Module 1: ICS/OT Threat Context
Overview
Before we start building an OSINT monitoring program, we need to understand why it matters. The attacks below were all enabled -- or made significantly worse -- by information that was publicly discoverable before the attack occurred.
Attacks Enabled by Public Exposure
| Incident | What Was Exposed | What Happened |
|---|---|---|
| Aliquippa Water Authority (Nov 2023) [1] | Unitronics PLCs discoverable via internet scanning; default password "1111" | Iranian-linked actors accessed water treatment SCADA systems |
| Colonial Pipeline (2021) [2] | VPN credential found in a breach database | $4.4M ransomware attack disrupted fuel pipeline operations across the U.S. East Coast |
| Texas Water Facilities (Jan 2024) [3] | Vendor remote access software exposed to the internet | Russian-linked actors accessed SCADA systems and posted video evidence of interaction |
| Fortinet FortiGate Campaign (Dec 2025) [4][5] | ~30,000 FortiGate admin interfaces with FortiCloud SSO exposed to the internet | Mass exploitation of CVE-2025-59718 (CVSS 9.8) within 3 days of disclosure; attackers stole device configurations and established rogue VPN tunnels |
In each case, the information an attacker needed -- exposed devices, breached credentials, vulnerable services -- was available through publicly accessible sources before the attack happened. A monitoring program that regularly checks these sources can identify exposures before adversaries exploit them.
The Problem
Most ICS/OT security teams do not have a systematic way to answer these questions:
- What does our organization look like from the outside?
- Which of our remote access services are visible on the internet?
- Have any of our employees' credentials appeared in breach databases?
- Are the specific products we deploy being actively exploited right now?
This workshop builds a repeatable OSINT monitoring process -- not a one-time assessment. You will leave with operational artifacts and procedures you can use starting tomorrow.
Lab: Generate a Sector Threat Profile
In this lab, you will use your AI client to generate a sector-specific threat profile. This document becomes the context for everything you do in the remaining modules.
Step 1: Open Your AI Client
Open your preferred AI assistant (ChatGPT, Claude, or other). You will use this throughout the workshop as a working partner for analysis, query generation, and document drafting.
Step 2: Generate Your Sector Threat Profile
Use the prompt template below, customized with your organization's sector, operational technology, and environment. Replace the bracketed fields with your own details:
I work at a [organization type -- e.g., "rural electric cooperative",
"municipal water utility", "food manufacturing company"]. We operate
[OT/ICS systems -- e.g., "SCADA/EMS systems for grid management",
"SCADA for plant process control", "DCS and PLC-based control systems"].
Generate a sector threat profile including:
1. Top 3 external exposure categories for the [sector] sector
2. Priority remote access technologies commonly deployed at
[organization type]
3. Key personnel roles that adversaries would target
4. Recent threat actor groups known to target [sector]
Worked Example: NRECA Electric Cooperative Sector
Using the prompt above for a rural electric cooperative (NRECA member):
I work at a rural electric cooperative that operates generation,
transmission, and distribution infrastructure. We are a member of
NRECA and operate SCADA/EMS systems for grid management.
Generate a sector threat profile including:
1. Top 3 external exposure categories for the electric cooperative sector
2. Priority remote access technologies commonly deployed at cooperatives
3. Key personnel roles that adversaries would target
4. Recent threat actor groups known to target the electric sector
Example AI Response (Electric Cooperative Sector)
Electric Cooperative Sector Threat Profile
Top 3 External Exposure Categories:
- Remote access infrastructure -- VPN portals (especially FortiGate, Cisco, SonicWall), RDP gateways, and vendor remote support tools are the primary entry points adversaries target. Many cooperatives maintain internet-facing administrative interfaces for these devices.
- SCADA/EMS web interfaces -- Energy management system dashboards, historian servers, and HMI web clients are sometimes reachable from the internet, particularly through misconfigured network segmentation or dual-homed systems.
- Email and credential exposure -- Employee credentials from third-party breaches, combined with predictable email formats (firstname.lastname@domain), enable credential stuffing attacks against VPN and webmail portals.
Priority Remote Access Technologies:
- Fortinet FortiGate SSL-VPN (widely deployed at cooperatives for site-to-site and remote admin access)
- Cisco AnyConnect / ASA
- TeamViewer, AnyDesk, or similar tools used by SCADA vendors for remote support
- Citrix or RDP-based virtual desktop environments
- OPC-UA gateways or data diodes with web management interfaces
Key Personnel Roles Targeted:
- SCADA/EMS administrators -- direct access to control systems
- IT administrators / CIO -- credentials often provide VPN and firewall admin access
- Plant managers -- operational authority, often have system access
- Executives (CEO, CFO) -- business email compromise and strategic intelligence
- Third-party integrator contacts -- shared credentials for vendor support access
Recent Threat Actor Groups:
- Volt Typhoon (PRC) -- pre-positioning in U.S. critical infrastructure, including energy sector, using living-off-the-land techniques
- CyberAv3ngers (Iran-linked) -- targeted water and energy infrastructure using default credentials on exposed PLCs
- Sandworm (Russia/GRU) -- history of targeting electric grids; responsible for Ukraine power grid attacks
- Various ransomware groups -- financially motivated attacks on utilities via exposed RDP and VPN credentials from breach databases
If you work in a different sector, here are additional starting points:
I work at a municipal water utility that operates water treatment
and distribution infrastructure serving 50,000 customers. We use
SCADA systems for plant process control and remote pump station
monitoring.
Generate a sector threat profile including:
1. Top 3 external exposure categories for the water/wastewater sector
2. Priority remote access technologies commonly deployed at water utilities
3. Key personnel roles that adversaries would target
4. Recent threat actor groups known to target water infrastructure
I work at a food and beverage manufacturing company with 12 plants
across the Midwest. We operate DCS and PLC-based process control
systems for batch production and packaging lines.
Generate a sector threat profile including:
1. Top 3 external exposure categories for the food manufacturing sector
2. Priority remote access technologies commonly deployed at manufacturing plants
3. Key personnel roles that adversaries would target
4. Recent threat actor groups known to target manufacturing
Generate your sector threat profile and save the output. You will reference this document in every remaining module.
Step 3: Review and Refine
Review the AI-generated profile for accuracy. Consider:
- Does the list of exposure categories match what you know about your environment?
- Are the remote access technologies accurate for your organization?
- Are there personnel roles or threat actors specific to your sector that the AI missed?
Edit the document to correct any gaps. This is your operational artifact -- the AI accelerates the drafting, but you validate the content.
Output
Artifact 1: Sector threat profile document. This profile provides the context for the remaining modules -- it identifies what exposure categories to investigate (Module 2), which personnel roles to prioritize (Module 3), what technologies to correlate against vulnerability databases (Module 4), and what keywords to monitor (Module 5).
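Because Artifact 1 feeds four later modules, it helps to keep it in a form that can be read by a script rather than only by eye. The added example below (not part of the workshop materials) does two things: it flags bracketed fields in a Step 2 prompt that were never replaced, and it parses a profile written in the same "Heading:" plus "- item -- note" layout as the example response above into per-module lists. The sample profile, the section-to-module mapping and the function names are constructed for this illustration.

```python
"""Check a Step 2 prompt and split Artifact 1 into inputs for Modules 2-5."""
import re

# Constructed sample: an abbreviated copy of the example AI response above.
SAMPLE_PROFILE = """Electric Cooperative Sector Threat Profile
Top 3 External Exposure Categories:
- Remote access infrastructure -- VPN portals (FortiGate, Cisco, SonicWall), RDP gateways
- SCADA/EMS web interfaces -- historian servers and HMI web clients reachable from the internet
- Email and credential exposure -- employee credentials from third-party breaches
Priority Remote Access Technologies:
- Fortinet FortiGate SSL-VPN (widely deployed at cooperatives)
- Cisco AnyConnect / ASA
Key Personnel Roles Targeted:
- SCADA/EMS administrators -- direct access to control systems
- IT administrators / CIO -- credentials often provide VPN and firewall admin access
Recent Threat Actor Groups:
- Volt Typhoon (PRC) -- pre-positioning in U.S. critical infrastructure
- Sandworm (Russia/GRU) -- history of targeting electric grids
"""

# Assumed mapping: a keyword found in a profile heading -> the module that consumes that section.
SECTION_TO_MODULE = {
    "exposure": "module_2_exposure_categories",
    "remote access": "module_4_technologies",
    "personnel": "module_3_personnel_roles",
    "threat actor": "module_5_keywords",
}
PLACEHOLDER_RE = re.compile(r"\[[^\]]*\]")          # e.g. "[organization type -- ...]"
TRAILING_PAREN_RE = re.compile(r"\s*\([^)]*\)$")     # e.g. " (PRC)"


def unfilled_placeholders(prompt):
    """Return bracketed template fields that were never replaced with real details."""
    return PLACEHOLDER_RE.findall(prompt)


def item_name(bullet):
    """Reduce '- Name -- note' or '- Name (note)' to the bare item name."""
    name = bullet[2:].split(" -- ", 1)[0]
    return TRAILING_PAREN_RE.sub("", name).strip()


def parse_profile(text):
    """Map each recognised section of a profile to the list of item names under it."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("- "):
            if current is not None:          # bullets outside a known section are ignored
                sections[current].append(item_name(line))
        elif line.endswith(":"):
            title = line[:-1].lower()
            current = next((m for k, m in SECTION_TO_MODULE.items() if k in title), None)
            if current is not None:
                sections.setdefault(current, [])
    return sections
```

Run `parse_profile(SAMPLE_PROFILE)` to see the four lists; a real profile that uses different headings needs its keywords added to `SECTION_TO_MODULE`.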
References
- MITRE ATT&CK -- Unitronics Defacement Campaign (C0031). https://attack.mitre.org/campaigns/C0031/
- CISA -- Alert AA20-049A: Ransomware Impacting Pipeline Operations. https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-049a
- Texas Department of Information Resources -- 2024 Cybersecurity Report. https://dir.texas.gov/sites/default/files/2024-11/2024%20Cybersecurity%20Report.pdf (PDF)
- CISA -- CVE-2025-59718 Added to Known Exploited Vulnerabilities Catalog. https://www.cisa.gov/news-events/alerts/2025/12/16/cisa-adds-one-known-exploited-vulnerability-catalog
- Dragos -- Poland Power Grid Attack: Electrum Targets Distributed Energy Facilities via Exposed FortiGate Devices. https://www.dragos.com/blog/poland-power-grid-attack-electrum-targets-distributed-energy-2025