Industrial control system security stopped being a niche the day Russian GRU operators dropped Industroyer2 on Ukrainian electric substations on April 8, 2022, and reset entirely when the U.S. Government confirmed in February 2024 that the People’s Republic of China’s Volt Typhoon campaign had been pre-positioning inside U.S. water, energy, and communications operational technology networks. The Department of Defense (DoD) now treats every military base utility plant, every shipyard PLC, and every depot SCADA console as a contested asset. Dragos’s 9th annual 2026 OT Cybersecurity Year in Review tracks 26 active OT threat groups, finds only 30% of OT networks have adequate visibility, and notes 88% of asset owners still struggle with detection and response — numbers that explain why cleared OT hiring inside Sector Risk Management Agencies, the defense industrial base, and the four service cyber commands is accelerating faster than any other cybersecurity discipline.
If you carry a Top Secret / Sensitive Compartmented Information (TS/SCI) clearance and you can read a piping-and-instrumentation diagram without a translator, the 2026 market is yours to set the price in. This guide breaks down the roles, the salary bands, the certifications that move the needle, the standards every hiring manager cites in the position description, and the agencies and primes doing the hiring, sourced to the original government advisories and vendor research so a candidate can verify each claim before walking into an interview.
Why operational technology is now a defense-priority career track
Three forces converged. The first was the May 2021 Colonial Pipeline ransomware shutdown by the DarkSide affiliate, which prompted the Transportation Security Administration to issue the first mandatory pipeline cybersecurity directives (SD Pipeline-2021-01 and -02) and reclassified pipeline security from voluntary to enforceable. The second was the February 2024 publication by CISA, NSA, and FBI of joint cybersecurity advisory AA24-038A — the first U.S. Government confirmation that PRC state-sponsored actors had maintained persistent access to U.S. critical infrastructure OT environments and were positioning to disrupt rather than to spy. The third was the codification of which federal department owns the cyber defense of each of the 16 critical infrastructure sectors, formalized in 2013 by Presidential Policy Directive 21 and refreshed in April 2024 by National Security Memorandum 22, which named DoD as the Sector Risk Management Agency for the Defense Industrial Base and DOE as SRMA for energy.
The Cybersecurity and Infrastructure Security Agency (CISA) absorbed the former ICS-CERT mission in 2018 and now runs the Industrial Control Systems vulnerability coordination program, the CyberSentry passive monitoring service, and the OT working groups of the Joint Cyber Defense Collaborative. That single agency has become the gravitational center of cleared ICS hiring outside of contractor primes, and its position descriptions increasingly demand the same skill stack defense primes want: protocol-level fluency in Modbus, DNP3, and PROFINET; the ability to architect to IEC 62443 zones and conduits; and a working knowledge of NIST Special Publication 800-82 Revision 3.
Dean Parsons, who teaches SANS ICS515 and writes for the SANS ICS blog, framed the discipline’s center of gravity bluntly in an April 23, 2026 post: “A cyber incident in OT is not a data event; it is a physical event with potential consequences that include operational disruption, environmental impact, and loss of life.” The compensation premium for cleared OT defenders reflects how much money the federal government and its primes are willing to pay people who reason that way by default.
The Purdue Reference Model is the language of OT job interviews
Every serious ICS security position description references the Purdue Enterprise Reference Architecture, almost always shortened to “the Purdue Model.” Originally published by Theodore Williams at Purdue University in the 1990s and formalized into ANSI/ISA-95, the model is referenced directly in NIST SP 800-82 Rev 3 §4.2 as the canonical zoning framework for industrial control environments. If you cannot speak Purdue levels conversationally, you will not pass the first technical screen at Dragos, Claroty, or any of the defense primes building OT security practices.
| Purdue Level (per ISA-95 / NIST SP 800-82 R3) | What lives there | Security focus |
|---|---|---|
| Level 0 — Physical Process | Sensors, actuators, motors, valves | Tamper monitoring, physical access |
| Level 1 — Basic Control | PLCs, RTUs, IEDs | Firmware integrity, logic change detection |
| Level 2 — Area Supervisory | HMIs, SCADA workstations | Endpoint hardening, allowlisting, USB controls |
| Level 3 — Site Operations | Historians, engineering workstations, MES | Patching cadence, jump host architecture |
| Level 3.5 — Industrial DMZ | Data diodes, brokers, jump servers, AV update relays | No direct IT/OT path; allowlisted brokered transit only |
| Levels 4-5 — Enterprise IT | Business systems, ERP, internet edge | Standard enterprise security stack |
The single most contested boundary is Level 3.5, the industrial demilitarized zone. IT/OT convergence is the polite phrase for “the corporate network and the plant floor have started talking to each other,” and the IDMZ is where that conversation gets policed. Almost every named OT security incident of the last decade (TRITON at the Saudi Petro Rabigh facility in 2017, the 2015 and 2016 Ukrainian grid attacks, the April 2022 Industroyer2 campaign per ESET’s published analysis) exploited a weak or absent IDMZ. Expect to be asked, in interview, how you would architect one from scratch and which Foundational Requirements from IEC 62443-3-3 you would prioritize first.
What cleared ICS and SCADA roles actually pay in 2026
The salary premium for OT specialization over generalist cleared cybersecurity is real and growing. The supply-side constraint is severe: there is no four-year university program that trains industrial control system defenders the way computer science programs train software engineers. Practitioners come from process engineering, instrumentation and controls technician backgrounds, or military communications and electronics ratings, and they pick up cybersecurity on top. That bilingual profile, fluent in both protocol analysis and pump-station physics, is what the market rewards.
| Role (cleared, 2026) | Cleared range | Typical hiring agencies / primes |
|---|---|---|
| ICS Security Analyst (mid-level) | $110,000-$145,000 | CISA, DOE national labs, defense primes |
| ICS Security Engineer (senior) | $135,000-$180,000 | Dragos, Claroty, USACE, Naval Facilities Command |
| OT Security Lead / Architect | $165,000-$220,000 | DISA, DIB primes, Schweitzer Engineering customers |
| OT Incident Responder (TS/SCI) | $140,000-$185,000 | USCYBERCOM, NSA, FBI Cyber Division |
| ICS Penetration Tester | $130,000-$190,000 | DOE Idaho National Laboratory, contractor red teams |
The baseline reference number is the Bureau of Labor Statistics OEWS Information Security Analyst median (SOC 15-1212), which sat at $124,910 in the May 2024 release — the most recent national figure. Layered on top of that baseline, the clearance premium follows the same pattern as enterprise IT cyber: a Secret clearance adds roughly $10,000-$20,000 over commercial equivalents, Top Secret adds $20,000-$35,000, and a TS/SCI with current scope adds $30,000-$45,000, per the cleared-cyber listings indexed on CyberSecJobs.com over the last 36 months. For OT specifically, the multiplier is higher than baseline cleared cyber because the candidate pool is so much smaller. CyberSecJobs internal listings data showed TS/SCI cleared cyber averaging roughly $149,400 across all roles in the D.C. locality in 2026; cleared OT roles routinely close $15,000-$25,000 above that figure.
Dale Peterson, the founder of S4 Events and the longest-running independent commentator on OT security, captured the asymmetry in a March 2025 post on OT training: “Today the OT security training market is SANS and then a number of lesser players. SANS is the most expensive, and it also is the largest.” The same dynamic shows up in hiring: a small number of vendors (Dragos, Claroty, Nozomi Networks, Schweitzer Engineering Laboratories) and a small number of federal employers (CISA, DOE Idaho National Laboratory, USCYBERCOM) compete for a candidate pool that the SANS ICS Survey series has flagged as critically under-supplied since 2019.
The four protocols every ICS defender has to read on a packet capture
Industrial control protocols were designed in an era when “network security” meant a padlock on the control room door. They carry no native authentication, no encryption, and minimal integrity checking. Modern defense relies on layered detection — passive network monitoring tools from Dragos, Claroty, Nozomi Networks, and Schweitzer Engineering Laboratories parse these protocols at line rate and alert on anomalous engineering commands.
Modbus is the lingua franca of factory floors, water utilities, and military base utility plants. It runs over TCP port 502 or serial. A defender needs to recognize function codes 5, 6, 15, and 16, the write operations that move setpoints and toggle outputs. The unauthorized issuance of a function-code-6 write to a critical PLC register is the smoking gun in most Modbus-era incident reports.
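The check described in the Modbus paragraph above, as an added example (not code from any vendor or tool named on this page): it parses Modbus/TCP requests and alerts on write function codes 5, 6, 15, and 16 issued by hosts outside an allowlist. The IP addresses, the allowlist, the critical-register map, and the sample frames are constructed assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes the paragraph above names as the write operations.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int] = None   # zero-based PDU address of the first item written
    quantity: Optional[int] = None  # number of coils/registers written

def parse_request(payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request (7-byte MBAP header followed by the PDU)."""
    if len(payload) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0 (not Modbus)")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field disagrees with payload size")
    req = ModbusRequest(tid, unit, payload[7])
    if req.function in WRITE_FUNCTIONS:
        if len(payload) < 12:
            raise ValueError("truncated write request")
        req.address, second = struct.unpack(">HH", payload[8:12])
        # Codes 5 and 6 carry a value in the second field; 15 and 16 carry a count.
        req.quantity = 1 if req.function in (5, 6) else second
    return req

def audit(frames, allowed_writers, critical):
    """Return alerts for malformed frames and for writes from hosts not allowlisted."""
    alerts = []
    for src, dst, payload in frames:
        try:
            req = parse_request(payload)
        except ValueError as exc:
            alerts.append({"src": src, "dst": dst, "kind": "malformed", "detail": str(exc)})
            continue
        if req.function not in WRITE_FUNCTIONS or src in allowed_writers:
            continue
        touched = range(req.address, req.address + req.quantity)
        hit = any(a in touched for a in critical.get(dst, ()))
        alerts.append({"src": src, "dst": dst,
                       "kind": "unauthorized-critical-write" if hit else "unauthorized-write",
                       "detail": f"fc {req.function} ({WRITE_FUNCTIONS[req.function]}) "
                                 f"addr {req.address} qty {req.quantity}"})
    return alerts

def build(tid, unit, pdu):
    """Wrap a PDU in an MBAP header (used only to construct the sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample data: all addresses and register numbers are hypothetical.
PLC = "10.20.1.5"
ALLOWED_WRITERS = {"10.20.3.10"}   # engineering workstation
CRITICAL = {PLC: {40}}             # register treated as a critical setpoint
SAMPLE_FRAMES = [
    ("10.20.2.20", PLC, build(1, 1, struct.pack(">BHH", 3, 0, 10))),     # HMI read
    ("10.20.3.10", PLC, build(2, 1, struct.pack(">BHH", 6, 16, 500))),   # allowlisted write
    ("10.20.5.77", PLC, build(3, 1, struct.pack(">BHH", 6, 40, 0))),     # unlisted host, fc 6
    ("10.20.5.77", PLC, build(4, 1, struct.pack(">BHHB", 16, 38, 3, 6) + bytes(6))),
    ("10.20.5.77", PLC, build(5, 1, struct.pack(">BHH", 5, 100, 0xFF00))),
    ("10.20.5.77", PLC, b"\x00\x06\x00\x00\x00\x06\x01"),                # truncated frame
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FRAMES, ALLOWED_WRITERS, CRITICAL):
        print(alert)
```

The function-code-16 frame starts at register 38 and writes three registers, so it is flagged as touching register 40 even though 40 is not the address in the request.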
DNP3 dominates electric utility SCADA and water distribution. It is more capable than Modbus and includes secure authentication in its modern revisions (DNP3-SA per IEEE 1815-2012), but most installed-base DNP3 is unauthenticated. Defenders watch for unsolicited responses, illegitimate freeze-and-clear operations, and any traffic on TCP port 20000 that does not originate from the master station.
PROFINET runs on most Siemens-based plant networks and is the backbone of European-architecture defense manufacturing. It is Ethernet-based, real-time, and noisy: a single PROFINET cell can generate gigabits per hour of cyclic data. ICS analysts learn to filter cyclic traffic out and focus on acyclic engineering-class messages.
IEC 61850 is the substation automation protocol — GOOSE messages for protection trip signaling, Sampled Values for current and voltage telemetry. Industroyer and Industroyer2 both spoke IEC 61850 fluently; any defender working military base electrical systems or DOE labs will encounter it.
The standards every position description names by number
Two reference documents anchor virtually every cleared OT job posting. The first is the IEC 62443 family, the international consensus standard for industrial automation and control systems security. Maintained by the International Electrotechnical Commission and the International Society of Automation (ISA), the series is structured around four stakeholder roles (asset owners, product suppliers, system integrators, and service suppliers), per the ISA standards portal. IEC 62443-3-3 specifies the seven Foundational Requirements (FR1 through FR7) and the four Security Levels (SL 1 through SL 4) that map to threat capability. IEC 62443-4-2 covers component-level requirements that PLCs, RTUs, and HMIs need to meet to be procured for critical defense applications. IEC 62443-3-2 drives the zone-and-conduit risk assessment that any new OT system must pass.
The second is NIST Special Publication 800-82 Revision 3, the federal Guide to Operational Technology Security, published September 2023 by NIST author Keith Stouffer. SP 800-82 R3 is the Sector Risk Management Agency reference for federal civilian OT. It is referenced by the Defense Federal Acquisition Regulation Supplement for any contract that touches a control system, and it is the basis for the OT-specific security controls overlay in NIST SP 800-53 Revision 5.
The Cybersecurity and Infrastructure Security Agency (CISA) layers on top of both with the Cross-Sector Cybersecurity Performance Goals, the Industrial Control Systems Strategy, and the Known Exploited Vulnerabilities catalog. Every cleared OT job description will name at least one of these documents; senior positions will reference all of them, and IEC 62443 Foundational Requirement numbers in particular show up verbatim in DIB prime position descriptions.
The named OT incidents every interview will reference
The reason any of this discipline exists is a small set of publicly attributed incidents that moved OT security from a procurement compliance exercise to a national-security priority. Hiring managers will assume a candidate can summarize each one in a sentence. The table below pairs the seven canonical incidents with their public attribution and what each one changed about defense-sector hiring.
| Year | Incident | Target sector / geography | Public attribution | Defense-sector hiring takeaway |
|---|---|---|---|---|
| 2010 | Stuxnet | Uranium enrichment / Natanz, Iran | Widely reported as U.S./Israeli joint operation (per multi-source post-2012 disclosures) | First publicly known kinetic cyber-physical effect; established the field |
| 2015 | BlackEnergy / Ukraine grid I | Electric distribution / Ukraine | Sandworm, GRU Unit 74455 (U.S. DOJ indictment 2020) | First successful grid blackout via cyber attack; permanent CISA case study |
| 2016 | Industroyer / CRASHOVERRIDE | Electric transmission / Kyiv, Ukraine | Sandworm / GRU | First malware purpose-built for grid disruption; protocol-aware |
| 2017 | TRITON / TRISIS | Petrochemical safety-instrumented system / Saudi Arabia (Petro Rabigh) | Russian CNIIHM (per CISA Joint Advisory AA22-103A) | First malware targeting safety systems; raised IEC 62443 SL ceiling for SIS |
| 2021 | Colonial Pipeline ransomware | Fuel pipeline / U.S. East Coast | DarkSide ransomware affiliate | TSA mandatory pipeline directives; civilian pipeline cyber hiring spike |
| 2022 | Industroyer2 | Electric substations / Ukraine | Sandworm / GRU (per ESET analysis, April 12 2022) | Demonstrated Industroyer evolution; CISA / NSA / FBI joint advisory |
| 2024 | Volt Typhoon disclosed | Water, energy, comms OT / U.S. | PRC state-sponsored (per CISA AA24-038A, Feb 7 2024) | DoD now treats all installation utility OT as contested; cleared OT hiring accelerated |
Each of these incidents drove a specific change to the defense hiring picture. TRITON pushed safety-instrumented system architecture into the cleared workforce conversation. Industroyer2 made IEC 61850 fluency a hard interview filter at substation programs. Volt Typhoon made every installation utility plant on a CONUS base a contested asset for cyber budgeting purposes — which is the proximate cause of the $30-$45K cleared-OT compensation premium opening up since 2024.
Certifications that pay for themselves in cleared OT hiring
The general cyber certifications still matter (CISSP, the CompTIA Security+ baseline for DoD 8140 compliance, and CISM for management tracks), but three OT-specific credentials separate the candidate who gets the interview from the candidate who gets the offer.
| Certification (2026) | Issuer | Prep effort | Exam format | Hiring impact |
|---|---|---|---|---|
| GICSP — Global Industrial Cyber Security Professional | GIAC | ~150 hours; SANS ICS410 (6 days, $9,230) | 82 questions, 3 hours, 71% pass | Standard ICS entry credential for federal and defense roles |
| GRID — GIAC Response and Industrial Defense | GIAC | ~150 hours; SANS ICS515 (6 days, $9,230; lead instructor Robert M. Lee) | GIAC proctored, 4 hours | OT incident response and threat hunting; required for many DOE and DoD roles |
| ISA/IEC 62443 Cybersecurity Expert | International Society of Automation | ~200 hours across 4 specialist modules | 4 modular exams, each proctored | Standards-aligned architecture and assessment work; preferred for OT security architect titles |
| CISSP | ISC2 | ~150 hours; $749 exam (2026) | CAT, up to 150 q, 3 hours | DoD 8140 baseline for IAM Level II/III; opens GS-13+ federal billets |
| CompTIA Security+ | CompTIA | ~90 hours; $404 exam (2026) | 90 q, 90 minutes, 750/900 pass | Minimum DoD 8140 IAT Level II credential; precondition for many contract billets |
The GICSP is the credential cleared hiring managers screen for first; SANS ICS410 is the path the overwhelming majority of credential-holders take, with Justin Searle as the long-serving lead instructor. The GRID is the credential that justifies a counter-offer when a senior analyst threatens to leave, and its course companion (ICS515) is taught by Robert M. Lee, the Dragos CEO who also wrote a 2026 Dragos blog post titled “We’re Asking the Wrong Question About OT Security Investment,” arguing that asset owners spend on tools and skip the visibility work that catches the threats those tools were procured to stop. The ISA/IEC 62443 expert track is the credential that lifts a candidate from engineer to architect and into the $180,000-plus band.
Who is hiring: agencies, primes, and pure-play OT vendors
Federal demand concentrates in a small number of organizations. The Cybersecurity and Infrastructure Security Agency (CISA) is the largest civilian employer of cleared OT talent, recruiting through both direct-hire authority and the cyber-specific GS pay scale. The Department of Energy (DOE) national laboratory system (Idaho National Laboratory in particular, which operates the federal cyber-physical test range) is the deepest bench of OT red-team and incident-response practitioners. The Department of Defense (DoD) hires across the four service cyber commands and through the Defense Information Systems Agency (DISA) for base utility cyber. The Defense Counterintelligence and Security Agency (DCSA) handles the clearance side.
On the contractor side, the pure-play OT vendors are Dragos, Claroty, Nozomi Networks, Armis, and Schweitzer Engineering Laboratories — the last of which is both a vendor and one of the largest OT cybersecurity employers in Pullman, Washington. Dragos’s company-authored May 2026 post on lessons from the frontlines opens with three load-bearing claims worth memorizing before any interview: “OT incident response often begins with uncertainty. Architecture shapes the radius of an intrusion. ICS visibility and network monitoring are the foundation for every other control.” Among the traditional primes, expect to find cleared OT roles at Leidos, Booz Allen Hamilton, SAIC, ManTech, Lockheed Martin, Raytheon Technologies, MITRE, and General Dynamics. Critical infrastructure protection (CIP) work for the electric sector also runs through NERC-CIP compliance shops at utilities themselves, though that work tends to require less clearance.
Military base utility systems: the underrated entry path
The fastest way into cleared OT work for transitioning service members is the base utility system. Every military installation runs its own electric distribution, water treatment, wastewater, natural gas, and steam plant, and every one of those plants is a SCADA environment. The Army Corps of Engineers, the Naval Facilities Engineering Systems Command (NAVFAC), and the Air Force Civil Engineer Center each run cyber programs for installation control systems, and they hire former facilities-engineering officers, civil engineering technicians, and communications-rate enlisted who have transitioned through Navy Cryptologic Technician Networks (CTN) or Army 25-series and 17-series MOSs.
The on-ramp credential is usually GICSP plus a Secret clearance, the on-ramp role is “Installation Control System Cybersecurity Analyst” at the GS-11 or GS-12 level, and within three years most of those analysts cross into either a contractor billet at $140,000-plus or a senior federal seat at GS-13/14. The DoD Cyber Workforce Framework formalizes this path through DCWF work roles, with the 461 (Systems Security Analyst), 521 (Cyber Defense Infrastructure Support Specialist), and 531 (Cyber Defense Incident Responder) roles being the most common landing spots inside the OT lane.
Frequently asked questions
Do I need a TS/SCI clearance to work in ICS cybersecurity for defense?
Not for every role. Many installation-level Industrial Control System Cybersecurity Analyst billets clear at Secret, particularly within the Army Corps of Engineers and Air Force Civil Engineer Center. TS/SCI becomes mandatory for offensive ICS work at USCYBERCOM, NSA, and the service cyber commands, and for incident-response support to classified critical infrastructure investigations under the Joint Cyber Defense Collaborative. The Top Secret / Sensitive Compartmented Information premium adds roughly $30,000-$45,000 to baseline cleared OT salaries.
Is ICS/SCADA a viable transition path from enterprise IT cybersecurity?
Yes, but expect a six-to-twelve-month learning curve on the process and protocol side. The strongest transition candidates are SOC analysts and incident responders who self-study the Purdue Model, complete SANS ICS410 toward the GICSP, and then take an associate-level role with a pure-play OT vendor like Dragos or Claroty for two years before moving to a defense prime. Network and protocol fluency transfers; the physics of pumps, breakers, and turbines does not.
What does the IT/OT convergence challenge actually mean for my job description?
It means the corporate network and the plant network are no longer air-gapped, which means an attacker who phishes a corporate user can, in a poorly architected environment, reach the engineering workstation that programs the PLC. Your job, as an OT security practitioner, is to make sure the Level 3.5 industrial demilitarized zone enforces the rules: no direct path between IT and OT, all traffic brokered through a data diode or proxy, and engineering changes audited at the protocol layer. NIST SP 800-82 Rev 3 §5 lays out the canonical reference architecture.
Which standard should I read first: IEC 62443 or NIST SP 800-82?
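The first two rules in this answer can be checked against flow records. This added example (not taken from NIST SP 800-82 or any vendor tool) maps addresses to the Purdue levels described earlier and flags flows that cross between IT and OT without the Level 3.5 DMZ, or that touch the DMZ off the allowlist. The subnets, the conduit allowlist, and the flows are constructed assumptions.

```python
import ipaddress

# Hypothetical subnet-to-Purdue-level map for one site (constructed for this example).
ZONES = {
    "10.0.0.0/16": 4.0,    # Levels 4-5, enterprise IT
    "10.35.0.0/24": 3.5,   # Level 3.5, industrial DMZ
    "10.30.0.0/24": 3.0,   # Level 3, site operations
    "10.20.0.0/24": 2.0,   # Level 2, area supervisory
    "10.10.0.0/24": 1.0,   # Level 1, basic control
}
# Allowlisted conduits through the DMZ: (source level, destination IP, destination port).
BROKERED = {
    (4.0, "10.35.0.10", 443),    # enterprise users to the jump server
    (3.5, "10.30.0.15", 3389),   # jump server to an engineering workstation
    (3.0, "10.35.0.20", 8443),   # historian pushing to its DMZ replica
}
# Most specific prefix first, so overlapping subnets resolve to the narrower zone.
_NETS = sorted(((ipaddress.ip_network(cidr), lvl) for cidr, lvl in ZONES.items()),
               key=lambda pair: pair[0].prefixlen, reverse=True)

def level_of(ip):
    """Longest-prefix match of an address to its Purdue level, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, lvl in _NETS:
        if addr in net:
            return lvl
    return None

def classify(src, dst, port):
    """Return 'ok', 'direct-it-ot', 'unbrokered-dmz' or 'unmapped' for one flow."""
    s, d = level_of(src), level_of(dst)
    if s is None or d is None:
        return "unmapped"            # asset-inventory gap: the zone is unknown
    if s == d:
        return "ok"                  # traffic inside a single zone
    if 3.5 in (s, d):
        return "ok" if (s, dst, port) in BROKERED else "unbrokered-dmz"
    if (s >= 4) != (d >= 4):
        return "direct-it-ot"        # crosses the boundary without the DMZ
    return "ok"                      # both ends on the same side of the DMZ

def audit_flows(flows):
    """Return (src, dst, port, verdict) for every flow that is not 'ok'."""
    findings = []
    for src, dst, port in flows:
        verdict = classify(src, dst, port)
        if verdict != "ok":
            findings.append((src, dst, port, verdict))
    return findings

# Constructed flow records (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.0.4.12", "10.35.0.10", 443),     # user to jump server, allowlisted
    ("10.35.0.10", "10.30.0.15", 3389),   # jump server to workstation, allowlisted
    ("10.0.4.12", "10.30.0.15", 3389),    # corporate host straight to Level 3
    ("10.0.9.9", "10.10.0.5", 502),       # corporate host straight to a PLC
    ("10.30.0.40", "10.35.0.20", 8443),   # historian to replica, allowlisted
    ("10.0.4.12", "10.35.0.20", 445),     # DMZ service reached off the allowlist
    ("10.20.0.7", "10.10.0.5", 502),      # HMI to PLC, both below the DMZ
    ("192.168.50.3", "10.20.0.7", 5900),  # source not in the zone map
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

Zoning between Levels 0 and 3 is not modeled here; the check covers only the IT/OT boundary and the DMZ allowlist.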
Read NIST Special Publication 800-82 Revision 3 first because it is free, federal, and the reference document for U.S. Government OT work. Then move to IEC 62443-3-3 for the requirements taxonomy and IEC 62443-4-2 for the component-level controls. The SANS ICS410 course paired with the GICSP credential covers both at the level a hiring manager will probe in an interview.
How does CISA’s role in industrial control system defense actually work?
CISA inherited the former ICS-CERT mission in 2018 and now runs the Industrial Control Systems vulnerability coordination program, publishes ICS advisories, maintains the Known Exploited Vulnerabilities catalog with OT entries flagged, and operates the CyberSentry passive monitoring service for participating critical infrastructure owners. CISA is also a major hiring channel for cleared OT analysts at the GS-12 through GS-15 level, particularly in the Joint Cyber Defense Collaborative and the Stakeholder Engagement Division.
How big is the OT threat landscape going into 2026?
Dragos’s 2026 OT Cybersecurity Year in Review tracks 26 active OT-focused threat groups and reports 3,300 industrial organizations impacted by ransomware in the period covered. The same report finds only 30% of OT networks have adequate visibility and 88% of asset owners struggle with detection and response — which is the supply-side argument for cleared OT compensation premiums holding through 2026.
