Level 3.5 industrial DMZ is not simply a firewall rule; it is the single most consequential architectural decision this course's Purdue Model discussion introduces, because every later module's incident, Stuxnet's Universal Serial Bus (USB)-borne crossing of an intended air gap, the Ukraine grid attacks pivoting from IT into OT, the German steel mill's spear-phishing pivot from office to production, can be read as a case study in what happens when that boundary is thinner, or more thoroughly defeated, than its designers assumed. This disambiguation matters beyond this course's own vocabulary. A learner who searches broader security literature for "bastion" will find the IT-security bastion-host pattern far more often than any reference to this course, and conflating the two in a professional setting, describing a hardened perimeter gateway as though it were this course's subject matter, or vice versa, is exactly the kind of terminology error that erodes a security team's credibility with more experienced OT colleagues. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) The Machinery of OT: SCADA, ICS, PLC, DCS, HMI. The vocabulary and machinery of operational technology, and why these systems were built for decades of unattended service, not for life on a hostile network.. Define PLC, DCS, HMI and SCADA and model how they relate to each other within the Purdue Model.. Explain why ICS equipment is typically designed for multi-decade service life.. Identify which acronym applies to a described piece of industrial equipment.. PLCs and DCS, HMI, SCADA as the supervisory layer, Decades-long service life The vocabulary of the shop floor A Programmable Logic Controller (PLC) is a ruggedized industrial computer that executes control logic directly against field sensors and actuators. It is the workhorse of Purdue Model Level 1: read a sensor, evaluate a rule, drive an actuator, repeat, often many times per second, for years without interruption. Collectively, PLCs, DCS, HMIs and SCADA systems make up what this course calls an industrial control system (ICS). A Distributed Control System (DCS) is what a large, typically continuous process, a refinery, a power plant, a chemical plant, uses instead of a single PLC: many controllers and input/output points coordinated together across the whole process. A Human-Machine Interface (HMI) is the screen an operator watches and issues commands through. Supervisory Control and Data Acquisition (SCADA) is the layer above all of that: it aggregates data and control across many PLCs, Remote Terminal Units (RTUs) and often geographically dispersed sites, a pipeline running hundreds of kilometers, a grid spanning a region, into one supervisory picture. Built for decades, not for a hostile network The capital equipment a PLC or DCS controls, a turbine, a furnace, a centrifuge cascade, is itself engineered to run for decades. The controller is frequently certified and validated alongside that equipment as a matched configuration, which makes swapping it out, or even patching its firmware, a non-trivial undertaking rather than a routine update. Module 2 examines the direct consequence of this: firmware that goes years between meaningful security review, on hardware that was never designed with an adversarial network in mind, because for most of its service life it had none. Precision in this vocabulary is not pedantry. Every later incident in this course, Stuxnet's Siemens PLCs, Triton/Trisis's Triconex Safety Instrumented System, Aliquippa's Unitronics PLC, is described using exactly these terms, and knowing which layer was touched is the difference between a control-layer compromise and a safety-layer compromise, a distinction Module 6 argues is categorical, not a matter of degree. Further reading See the course's own References section for the Purdue Model and ICS vocabulary overviews cited there. Field vocabulary that spans a region Remote Terminal Units (RTUs) matter disproportionately for exactly the kind of geographically dispersed infrastructure SCADA was built to supervise: a single pipeline operator or grid utility may have hundreds of RTUs spread across a service territory spanning an entire region, each one a field-deployed, often minimally staffed device that a SCADA system polls, commands and depends on, frequently over communication links, leased telephone lines, licensed radio, or increasingly cellular and satellite connections, that were never designed with an adversarial network in mind. Two further pieces of vocabulary complete the picture Level 3, operations management, actually runs on: an engineering workstation is the specialized computer used to program and configure a PLC or DCS directly, typically running vendor-specific software with far more authority over field devices than an HMI's operator-facing view grants, and a historian is the database that archives every process value a SCADA system collects, the record a plant later consults to reconstruct exactly what happened during an incident, including, as later modules will show, a cyber incident. Underneath HMI, SCADA and DCS sits a further layer of protocol vocabulary this course touches without dwelling on: Modbus, Distributed Network Protocol 3 (DNP3) and Profibus (the last of which reappears by name in Module 3's Stuxnet discussion) are among the field-level protocols PLCs and RTUs use to exchange the actual sensor readings and actuator commands, many of them designed in an era when authentication and encryption were not yet standard requirements for industrial communication. Getting this vocabulary right is not academic precision for its own sake. Module 2's firmware problem, Module 3's Stuxnet chain, and Module 6's Triton/Trisis case are each, at bottom, a story about a specific layer of this vocabulary being reached, and a security professional who cannot correctly distinguish a PLC-level compromise from an HMI-level compromise from a safety-layer compromise cannot accurately scope an incident's actual severity. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) The Firmware Problem. Why OT firmware receives less scrutiny and slower patching than IT software, and what current research says about the resulting exposure.. Explain the operational reasons OT patching lags IT patching.. Cite current research on insecure remote-access conditions and unpatched OT systems.. Assess a vendor advisory with no available patch against one with a patch pending deployment.. Why OT patching lags IT patching, Current research: Dragos and Claroty, Advisories without patches, The planned-outage constraint Why OT patching lags IT patching An IT server can usually be patched and rebooted with minutes of planned inconvenience. An operational technology (OT) device controlling a live physical process cannot, in general, be patched the same way: an unplanned interruption of a programmable logic controller (PLC) governing a blast furnace or a chlorine dosing pump is not a minor inconvenience, it is itself a potential availability or safety event, the exact category of harm the patch might have been trying to prevent. The result is a systemic lag between when a vulnerability is disclosed and when it is actually remediated in the field, not because operators are careless, but because a patch requires a planned outage that must be scheduled, justified, and sometimes coordinated across an entire production line. What current research shows Dragos's ongoing OT cybersecurity research gives this course current, not merely historical, figures. Roughly two out of every three organizations assessed had insecure remote-access conditions, insecure configurations, unpatched systems, or poor network architecture. Roughly 45 percent of OT Watch customers had Secure Shell (SSH) services reachable from publicly routable internet addresses. Roughly one in four vulnerability advisories relevant to industrial control system (ICS) equipment came with no vendor patch or mitigation available at all. Dragos's own risk-based "Now, Next, Never" prioritization found that only a small fraction, roughly 2 percent, of ICS-relevant vulnerabilities actually required immediate action, a useful corrective against treating every advisory as equally urgent, but the fraction with no available fix at all remains a genuine, ongoing exposure that compensating controls, not a patch, must cover. An advisory with no available patch is not a closed issue. It is an open exposure that only network segmentation, restricted remote access, and enhanced monitoring can cover until a fix exists, precisely the kind of compensating control Module 8's zones-and-conduits model formalizes. The compounding effect of long service life Module 1 established that ICS equipment often runs for decades. That same longevity means the firmware problem compounds rather than resolves: a device installed ten years ago has, all else equal, ten years of accumulated advisories against it, while the same operational and certification constraints that discourage frequent patching remain in force the entire time. The firmware problem is not a one-time backlog to clear; it is a standing condition that a mature OT security program manages continuously, through prioritized patching where possible and compensating controls everywhere else. Further reading See the course's own References section for Dragos's annual OT cybersecurity review. Why revalidation, not just scheduling, slows a patch Part of what makes OT patching slower than IT patching is not merely scheduling difficulty but a genuine technical risk: a firmware update can alter a controller's timing behavior, its exact cycle time or the precision of a control loop, in ways that were never present in the original validated configuration, so a vendor or operator revalidating a patch before deployment is not being overcautious, it is confirming the patched device still behaves identically to the specific configuration the physical process was engineered and safety-certified against. Where a patch genuinely cannot be applied promptly, this course's later modules make the compensating-control alternative concrete rather than abstract: network segmentation restricting which hosts can even reach the vulnerable device, enhanced monitoring for anomalous traffic to or from it, and restricted remote access removing the exposure Dragos's own figures above show is disproportionately common, are the specific tools Module 8's zones-and-conduits model formalizes into a repeatable architecture rather than an ad hoc list. NIST Special Publication 800-82, Guide to Operational Technology (OT) Security, revised in 2023, reaches the same conclusion from a standards-body perspective rather than an industry vendor's incident data: it explicitly recommends compensating controls as a documented, deliberate risk-acceptance decision when patching is infeasible, not as an informal workaround, precisely because an undocumented gap is far harder for a security team to inherit, audit or eventually close than a documented one. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Stuxnet and the Air Gap. How Stuxnet crossed an air-gapped network via USB, precisely fingerprinted Natanz's centrifuge cascade, and why an air gap is a control, not a guarantee.. Describe Stuxnet's 2010 discovery and its target.. Explain how Stuxnet crossed Natanz's air gap and why its targeting was so precise.. Justify why an air gap should be understood as a strong control rather than an absolute guarantee.. Discovery, 2010, USB and the air gap, Precision fingerprinting, The air gap as a control, not a guarantee Discovery, 2010 Stuxnet was first publicly identified in June 2010 by the Belarusian antivirus firm VirusBlokAda, after a client reported unusual behavior. Analysis that followed, across multiple independent security vendors, established that its real target was Iran's Natanz uranium enrichment facility, specifically the centrifuge cascade controlled by Siemens S7-300 and S7-400 series programmable logic controllers (PLCs) running Siemens's WinCC/Step 7 software. It is widely credited as the first publicly documented case of malicious code producing confirmed, physical, kinetic damage to industrial equipment: Natanz lost approximately 1,000 centrifuges to Stuxnet's activity. Crossing an air gap that was never absolute Natanz's centrifuge control network was air-gapped: it had no direct internet connection. Stuxnet crossed that gap anyway, via Universal Serial Bus (USB) flash drives, exploiting a Windows vulnerability that let it execute automatically when the drive was inserted, then spreading further within the isolated network from host to host. Before acting, it fingerprinted the specific devices it found, checking identifiers and a particular Profibus network card configuration, against the exact signature of Natanz's cascade. Everywhere else, it stayed dormant. This precision meant Stuxnet was not indiscriminate industrial sabotage; it was a narrowly targeted weapon that happened to spread more widely than its target while activating only against it. The lesson this course draws from Stuxnet is not "air gaps are useless." It is "an air gap is a control, one of the strongest available, not an absolute guarantee." Module 8 returns to this exact tension when arguing for physical segregation as the highest-assurance control available, while acknowledging Stuxnet as the standing counter-argument against treating segregation as sufficient on its own. Further reading See the course's own References section for Stuxnet's technical history. Four zero-days and two stolen certificates Stuxnet's technical sophistication went well beyond the USB-delivery mechanism alone: security researchers documented that it exploited four separate Windows zero-day vulnerabilities, previously unknown flaws with no available patch at the time of use, and used two stolen digital certificates, from Realtek and JMicron, to make its device drivers appear legitimately signed to the operating system, a level of resourcing far beyond what most criminal malware campaigns before or since have deployed. Ralph Langner, an independent industrial-control-systems security researcher, published some of the earliest and most influential public technical analysis of Stuxnet's actual attack logic, work later formalized in a peer-reviewed IEEE Security and Privacy article; Langner's central conclusion, that Stuxnet's payload was engineered with detailed, insider-level knowledge of Natanz's specific centrifuge cascade configuration, is what elevated the case from "sophisticated malware" to what many researchers still treat as the first confirmed cyberweapon. Stuxnet's disclosure in 2010 marked a turning point in how governments and operational technology (OT) operators worldwide assessed their own exposure: a capability once considered largely theoretical, a nation-state-resourced actor engineering malware to produce deliberate, precisely targeted physical destruction, was now a documented, technically dissected case study, and every incident this course covers afterward, Ukraine's grid attacks, Triton/Trisis, is properly read against the baseline Stuxnet established for what a well-resourced actor can achieve. Stuxnet's air-gap crossing is also a defense-in-depth argument, not only an air-gap argument specifically: Natanz's network had other controls in place, and none of them independently caught the intrusion before Stuxnet's centrifuge-speed manipulation began, which is precisely the failure mode Module 8's zones-and-conduits model is designed to prevent by requiring multiple, independently enforced layers rather than relying on any single control, air-gapped or otherwise, to carry the full defensive burden alone. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Grid, Pipeline and Industrial Incidents. Ukraine's confirmed 2015 and 2016 grid attacks, the disputed 2008 Turkish pipeline explosion claim, and the confirmed 2014 German steel mill attack.. Describe the 2015 and 2016 Ukraine grid attacks and their attribution.. Assess the Turkish pipeline explosion's cyberattack claim against its documented counter-evidence.. Describe the 2014 German steel mill attack's method and consequence.. Ukraine, 2015 and 2016, The Turkish pipeline claim, disputed, The German steel mill, 2014, Weighing confirmed against disputed claims Ukraine, 2015 and 2016: two confirmed grid attacks On 23 December 2015, an attack using BlackEnergy3 and the disk-wiping tool KillDisk cut power to roughly 230,000 people across Ukraine for one to six hours, the first publicly acknowledged successful cyberattack on a power grid. It relied heavily on abusing the operators' own remote-access tools and human-machine interface (HMI) software to open breakers. A year later, on 17 December 2016, a second attack used purpose-built malware, Industroyer, also known as CrashOverride, which was notably more advanced: it embedded direct knowledge of grid communication protocols, letting it issue commands to substation equipment without needing to hijack an operator's own software session. Both attacks have been attributed by Ukrainian officials and independent security researchers to the Sandworm Team, linked to Russian security services. A disputed claim: the 2008 Turkish pipeline explosion The 2008 explosion on the Baku-Tbilisi-Ceyhan pipeline near Refahiye, Turkey, was originally attributed to the Kurdistan Workers' Party (PKK) as a physical attack. A 2014 Bloomberg report, citing four unnamed Western intelligence officials, later claimed a cyberattack had over-pressurized the line and disabled alarms. This claim is specifically disputed: industrial control system (ICS) security researcher Robert M. Lee has publicly stated the cyberattack theory lacks supporting evidence, and a subsequent internal audit reportedly found that security cameras cited as corroborating evidence had actually been installed only after the explosion, and that explosive residue was present at the site, both details consistent with the original PKK physical-attack attribution rather than a hack. This course teaches the claim and its counter-evidence side by side, deliberately, rather than repeating the cyberattack narrative as settled fact or omitting a widely cited incident from the record. A confirmed industrial attack: the German steel mill, 2014 Germany's Federal Office for Information Security (BSI) reported that attackers used spear phishing to reach a steel mill's office network, then pivoted into the production network, ultimately preventing a blast furnace from shutting down normally and causing massive physical damage. Unlike the Turkish pipeline claim, this incident is confirmed by a named national authority's own report and is not disputed in the technical literature. Three incidents, three different evidentiary standings: two confirmed by government advisories and named technical attribution, one built on unnamed sources and later challenged by a named researcher with physical counter-evidence. A security professional's threat model should track that distinction, not flatten it. Further reading See the course's own References section for CISA's Ukraine advisory and Bloomberg's original Turkish pipeline report. Attribution frameworks and a persistent actor Both grid attacks are documented and attributed by name, not merely alleged: the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the MITRE ATT&CK for ICS framework, a structured catalog of adversary tactics and techniques specific to industrial control systems, both catalog them in detail, alongside independent vendor research from Dragos and other established ICS security vendors. The Sandworm Team, publicly attributed by U.S. Department of Justice indictments to Unit 74455 of Russia's Main Intelligence Directorate (GRU), did not disappear after 2016; the same actor has since been linked to further disruptive operations against Ukrainian infrastructure through the ongoing conflict, making the 2015 and 2016 grid attacks this module covers the earliest, not the only, documented instances of this specific actor's capability. The evidentiary gap between the Ukraine attacks and the Turkish pipeline claim is instructive precisely because it recurs throughout this course: Module 5's Oldsmar incident and Module 7's kinetic-effect classification both depend on exactly this same discipline, tracking not just what happened but how confidently, and on what evidentiary basis, this course or the wider security community can actually claim it happened. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Water, Food and Healthcare Under Attack. The Oldsmar water incident and its later operator-error attribution, the Aliquippa PLC attack, JBS Foods' ransomware attack, and WannaCry's and Conti's effects on healthcare.. Describe the Oldsmar incident and its subsequent, disputed attribution.. Describe the Aliquippa PLC attack and its actor attribution.. Assess JBS's and the NHS's and HSE's ransomware incidents and their sector-level consequences.. Oldsmar, disputed, Aliquippa and CyberAv3ngers, JBS Foods, 2021, WannaCry and HSE Oldsmar: a disputed hack, later called operator error In February 2021, an operator at a water treatment facility in Oldsmar, Florida, watched a remote change to the plant's supervisory human-machine interface (HMI) raise sodium hydroxide (lye) levels from roughly 100 to 11,000 parts per million, and reversed it immediately, before any lye actually reached the water supply. The incident was widely reported at the time as a malicious remote hack. A later account from Oldsmar's own former city manager described it instead as operator error, calling it a "non-event." This course teaches both the original narrative and the later attribution, because presenting only the first would omit a credible, sourced account that materially changes how the incident should be understood. Aliquippa: a confirmed PLC attack with named attribution In November 2023, an Israeli-made Unitronics programmable logic controller (PLC) at a water authority booster station in Aliquippa, Pennsylvania was disabled after being reached through a default or weak credential, part of a broader campaign against Unitronics devices across multiple sectors described in a Cybersecurity and Infrastructure Security Agency (CISA) advisory, numbered AA23-335A (AA23), following CISA's own alert-numbering convention of a two-letter prefix plus the two-digit year. The activity has been attributed to CyberAv3ngers, a persona linked to Iran's Islamic Revolutionary Guard Corps, and named individuals have since been sanctioned by the US Treasury in connection with it. Unlike Oldsmar, Aliquippa's attribution rests on a government advisory and formal sanctions, not a contested media report. Food and healthcare: ransomware reaching physical operations JBS Foods (JBS) (from founder Jose Batista Sobrinho's initials), the world's largest meat processor, suffered a May 2021 ransomware attack attributed to the REvil group, disrupting production across Australia, Brazil, Canada and the United States before the company paid an $11 million ransom to restore operations, a reminder that ransomware aimed at IT systems can still stop physical production lines. WannaCry's May 2017 spread, exploiting the EternalBlue Server Message Block (SMB) vulnerability, is estimated by the UK National Audit Office to have cost the National Health Service (NHS) roughly $100 million amid widespread disruption to patient care. Ireland's Health Service Executive (HSE) suffered a comparable disruption in March 2021 when a phishing email led to Cobalt Strike deployment and, ultimately, Conti ransomware spreading across the health service's IT estate. None of these four incidents required breaching a Purdue Model Level 0 or Level 1 device directly. Ransomware and credential abuse at the IT and supervisory layers were enough to stop physical operations, a reminder that Module 0's IT and operational technology (OT) boundary is a design goal, not an automatic guarantee. Further reading See the course's own References section for CISA Advisory AA23-335A and the JBS ransomware attack overview. A repeatable pattern, not an isolated event The Aliquippa attack was one of several similar incidents the CISA advisory documented across the same campaign: Unitronics PLCs at water utilities in at least two other U.S. states were reportedly reached through the same default-credential weakness in the same window, which is why the advisory frames Aliquippa as one instance of a broader, repeatable exposure pattern (default or unchanged vendor credentials on internet-reachable OT devices) rather than a single isolated incident. The mechanism connecting an IT-layer ransomware infection to a halted physical production line is usually simple rather than exotic: modern manufacturing and processing operations depend on IT-layer systems, order management, batch scheduling, quality-control databases, logistics coordination, to actually run Level 1 and Level 2 equipment efficiently, so encrypting or disabling those IT systems can stop physical production even when not a single PLC, Remote Terminal Unit (RTU) or HMI was itself touched by the attack. The UK National Audit Office's own assessment found WannaCry disrupted operations at roughly a third of English NHS trusts, cancelling an estimated 19,000 appointments and procedures during the outage window, a figure that illustrates why this module treats healthcare ransomware as a physical-consequence incident, not merely a data-confidentiality one, even though no medical device or life-support system was itself the direct target. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Triton/Trisis: Attacking the Safety System Itself. Why the 2017 Triton/Trisis attack on a Schneider Electric Triconex Safety Instrumented System represents a categorically more dangerous escalation than attacking the control layer alone.. Describe the Triton/Trisis attack's target and mechanism.. Explain why targeting a Safety Instrumented System is more dangerous than targeting a control-layer PLC.. Assess Triton/Trisis's attribution and significance.. What a Safety Instrumented System does, The 2017 attack, mechanism, Why safety-layer attacks are categorically worse, Attribution and significance What a Safety Instrumented System does A Safety Instrumented System (SIS), such as Schneider Electric's Triconex product line, is deliberately separate from the ordinary control system it watches over (commonly a programmable logic controller (PLC) or distributed control system (DCS)). Its job is narrow and specific: independently monitor for a hazardous condition, and if one is detected, force an emergency shutdown (ESD) regardless of what the control layer is doing. The entire design premise is independence: if the control layer fails or is compromised, the safety layer is supposed to still be there, watching, unaffected. The 2017 attack In 2017, malware now known as Triton, or Trisis, was found to have targeted a Schneider Electric Triconex Safety Instrumented System at a Saudi petrochemical plant. Its capability was to manipulate or disable the safety system itself, which could, in turn, allow a hazardous condition to progress into an actual plant disaster rather than being caught and stopped. The earliest documented sign of the attackers' activity predates the incident's widely reported December 2017 disclosure: in June 2017, the attackers appear to have inadvertently triggered the safety system, causing a temporary plant shutdown, which was the first visible symptom investigators later traced back to this campaign. Investigators subsequently found six infected Triconex emergency shutdown controllers in total, beyond the single system first identified, and FireEye (Mandiant) attributed the activity, with moderate confidence, most likely to Russia's Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM). Why this is categorically worse than a control-layer attack Every incident in Modules 3 to 5 attacked or exploited the control layer, or an IT layer feeding into it: Stuxnet's centrifuge programmable logic controllers (PLCs), the Ukraine grid's breakers, Aliquippa's booster-station PLC. In each of those cases, an intact, independent safety layer remains, in principle, a last line of defense that could still catch a runaway condition and force a shutdown before disaster. Triton/Trisis is different in kind, not just in target: it goes after that last independent check directly. If the safety layer itself can be disabled or manipulated, the one system specifically designed to catch every other layer's failure is no longer there to catch it. A plant that assumes "our control system is well secured, so our safety system needs no separate attention" has not learned Triton/Trisis's lesson. The safety layer's own security is a distinct requirement, not an automatic consequence of securing the control layer. Further reading See the course's own References section for Triton/Trisis's technical history. Functional safety standards, distinct from security standards Safety Instrumented Systems like Triconex are engineered against a distinct family of standards from the security standards Module 8 covers in depth: the International Electrotechnical Commission (IEC) 61508 standard and its process-industry-specific counterpart IEC 61511, which define Safety Integrity Levels (SIL) describing how reliably a safety function must perform its job, a functional-safety engineering discipline that predates, and is conceptually distinct from, IEC 62443's cybersecurity-specific Security Levels, even though both frameworks now increasingly reference each other as operational technology (OT) security and functional safety have converged as concerns. Triton/Trisis was not a one-off curiosity. Security researchers have since documented continued targeting interest in safety-system architectures broadly, and the same categorical logic, that disabling or manipulating the layer specifically designed to catch every other layer's failure is worth more to a sufficiently motivated attacker than disabling the control layer alone, applies to any Safety Instrumented System, not only Triconex specifically, which is why this module treats Triton/Trisis as a category-defining case study rather than a single vendor's isolated security failure. FireEye's (Mandiant's) attribution to Russia's CNIIHM was stated at moderate confidence, not certainty, and this course treats that distinction as substantive rather than a hedge: moderate-confidence attribution is still actionable for defensive purposes, since the technical facts of what the malware did and which systems it targeted do not depend on attribution being resolved, but a security professional briefing leadership on this case should represent the confidence level accurately rather than rounding it up to certainty, the same evidentiary discipline Module 4's Turkish pipeline discussion and Module 7's kinetic-effect classification both require. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Kinetic Warfare: When Code Has Physical Effects. Defining kinetic effect precisely, classifying every prior incident by confirmed versus disputed physical consequence, and examining the Davis-Besse near-miss.. Define kinetic effect in this course's terms.. Correctly assess each prior module's incident by confirmed, disputed, or absent physical consequence.. Describe the Davis-Besse Slammer worm incident as a near-miss with no kinetic effect.. Defining kinetic effect, A classification table across Modules 3-6, Davis-Besse, 2003, a near-miss, Why near-misses matter as much as confirmed incidents Defining kinetic effect This course uses "kinetic effect" to mean a physical, real-world consequence of a digital compromise: equipment destruction, a hazardous release, or bodily harm, as distinct from a purely digital consequence such as data loss or a service outage with no physical result. Not every incident this course has covered produced one, and at least one widely cited claim about a kinetic effect is itself disputed. Treating every headline as equally severe would distort a security professional's threat model; this module builds the classification instead of assuming it. A classification across Modules 3 to 6 Davis-Besse, 2003: a near-miss worth studying In February 2003, the Slammer worm reached the Davis-Besse nuclear plant's network via a contractor's computer connected to the internet, bypassing the plant's firewall. The plant's Safety Parameter Display System was down for nearly five hours as a result. No kinetic effect occurred: a redundant analog backup system remained available throughout, and the plant's reactor protection systems were unaffected. This is a genuine defense-in-depth success story, not a disaster, but the vulnerability path it reveals, an internet-connected contractor machine reaching a nuclear plant's network, is exactly the kind of finding a near-miss is valuable for, independent of the actual outcome. A near-miss and a confirmed kinetic-effect incident teach different, complementary lessons. Davis-Besse's redundant analog backup is the reason the near-miss stayed a near-miss; it is also a direct argument for the layered zones-and-conduits model Module 8 formalizes. Further reading See the course's own References section for the Davis-Besse Slammer worm case study. Slammer's indiscriminate spread and a near-miss's real cause The Slammer worm that reached Davis-Besse was not targeted at nuclear infrastructure specifically; it was an indiscriminate, self-propagating worm exploiting a Microsoft Structured Query Language (SQL) Server vulnerability that infected an estimated 75,000 hosts worldwide within roughly ten minutes of its January 2003 release, causing widespread internet slowdowns, and Davis-Besse's exposure came from an ordinary contractor laptop with an unauthorized modem connection bypassing the plant's firewall entirely, not from any deliberate targeting of the plant. Near-miss incidents like Davis-Besse are systematically underreported relative to their actual value as a data source, precisely because nothing visibly bad happened: an organization has far less external pressure to publicly disclose a near-miss than a confirmed incident with real consequences, yet the underlying vulnerability path, an internet-connected contractor machine reaching a nuclear plant's internal network, is exactly as real and exactly as worth fixing whether or not a redundant backup happened to be available that day. Davis-Besse's redundant analog Safety Parameter Display System backup, and the plant's separately engineered reactor protection systems, are worth naming specifically because they illustrate defense-in-depth working as designed: the digital display system going down for nearly five hours was a real degradation of the operators' situational awareness, but it was not, by itself, a loss of the plant's actual safety function, because that function did not depend on the compromised system alone. This module's classification table is not an academic exercise in categorization for its own sake; a security professional briefing organizational leadership or regulators after an incident needs to state, precisely and defensibly, whether a confirmed kinetic effect occurred, and conflating a near-miss like Davis-Besse with a confirmed, physically destructive incident like Stuxnet, in either direction, either overstating a near-miss or understating a confirmed incident, actively degrades the quality of the risk decisions that follow from the briefing. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) IEC 62443: Zones, Conduits and Physical Segregation. The ISA99/IEC 62443 series in depth, and why physical segregation remains the highest-assurance control available, despite Stuxnet's own crossing of an air gap.. Describe IEC 62443's security levels (SL 1-4) and its seven foundational requirements.. Explain the zones-and-conduits model.. Argue for physical segregation's continued importance while accounting for its documented limits.. ISA99 and IEC 62443's origin, Security Levels SL 1-4, Zones and conduits, Physical segregation, importance and limits IEC 62443's origin and shape The ISA99 committee (ISA99), established by the International Society of Automation in 2002, developed the standard that would become the IEC 62443 series, published in partnership with the International Electrotechnical Commission (IEC). It organizes operational technology (OT) security around two central concepts this module covers in depth: four Security Levels (SL), numbered SL 1 through SL 4, describing the sophistication of threat a zone is designed to resist, and seven Foundational Requirements describing the categories of control every zone needs, regardless of its assigned level. Zones and conduits IEC 62443 groups assets sharing a common security level and risk profile into a zone, and formally defines the path by which communication crosses between zones as a conduit. A conduit is where policy actually gets enforced: what is allowed to cross, in which direction, under what conditions. This model maps naturally onto the Purdue Model from Module 0: zones are commonly aligned with Purdue levels, and the industrial demilitarized zone (DMZ) at Level 3.5 is itself a conduit-heavy zone specifically designed to control what crosses between OT and business IT. Physical segregation, argued and qualified Among all the controls a conduit can enforce, physical segregation, a genuine air gap with no network path at all between two zones, remains the single highest-assurance option available, because it removes an entire category of remote attack outright rather than merely restricting it. This course insists on its importance for exactly that reason. But Module 3's own history is the standing qualification: Stuxnet crossed Natanz's air gap via Universal Serial Bus (USB) media, at considerable design cost to the attacker, precisely because the network path was closed. Physical segregation raises the cost and complexity of an attack substantially; it does not make an attack impossible. IEC 62443 compliance and physical segregation are complementary, not substitutes for each other: the standard's own zones-and-conduits model is built around minimizing what is allowed to cross a boundary, and segregation is the strongest available answer to that question, not an alternative to asking it. Treat physical segregation as the strongest layer in a layered defense, backed by IEC 62443's Security Levels and Foundational Requirements everywhere a genuine air gap is not achievable, never as a single control assumed to be sufficient alone. Further reading See the course's own References section for IEC 62443 overviews and the zones-and-conduits research cited there. The Foundational Requirements made concrete Mapping this course's own incidents onto IEC 62443's seven Foundational Requirements makes the framework concrete rather than abstract: Aliquippa's default-credential programmable logic controller (PLC) compromise (Module 5) is squarely a failure of Identification and Authentication Control, Stuxnet's falsified operator readings (Module 3) defeated System Integrity, and Triton/Trisis (Module 6) is best read as an attack specifically targeting Resource Availability and System Integrity at the safety layer, the one layer every other Foundational Requirement in this table assumes will still be there to catch a failure. IEC 62443 and NIST Special Publication (SP) 800-82 are complementary rather than competing references: IEC 62443 is the international, vendor- and asset-owner-facing standard this module builds around, organized by Security Levels and zones and conduits, while NIST SP 800-82, revised in 2023, is U.S. federal guidance covering much of the same ground, OT-specific risk management, network architecture, and patch management, from a regulatory and public-sector-audience perspective; a mature OT security program in practice typically references both rather than treating either as sufficient alone. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Capstone: Regulation and a Segmented OT Architecture. France's LPM/OIV regime, the EU's NIS2 Directive, and a capstone exercise designing a segmented OT architecture for a named critical-infrastructure scenario.. Describe the French LPM's OIV regime and ANSSI's role.. Describe NIS2's scope and its essential/important entity distinction.. Design a segmented OT architecture synthesizing Modules 0 to 8 for a named scenario.. LPM and the OIV regime, NIS2's scope, Designing a segmented architecture, Synthesis across the course France's LPM and the OIV regime France's Loi de Programmation Militaire (LPM) establishes mandatory cybersecurity obligations for Opérateurs d'Importance Vitale (OIV), operators across twelve sectors identified by the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) whose unavailability would significantly threaten the nation's security or survival capacity. This regime sits within the broader security-of-vital-activities framework known by its own short name, SAIV (SAIV), from "Sécurité des Activités d'Importance Vitale," the umbrella scheme under which the OIV designation and its obligations are organized. An OIV's core obligations include reporting security incidents to ANSSI, undergoing security audits performed by ANSSI-qualified providers, and using ANSSI-qualified or certified products and services under the Prestataires de Détection d'Incidents de Sécurité (PDIS) framework. Non-compliance carries penalties of up to 150,000 euro for individuals, and up to 750,000 euro for legal persons. The EU's NIS2 Directive The EU's NIS2 Directive (NIS2) (2022/2555) replaced the original directive on the security of network and information systems, retroactively known as NIS1 (NIS1) (2016/1148), with an effective transposition deadline of 18 October 2024. NIS2 and NIS1 are each directive's own short name, drawn from "Network and Information Security," rather than independently expandable acronyms beyond that shared source phrase. It covers eighteen sectors, split between Annex I high-criticality sectors, energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, information and communications technology (ICT) business-to-business service management, public administration, and space, and Annex II other critical sectors, postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research. NIS2 distinguishes essential from important entities largely by sector criticality combined with size thresholds, broadly, at least 50 employees or turnover or balance sheet above 10 million euro. Capstone: designing a segmented OT architecture This module's capstone exercise asks the learner to design a segmented operational technology (OT) architecture for a named critical-infrastructure scenario, synthesizing the entire course. A complete design references, at minimum: the IT, OT and Safety Instrumented System triad and its priority inversion (Module 0); the specific industrial control system (ICS) vocabulary involved: programmable logic controller (PLC), distributed control system (DCS), human-machine interface (HMI), and Supervisory Control and Data Acquisition (SCADA) (Module 1); the firmware and patching posture of the equipment in scope (Module 2); relevant historical precedent, confirmed and, where applicable, disputed (Modules 3 to 6); a kinetic-effect classification of the threats being defended against (Module 7); an International Electrotechnical Commission (IEC) 62443 zones-and-conduits design with physical segregation applied at the highest-assurance boundaries (Module 8); and the applicable regulatory regime, LPM/OIV, NIS2, or both, governing the scenario's reporting and audit obligations. This course's overall argument, synthesized here: OT and Safety systems invert IT's confidentiality-first priority toward availability and physical safety; a documented, and at points genuinely disputed, history of incidents shows the real stakes of getting that inversion wrong; IEC 62443 and physical segregation are the standing technical response; and the LPM's OIV regime and NIS2 are the standing regulatory response. Together, these form one coherent discipline, not a list of unrelated facts. Further reading See the course's own References section for ANSSI's SAIV page and the European Commission's NIS2 overview. Comparable enforcement stakes NIS2's enforcement mechanism is comparably significant to the French LPM's: essential entities found non-compliant face administrative fines of up to 10 million euro or 2 percent of total worldwide annual turnover, whichever is higher, with important entities facing a lower but still substantial ceiling of 7 million euro or 1.4 percent of turnover, penalties large enough that board-level risk committees across the EU's covered sectors have had to treat NIS2 compliance as a standing governance obligation rather than a technical team's isolated concern. NIS2 does not operate alone within the EU's critical-infrastructure regulatory landscape; the companion Critical Entities Resilience (CER) Directive, adopted alongside it, addresses physical and operational resilience for many of the same critical-infrastructure operators NIS2 covers from a cybersecurity angle, meaning a covered organization in practice typically manages parallel physical-resilience and cybersecurity obligations under two related but formally distinct EU legal instruments. This capstone's design exercise is where the course's two halves, the technical material of Modules 0 to 8 and this module's regulatory material, are meant to converge into one operating picture: a segmented OT architecture is not merely a network diagram that happens to satisfy an auditor, it is the same defense-in-depth structure this course has argued for throughout, expressed in a form that also happens to discharge the reporting, audit and qualified-product obligations LPM and NIS2 each impose on the organization operating it. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/)