OT Threat Intelligence is 14% of the CompTIA SecOT+ (SOT-001) exam. This domain teaches you who attacks OT, how they operate, and how you turn raw information into intelligence that drives defense. Real OT attacks are rare but consequential, so you study the landmark cases closely because they define the techniques you must detect.

Threat intelligence is the difference between guarding everything equally and guarding what an actual adversary is likely to target. You map your defenses to known behavior, not to imagination.

Intelligence Disciplines

Intelligence is gathered from distinct sources.

Discipline   Source
HUMINT       Human sources and people
SIGINT       Intercepted communications and signals
OSINT        Publicly available sources
IMINT        Photographs and other imagery
MASINT       Technical sensor measurements and signatures

Analysis Models

You structure analysis with proven models.

  • The Diamond Model links the four vertices of an intrusion event: adversary, capability, infrastructure, and victim. Pivoting from one vertex to the next is how you grow a single indicator into an actor profile.
  • The intelligence life cycle repeats planning and direction, collection, processing, analysis, dissemination, and feedback.
  • MITRE ATT&CK for ICS catalogs adversary tactics and techniques against industrial control systems.
  • The ICS Cyber Kill Chain describes an attack against industrial control systems in two stages: Stage 1 is the intrusion into and reconnaissance of the enterprise and ICS networks, and Stage 2 is the development, validation, and execution of the ICS-specific attack.

MITRE ATT&CK for ICS is the OT-specific companion to the enterprise ATT&CK matrix. Learn it as your shared language for describing OT attacker behavior.

Landmark OT Threats

These real incidents shaped the field and appear throughout the exam.

Threat              What it did
Stuxnet             Physically damaged Iranian uranium-enrichment centrifuges by modifying Siemens PLC logic while reporting normal values to operators
TRISIS (TRITON)     Targeted Schneider Electric Triconex safety instrumented systems to disable safety functions
BlackEnergy         Gave attackers the access used in the 2015 Ukraine power outages
Industroyer         Manipulated electric grid substation equipment in Ukraine in 2016 by speaking grid protocols (IEC 60870-5-101/104, IEC 61850, OPC DA) directly
FrostyGoop          Sent Modbus TCP commands directly to OT controllers (2024)
Colonial Pipeline   A 2021 ransomware incident on IT systems; the operator shut down the pipeline as a precaution, disrupting fuel distribution

TRISIS stands out as the first known malware to target a safety instrumented system. Attacking the last safety barrier turns a cyber event into a potential physical disaster. Colonial Pipeline makes the opposite point: an incident that never touched a controller still stopped the physical process, because the operator could not trust the IT side.

Threat Actors

You profile the adversary to anticipate their behavior.

  • A nation-state actor is a well-resourced attacker working for a government.
  • An advanced persistent threat is a stealthy, long-term, capable intruder.
  • A hacktivist is motivated by political or social causes.
  • A cybercriminal is motivated primarily by financial gain.
  • An insider threat comes from people inside the organization who misuse access.

Attack Techniques

OT attackers use techniques you must recognize.

  • A removable media threat carries malware on USB drives and portable storage, a common way into air-gapped OT and the path Stuxnet used.
  • Phishing and vishing use deceptive messages or voice calls to steal credentials or access.
  • Lateral movement is moving between systems after initial access.
  • An IT to OT pivot is crossing from the IT network into the OT network, the classic path into a plant and the reason the boundary between the two zones is where you concentrate detection.
  • A rogue base station is a fake cellular tower used to intercept communications, relevant wherever remote OT sites rely on cellular links.
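The two entry paths above that you can actually see in telemetry, the IT to OT pivot and removable media, are worth having detection logic for. The following is an added example (not part of the SecOT+ material or any vendor product) that runs two such checks over constructed log lines; the zone ranges, allow-lists, log formats and sample records are all assumptions for illustration.

```python
"""Detect IT-to-OT pivots and unapproved removable media over constructed logs.

Added example, not part of the SecOT+ material. The zone ranges, allow-lists,
log formats and sample records are assumptions for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed zone model: enterprise IT, a DMZ holding the only sanctioned jump
# host into OT, and the OT cell network where PLCs and HMIs live.
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.9.0.0/24"),
    "OT": ipaddress.ip_network("192.168.50.0/24"),
}

# Well-known ICS protocol ports. Seeing these from IT is a pivot, not business traffic.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP"}

# Assumed allow-list: only the DMZ jump host and the plant HMI may speak ICS protocols.
ALLOWED_ICS_TALKERS = {
    ipaddress.ip_address("10.9.0.10"),
    ipaddress.ip_address("192.168.50.30"),
}

# Assumed allow-list of plant-issued, scanned USB drives identified by serial.
APPROVED_USB_SERIALS = {"PLANT-KIT-0001"}

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
USB_RE = re.compile(r"host=(?P<host>\S+) event=usb_mount serial=(?P<serial>\S+)")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def zone_of(addr: str) -> str:
    """Name the zone an address belongs to, or UNKNOWN if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"


def detect_pivots(flow_lines):
    """Flag flows into OT that come straight from IT, and ICS-protocol flows
    from any source not on the allow-list. Traffic via the DMZ jump host is
    the sanctioned path and produces no finding."""
    findings = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # tolerate unrelated or malformed lines
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if zone_of(dst) != "OT":
            continue
        if zone_of(src) == "IT":
            findings.append(Finding("it_to_ot_pivot", f"{src} -> {dst}:{dport} bypassed the DMZ"))
        if dport in ICS_PORTS and ipaddress.ip_address(src) not in ALLOWED_ICS_TALKERS:
            findings.append(Finding("unsanctioned_ics_protocol", f"{src} spoke {ICS_PORTS[dport]} to {dst}"))
    return findings


def detect_removable_media(event_lines):
    """Flag a USB mount on any host unless the drive serial is plant-approved."""
    findings = []
    for line in event_lines:
        m = USB_RE.search(line)
        if m and m["serial"] not in APPROVED_USB_SERIALS:
            findings.append(Finding("unapproved_removable_media", f"{m['serial']} mounted on {m['host']}"))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_FLOWS = [
    "2024-05-01T10:00:01 src=10.1.20.15 dst=10.9.0.10 dport=3389",        # IT -> DMZ jump host: expected
    "2024-05-01T10:00:05 src=10.9.0.10 dst=192.168.50.21 dport=502",      # jump host -> PLC: sanctioned
    "2024-05-01T10:02:13 src=10.1.20.15 dst=192.168.50.21 dport=502",     # IT host straight to PLC: pivot
    "2024-05-01T10:03:40 src=192.168.50.77 dst=192.168.50.21 dport=102",  # unknown OT host speaking S7
]
SAMPLE_EVENTS = [
    "2024-05-01T09:55:00 host=EWS01 event=usb_mount serial=PLANT-KIT-0001",
    "2024-05-01T10:01:30 host=EWS01 event=usb_mount serial=0A1B2C3D",
]

if __name__ == "__main__":
    for f in detect_pivots(SAMPLE_FLOWS) + detect_removable_media(SAMPLE_EVENTS):
        print(f"[{f.kind}] {f.detail}")
```

The third flow line produces two findings at once (an IT source and an ICS protocol from a non-allowed host), which is the point: the boundary rule and the protocol rule are independent, so a pivot that goes through a compromised but allow-listed host is still caught by the zone check, and an unknown laptop plugged into the OT switch is still caught by the protocol check.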

Sharing and Consuming Intelligence

You exchange intelligence in standard formats and through trusted channels.

Tool                      Role
Indicator of compromise   An observable artifact (hash, address, domain, file name) that suggests a breach
YARA                      A rule format for identifying and classifying malware by matching patterns in files and memory
STIX                      A standard format for sharing threat intelligence, usually transported over TAXII
ISAC                      An Information Sharing and Analysis Center for a sector
Threat intelligence feed  A stream of current threat data and indicators

You also describe an actor’s tactics, techniques, and procedures (TTPs) to characterize how they operate, and you draw on bug bounty programs and OEM threat feeds and security advisories as additional sources.
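Consuming intelligence means turning a shared STIX bundle into something your sensors can act on, and attaching the ATT&CK for ICS technique so the analyst knows what behavior the hit represents. The following is an added example, not part of the SecOT+ material and not an official STIX library: it reads a constructed STIX 2.1 bundle, parses the equality-comparison subset of the STIX pattern language that the bundle uses, matches indicators against constructed observations, and labels each alert with the technique that the bundle's "indicates" relationships point to. The object IDs, indicator values and observations are constructed, and the technique IDs are as this example assumes them from ATT&CK for ICS; verify them against the current matrix before relying on them.

```python
"""Consume a STIX 2.1 bundle, match indicators, and tag hits with ATT&CK for ICS.

Added example, not part of the SecOT+ material and not an official STIX
library. The bundle, its IDs and the observations are constructed; the
pattern parser handles only the equality-comparison subset shown here.
"""
import json
import re

# Constructed STIX 2.1 bundle with placeholder UUIDs. Technique names and IDs
# are assumed from ATT&CK for ICS; confirm against the current matrix.
BUNDLE_JSON = '''{
  "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
  "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000010",
     "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z",
     "name": "Addresses seen issuing Modbus writes", "pattern_type": "stix", "valid_from": "2024-05-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.45'] OR [ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000011",
     "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z",
     "name": "Dropper carried on USB", "pattern_type": "stix", "valid_from": "2024-05-01T00:00:00Z",
     "pattern": "[file:hashes.'SHA-256' = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef']"},
    {"type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--00000000-0000-4000-8000-000000000020",
     "name": "Unauthorized Command Message",
     "external_references": [{"source_name": "mitre-ics-attack", "external_id": "T0855"}]},
    {"type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--00000000-0000-4000-8000-000000000021",
     "name": "Replication Through Removable Media",
     "external_references": [{"source_name": "mitre-ics-attack", "external_id": "T0847"}]},
    {"type": "relationship", "spec_version": "2.1", "id": "relationship--00000000-0000-4000-8000-000000000030",
     "relationship_type": "indicates",
     "source_ref": "indicator--00000000-0000-4000-8000-000000000010",
     "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000020"},
    {"type": "relationship", "spec_version": "2.1", "id": "relationship--00000000-0000-4000-8000-000000000031",
     "relationship_type": "indicates",
     "source_ref": "indicator--00000000-0000-4000-8000-000000000011",
     "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000021"}
  ]
}'''

# One STIX comparison: <object type>:<property path> = '<value>'
COMPARISON_RE = re.compile(r"(?P<type>[\w-]+):(?P<path>[\w.'-]+)\s*=\s*'(?P<value>[^']*)'")


def parse_pattern(pattern: str):
    """Parse bracketed equality comparisons joined by OR (the subset used here)
    into (object type, property path, expected value) tuples. Quotes inside a
    path such as hashes.'SHA-256' are dropped so the path can be used as a key."""
    comparisons = []
    for part in re.split(r"\s+OR\s+", pattern.strip()):
        part = part.strip()
        if not (part.startswith("[") and part.endswith("]")):
            raise ValueError(f"unsupported pattern: {part}")
        m = COMPARISON_RE.fullmatch(part[1:-1].strip())
        if not m:
            raise ValueError(f"unsupported comparison: {part}")
        comparisons.append((m["type"], m["path"].replace("'", ""), m["value"]))
    return comparisons


def load_bundle(bundle_json: str):
    """Return the indicators and a map indicator id -> [(technique name, ATT&CK ID)]."""
    objs = {o["id"]: o for o in json.loads(bundle_json)["objects"]}
    indicators = [o for o in objs.values() if o["type"] == "indicator"]
    technique_of = {}
    for o in objs.values():
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            ap = objs.get(o["target_ref"])
            if ap and ap["type"] == "attack-pattern":
                ids = [r["external_id"] for r in ap.get("external_references", [])
                       if r.get("source_name") == "mitre-ics-attack"]
                technique_of.setdefault(o["source_ref"], []).append((ap["name"], ids[0] if ids else None))
    return indicators, technique_of


def match_observations(observations, indicators, technique_of):
    """Observations are dicts carrying a STIX object type plus property paths.
    Return one alert per (observation, indicator) hit, tagged with the technique."""
    alerts = []
    for obs in observations:
        for ind in indicators:
            for obj_type, path, expected in parse_pattern(ind["pattern"]):
                if obs["type"] == obj_type and obs.get(path) == expected:
                    alerts.append({"indicator": ind["name"], "matched": f"{obj_type}:{path} = {expected}",
                                   "context": obs.get("context", ""),
                                   "techniques": technique_of.get(ind["id"], [])})
                    break  # one OR branch is enough for this indicator
    return alerts


def scan(bundle_json, observations):
    return match_observations(observations, *load_bundle(bundle_json))


# Constructed observations from the plant sensors (not real data).
OBSERVATIONS = [
    {"type": "ipv4-addr", "value": "198.51.100.7", "context": "Modbus write to 192.168.50.21 in firewall log"},
    {"type": "ipv4-addr", "value": "10.1.20.15", "context": "RDP to DMZ jump host"},
    {"type": "file", "hashes.SHA-256": "0123456789abcdef" * 4, "context": "copied from USB on EWS01"},
]

if __name__ == "__main__":
    for a in scan(BUNDLE_JSON, OBSERVATIONS):
        print(a)
```

The parser deliberately rejects anything outside the subset it understands instead of silently matching nothing, so a feed that starts sending `AND`, `MATCHES` or temporal qualifiers fails loudly and gets fixed rather than producing a false sense of coverage.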

Next Steps

With the adversary understood, continue to OT Cybersecurity Architecture, Design, and Engineering to build defenses against these threats. Return anytime to the CompTIA SecOT+ Course page.