The vendor is on the bridge for remote access, the engineering workstation is showing activity nobody scheduled, and the next maintenance window is six weeks out. That is when IT incident response habits fail in OT — when isolation stops the process, when patching voids the safety case, when the playbook written for Windows servers cannot tell you what to do about a Modicon PLC running production. This manual gives the working control systems engineer the architectural, governance, and defensive disciplines that hold up when the threat is real and the process cannot stop.

Inside these pages:

• Purdue model fluency that actually maps to a running plant — Levels 0 through 5 plus the Industrial DMZ at 3.5, applied to the network you already have
• Protocol-by-protocol risk treatment — Modbus, DNP3, EtherNet/IP, PROFINET, IEC 61850, OPC UA, and the legacy installed base, with hardening that works inside the timing budget
• The nine documented ICS-specific malware families — Stuxnet through FrostyGoop — and the SANS ICS Cyber Kill Chain that organizes how to detect them
• ISA/IEC 62443 in depth — Foundational Requirements, zones and conduits, SL-T versus SL-C versus SL-A, and what each stakeholder owns
• NERC CIP standard by standard — CIP-002 through CIP-014 plus CIP-015-1 internal network security monitoring, effective September 2, 2025
• Incident response that preserves operations — containment that does not stop the process, engineering-led recovery, forensic collection from PLCs and HMIs
• Supply chain discipline — vendor risk assessment, SBOM workflow, IEC 62443-4-1 supplier evaluation, and cloud service provider integration that does not bypass the IDMZ

Written for practicing control systems engineers, OT cybersecurity analysts, plant network architects, automation engineers, GICSP candidates, and ISA/IEC 62443 certificate candidates.