
IoT and OT Security — SCADA, Shodan, and Firmware Analysis for Beginners

What Is IoT and OT Security and Why Does It Matter?


NIST SP 800-183 (Networks of Things) defines the foundational architecture for IoT systems, while the OWASP IoT Top 10 identifies the most critical security risks for connected devices. ICS-CERT (now CISA ICS) has published over 4,000 advisories on vulnerabilities in industrial control systems, underscoring the scale of the threat to operational technology.

IoT and OT security is one of the most critical and rapidly growing areas in cybersecurity because connected devices now control everything from home thermostats to water treatment plants, power grids, and manufacturing lines. The convergence of Information Technology (IT) and Operational Technology (OT) has created an attack surface that most organisations are not prepared to defend.

For career changers studying for CompTIA Security+ SY0-701 or CEH v13, IoT and OT security appears across multiple exam domains. Entry-level security roles in critical infrastructure, manufacturing, utilities, and government increasingly require understanding of how connected devices and industrial control systems are secured.

IoT security became personal for me when I realised how many connected devices were already in my life — a smart TV, a Wi-Fi router, a fitness tracker, a doorbell camera. None of them had I ever updated. None of them had I checked the default credentials on. I was studying cybersecurity and my own home network was a textbook example of what not to do. That realisation made IoT security feel urgent and practical, not just another exam topic to memorise.

Certification objective: CompTIA Security+ SY0-701 Domain 2 covers IoT vulnerabilities and embedded system risks. CEH v13 Module 18 covers IoT and OT hacking, including SCADA/ICS attacks, Shodan reconnaissance, and firmware analysis.

What Do Real-World IoT and OT Attacks Look Like?


The MITRE ATT&CK for ICS framework catalogues over 80 adversary techniques specifically targeting industrial control systems, based on documented real-world attacks against critical infrastructure including power grids, water treatment facilities, and manufacturing plants.

These are not hypothetical scenarios. IoT and OT attacks have caused real physical damage, endangered public safety, and cost organisations millions.

| Incident | Target | Impact | Attack method |
|---|---|---|---|
| Mirai botnet (2016) | IoT devices (cameras, routers, DVRs) | 600+ Gbps DDoS attack on Dyn DNS, taking down Twitter, Netflix, Reddit, and GitHub | Scanned for devices with default credentials; infected 600,000+ devices worldwide |
| Oldsmar water treatment (2021) | Florida water treatment SCADA | Attacker increased sodium hydroxide (lye) to 111x safe levels — operator caught it in real time | Remote access via TeamViewer using shared credentials; no MFA |
| Ukraine power grid (2015) | Three regional electricity distribution companies | 230,000 customers lost power for 1-6 hours in the first confirmed cyberattack on a power grid | Spear phishing, then BlackEnergy malware to access SCADA systems and open circuit breakers |
| Triton/TRISIS (2017) | Saudi Arabian petrochemical plant | Targeted Safety Instrumented Systems (SIS) designed to prevent catastrophic failure — could have caused an explosion | Custom malware targeting Triconex safety controllers; attributed to a nation-state actor |
| Verkada camera breach (2021) | 150,000+ security cameras across hospitals, prisons, schools, Tesla | Live feeds accessed and recorded; exposed sensitive environments | Hardcoded credentials found in Verkada’s development infrastructure |
| Colonial Pipeline (2021) | Fuel pipeline OT systems | Pipeline shut down for 6 days; fuel shortages across US East Coast; $4.4M ransom paid | VPN credential compromise (no MFA); IT attack forced OT shutdown as a precaution |

The Mirai botnet is particularly instructive for beginners. It exploited one of the simplest vulnerabilities possible — default usernames and passwords on IoT devices. The attacker, a university student, scanned the internet for devices using credentials like admin/admin, root/root, and default/default. With 600,000 compromised devices, the botnet generated enough traffic to disrupt major internet services globally.

NIST SP 800-82 (Guide to ICS Security) defines the Purdue Model as the standard reference architecture for segmenting IT and OT networks, establishing the foundational security principle that IT and OT systems must be separated by a dedicated demilitarised zone (DMZ).

Think of IoT and OT like the nervous system of a building or factory. Sensors are like nerve endings that detect temperature, pressure, motion, and flow. Gateways are like the spinal cord, aggregating signals and routing them to the brain. The cloud or control centre is the brain, processing data and sending commands back down. Actuators are the muscles, opening valves, starting motors, and triggering alarms.

When any part of this nervous system is compromised — a sensor sends false readings, a gateway is intercepted, or the brain receives malicious commands — the physical world responds. Unlike IT attacks where you lose data, OT attacks can cause explosions, contaminate water, or shut down power grids.

| Term | What it means | Example |
|---|---|---|
| IoT (Internet of Things) | Network-connected devices with sensors and software that collect and exchange data | Smart cameras, thermostats, wearables, connected medical devices |
| OT (Operational Technology) | Hardware and software that monitors and controls physical processes | Factory PLCs, SCADA systems, building management systems |
| ICS (Industrial Control Systems) | Umbrella term for systems that manage industrial processes | Includes SCADA, DCS, and PLCs |
| SCADA | Supervisory Control and Data Acquisition — remote monitoring and control of distributed infrastructure | Water treatment, power grids, oil pipelines |
| PLC (Programmable Logic Controller) | Industrial computer that controls specific physical processes | Controls a motor, valve, conveyor belt, or pump |
| HMI (Human-Machine Interface) | Screen or panel that operators use to monitor and control industrial processes | Touch-screen display showing tank levels in a water plant |
| DCS (Distributed Control System) | Control system where controllers are distributed throughout the plant | Used in manufacturing, chemical plants, refineries |
| RTU (Remote Terminal Unit) | Field device that collects data from sensors and sends it to SCADA | Monitors pipeline pressure at a remote location |

The Purdue Model (also called the Purdue Enterprise Reference Architecture) is the standard framework for understanding and segmenting IT/OT networks. It defines layers from the physical process at the bottom to the enterprise network at the top.

IoT/OT Architecture — The Purdue Model

Layered architecture from physical processes to enterprise IT — security requires segmentation between layers

  • Level 5: Enterprise Network. Corporate IT — email, ERP, business applications, internet access.
  • Level 4: IT/OT DMZ. Data historians, patch servers, security monitoring — the critical boundary.
  • Level 3: Site Operations. SCADA servers, HMI workstations, engineering stations.
  • Level 2: Area Control. PLCs, RTUs, DCS controllers — the automation layer.
  • Level 1: Basic Control. Sensors, actuators, safety systems — direct process interface.
  • Level 0: Physical Process. The actual physical process — water flow, temperature, pressure, motor speed.

The critical security principle is segmentation between layers. The IT/OT DMZ (Level 4) should be the only connection point between enterprise IT (Level 5) and OT systems (Levels 0-3). When this boundary is breached or missing — as in the Colonial Pipeline incident — IT compromises can cascade into OT shutdowns.

Shodan is a search engine for internet-connected devices. Unlike Google, which indexes web pages, Shodan indexes banners — the metadata that devices broadcast when queried. This includes device type, firmware version, open ports, and sometimes default credentials.

Attackers use Shodan to find vulnerable IoT and OT devices exposed to the internet. Defenders use it to discover their own exposed assets before attackers do.

# Shodan CLI — search for SCADA systems
shodan search "scada" --fields ip_str,port,org
# Find exposed Modbus devices (common ICS protocol)
shodan search "port:502 modbus"
# Search for specific PLC brands
shodan search "Siemens S7" --fields ip_str,port,org,country
# Find webcams with default credentials
shodan search "Server: webcamXP" --fields ip_str,port,org
# Check your own organisation's exposure
shodan search "org:\"Your Organisation Name\""

Unlike IT networks that use standardised, secure protocols (TLS, SSH), many ICS protocols were designed decades ago for reliability, not security. They lack authentication, encryption, and integrity checks.

| Protocol | Use case | Security weakness |
|---|---|---|
| Modbus | Communication between PLCs, RTUs, and SCADA | No authentication, no encryption, commands sent in cleartext |
| DNP3 | Used in utilities (power, water) for SCADA communication | Originally no authentication; Secure Authentication added later but adoption is slow |
| OPC | Data exchange between industrial devices and software | Classic OPC uses DCOM (Windows RPC) — broad attack surface |
| BACnet | Building automation (HVAC, lighting, access control) | No built-in authentication or encryption in standard mode |
| EtherNet/IP | Industrial Ethernet for PLCs and I/O devices | CIP protocol lacks authentication; relies on network segmentation for security |

IoT device firmware often contains hardcoded credentials, unpatched vulnerabilities, and insecure configurations. Firmware analysis is the process of extracting and examining this code.

# Extract firmware filesystem using binwalk
binwalk -e firmware.bin
# Analyse entropy to identify compressed/encrypted sections
binwalk -E firmware.bin
# Search extracted filesystem for credentials
grep -r "password\|passwd\|secret\|api_key" _firmware.bin.extracted/
# Find configuration files
find _firmware.bin.extracted/ -name "*.conf" -o -name "*.cfg" -o -name "*.ini"
# Check for SSL/TLS certificates and private keys
find _firmware.bin.extracted/ -name "*.pem" -o -name "*.key" -o -name "*.crt"
# Identify binary architectures (ARM and MIPS are common in IoT); binwalk places
# an extracted SquashFS under squashfs-root/
file _firmware.bin.extracted/squashfs-root/usr/bin/*
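The entropy scan that `binwalk -E` performs can be reproduced by hand, which makes it clearer what the tool is telling you: compressed or encrypted regions look random (entropy near 1.0), padding is flat (near 0), and code or text sits in between. The following is an added example, not code from the page or the binwalk project; it scans a constructed firmware-like image, and the 1 KiB block size and the 0.30/0.90 thresholds are assumptions.

```python
"""Block-entropy scan of a firmware image (added example, not from binwalk)."""
import math
import random
from collections import Counter

BLOCK_SIZE = 1024          # assumption: 1 KiB blocks, fine enough to see section edges
HIGH = 0.90                # assumption: at or above this, treat as compressed/encrypted
LOW = 0.30                 # assumption: at or below this, treat as padding/empty


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy normalised to 0..1 (1.0 means 8 bits per byte, i.e. random-looking)."""
    if not block:
        return 0.0
    n = len(block)
    counts = Counter(block)
    bits = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return bits / 8.0


def classify(value: float) -> str:
    """Map a normalised entropy value to the label an analyst cares about."""
    if value >= HIGH:
        return "high (compressed/encrypted)"
    if value <= LOW:
        return "low (padding/empty)"
    return "medium (code/text)"


def entropy_map(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Return one (offset, entropy, label) tuple per block of the image."""
    result = []
    for offset in range(0, len(image), block_size):
        e = shannon_entropy(image[offset:offset + block_size])
        result.append((offset, round(e, 3), classify(e)))
    return result


def regions(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Merge consecutive blocks with the same label into (start, end, label) regions."""
    merged = []
    for offset, _, label in entropy_map(image, block_size):
        if merged and merged[-1][2] == label:
            merged[-1] = (merged[-1][0], offset + block_size, label)
        else:
            merged.append((offset, offset + block_size, label))
    return merged


def build_sample_image() -> bytes:
    """Constructed image: 2 KiB of bootloader text, 2 KiB of 0xFF padding, 4 KiB of random bytes.

    The random section stands in for a compressed SquashFS; a seeded generator
    keeps the example deterministic.
    """
    rng = random.Random(1234)
    header = b"FIRMWARE v2.1 bootloader config baud=115200 root=/dev/mtdblock2\n" * 32
    padding = b"\xff" * (2 * 1024)
    squashfs = bytes(rng.getrandbits(8) for _ in range(4 * 1024))
    return header + padding + squashfs


if __name__ == "__main__":
    for start, end, label in regions(build_sample_image()):
        print(f"0x{start:06x}-0x{end:06x}  {label}")
```

On a real image, feed the file contents to `regions()`; a high-entropy region with no recognisable signature in `binwalk firmware.bin` output is the usual sign of an encrypted section that extraction alone will not open.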

The Mirai botnet’s attack methodology was devastatingly simple:

  1. Scan random IP addresses for devices with open Telnet (port 23) or SSH (port 22).
  2. Attempt login using a dictionary of 62 common default credential pairs.
  3. On successful login, download and execute the Mirai payload.
  4. The infected device joins the botnet and begins scanning for more victims.
# Example of the type of credentials Mirai used (DO NOT use against devices you don't own)
# admin:admin
# root:root
# admin:password
# root:default
# admin:1234
# user:user
# Nmap scan to identify IoT devices on a local network (lab only)
nmap -sV -p 23,80,443,8080,8443 192.168.1.0/24
# Check for default web interfaces
curl -s http://192.168.1.1 | grep -i "title"

The OWASP Internet of Things Top 10 identifies the most critical security risks for IoT devices and systems.

| Rank | Risk | Description |
|---|---|---|
| I1 | Weak, guessable, or hardcoded passwords | Default credentials, easily brute-forced passwords, or credentials embedded in firmware |
| I2 | Insecure network services | Unnecessary or insecure services exposed, including unencrypted management interfaces |
| I3 | Insecure ecosystem interfaces | Vulnerable web, API, cloud, or mobile interfaces used to manage the device |
| I4 | Lack of secure update mechanism | No ability to securely update firmware, or updates transmitted without validation |
| I5 | Use of insecure or outdated components | Deprecated libraries, unpatched OS, and vulnerable third-party software |
| I6 | Insufficient privacy protection | Personal data collected and stored insecurely or shared without consent |
| I7 | Insecure data transfer and storage | Sensitive data transmitted in cleartext or stored without encryption |
| I8 | Lack of device management | No ability to inventory, monitor, or manage devices at scale in production |
| I9 | Insecure default settings | Devices shipped with insecure defaults that users are unlikely to change |
| I10 | Lack of physical hardening | No tamper detection, exposed debug ports, or removable storage with sensitive data |

How Does IoT/OT Security Fit Into a Security Architecture?


NIST SP 800-82 Rev. 3 emphasises that effective ICS security requires network segmentation based on the Purdue Model, with the IT/OT DMZ serving as the sole controlled connection point between enterprise IT and operational technology systems.

IT Security vs OT Security Priorities

IT Security
  • CIA priority: Confidentiality first. Protect data secrecy — breaches expose personal and business information.
  • Patch frequently. Regular update cycles; downtime for patching is acceptable.
  • 3-5 year lifecycle. Hardware and software refreshed regularly.
  • Standard protocols. TCP/IP, TLS, SSH — well-understood and actively maintained.
  • Virtual environments. Cloud, virtualisation, containers — abstracted from hardware.

OT Security
  • AIC priority: Availability first. Keep systems running — downtime can mean physical danger or production loss.
  • Patch rarely. Patching requires scheduled maintenance windows; some systems cannot be taken offline.
  • 15-25 year lifecycle. Industrial equipment runs for decades; legacy systems everywhere.
  • Legacy protocols. Modbus, DNP3, BACnet — designed for reliability, not security.
  • Physical processes. Controls real-world equipment — valves, motors, generators, pumps.

Verdict: IT prioritises Confidentiality; OT prioritises Availability. Applying IT security practices directly to OT environments can be dangerous — taking a PLC offline to patch it might stop a production line or disrupt critical infrastructure.

Use case: Security professionals working in converged IT/OT environments must understand both mindsets. The biggest risk comes from applying IT assumptions to OT systems.

Historically, OT systems were air-gapped — completely isolated from IT networks and the internet. This is no longer the case. Organisations connect OT to IT for:

  • Remote monitoring — Operators can check system status from anywhere.
  • Data analytics — Process data feeds into business intelligence systems.
  • Cost reduction — Shared infrastructure and centralised management.
  • Regulatory compliance — Reporting requirements that need data aggregation.

This convergence creates the challenge: OT systems designed for isolated, trusted networks are now exposed to the same threats as IT systems, but without the same security controls, patching capabilities, or monitoring tools.

What Does IoT/OT Security Assessment Look Like in Practice?


The OWASP IoT Top 10 and NIST SP 800-82 together provide the assessment framework for evaluating IoT device security and ICS/SCADA system hardening in both lab and production environments.

These commands are for learning and authorised testing in lab environments only.

# Discover devices on your local network
nmap -sn 192.168.1.0/24
# Service detection on discovered IoT devices
nmap -sV -p 1-65535 192.168.1.100
# Identify ICS protocols
nmap -sV -p 502,102,47808,44818,20000 192.168.1.0/24
# Port 502 = Modbus
# Port 102 = Siemens S7comm
# Port 47808 = BACnet
# Port 44818 = EtherNet/IP
# Port 20000 = DNP3
# Banner grabbing for device identification
nmap -sV --script=banner 192.168.1.100
# Capture Modbus traffic on a specific interface
tshark -i eth0 -f "port 502" -w modbus_capture.pcap
# Read captured Modbus traffic
tshark -r modbus_capture.pcap -Y "modbus" -T fields \
-e frame.number -e ip.src -e ip.dst -e modbus.func_code
# Common Modbus function codes to watch for:
# 1 = Read Coils (read digital outputs)
# 3 = Read Holding Regs (read configuration values)
# 5 = Write Single Coil (change a digital output — DANGEROUS)
# 6 = Write Single Reg (change a configuration value — DANGEROUS)
# 16 = Write Multiple (change multiple values at once — DANGEROUS)
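The function-code watch list above is what an OT monitoring rule is built on. As an added example (not code from the original page), the following parses Modbus/TCP frames the way a tool reading that capture would, then raises alerts for write commands (5, 6, 15, 16) that come from a host other than the approved engineering station or fall outside a maintenance window. The station address 10.1.3.10, the PLC address 10.1.2.5 and the 02:00-04:00 window are assumed values for a hypothetical site, and the three sample frames are constructed.

```python
"""Flag risky Modbus/TCP write commands in captured traffic (added example)."""
import struct
from dataclasses import dataclass
from datetime import datetime, time

# Function codes from the Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}

# Assumed site policy (hypothetical values): only the engineering station at
# Purdue Level 3 may write, and only during the 02:00-04:00 maintenance window.
APPROVED_WRITERS = {"10.1.3.10"}
MAINTENANCE_WINDOW = (time(2, 0), time(4, 0))


@dataclass
class ModbusRequest:
    src_ip: str
    dst_ip: str
    timestamp: datetime
    unit_id: int
    function_code: int
    address: int      # first coil/register the request touches
    payload: bytes    # raw PDU bytes after the function code


def parse_modbus_tcp(src_ip: str, dst_ip: str, timestamp: datetime, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP frame: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"not Modbus/TCP (protocol id {proto_id})")
    # The MBAP length counts the unit id plus the PDU; check it before trusting the PDU.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function_code = frame[7]
    data = frame[8:]
    # Standard read/write PDUs begin with a 16-bit big-endian start address.
    address = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else -1
    return ModbusRequest(src_ip, dst_ip, timestamp, unit_id, function_code, address, data)


def in_maintenance_window(ts: datetime) -> bool:
    start, end = MAINTENANCE_WINDOW
    return start <= ts.time() < end


def assess(req: ModbusRequest) -> list:
    """Return alert strings for one request; an empty list means nothing to raise."""
    alerts = []
    name = FUNCTION_NAMES.get(req.function_code)
    if name is None:
        alerts.append(f"unknown function code {req.function_code} from {req.src_ip}")
        return alerts
    if req.function_code in WRITE_CODES:
        target = f"{req.dst_ip} unit {req.unit_id} address {req.address}"
        if req.src_ip not in APPROVED_WRITERS:
            alerts.append(f"{name} from non-approved host {req.src_ip} to {target}")
        if not in_maintenance_window(req.timestamp):
            alerts.append(f"{name} to {target} outside maintenance window at {req.timestamp:%H:%M}")
    return alerts


def build_frame(unit_id: int, function_code: int, address: int, value: int) -> bytes:
    """Build a single-address request; used only to construct the sample traffic below."""
    pdu = struct.pack(">BHH", function_code, address, value)
    mbap = struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


# Constructed sample traffic (src, dst, time, frame): an HMI reads a holding
# register, the same HMI then writes one mid-afternoon, and the engineering
# station writes a coil inside the maintenance window.
SAMPLE_TRAFFIC = [
    ("10.1.3.20", "10.1.2.5", datetime(2024, 5, 1, 14, 30), build_frame(1, 3, 0x0010, 2)),
    ("10.1.3.20", "10.1.2.5", datetime(2024, 5, 1, 14, 31), build_frame(1, 6, 0x0010, 999)),
    ("10.1.3.10", "10.1.2.5", datetime(2024, 5, 1, 2, 15), build_frame(1, 5, 0x0003, 0xFF00)),
]


def run_detection(traffic=SAMPLE_TRAFFIC) -> list:
    """Parse every frame and collect alerts; the sample traffic yields two alerts."""
    findings = []
    for src, dst, ts, frame in traffic:
        findings.extend(assess(parse_modbus_tcp(src, dst, ts, frame)))
    return findings
```

Only the HMI's afternoon write trips the rules (once for the source, once for the time); the read and the in-window engineering write pass. With a real capture, the fields exported by the tshark command above (source, destination, function code, plus the frame time) are exactly the inputs this check needs.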
# Download firmware from manufacturer website (or extract from device)
wget https://example.com/firmware/device-v2.1.bin -O firmware.bin
# Identify file type and embedded filesystems
binwalk firmware.bin
# Extract all identified components
binwalk -e firmware.bin
# Check for known vulnerable versions of busybox, openssl, etc.
strings _firmware.bin.extracted/squashfs-root/bin/busybox | grep "BusyBox v"
strings _firmware.bin.extracted/squashfs-root/usr/lib/libssl.so | grep "OpenSSL"
# Look for web server configuration
cat _firmware.bin.extracted/squashfs-root/etc/lighttpd/lighttpd.conf

Legal and ethical warning: Only scan, probe, or analyse devices and networks you own or have explicit written authorisation to test. Scanning ICS/SCADA systems without authorisation is illegal and potentially dangerous — it can disrupt physical processes. Under the Criminal Code Act 1995 (Australia), the Computer Fraud and Abuse Act (US), and similar legislation, unauthorised access carries serious penalties. Always test in isolated lab environments.

What Are the Limitations of IoT and OT Security?


ICS-CERT advisories consistently highlight that many OT security controls face inherent constraints — legacy protocols that cannot support encryption, equipment with 15-25 year lifecycles that cannot be patched, and operational requirements that prevent downtime for security updates.

| Security control | Benefit | Limitation / failure mode |
|---|---|---|
| Network segmentation (Purdue Model) | Isolates OT from IT threats; contains breaches | Legacy systems may not support VLANs; convergence pressure erodes boundaries |
| Air gapping | Complete isolation from network threats | Increasingly impractical; USB and supply chain attacks bypass air gaps (Stuxnet proved this) |
| Firmware updates | Patches known vulnerabilities | Many IoT devices lack update mechanisms; OT systems cannot be taken offline for patching |
| Default credential changes | Eliminates the most common IoT attack vector | Manufacturers ship insecure defaults; users rarely change them; some credentials are hardcoded |
| Shodan monitoring | Discovers your own exposed assets | Only finds internet-exposed devices; internal IoT/OT assets remain invisible |
| ICS protocol monitoring | Detects anomalous commands to PLCs/RTUs | Requires deep protocol knowledge; false positives from legitimate operational changes |
| IoT device inventory | Enables visibility and management at scale | Shadow IoT — devices connected without IT knowledge — creates blind spots |
| Encryption for ICS protocols | Protects data in transit | Many legacy protocols cannot support encryption; performance overhead on constrained devices |

What Interview Questions Should You Expect About IoT and OT Security?


CompTIA Security+ SY0-701 Domain 2 and CEH v13 Module 18 both include IoT/OT security objectives, making these questions increasingly common in interviews for roles across critical infrastructure, managed security, and government.

IoT and OT security questions are appearing more frequently in interviews, especially for roles in critical infrastructure, managed security services, and government.

Q1: What is the difference between IT and OT security?

Strong answer: “The fundamental difference is priority. IT security prioritises confidentiality — protecting data. OT security prioritises availability — keeping systems running. In OT, downtime can mean physical danger, production loss, or public safety risks. This means you cannot simply apply IT security practices to OT environments. For example, you cannot patch a PLC controlling a water pump the same way you patch a laptop — you need scheduled maintenance windows and rigorous testing to avoid disrupting physical processes.”

Q2: What made the Mirai botnet so effective?

Strong answer: “Mirai exploited the most basic vulnerability in IoT — default credentials. It scanned the internet for devices with open Telnet and SSH, attempted login using a dictionary of just 62 common default username and password pairs, and built a botnet of over 600,000 compromised devices. The lesson is that IoT security often fails at the most fundamental level. If manufacturers shipped devices with unique credentials and disabled remote access by default, Mirai would not have worked.”

Q3: What is the Purdue Model and why does it matter?

Strong answer: “The Purdue Model is a reference architecture that defines layers from the physical process at the bottom to the enterprise IT network at the top, with a DMZ separating IT and OT. It matters because it provides the framework for network segmentation in industrial environments. The security principle is that traffic should only flow between adjacent layers, and the IT/OT DMZ should be the only connection point between enterprise IT and OT systems. When this segmentation breaks down, IT compromises can cascade into OT disruptions.”

Q4: How would you start assessing IoT security in an organisation?

Strong answer: “First, I would build an inventory of all connected devices — you cannot secure what you do not know exists. Then I would check for devices with default credentials, identify devices exposed to the internet using tools like Shodan, review firmware versions for known vulnerabilities, and assess network segmentation to ensure IoT devices are isolated from critical systems. The OWASP IoT Top 10 would guide my assessment checklist.”

How Is IoT/OT Security Used in Real Security Operations?


The Security of Critical Infrastructure Act 2018 (SOCI Act), expanded in 2022, covers 11 critical infrastructure sectors in Australia and requires entities to maintain a Critical Infrastructure Risk Management Program (CIRMP) that explicitly addresses cyber and supply chain risks to OT systems.

In organisations with IoT or OT infrastructure, SOC analysts encounter specific alert types:

  • Exposed device alert. An automated Shodan or attack surface management scan discovers a building management system exposed to the internet. You verify the finding, assess the risk, and coordinate with facilities to restrict access.
  • Anomalous ICS protocol activity. The OT monitoring platform flags a Modbus write command to a PLC outside normal operating hours. You check whether maintenance was scheduled, verify the source workstation, and escalate if the activity is unauthorised.
  • IoT malware detection. Network monitoring identifies traffic patterns consistent with a botnet command-and-control channel from a smart TV on the corporate network. You isolate the device, analyse the traffic, and check whether other IoT devices are affected.
  • Firmware vulnerability advisory. A vendor publishes a critical vulnerability in a widely deployed IoT camera firmware. You cross-reference the advisory against your device inventory to determine exposure and coordinate patching with the IT operations team.

OT environments require specialised monitoring approaches:

  1. Passive network monitoring — Tools like Nozomi Networks, Claroty, or Dragos passively observe OT network traffic to build asset inventories and detect anomalies without disrupting operations.
  2. ICS protocol deep inspection — Monitoring tools that understand Modbus, DNP3, and S7comm can detect malicious commands (e.g., writing dangerous values to safety-critical registers).
  3. Baseline behaviour analysis — Establishing what “normal” looks like for OT traffic patterns, then alerting on deviations.

Australian Context: Critical Infrastructure and the SOCI Act


Australia takes IoT and OT security seriously through several regulatory frameworks:

  • Security of Critical Infrastructure Act 2018 (SOCI Act) — Expanded in 2022 to cover 11 critical infrastructure sectors including energy, water, healthcare, education, transport, and telecommunications. Entities must have a Critical Infrastructure Risk Management Program (CIRMP) that covers cyber and supply chain risks to OT systems.
  • ASD Essential Eight — While designed for IT, the principles apply to OT environments. Organisations are increasingly expected to map Essential Eight controls to their OT assets where feasible.
  • ACSC OT security guidance — The ACSC publishes specific guidance for securing operational technology environments, including network segmentation, remote access controls, and incident response for OT.
  • Australian Water and Energy sectors — These sectors are explicitly covered under the SOCI Act. The 2021 Oldsmar water treatment attack (US) served as a wake-up call for Australian water utilities to audit their SCADA remote access controls.

For career changers in Australia, understanding the SOCI Act and its implications for OT security is valuable in interviews for roles in government, utilities, healthcare, and managed security services.

IoT and OT security is a critical domain where cybersecurity meets the physical world, and it is an area of growing demand for security professionals.

  • IoT devices expand the attack surface dramatically. Default credentials, unpatched firmware, and insecure protocols make them easy targets — the Mirai botnet compromised 600,000+ devices using simple default passwords.
  • OT security prioritises availability over confidentiality. Taking a PLC offline to patch it can stop a production line or disrupt critical infrastructure. Security approaches must account for this.
  • The Purdue Model provides the segmentation framework for IT/OT environments. The IT/OT DMZ is the critical boundary that must be maintained.
  • ICS protocols like Modbus and DNP3 were not designed for security. They lack authentication and encryption, making network segmentation and monitoring essential.
  • Shodan discovers internet-exposed IoT and OT devices — defenders should use it proactively to find their own exposed assets before attackers do.
  • Firmware analysis with tools like binwalk reveals hardcoded credentials, outdated libraries, and insecure configurations embedded in IoT devices.
  • IT/OT convergence is creating new risks as previously isolated OT systems connect to enterprise networks and the internet.

Individual results vary. Career timelines, salary outcomes, and job availability depend on your location, experience, market conditions, and effort. The information on this page is educational, not a guarantee of employment outcomes.

Frequently Asked Questions

What is the difference between IoT and OT?

IoT (Internet of Things) refers to network-connected devices with sensors and software that collect and exchange data, such as smart cameras, thermostats, and wearables. OT (Operational Technology) refers to hardware and software that monitors and controls physical processes, such as factory PLCs, SCADA systems, and building management systems. IoT focuses on data collection; OT focuses on controlling physical processes.

What is SCADA?

SCADA stands for Supervisory Control and Data Acquisition. It is a system used to remotely monitor and control distributed infrastructure like water treatment plants, power grids, and oil pipelines. SCADA systems collect data from remote sensors (RTUs) and allow operators to monitor and control processes through a centralised interface (HMI).

What is the Purdue Model?

The Purdue Model is a reference architecture that defines six levels for industrial networks, from the physical process (Level 0) to the enterprise network (Level 5), with a DMZ at Level 4 separating IT and OT. It provides the framework for network segmentation in industrial environments, ensuring that IT threats cannot directly reach OT systems.

How did the Mirai botnet work?

Mirai scanned the internet for IoT devices with open Telnet or SSH ports, attempted login using a dictionary of 62 common default credentials like admin/admin and root/root, and installed malware on successfully compromised devices. It built a botnet of over 600,000 devices that launched a massive DDoS attack against Dyn DNS, disrupting major internet services globally.

What is Shodan and how is it used in security?

Shodan is a search engine that indexes internet-connected devices by scanning for service banners. Unlike Google which indexes web pages, Shodan reveals device types, firmware versions, open ports, and sometimes default configurations. Defenders use it to discover their own exposed assets; attackers use it to find vulnerable targets. It is a legitimate security tool that highlights the importance of proper device configuration.

Why can't you patch OT systems the same way as IT systems?

OT systems prioritise availability — keeping physical processes running. Patching requires taking systems offline, which can halt production lines, disrupt utilities, or create safety risks. Many OT systems run for 15 to 25 years and may no longer receive vendor patches. Patching must be carefully scheduled during maintenance windows with thorough testing to avoid unintended disruptions to physical processes.

What is firmware analysis?

Firmware analysis is the process of extracting and examining the software embedded in IoT devices. Using tools like binwalk, security researchers can extract filesystems from firmware images and search for hardcoded credentials, outdated libraries, insecure configurations, and known vulnerabilities. It is a key technique for assessing IoT device security.

What are the main ICS protocols and why are they insecure?

Common ICS protocols include Modbus, DNP3, BACnet, and EtherNet/IP. They were designed decades ago for reliability in isolated networks, not for security. Most lack authentication, encryption, and integrity checks. Commands are sent in cleartext, meaning anyone with network access can read or modify them. Security relies on network segmentation rather than protocol-level protections.

What is the OWASP IoT Top 10?

The OWASP IoT Top 10 identifies the most critical security risks for IoT devices. The top risks include weak or hardcoded passwords, insecure network services, insecure ecosystem interfaces, lack of secure update mechanisms, use of insecure components, insufficient privacy protection, insecure data transfer, lack of device management, insecure default settings, and lack of physical hardening.

Do I need IoT/OT knowledge for entry-level cybersecurity jobs?

Understanding the fundamentals is increasingly valuable. While not every SOC analyst role requires deep OT expertise, organisations in critical infrastructure, manufacturing, utilities, and healthcare are actively hiring security professionals with IoT and OT awareness. Knowing the basics of the Purdue Model, IT/OT convergence risks, and IoT attack vectors will strengthen your interviews and open doors to specialised roles.


Sources: OWASP IoT Top 10, NIST SP 800-82 Rev. 3, CISA ICS-CERT, ASD/ACSC, Purdue Enterprise Reference Architecture. Last verified: March 2026.