Suleyman Ozarslan, PhD | 8 MIN READ

CREATED ON July 01, 2025

Breach and Attack Simulation for ICS Security: Validating Controls Across IT/OT Environments

From smart factories to power plants, modern industrial operations depend on a blend of traditional IT systems and specialized OT systems. Cyber threats now routinely cross between these networks. Today’s adversaries don’t breach your control systems first; they breach your business systems and then pivot into your operational technology (OT) environment.

We’ve seen how a simple phishing email in the office network can lead to a plant shutdown, as was the case in infamous incidents like the Ukrainian power grid attack and the Colonial Pipeline breach. In fact, many of the most dangerous ICS-targeted campaigns in history, like those attributed to APT33, APT34, Dragonfly, OilRig, Sandworm, and Triton, began with IT-side compromises, exploiting endpoint weaknesses before jumping the boundary into OT.

Is Your Industrial Security Truly Battle-Tested?

This convergence of IT and OT means one thing for security leaders: your defenses need to be airtight across the board. But how can you be sure? Short of an actual cyberattack (which nobody wants), how do you know if your firewall rules, network and endpoint security controls, SIEMs, and incident response plans will hold up against a determined hacker? How do you know if your defenses can detect and stop an attacker moving from Level 4 to Level 2? 

The Problem: Assumptions About IT/OT Segmentation Are Not Enough

ICS security teams have long relied on the Purdue Model to separate enterprise systems from control networks. However, segmentation is effective only when actively enforced and regularly tested. Real-world threats commonly start with phishing, malicious downloads, or document exploits targeting IT endpoints. From there, they establish persistence, harvest credentials, and pivot across the Purdue levels. Some examples include:

  • APT33 and APT34: Deliver malware via email to IT workstations in critical infrastructure.

  • Dragonfly and Sandworm: Notorious for campaigns involving malware droppers and loaders that originate in business networks.

  • Triton and Industroyer2: Final payloads are ICS-specific, but delivery often begins with spear-phishing or backdoors dropped in enterprise systems.

These patterns underscore one key message: If you don’t validate your IT/OT controls regularly, you may be blind to adversaries already inside.
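As an added illustration of the kind of segmentation validation the paragraph above calls for (example code written for this page, not Picus's product or the original post's content), the Python below compares an expected Purdue zone-to-zone firewall policy with observed connectivity and reports paths that are open when they should be blocked, or blocked when operations require them. Zone names, hostnames, ports and the sample probe results are constructed assumptions.

```python
"""Purdue zone segmentation check: expected firewall policy vs. observed reachability."""
import socket
from dataclasses import dataclass

# Expected policy between Purdue zones (constructed example; replace with your own rules).
# Key: (source_zone, destination_zone) -> TCP ports that SHOULD be reachable.
# Any zone pair not listed is expected to be fully blocked.
EXPECTED_POLICY = {
    ("L4_enterprise", "L3.5_dmz"): {443, 3389},   # web and RDP to the jump host only
    ("L3.5_dmz", "L3_operations"): {1433},        # historian replication only
}

@dataclass(frozen=True)
class Probe:
    src_zone: str
    dst_zone: str
    dst_host: str
    port: int
    reachable: bool  # result of a harmless TCP connect attempt

def tcp_reachable(host, port, timeout=2.0):
    """Plain TCP connect from the zone this script runs in; no payload is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def evaluate(probes, policy=EXPECTED_POLICY):
    """Return (unexpected_open, unexpected_closed): probes that violate the policy."""
    unexpected_open, unexpected_closed = [], []
    for p in probes:
        should_reach = p.port in policy.get((p.src_zone, p.dst_zone), set())
        if p.reachable and not should_reach:
            unexpected_open.append(p)      # segmentation gap: attacker path exists
        elif not p.reachable and should_reach:
            unexpected_closed.append(p)    # required operational path is broken
    return unexpected_open, unexpected_closed

# Constructed results of a hypothetical run (no live probing performed here).
SAMPLE_PROBES = [
    Probe("L4_enterprise", "L3.5_dmz", "jump01.example", 3389, True),       # expected
    Probe("L4_enterprise", "L3.5_dmz", "jump01.example", 22, True),         # should be blocked
    Probe("L4_enterprise", "L3_operations", "hmi01.example", 3389, True),   # L4 -> L3 direct, must be blocked
    Probe("L3.5_dmz", "L3_operations", "hist01.example", 1433, False),      # required path broken
]

if __name__ == "__main__":
    open_paths, closed_paths = evaluate(SAMPLE_PROBES)
    for p in open_paths:
        print(f"VIOLATION: {p.src_zone} -> {p.dst_zone} ({p.dst_host}:{p.port}) reachable but policy denies it")
    for p in closed_paths:
        print(f"BROKEN: {p.src_zone} -> {p.dst_zone} ({p.dst_host}:{p.port}) required but unreachable")
```

To run it against your own zones, replace SAMPLE_PROBES with Probe objects built from tcp_reachable() executed from a host in each source zone, and schedule the run so drift in firewall rules is caught between BAS exercises.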

Breach and Attack Simulation (BAS) for Industrial Networks: Validating the Purdue Stack

Breach and Attack Simulation (BAS) is an automated platform that simulates real cyberattacks on your network in a controlled, harmless way. BAS functions as a continuous 'cybersecurity drill,' testing your organization's defenses safely. It’s like hiring an army of ethical hackers that work 24/7, constantly testing your defenses, but with zero risk to your actual operations. For environments with both IT and OT, BAS is a game-changer. It can mimic the tactics of malware and attackers that jump from IT to OT and evaluate whether your layered defenses can detect and stop an APT-style attack from initial IT compromise to OT impact.


Figure 1: Example of a converged IT/OT network architecture (based on the Purdue Model). Image Credit: Fortinet

Here’s how BAS applies across the Purdue levels:

Level 4/5 Enterprise IT or Corporate Networks

This zone hosts corporate business systems such as email, file servers, and user workstations—and is the most common entry point for ICS/OT intrusions. Stopping attackers here prevents lateral movement into OT. Given that most industrial breaches begin here, continuous validation at this level is crucial.

Key Threat Simulations at Level 4/5:

  • Spear-Phishing & Malware Droppers
    Advanced threat groups like APT27, APT33, and OilRig (APT34) frequently use email-based attacks. For instance, OilRig infiltrated Middle Eastern energy firms with spear-phishing emails carrying malicious attachments, and APT33 often employs phishing emails with weaponized Office documents or links. Sandworm (behind Ukraine’s 2015 grid attack) used Excel macros to deploy BlackEnergy malware. BAS can simulate these phishing tactics (attachments, links, macros) to validate your email security, endpoint detection, and SIEM alerts.

  • Drive-by Downloads & Supply Chain Trojans
    Dragonfly trojanized ICS software installers in a watering-hole attack, while threats like Shamoon, Petya/NotPetya can spread destructively. BAS drops inert test files or executables to see if anti-malware and application controls respond appropriately. Emulating ransomware (e.g., Shamoon 3, linked to APT33) tests behavioral detection.

Regular BAS exercises confirm whether email gateways, web filters, endpoint protection, and SIEM monitoring are effective. For example, simulating a Sandworm-style multi-step attack checks if the target workstation’s EDR blocks it and if alerts appear in the SIEM. Blocking threats at Level 4/5 prevents deeper intrusion into OT.

Level 3.5 (OT DMZ and Jump Servers)

Level 3.5 serves as the IT/OT demilitarized zone between enterprise and OT networks. It typically contains jump hosts, remote access gateways, data historians, and other intermediary systems that broker communications between IT and OT. Many real-world campaigns have used stolen credentials or malware on jump servers to reach OT.

Key Threat Simulations at Level 3.5:

  • Lateral Movement & Credential Theft
    Attackers who breach IT commonly move here next. During the 2015 Ukraine grid attack, Sandworm pivoted from IT into ICS networks. BAS can simulate an attacker on a compromised jump box attempting credential dumping or other pivot techniques, verifying if OT DMZ monitoring blocks or detects this behavior.

  • Malware Delivery Across IT/OT
    BAS can test if boundary defenses detect and stop malicious payloads like EKANS or LockerGoga. This confirms your segmentation, firewall rules, and intrusion detection are ready to prevent attacks from crossing into OT.

Level 3 (Operations & Controls)

Purdue Level 3 includes critical ICS operational components such as SCADA master stations, control servers, HMIs, I/O servers, historians, and engineering workstations. This is where IT and OT truly converge: Level 3 devices are often general-purpose computers (Windows or Linux) running specialized control software. They are crucial for operations, yet if compromised, they give attackers the “keys to the kingdom” in an ICS.

Key Threat Simulations at Level 3:

  • ICS-Focused APT Intrusions & Data Theft
    Groups like Dragonfly and Sandworm have stolen SCADA configurations and HMI screenshots after reaching Level 3. BAS can replicate these tactics using a cloned HMI or engineering workstation agent. This tests whether ICS-specific IDS or host-based logging detects malicious data collection or unusual transfers.

  • Destructive Malware on ICS Hosts
    Threats like EKANS/Snake, Meteor (used by Indra hacktivists), and other wipers can disrupt operations by killing PLC processes or encrypting system files. BAS can emulate ransomware or wiper behavior on a virtual HMI, checking if ICS incident response sees suspicious kills, ransom notes, or file encryption attempts. Repeated simulations (e.g., monthly or upon new OT malware intel) ensure ongoing readiness.

Because Level 3 is vital to production, BAS tools safely use cloned VMs or digital twins of real devices, allowing realistic tests without risking live systems.

Level 2 and Below (Control Networks)

These layers include local PLC supervisory interfaces (Level 2), controllers like PLCs and RTUs (Level 1), and physical equipment (Level 0). Attacks here directly affect industrial processes: opening breakers, halting turbines, or tampering with sensors.

  • Safety-First Testing
    Because direct interaction with PLCs or HMIs can endanger operations, BAS typically uses cloned engineering workstations or HMI images rather than live endpoints.

  • Simulating Malware & Protocol Misuse
    BAS can emulate threats like Triton, Havex, Darkside, LockerGoga, or KillDisk by deploying safe test patterns on these cloned systems to confirm if security measures detect and contain them before real processes are impacted.

By continuously testing these pivotal OT endpoints, organizations ensure attackers cannot escalate to critical physical operations.

Key Benefits of BAS for ICS Security

  • Reflects Real-World Threats: All simulation techniques map to actual campaigns from groups like OilRig, Indra, and DarkSide.

  • Detect Gaps Across the Purdue Model: From phishing to file drops to network traversal, BAS validates every stage.

  • Enhances IT/OT Visibility: Simulations identify specific vulnerabilities across network boundaries.

  • Minimizes Risk: BAS testing is safe and non-intrusive.

Applying Real-World ICS / OT Threat Simulations with Picus

Picus enables realistic threat simulations aligned with Purdue Model layers, such as the following Sandworm threat group campaign scenario:

  1. Email Delivery – A Kapeka backdoor malware is sent to a user (Picus Threat ID: 46557). Kapeka is a successor to Sandworm’s GreyEnergy malware (Picus Threat IDs: 47678 and 31724), which is itself the successor of the famous BlackEnergy malware (Picus Threat IDs: 31107 and 77923) used to insert malicious code into the Ukrainian power grid in 2015.

  2. Endpoint Execution – Simulating a Sandworm attack campaign on an endpoint, for example a campaign including the following actions: discovery, file transfer via a Bash script file, deploying a new cryptominer, persistence via cron jobs, obfuscating files, and executing an ELF file (Picus Threat ID: 34800).

  3. Command & Control – Simulated outbound C2 traffic, downloading additional files from C2 servers (Picus Threat ID: 34800).

  4. Movement to OT – The BAS platform can simulate attacks on clones of engineering workstations or HMIs, both of which typically run on Linux or Windows-based machines and are therefore susceptible to the same types of exploits seen in enterprise environments (e.g. Picus Threat ID: 34800).

Each simulation step provides validation of specific security controls: email filters, endpoint protection, SIEM alerts, and firewall policies.

Beyond Sandworm, Picus's comprehensive Threat Library includes attack campaigns from other threat groups targeting ICS and OT infrastructure, including APT33, APT27, and the DarkSide ransomware group. The platform also simulates ICS-targeting malware like BlackEnergy, Conficker, CrashOverride, EKANS/SNAKE, Havex, Industroyer2, LockerGoga, Petya, Shamoon, Triton, VPNFilter, and HatMan.

For organizations seeking rapid security validation, Picus provides two specialized Threat Templates: "Malware Targeting ICS & OT Systems" and "Threat Groups Targeting ICS & OT Systems."


Conclusion: Strengthening IT Defenses is Essential to Protect OT Environments

Attackers who compromise an engineer’s inbox or unsecured endpoints may eventually access critical controllers, engineering workstations, HMIs, or safety systems.

Breach and Attack Simulation proactively identifies vulnerabilities before adversaries exploit them. In converged environments, BAS is the only way to validate controls across the full Purdue Model. It’s how security teams move from assumption to assurance, and from reactive defense to proactive validation.
