Implementing the SANS 5 Critical ICS Cybersecurity Controls: A Practical Guide

Industrial environments are undergoing a dramatic transformation. The convergence of operational technology (OT) with IT and the Internet of Things (IoT) has unlocked new levels of efficiency, but it has also expanded the attack surface in ways few organizations anticipated. Industrial Control Systems (ICS), which manage everything from power grids to manufacturing lines, are no longer isolated. Instead, they are exposed to a diverse landscape of cyber threats, from state-sponsored groups to financially motivated ransomware operators.

The risks are no longer just digital; they are physical. In fact, a 2025 SANS survey found that more than one in four organizations (27%) experienced at least one ICS/OT security incident in the past year. This highlights how cyber risk has become an operational risk that organizations must manage alongside safety, production, and uptime.

The Expanding Attack Surface in OT Environments

Modern industrial environments are complex ecosystems that incorporate a mix of legacy technologies, as well as IoT and OT devices such as smart sensors, machinery, and automated controllers, each presenting a potential entry point for attackers. This mix of old and new technologies creates blind spots that adversaries are quick to exploit: legacy systems were built without security in mind, and the rapid proliferation of connected devices creates a sprawling attack surface that is hard to inventory and manage.

Why OT Visibility is Critical and Challenging

Comprehensive visibility is the foundation of OT security, but it’s difficult to achieve in environments filled with proprietary protocols, legacy systems, and undocumented devices. Without consistent asset discovery and monitoring, security teams can’t establish a baseline for normal activity, leaving gaps that allow attackers to move undetected. A purpose-built IoT/OT security platform can empower organizations and close this gap by delivering full asset inventories, continuous monitoring, and risk-based insights that make foundational ICS controls actionable.

What are the SANS Five ICS Cybersecurity Critical Controls?

Developed by leading experts at the SANS Institute, the ICS Five Critical Controls are a prioritized set of actions designed to provide the greatest risk reduction for industrial organizations. They are not an exhaustive list but a strategic starting point, focusing on the most effective defenses against known cyber threats targeting industrial infrastructure. These five pillars form the foundation of an effective ICS/OT security framework, guiding organizations to build a resilient and defensible posture. With tools like Asimily, organizations can meet these requirements and achieve better OT security.

ICS Critical Control 1 – ICS-Specific Incident Response Plan

An incident in an OT environment can have physical consequences, impacting safety, production, and environmental stability. While many organizations maintain IT-centric incident response plans to protect corporate systems, these do not address the full range of risks in OT environments. An ICS-specific plan must reflect the unique operational constraints and cyber-physical risks of industrial systems. It should include:

  • Scenario-driven playbooks tailored to OT environments
  • Defined communication channels across IT, security, and operations
  • Response actions that prioritize safety, service continuity, and root cause analysis
  • Consideration of specialized equipment and operational safety requirements

How Asimily Helps

Asimily provides the foundational OT visibility needed to build and execute an ICS-specific incident response plan. By delivering real-time intelligence on every IoT and OT device in the network, it gives teams the context to act decisively. This way, when an alert is triggered, responders can quickly pinpoint impacted devices, evaluate their criticality and connections to other devices on the network, and understand risk. This visibility supports faster containment, root cause analysis, and targeted remediation, helping organizations reduce operational disruption and enhance resilience.

ICS Critical Control 2 – Defensible Architecture

A defensible architecture reduces as much risk as possible through thoughtful system design and implementation while enabling security and IT teams to do their jobs effectively. Common elements include asset identification and inventory of critical systems, using network segmentation to create “choke points” that limit an attacker’s ability to move laterally throughout the network, and managed network infrastructure to support monitoring and log collection. A defensible architecture also allows organizations to enter a “defensible cyber position” by reducing unnecessary connectivity during heightened risk scenarios.

How Asimily Helps

A robust device inventory does more than enhance OT visibility; it accelerates defensible architecture design by automatically discovering, classifying, and inventorying all connected IoT and OT assets, even unmanaged shadow devices. The Asimily platform draws on multiple data sources to build a complete record of each device, including firmware versions, serial numbers, and its role within the network. With deep packet inspection and protocol analysis, Asimily enriches this inventory with communication patterns and network context, enabling more accurate device categorization and risk assessment.

This intelligence provides the foundation for targeted segmentation, also available within the Asimily platform. Security teams can define communication policies, validate segmentation rules, and ensure that boundaries are enforced across the OT environment, thereby strengthening network resilience.

ICS Critical Control 3 – ICS Network Visibility and Monitoring

As SANS notes, an ICS is really a “system of systems.” Each OT environment consists of many subsystems—PLCs, HMIs, sensors, controllers, and engineering workstations—that interact to drive industrial processes. Monitoring network traffic across these subsystems is the only way to fully understand how devices interact, and to detect when those interactions deviate from normal. 

Effective monitoring requires:

  • Passive collection of ICS network traffic
  • Deep packet inspection to understand native industrial protocols
  • Baselining of normal operations to detect deviations

Beyond threat detection, robust monitoring should also:

  • Support root cause analysis of operational incidents
  • Validate other controls, such as defensible architecture and secure remote access
  • Provide asset inventory and topology mapping
  • Identify vulnerabilities across OT devices and systems
  • Detect adversary tactics, techniques, and procedures (TTPs)
  • Aggregate and enrich data to support investigations and efficient incident response
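The baselining step above is the core of the control: record what normally talks to what, then flag conversations that fall outside that record. The following is an added example (not Asimily's code or SANS material) that builds a baseline from constructed flow records, as a passive sensor might emit them, and ranks deviations by how much they matter to a controller. The Modbus operation names are illustrative labels, not decoded captures.

```python
from collections import Counter

# Constructed flow records: (source, destination, protocol, operation).
LEARNING_WINDOW = [
    ("10.1.1.20", "10.1.2.5", "modbus", "read_holding_registers"),   # SCADA poll
    ("10.1.1.20", "10.1.2.6", "modbus", "read_holding_registers"),
    ("10.1.1.30", "10.1.2.5", "modbus", "write_single_register"),    # engineering workstation
    ("10.1.1.20", "10.1.2.5", "modbus", "read_holding_registers"),
]

MONITORED = [
    ("10.1.1.20", "10.1.2.5", "modbus", "read_holding_registers"),   # matches baseline
    ("10.1.5.77", "10.1.2.5", "modbus", "write_single_register"),    # never-seen host writing
    ("10.1.1.20", "10.1.2.5", "modbus", "write_multiple_coils"),     # known pair, new operation
]

# Operations that change controller state; a deviation involving these
# deserves a higher severity than a new read-only poll.
WRITE_OPERATIONS = {"write_single_register", "write_multiple_coils"}

def build_baseline(flows):
    """Count every (src, dst, proto, op) tuple observed during the learning window."""
    return Counter(flows)

def classify(flow, baseline):
    """Return 'baseline' for known traffic, otherwise a severity-tagged deviation label."""
    src, dst, proto, op = flow
    if flow in baseline:
        return "baseline"
    known_pair = any(b[0] == src and b[1] == dst for b in baseline)
    if op in WRITE_OPERATIONS and not known_pair:
        return "high: unknown host writing to controller"
    if known_pair:
        return "medium: known pair, new operation"
    return "low: new read-only conversation"

def detect_deviations(monitored, baseline):
    """Pair each non-baseline flow with its classification, in observation order."""
    findings = []
    for flow in monitored:
        label = classify(flow, baseline)
        if label != "baseline":
            findings.append((flow, label))
    return findings

if __name__ == "__main__":
    for flow, label in detect_deviations(MONITORED, build_baseline(LEARNING_WINDOW)):
        print(label, flow)
```

In practice the learning window is validated with operations staff before it is trusted, since any unauthorized traffic present during learning would otherwise be baked into the baseline.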

How Asimily Helps

Notably, ICS Control 3 is often the point where organizations begin evaluating security solutions. The depth and breadth of monitoring requirements typically exceed what internal teams can manage without dedicated tooling.

Asimily delivers continuous, passive monitoring purpose-built for OT networks. Its deep packet inspection and protocol analyzer establish baselines of device behavior and communication patterns, while automatically capturing configuration snapshots to detect drift. By surfacing anomalous traffic, unauthorized configuration changes, and other indicators of compromise, Asimily provides the enriched visibility SANS calls for. This combination of traffic analysis, device context, and configuration intelligence enables earlier threat detection, faster investigations, and more resilient recovery from both cyber and operational disruptions.

ICS Critical Control 4 – Secure Remote Access

Remote access has become table stakes for operating in a highly connected, digital economy. A wide range of personnel, including vendors, engineers, and support staff, need access to ICS systems as part of their job duties. However, remote access also introduces one of the most significant risks to OT environments.

A secure remote access program should include:

  • Multi-factor authentication (MFA) to reduce the risk of externally accessible connections
  • Least-privilege access controls so users can only access the data and systems necessary for their job duties
  • Session logging and auditing for accountability
  • Compensating controls (jump hosts, choke points, traffic inspection) when MFA is not feasible
  • Capability to disable connections during incidents or heightened threat conditions

How Asimily Helps

Asimily identifies and monitors all network-accessible IoT and OT devices, and maps how these devices connect and communicate across the network. This gives security teams the visibility they need to enforce strong access controls, such as MFA, and apply least-privilege policies where required. As a result of these insights, security teams can take actionable steps to reduce the expanded attack surface, ultimately allowing organizations to secure OT with confidence.

ICS Critical Control 5 – Risk-Based Vulnerability Management

The traditional IT-style cadence for vulnerability management is to scan and patch everything; this is often impractical in OT environments. Patching a critical controller could require a complete shutdown, leading to massive operational and financial losses. Instead, SANS advocates for a risk-based approach as opposed to focusing solely on the Common Vulnerability Scoring System (CVSS) score of an OT vulnerability. Organizations should make prioritized patching decisions based on the potential operational impact by identifying critical assets, understanding which vulnerabilities attackers are actively exploiting, and assessing the possible consequences of a compromise. When patching is not feasible, the focus shifts to implementing compensating controls, such as enhanced monitoring or network segmentation, to mitigate the risk without disrupting operations.
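To make the contrast with CVSS-only prioritization concrete, here is an added example (not Asimily's scoring model or a SANS formula) that ranks constructed findings by asset criticality, network exposure, and active exploitation, with CVSS as only the base term, and then picks patch-versus-compensating-control actions. The weights, the 2.0 decision threshold, and the CVE identifiers are illustrative placeholders.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    cve: str              # placeholder identifier, not a real advisory
    cvss: float           # vendor/NVD severity, 0..10
    criticality: int      # 1 (ancillary) .. 5 (safety/production critical), set by operations
    exposed: bool         # reachable from outside its segment, per the asset inventory
    exploited: bool       # listed by threat intelligence as actively exploited
    patch_needs_outage: bool

def risk_score(f: Finding) -> float:
    """Scale raw severity by consequence and reachability rather than using CVSS alone."""
    score = f.cvss / 10.0            # severity as a 0..1 base term
    score *= f.criticality           # consequence of losing this asset
    score *= 2.0 if f.exposed else 1.0
    score *= 2.0 if f.exploited else 1.0
    return round(score, 2)

def recommend(f: Finding) -> str:
    """Map a score to an action; unpatchable-without-outage assets get compensating controls."""
    if risk_score(f) < 2.0:
        return "track; address during routine maintenance"
    if f.patch_needs_outage:
        return "compensating controls now (segmentation, enhanced monitoring); patch at next planned outage"
    return "patch in next maintenance window"

def prioritize(findings):
    """Highest operational risk first."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed findings: a critical-CVSS issue on an isolated historian versus a
# medium-CVSS, actively exploited issue on an exposed production PLC.
FINDINGS = [
    Finding("historian-01",  "CVE-XXXX-0001", 9.8, 2, False, False, False),
    Finding("plc-line3",     "CVE-XXXX-0002", 6.5, 5, True,  True,  True),
    Finding("hmi-packaging", "CVE-XXXX-0003", 7.5, 3, True,  False, False),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.asset:14} cvss={f.cvss:<4} risk={risk_score(f):<6} -> {recommend(f)}")
```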

How Asimily Helps

The Asimily platform was built for IoT risk management. It passively scans networks for OT and IoT devices without causing operational impacts and downtime, giving organizations the insights they need to make informed patching decisions. 

Beyond scanning, Asimily correlates vulnerabilities with asset criticality, network accessibility, and real-world threat intelligence. It uses industry standards to identify, analyze, and rank critical vulnerabilities based on their risk to operations, not just a CVSS score, providing targeted recommendations for vulnerability management by surfacing the simplest actions to reduce risk. This approach guides efficient vulnerability management, helping security teams focus on the risks that matter most while suggesting compensating controls when patching isn’t feasible.

Build a Robust ICS Security Program with Asimily

The SANS Five Critical Controls provide a clear, prioritized path to securing industrial infrastructure. But implementing them effectively requires deep, contextual visibility that traditional IT tools alone cannot deliver.

Asimily closes this gap by streamlining asset discovery, monitoring, vulnerability prioritization, and configuration intelligence into a single IoT/OT security platform. With Asimily, organizations can move beyond generic IT approaches that don’t align with the unique challenges of OT environments and implement controls aligned to the unique risks and operational requirements of industrial systems.

By combining the proven SANS framework with an OT security platform purpose-built for risk reduction and operational resilience, organizations can build a stronger ICS security posture designed to safeguard uptime, safety, and trust in today’s connected industrial economy.