CutSec OT OSINT Program Workshop
Building an ICS/OT OSINT Monitoring Program
Workshop Overview
A 4-hour hands-on workshop teaching ICS/OT security professionals to build sustainable OSINT monitoring programs using AI-assisted workflows. Students work through 6 modules and leave with 8 operational artifacts they can use immediately.
This workshop focuses on the core disciplines of an ICS/OT OSINT monitoring program: external attack surface discovery, personnel exposure analysis, vulnerability correlation, and operationalizing the monitoring process. These are the capabilities every program needs first. A mature ICS/OT OSINT program extends well beyond what a single workshop can cover -- the Summary outlines where the program goes from here.
Schedule
| Module | Read | Lab | Total |
|---|---|---|---|
| M1: ICS/OT Threat Context | 5 min | 10 min | 15 min |
| M2: External Attack Surface Discovery | 10 min | 35 min | 45 min |
| M3: Personnel & Credential Exposure | 10 min | 30 min | 40 min |
| Break 1 | -- | -- | 10 min |
| M4: Vulnerability Correlation | 10 min | 30 min | 40 min |
| M5: Monitoring & Alerting Setup | 10 min | 40 min | 50 min |
| Break 2 | -- | -- | 10 min |
| M6: Runbook Development | 10 min | 25 min | 35 min |
| Summary & Next Steps | 10 min | -- | 10 min |
Prerequisites
- Laptop with web browser (Windows primary; macOS/Linux supported)
- AI client access (ChatGPT, Claude, or preferred AI assistant)
- Basic OSINT familiarity
- Optional: free-tier accounts for Shodan, Censys, and SecurityTrails
The Broader Program
The six modules in this workshop establish the operational foundation of an ICS/OT OSINT program. A complete program also incorporates capability areas that require additional training, specialized tools, or dedicated analytical expertise:
- Physical security and geospatial intelligence -- satellite and aerial imagery analysis, facility perimeter reconnaissance, publicly available mapping and permit data
- Supply chain and vendor exposure -- identifying third-party vendors, integrators, and service providers with access to OT environments and assessing their external posture
- Social media and open web monitoring -- tracking threat actor activity, sector-specific discussions, and operational security leakage on public platforms
- Financial and regulatory intelligence -- FERC/NERC filings, Form 990s, rate case documents, and other regulatory submissions that reveal infrastructure and operational details
- Technical intelligence (TECHINT) -- firmware analysis, hardware identification, and protocol fingerprinting from public sources
- Incident and threat intelligence correlation -- connecting external findings to known TTPs, threat actor campaigns, and sector-specific threat intelligence feeds
Two additional areas deserve specific mention because they are directly relevant to critical infrastructure operators but require specialized training beyond this workshop:
Domestic violent extremism (DVE) research is a recognized component of OSINT programs for critical infrastructure operators. Electric cooperatives and utilities are specifically named targets in publicly documented DVE attack planning. DVE research requires additional specialized training -- including source validation, analytical objectivity, bias mitigation, and proper handling of sensitive findings. Students interested in this area should seek dedicated training from law enforcement partners (FBI InfraGard, DHS/CISA), sector ISACs, or specialized intelligence training programs.
Dark web monitoring -- watching for credential dumps, ransomware group postings, threat actor communications, and data leak forums -- is relevant to ICS/OT security programs. Effective dark web research requires specialized tools, operational security practices, and legal awareness that are beyond the scope of this workshop. Performing dark web research without proper training introduces risk: attribution errors, operational security failures, legal exposure, and collection of unreliable or manipulated intelligence. Seek dedicated training before attempting dark web research.
The Summary & Next Steps page covers these areas in more detail and identifies where to continue building after this workshop.
Supporting Materials
Templates
Baseline, personnel inventory, vulnerability correlation, runbook, and monitoring checklist templates.
AI Copilot Prompts
All AI prompts from the workshop, organized by category and ready to copy.
Tool Reference
Browser-based OSINT tools used in the workshop with URLs and account requirements.
Vulnerability Intel
Primary vulnerability sources, vendor PSIRTs, and exploit intelligence feeds.
Worked Examples
NRECA worked examples for domain discovery, personnel analysis, vulnerability correlation, and alert configuration.