ICS Kill Chain
Definition
The ICS Kill Chain describes the typical stages an attacker moves through to cause physical impact in industrial environments: initial entry in enterprise IT, pivoting into OT, learning the process, and finally manipulating controllers or safety systems.
Examples
- A phishing email compromises an engineer’s laptop (IT), the attacker pivots through the IDMZ, reaches the engineering workstation, and uploads altered PLC logic to stop a pump.
- Stolen vendor VPN credentials grant access to the jump host; the attacker uses default passwords on a gateway, discovers PLCs, and issues unsafe write commands.
Discover 🔎
Kill chains help defenders think like an attacker and place controls where they matter. In ICS, attacks often begin in enterprise IT, traverse the Industrial DMZ, and then target OT assets like HMIs, engineering workstations, PLCs/RTUs, historians, and sometimes safety systems. Because physical safety and uptime are at stake, your strategy is to break the chain early and often, using segmentation, strict remote access, protocol-aware monitoring, and disciplined backups.