Summary & Next Steps
Remediation Prioritization Recap
Throughout this workshop, you used the P0-P3 framework to prioritize findings by operational impact. This hierarchy applies to every artifact you built today and every finding your monitoring program surfaces going forward:
| Priority | Criteria | Response | Example |
|---|---|---|---|
| P0 -- Active Exploitation | Direct exposure + confirmed active exploitation (CISA KEV, CISA ICS advisory, or vendor alert) + safety or operational impact | Immediate action (hours, not days) | FortiGate CVE-2025-59718 on an internet-facing admin interface with active exploitation confirmed by CISA KEV and Fortinet PSIRT |
| P1 -- Critical | Direct exposure + known exploit + safety or operational impact | Investigate within 24 hours | Internet-exposed remote access portal running a product version with a published exploit, but no confirmed active exploitation from CISA or vendor sources |
| P2 -- Urgent | Remote access exposure + credential risk, or vulnerable edge device without confirmed exploitation | Remediate within 1-2 weeks | Tier 1 personnel credentials in a recent breach, or a known-vulnerable edge device not yet in CISA KEV |
| P3 -- Planned | Information disclosure, configuration weaknesses, monitoring gaps | Remediate within 30-90 days | Excessive DNS information disclosure, stale subdomains, personnel with outdated professional profiles exposing technology details |
The baseline and monitoring program give you the visibility to apply this framework consistently. Without them, prioritization is guesswork.
What You Are Leaving With (8 Artifacts)
Each artifact builds on the ones before it. Together, they form a complete OT OSINT monitoring program -- from understanding the threat landscape to operationalizing the monitoring process.
| # | Artifact | Module | Purpose |
|---|---|---|---|
| 1 | Sector threat profile | M1 | Context for what you are defending against -- recent ICS/OT attacks in your sector, common TTPs, and exposure categories to investigate |
| 2 | External attack surface inventory | M2 | Categorized list of domains, subdomains, remote access services, and identified technologies with asset documentation fields |
| 3 | Personnel exposure inventory | M3 | Role-prioritized list of personnel with breach correlation, email patterns, and professional network exposure -- tiered by proximity to OT systems |
| 4 | Vulnerability correlation table | M4 | Exposed assets mapped to CVEs with CISA KEV status, P0-P3 priority ratings, and remediation tracking |
| 5 | Push-based alert configuration | M5 | Google Alerts, CISA ICS Advisory subscriptions, vendor PSIRT feeds, and breach notification services configured for continuous monitoring |
| 6 | Pull-based monitoring schedule | M5 | Structured weekly and monthly checklist specifying tools, queries, baseline comparisons, and OT-relevant finding criteria |
| 7 | Consolidated baseline document | M5 | Single document consolidating M2-M4 outputs with each item classified as known-good, accepted risk, needs remediation, or needs investigation |
| 8 | Operational runbook | M6 | Cadenced procedures (daily, weekly, monthly, quarterly) with specific tools, queries, triage criteria, escalation paths, and [CORE]/[FULL] labels |
These artifacts are not independent documents -- they are a connected system. The threat profile (1) tells you what to look for. The inventories (2-4) tell you what you have and where you are exposed. The monitoring infrastructure (5-6) watches for changes. The baseline (7) gives you a reference point. The runbook (8) keeps it all running.
Next Steps Beyond This Workshop
The program you built today is a foundation. These are the logical next steps, ordered by the value they add to the monitoring program:
Response Playbooks
Your runbook defines routine operations -- what to check and when. Playbooks define what to do when monitoring surfaces a specific finding type. Start with playbooks for your highest-impact scenarios:
- Exposed remote access: A new VPN portal or admin interface appears in Shodan/Censys that is not in your baseline
- Breached credentials: A Tier 1 or Tier 2 employee appears in a new breach with password or hash exposure
- Critical vulnerability on exposed asset: A P0 or P1 finding from your vulnerability correlation workflow -- for example, active exploitation confirmed by CISA KEV, CISA ICS advisory, or vendor PSIRT on an internet-facing edge device
Each playbook should define: who is notified, what immediate containment actions are taken, how the finding is validated, and how remediation is tracked to resolution.
Tabletop Exercises
Validate your playbooks before a real incident. Walk through scenarios using your actual artifacts: "The Monday morning KEV review shows CVE-2026-XXXXX added for FortiGate FortiOS 7.4.x. Your baseline shows two internet-facing FortiGate instances. Walk through your response." Tabletop exercises expose gaps in escalation paths, unclear ownership, and missing tool access before they matter.
Script Automation
The same AI clients you used throughout this workshop can generate scripts that automate your pull-based checks. Candidates for automation:
- crt.sh API queries with diff against baseline subdomain list
- CISA KEV JSON feed parsing with match against your asset inventory CPEs
- Shodan API queries for monitored IP ranges with change detection
- HIBP API lookups for domain-level breach monitoring (requires API key)
Start with the [CORE] procedures from your runbook -- these are the checks that run no matter what, so they benefit most from automation.
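The following script is an added example (not workshop material) of the KEV automation candidate above combined with the P0-P3 criteria from the prioritization table: it indexes a KEV-shaped JSON excerpt, matches it against rows from a vulnerability correlation table, and assigns a priority to each row. The feed excerpt and inventory rows are constructed sample data; the CVE-2026-XXXXX and CVE-2026-YYYYY identifiers are placeholders, and the asset names, row fields and function names are this example's own assumptions.

```python
import json

# Constructed KEV excerpt: field names follow the CISA KEV JSON schema, values are sample data.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-59718", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2025-12-18", "dueDate": "2026-01-08", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed rows from the vulnerability correlation table (artifact 4); XXXXX/YYYYY ids are placeholders.
INVENTORY = [
    {"asset": "fw-edge-01 admin UI", "cve": "CVE-2025-59718", "internet_facing": True,
     "edge_device": True, "published_exploit": True, "ot_impact": True},
    {"asset": "vpn-portal", "cve": "CVE-2026-XXXXX", "internet_facing": True,
     "edge_device": True, "published_exploit": True, "ot_impact": True},
    {"asset": "wan-router-02", "cve": "CVE-2026-YYYYY", "internet_facing": True,
     "edge_device": True, "published_exploit": False, "ot_impact": False},
    {"asset": "corp DNS zone (info disclosure)", "cve": None, "internet_facing": True,
     "edge_device": False, "published_exploit": False, "ot_impact": False},
]

def load_kev(feed_text):
    """Index the KEV feed by CVE id; membership means CISA-confirmed active exploitation."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}

def prioritize(row, kev):
    """Apply the workshop's P0-P3 criteria to one correlation-table row."""
    exposed = row["internet_facing"]
    in_kev = row.get("cve") in kev
    if exposed and in_kev and row["ot_impact"]:
        return "P0"  # direct exposure + KEV-confirmed exploitation + OT impact
    if exposed and row["published_exploit"] and row["ot_impact"]:
        return "P1"  # direct exposure + known exploit, no confirmed active exploitation
    if exposed and row["edge_device"] and row.get("cve"):
        return "P2"  # vulnerable edge device without confirmed exploitation
    return "P3"      # information disclosure / configuration weakness

def correlate(inventory, feed_text):
    """Return inventory rows with priority and KEV due date, highest priority first."""
    kev = load_kev(feed_text)
    findings = []
    for row in inventory:
        entry = kev.get(row.get("cve"))
        findings.append({"asset": row["asset"], "cve": row.get("cve"),
                         "priority": prioritize(row, kev), "in_kev": entry is not None,
                         "kev_due_date": entry["dueDate"] if entry else None})
    return sorted(findings, key=lambda f: f["priority"])
```

Calling `correlate(INVENTORY, KEV_SAMPLE)` yields the four rows ordered P0, P1, P2, P3; for a weekly run, replace `KEV_SAMPLE` with the downloaded catalog text and `INVENTORY` with your correlation table rows, and diff the output against the previous cycle's priorities.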
Program Maturity
As the program matures, build toward:
- Metrics: Track alerts received vs. actionable findings, triage response time, baseline changes per cycle, and open remediation aging. These demonstrate program value and identify where effort is wasted
- Stakeholder reporting: Quarterly briefings for management using the P0-P3 framework to frame findings and remediation progress
- Integration: Connect monitoring outputs to existing vulnerability management, change management, and incident response workflows
- Expansion: Add new monitoring targets as the organization's OT footprint changes -- new facilities, new vendors, new remote access technologies
Expanding Program Scope
This workshop covers the core operational disciplines: external attack surface discovery, personnel exposure analysis, vulnerability correlation, and monitoring operations. A mature ICS/OT OSINT program extends into additional capability areas that require dedicated training, specialized tools, or analytical expertise beyond what a 4-hour workshop can address. The following sections outline where the program goes from here.
Additional Capability Areas
Physical security and geospatial intelligence. Satellite and aerial imagery, facility perimeter reconnaissance, and publicly available mapping and permit data can reveal physical security posture, facility layouts, and infrastructure locations. For electric cooperatives and utilities, publicly filed documents often include substation locations, transmission line routes, and generation facility details that complement the digital attack surface you mapped in Module 2.
Supply chain and vendor exposure. Third-party vendors, system integrators, and managed service providers frequently have direct or VPN access to OT environments. Assessing their external posture -- exposed services, breach history, personnel exposure -- using the same techniques from Modules 2-4 extends the monitoring program to cover access paths that the organization does not directly control. The Texas water facility incidents in Module 1 illustrate what happens when vendor remote access becomes the attack vector.
Social media and open web monitoring. Threat actors discuss targets, share reconnaissance findings, and coordinate operations on public platforms. Monitoring for organizational mentions, sector-specific threat discussions, and operational security leakage (employees posting photos of control rooms, badge designs, or network diagrams) adds an early-warning layer that technical monitoring alone does not provide.
Financial and regulatory intelligence. Organizations in regulated sectors produce public filings that reveal operational details: FERC/NERC filings, Form 990s, rate case documents, capital improvement plans, and vendor contract disclosures. These documents can expose technology choices, infrastructure investments, and organizational structure that adversaries can use for targeting.
Technical intelligence (TECHINT). Firmware analysis, hardware identification from public procurement records, and protocol fingerprinting from publicly accessible services provide deeper technical intelligence about OT environments. This capability area typically requires specialized tooling and ICS/OT engineering knowledge beyond general OSINT techniques.
Incident and threat intelligence correlation. Connecting your monitoring findings to known threat actor TTPs, active campaigns, and sector-specific threat intelligence feeds transforms individual findings into actionable intelligence. Membership in sector ISACs (E-ISAC for electric utilities, WaterISAC for water/wastewater) provides access to threat intelligence sharing that contextualizes what your monitoring program detects.
Domestic Violent Extremism Research
DVE research is a recognized component of OSINT programs for critical infrastructure operators. Electric cooperatives and utilities are specifically named targets in publicly documented DVE attack planning, including physical attacks on substations and generation facilities. DVE monitoring requires additional specialized training beyond this workshop -- including source validation, analytical objectivity, bias mitigation, and proper handling of sensitive findings. This workshop does not cover DVE tradecraft. Organizations interested in building this capability should seek dedicated training from law enforcement partners (FBI InfraGard, DHS/CISA), sector ISACs, or specialized intelligence training programs.
Dark Web Monitoring
Dark web monitoring -- watching for credential dumps, ransomware group postings targeting your sector or organization, threat actor communications, and data leak forums -- is relevant to ICS/OT security programs. The breach monitoring techniques in Module 3 cover the surface web; dark web sources can surface compromised credentials, stolen data, and pre-attack reconnaissance before they appear in public databases. Effective dark web research requires specialized tools, operational security practices, and legal awareness that are beyond the scope of this workshop. Performing dark web research without proper training introduces risk: attribution errors, operational security failures, legal exposure, and collection of unreliable or manipulated intelligence. Seek dedicated training before attempting dark web research.
Resources
All workshop materials remain available on this site for reference after the workshop:
- Templates -- artifact templates for baseline, personnel inventory, vulnerability correlation, runbook, and monitoring checklist
- AI Copilot Prompt Library -- all AI prompts from Modules 1-6, organized by category and ready to copy
- Tool Reference -- browser-based OSINT tools with URLs and account requirements
- Vulnerability Intelligence Resources -- primary vulnerability sources, vendor PSIRTs, and exploit intelligence feeds