The article details Immersive Labs’ OT/ICS cybersecurity training platform, which offers hands-on labs and scenarios across OT fundamentals, defensive and offensive operations, governance, risk, compliance, adaptive assessments, crisis simulations, and cyber range exercises. The platform targets security professionals, engineers, and incident responders, focusing on real-world threats, standards, and skills validation for industrial environments.
Immersive Labs
The following sections list the specific collections, and the labs within each, that make up the Immersive OT/ICS license package.
OT Fundamentals
The OT Fundamentals category on the Immersive Labs cybersecurity training platform builds practical knowledge of operational technology security across industrial control systems, devices, protocols, architectures, and real-world threats. Through the OT: Fundamentals collection, learners establish core context by differentiating IT, OT, ICS, and embedded devices; exploring the Purdue Model’s enterprise and control zones; and understanding SCADA and DCS operations along with common threats and vulnerabilities. This foundation helps learners reason about safety, reliability, and real-time constraints that shape risk in industrial environments.
Building on that, the OT: Devices and Protocols collection provides hands-on familiarity with PLCs and IEC 61131-3 programming, HMIs, and data historians, and dives into key ICS protocols including CIP – Ethernet/IP, MODBUS, PROFINET, and S7Comm, enabling learners to recognize protocol behavior, anticipate security blind spots, and inform monitoring and segmentation strategies. The OT: Threats and Vulnerabilities collection applies this knowledge to adversary tradecraft with MITRE ATT&CK for ICS, examines malware such as Triton, and explores risks like protocol injection and remote access misuse, preparing learners to identify techniques, validate exposure, and prioritize mitigations. Skills are validated in the Assessment: Operational Technology collection, confirming readiness to operate in OT contexts. The OT Incident Command collection rounds out the category with the incident commander's role and framework, decision authority during OT incidents (including when doing nothing is the safest choice), situational awareness and communication, and coordination of IT, OT, safety, and external parties while running the incident. This category is designed for security analysts, SOC teams, incident responders, engineers, and risk practitioners who need to understand and defend ICS environments; graduates will be equipped to assess OT risk, harden architectures, enhance detection, and support effective incident response across industrial networks.
Collections
| Collection Name | Lab Count |
|---|---|
| OT: Devices and Protocols | 8 |
| OT: Fundamentals | 5 |
| OT: Threats and Vulnerabilities | 4 |
| Assessment: Operational Technology | 1 |
| OT Incident Command | 6 |
OT: Devices and Protocols
| Lab | Difficulty | Format |
|---|---|---|
| Programmable Logic Controllers | 5 | practical |
| IEC 61131-3: PLC Programming | 4 | practical |
| Human Machine Interfaces | 4 | theory |
| Data Historians | 3 | practical |
| ICS Protocols: CIP – Ethernet/IP | 5 | practical |
| ICS Protocols: MODBUS | 5 | practical |
| ICS Protocols: PROFINET | 6 | practical |
| ICS Protocols: S7Comm | 6 | practical |
OT: Fundamentals
| Lab | Difficulty | Format |
|---|---|---|
| Operational Technology Fundamentals: IT, OT, ICS, and Embedded Devices | 2 | theory |
| Operational Technology Fundamentals: Purdue Model for ICS – Enterprise Zone | 1 | practical |
| Operational Technology Fundamentals: Purdue Model for ICS – Control Zone | 1 | practical |
| Operational Technology Fundamentals: SCADA and DCS | 3 | theory |
| Operational Technology Fundamentals: Common Threats and Vulnerabilities | 3 | practical |
OT: Threats and Vulnerabilities
| Lab | Difficulty | Format |
|---|---|---|
| Mitre ATT&CK for ICS | 4 | practical |
| ICS Malware: Triton | 5 | practical |
| ICS Vulnerabilities: Protocol Injection | 6 | practical |
| ICS Vulnerabilities: Remote Access | 6 | practical |
Assessment: Operational Technology
| Lab | Difficulty | Format |
|---|---|---|
| Assessment: Operational Technology | 1 | practical |
OT Incident Command
| Lab | Difficulty | Format |
|---|---|---|
| OT Incident Command: The Role and Framework | 2 | theory |
| OT Incident Command: Decision Authority in OT Incidents | 2 | theory |
| OT Incident Command: The Do-Nothing Decision | 2 | practical |
| OT Incident Command: Situational Awareness and Communication | 2 | theory |
| OT Incident Command: Coordinating IT, OT, Safety, and External Parties | 2 | practical |
| OT Incident Command: Running the Incident | 2 | practical |
Defensive OT
Defensive OT on the Immersive Labs cybersecurity training platform builds practical skills for defending industrial control systems, SCADA networks, and other operational technology that underpins critical infrastructure. Through the OT Challenges collection—featuring hands-on labs such as Modding the Modbus, Traffic Lights, Tic Tac Toe, Shut Down The Grid, Code Cracker, Code Cracker X, Orchid Energy – Open-Source Intelligence, and Defuse the Bomb—learners practice protocol analysis, PLC-style logic reasoning, process safety thinking, and time-pressured troubleshooting to strengthen real-world defensive instincts.
Complementing this practice, the OT: Malware collection examines how threats like Medusa Ransomware, FrostyGoop, CaddyWiper, IOCONTROL, and Industroyer behave in OT contexts, helping learners recognize behaviors, identify indicators, and plan containment and recovery. The OT: Threat Actors collection profiles groups including BAUXITE, CyberAv3ngers, GRAPHITE, Sandworm Team, and KAMACITE to illuminate motives and TTPs, while OT: Threats and Vulnerabilities grounds defenders in MITRE ATT&CK for ICS and notable issues like Triton, protocol injection, and remote access weaknesses to inform detection engineering and hardening. A further set of collections follows the OT incident lifecycle end to end: Introduction to Incident Response for OT (how response goals change in OT, alert validation, severity assessment, safe containment, and return to operations), OT Incident Detection (data sources, use-case design, validation without disruption, and tuning), OT Threat Hunting (hypotheses, telemetry sources, process- and protocol-aware hunting, and safe execution), OT Honeypots (placement, safety and risk management, and using their output), and OT System Recovery (safe isolation and shutdown, scoping and prioritizing recovery, restoration and validation, and post-recovery resilience). The Sandworm Team Industroyer Campaign collection ties these together by walking through that intrusion from initial access and credential harvesting to ICS payload execution, persistence, and protocol discovery. This category is designed for SOC analysts, incident responders, OT/ICS engineers, and security leaders who protect industrial environments; by completing it, they will be equipped to assess risk, prioritize mitigations, and detect, respond to, and recover from OT-focused attacks while maintaining safety and reliability.
Collections
| Collection Name | Lab Count |
|---|---|
| OT Challenges | 8 |
| OT: Malware | 5 |
| OT: Threat Actors | 5 |
| OT: Threats and Vulnerabilities | 4 |
| Introduction to Incident Response for OT | 7 |
| OT Threat Hunting | 7 |
| OT Incident Detection | 6 |
| OT Honeypots | 4 |
| OT System Recovery | 5 |
| Sandworm Team Industroyer Campaign | 4 |
OT Challenges
| Lab | Difficulty | Format |
|---|---|---|
| OT Challenges: Code Cracker | 5 | practical |
| OT Challenges: Modding the Modbus | 4 | practical |
| OT Challenges: Tic Tac Toe | 4 | practical |
| OT Challenge: Shut Down The Grid | 7 | practical |
| OT Challenges: Orchid Energy – Open-Source Intelligence | 5 | practical |
| OT Challenges: Defuse the Bomb | 5 | practical |
| OT Challenges: Code Cracker X | 8 | practical |
| OT Challenges: Traffic Lights | 5 | practical |
OT: Malware
| Lab | Difficulty | Format |
|---|---|---|
| OT Malware: Medusa Ransomware | 5 | practical |
| OT Malware: FrostyGoop | 5 | practical |
| OT Malware: CaddyWiper | 5 | practical |
| OT Malware: IOCONTROL | 5 | practical |
| OT Malware: Industroyer | 5 | practical |
OT: Threat Actors
| Lab | Difficulty | Format |
|---|---|---|
| OT Threat Actors: BAUXITE | 4 | practical |
| OT Threat Actors: CyberAv3ngers | 4 | practical |
| OT Threat Actors: GRAPHITE | 4 | practical |
| OT Threat Actors: Sandworm Team | 4 | practical |
| OT Threat Actors: KAMACITE | 4 | practical |
OT: Threats and Vulnerabilities
| Lab | Difficulty | Format |
|---|---|---|
| Mitre ATT&CK for ICS | 4 | practical |
| ICS Malware: Triton | 5 | practical |
| ICS Vulnerabilities: Protocol Injection | 6 | practical |
| ICS Vulnerabilities: Remote Access | 6 | practical |
Introduction to Incident Response for OT
| Lab | Difficulty | Format |
|---|---|---|
| Communication and coordination during incidents | 2 | theory |
| How Incident Response goals change in OT | 2 | theory |
| Investigation Basics | 2 | theory |
| Detection and alert validation | 2 | practical |
| Incident types and severity assessment | 2 | practical |
| Recovery and return to Operations | 2 | practical |
| Safe Containment Principles | 2 | practical |
OT Threat Hunting
| Lab | Difficulty | Format |
|---|---|---|
| Hunt Hypotheses | 3 | theory |
| Hunt Output for Incident Response | 5 | practical |
| Process-aware Hunting | 5 | practical |
| Protocol-aware Hunting | 5 | practical |
| Safe Hunt Execution | 5 | theory |
| Telemetry Sources | 5 | practical |
| What threat hunting means in OT | 3 | theory |
OT Incident Detection
| Lab | Difficulty | Format |
|---|---|---|
| Alert validation without disruption | 4 | practical |
| Data sources | 5 | practical |
| Designing use cases | 5 | practical |
| Detection Philosophy | 3 | theory |
| Output to Incident Response | 3 | practical |
| Tuning and maintaining detections | 6 | practical |
OT Honeypots
| Lab | Difficulty | Format |
|---|---|---|
| OT Honeypots: Introduction | 4 | practical |
| OT Honeypots: Placement Strategy | 5 | practical |
| OT Honeypots: Safety and Risk Management | 2 | theory |
| OT Honeypots: Output From Honeypots | 4 | practical |
OT System Recovery
| Lab | Difficulty | Format |
|---|---|---|
| OT System Recovery: Restoring and Validating OT Systems | 4 | practical |
| OT System Recovery: Safe Isolation and Shutdown Procedures | 3 | practical |
| OT System Recovery: Scoping and Prioritizing Recovery | 2 | theory |
| OT System Recovery: Why It's Different | 1 | theory |
| OT System Recovery: Post-Recovery and Resilience | 2 | theory |
Sandworm Team Industroyer Campaign
| Lab | Difficulty | Format |
|---|---|---|
| Sandworm Team Industroyer Campaign: Initial Access | 5 | practical |
| Sandworm Team Industroyer Campaign: Credential Harvesting | 6 | practical |
| Sandworm Team Industroyer Campaign: ICS Payload Execution | 6 | practical |
| Sandworm Team Industroyer Campaign: Persistence and Protocol Discovery | 6 | practical |
OT: Malware
| Lab | Difficulty | Format |
|---|---|---|
| OT Malware: Industroyer Analysis | 6 | practical |
Offensive OT
On the Immersive Labs cybersecurity training platform, the Offensive OT category immerses learners in adversarial techniques against industrial control systems and broader operational technology. Through safe, hands-on labs, you’ll practice reconnaissance, discovery, exploitation, and process manipulation across PLCs, HMIs, and common ICS protocols such as Modbus, while building an understanding of ladder logic, network traffic analysis, and OSINT applied to industrial environments.
Three structured pathways anchor the category. In OT: Hack Your First PLC, you progress from fundamentals to practical tradecraft: discovering internet-exposed PLCs with Shodan, identifying devices with Wireshark and active discovery tools, manipulating processes via Modbus, and tampering with ladder logic before proving capability in a capstone. Hack Your First HMI mirrors this journey for operator interfaces, covering discovery, exploitation, and indirect manipulation to influence underlying processes. Hack Your First RTU extends the same approach to remote terminal units, from Shodan discovery through reconnaissance and enumeration to manipulating outputs over IEC-104. The OT Challenges collection reinforces these skills through scenario-based exercises, such as modifying Modbus registers, conducting open-source intelligence in Orchid Energy, simulating grid disruption, and defusing time-critical hazards, to hone problem-solving under realistic constraints. This category is designed for red teamers, penetration testers, ICS/OT security practitioners, and security engineers transitioning into OT; by the end, learners will be equipped to emulate real-world attack paths, assess OT attack surfaces safely, and communicate risk and remediation effectively.
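The Modbus skills this page keeps returning to (Modding the Modbus and Traffic Lights in Defensive OT, PLC Process Manipulation with Modbus here) all come down to one frame layout: a 7-byte MBAP header and a function-code PDU with no authentication at all. The following is an added example, not code from the Immersive Labs platform or its labs: it builds and parses Modbus/TCP requests, then runs the parser over a constructed capture to flag write function codes from any host outside an assumed engineering-workstation allow-list, which is exactly the check a passive monitor spanning the control network can make. The IP addresses, unit id and register numbers are assumptions.

```python
"""Modbus/TCP request builder, parser and passive write detector.

Added example for this page (not Immersive Labs code). Frames, IP
addresses and register numbers below are constructed for illustration.
"""
import struct

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10
# Function codes that change process state on the PLC (0x16 mask write,
# 0x17 read/write multiple); anything else is read-only or diagnostic.
WRITE_FUNCTION_CODES = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
                        WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS, 0x16, 0x17}


def build_request(tid, unit, function_code, *fields):
    """Wrap a PDU (function code + big-endian 16-bit fields) in an MBAP header."""
    pdu = struct.pack(">B" + "H" * len(fields), function_code, *fields)
    # The MBAP length field counts the unit id byte plus the PDU.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_holding_registers(tid, unit, start, count):
    return build_request(tid, unit, READ_HOLDING_REGISTERS, start, count)


def write_single_register(tid, unit, address, value):
    return build_request(tid, unit, WRITE_SINGLE_REGISTER, address, value)


def parse_frame(frame):
    """Decode one Modbus/TCP frame; raises ValueError on anything malformed."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("truncated frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame" % length)
    fc = frame[MBAP_LEN]
    data = frame[MBAP_LEN + 1:]
    info = {"tid": tid, "unit": unit, "fc": fc,
            "is_write": fc in WRITE_FUNCTION_CODES}
    if fc & 0x80:  # exception response: original fc | 0x80, then exception code
        info["exception"] = data[0] if data else None
    elif fc in (READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER) and len(data) == 4:
        address, second = struct.unpack(">HH", data)
        info["address"] = address
        info["value" if fc == WRITE_SINGLE_REGISTER else "count"] = second
    return info


def find_unauthorized_writes(capture, allowed_writers):
    """capture: iterable of (src_ip, dst_ip, tcp_payload) sent toward port 502.

    Returns one finding per write request whose source is not an allowed
    engineering workstation. Reads are ignored; malformed payloads are skipped.
    """
    findings = []
    for src, dst, payload in capture:
        try:
            f = parse_frame(payload)
        except ValueError:
            continue
        if f["is_write"] and src not in allowed_writers:
            findings.append({"src": src, "plc": dst, "fc": f["fc"],
                             "address": f.get("address"), "value": f.get("value")})
    return findings


# Constructed capture: the engineering workstation polls and writes a setpoint,
# then a host outside the allow-list writes the same register back to zero.
ENGINEERING_WS = "10.10.20.5"   # assumed address
PLC = "10.10.20.100"            # assumed address
SAMPLE_CAPTURE = [
    (ENGINEERING_WS, PLC, read_holding_registers(1, 1, 0, 10)),
    (ENGINEERING_WS, PLC, write_single_register(2, 1, 40, 1200)),
    ("10.10.30.77", PLC, write_single_register(3, 1, 40, 0)),
    ("10.10.30.77", PLC, read_holding_registers(4, 1, 40, 1)),
]

if __name__ == "__main__":
    for finding in find_unauthorized_writes(SAMPLE_CAPTURE, {ENGINEERING_WS}):
        print("unauthorized write:", finding)
```

Because Modbus carries no identity, the only thing that distinguishes an operator's setpoint change from the rogue write above is where it came from and whether the register and value make sense for the process; the allow-list is the first of those checks, and the same parser feeds the second.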
Collections
| Collection Name | Lab Count |
|---|---|
| OT Challenges | 8 |
| OT: Hack Your First PLC | 7 |
| Hack Your First HMI | 6 |
| Hack Your First RTU | 5 |
OT Challenges
| Lab | Difficulty | Format |
|---|---|---|
| OT Challenges: Code Cracker | 5 | practical |
| OT Challenges: Modding the Modbus | 4 | practical |
| OT Challenges: Tic Tac Toe | 4 | practical |
| OT Challenge: Shut Down The Grid | 7 | practical |
| OT Challenges: Orchid Energy – Open-Source Intelligence | 5 | practical |
| OT Challenges: Defuse the Bomb | 5 | practical |
| OT Challenges: Code Cracker X | 8 | practical |
| OT Challenges: Traffic Lights | 5 | practical |
OT: Hack Your First PLC
| Lab | Difficulty | Format |
|---|---|---|
| Hack Your First PLC: Introduction | 2 | theory |
| Hack Your First PLC: Discovering Internet Accessible PLCs with Shodan | 2 | theory |
| Hack Your First PLC: Discovering PLCs Using Wireshark | 5 | practical |
| Hack Your First PLC: Tools for Active PLC Discovery | 5 | practical |
| Hack Your First PLC: PLC Process Manipulation with Modbus | 5 | practical |
| Hack Your First PLC: Manipulating Ladder Logic | 5 | practical |
| Hack Your First PLC: Demonstrate Your Skills | 6 | practical |
Hack Your First HMI
| Lab | Difficulty | Format |
|---|---|---|
| Hack Your First HMI: Introduction | 2 | theory |
| Hack Your First HMI: Discovering Internet Accessible HMIs with Shodan | 2 | theory |
| Hack Your First HMI: Discovering HMIs Using Wireshark | 5 | practical |
| Hack Your First HMI: Exploitation | 5 | practical |
| Hack Your First HMI: Indirect Manipulation | 6 | practical |
| Hack Your First HMI: Demonstrate Your Skills | 6 | practical |
Hack Your First RTU
| Lab | Difficulty | Format |
|---|---|---|
| Hack Your First RTU: Introduction | 2 | theory |
| Hack Your First RTU: Discovering RTUs Using Shodan | 2 | theory |
| Hack Your First RTU: Reconnaissance and Enumeration | 5 | practical |
| Hack Your First RTU: Manipulating Outputs via IEC-104 | 6 | practical |
| Hack Your First RTU: Demonstrate Your Skills | 6 | practical |
OT Governance, Risk and Compliance
On the Immersive Labs cybersecurity training platform, the OT Governance, Risk and Compliance category develops the knowledge and practical skills needed to govern, assess, and assure security in industrial and critical infrastructure environments. The ISA/IEC 62443 Fundamentals collection builds a solid foundation in the leading OT security framework, explaining what the standard is, its core focus areas, structure and components, how it relates to other standards, and how to interpret security requirements alongside business and management considerations. Learners come away able to translate 62443 guidance into governance processes, risk controls, and lifecycle practices appropriate to real-world OT systems.
Complementing the standards focus, the OT: Threat Actors collection examines adversaries that target industrial environments—such as BAUXITE, CyberAv3ngers, GRAPHITE, Sandworm Team, and KAMACITE—so learners can recognize motivations, techniques, and campaign patterns and use that insight to prioritize defenses and inform risk decisions. The OT: Cyber Threat Intelligence collection then guides learners through the OT-specific CTI lifecycle, from key concepts and setting direction and requirements to collection, analysis, and effective dissemination that supports governance and compliance outcomes. This category is designed for OT security practitioners, GRC professionals, risk managers, compliance officers, and industrial engineers, equipping them to align programs with ISA/IEC 62443, understand and track relevant threat activity, integrate CTI into decision-making, and strengthen operational resilience while meeting regulatory and business expectations.
Collections
| Collection Name | Lab Count |
|---|---|
| ISA/IEC 62443 Fundamentals | 6 |
| OT: Threat Actors | 5 |
| OT: Cyber Threat Intelligence | 4 |
ISA/IEC 62443 Fundamentals
| Lab | Difficulty | Format |
|---|---|---|
| ISA/IEC 62443 Fundamentals: What is ISA/IEC 62443? | 2 | theory |
| ISA/IEC 62443 Fundamentals: Core Focus Areas | 2 | theory |
| ISA/IEC 62443 Fundamentals: Structure and Components | 2 | theory |
| ISA/IEC 62443 Fundamentals: Relation To Other Standards | 2 | theory |
| ISA/IEC 62443 Fundamentals: Understanding Security Requirements | 2 | theory |
| ISA/IEC 62443 Fundamentals: Business and Management Aspects | 2 | theory |
OT: Threat Actors
| Lab | Difficulty | Format |
|---|---|---|
| OT Threat Actors: BAUXITE | 4 | practical |
| OT Threat Actors: CyberAv3ngers | 4 | practical |
| OT Threat Actors: GRAPHITE | 4 | practical |
| OT Threat Actors: Sandworm Team | 4 | practical |
| OT Threat Actors: KAMACITE | 4 | practical |
OT: Cyber Threat Intelligence
| Lab | Difficulty | Format |
|---|---|---|
| OT Cyber Threat Intelligence: Key Concepts | 2 | theory |
| OT Cyber Threat Intelligence: Direction and Review | 3 | practical |
| OT Cyber Threat Intelligence: Collection | 5 | practical |
| OT Cyber Threat Intelligence: Analysis and Dissemination | 6 | practical |
Adaptive Assessment
The package also includes a computerized adaptive testing (CAT) style assessment to establish a baseline and track progress against it over time. It draws on a pool of 150 OT/ICS-specific questions of varying difficulty. When the assessment is assigned to users, a subset of questions spanning those difficulty levels is selected and a baseline score is generated.
Crisis Simulations
The following Crisis Simulations are considered OT/ICS content.
Operation Pressure Test
| Type | Injects | Attack Vectors | Threat Actors |
|---|---|---|---|
| Crisis Sim | 40 | — | — |
As Ganymede’s site manager after a recent acquisition, you face a localized cyberattack that led the Texas Railroad Commission to suspend operations. With legacy systems not yet aligned to Orchid Energy, you must run an IT/OT penetration test, remediate weaknesses, and deliver evidence that OT is protected from unauthorized access, control, and manipulation to restart production.
You’ll decide test scope and methods, coordinate OT/IT/security and vendors, manage evidence and change control, and prioritize fixes while balancing safety, downtime, and regulatory expectations. The scenario sharpens risk-based communication and decision-making with regulators, corporate leaders, and field staff against cyber threats targeting industrial control systems. Ideal for site leaders, OT/IT security managers, incident responders, and compliance professionals in energy and other critical infrastructure.
Orchid Energy: Pipeline Panic
| Type | Injects | Attack Vectors | Threat Actors |
|---|---|---|---|
| Crisis Sim | 24 | Targeted Attack | Nation State |
In Orchid Energy: Pipeline Panic, participants confront a targeted nation-state cyberattack against newly acquired oil field operations controlled via Siemens PLCs, HMIs, and a compact SCADA system. With IT monitored by Splunk but the OT network largely blind except for a passive packet capture, suspected manipulation of pumpjacks, pipelines, and potentially a safety instrumented system triggers operational disruption, safety risk, and regulatory scrutiny across Orchid Energy’s Midland-based control center.
Success demands rapid, cross-functional decision-making: distinguishing IT vs OT impacts, safely isolating and restoring industrial processes, prioritizing safety over production, coordinating Incident and Crisis Management Teams, communicating with executives and stakeholders, and fulfilling regulatory obligations. The exercise emphasizes asset visibility, OT monitoring, M&A cybersecurity due diligence, and crisis leadership under pressure. Ideal for incident responders, OT engineers, security leaders, and crisis managers in energy and other critical infrastructure sectors.
OT Crisis Management for Executives
| Type | Injects | Attack Vectors | Threat Actors |
|---|---|---|---|
| Crisis Sim | None | — | — |
- Understanding why OT incidents carry consequences that data breaches don't: safety risk, operational downtime costs, and regulatory complexity
- Recognizing when a security incident becomes a crisis and what decisions need to happen in the first hour
- Making high-pressure calls with incomplete information, including when to shut down production, when to invoke emergency procedures, and how to weigh safety against operational continuity
- Managing stakeholder and regulatory communication under pressure: who needs to know, what, and when
- Leading the business through prolonged operational disruption, including manual fallback decisions and workforce communication
- Running a post-crisis review from a leadership perspective: what decisions held up, what failed, board reporting, and regulatory follow-up
Cyber Range Exercises
The following Cyber Range Exercises are considered OT/ICS content.
Kween - Offensive
Kween – Offensive places users in the role of penetration testers tasked with performing activities against a small network named kween.local. The scenario simulates a real-life situation where the internal network has been compromised due to easily attainable external access and a series of internal vulnerabilities.
Users begin their engagement outside the network and must find a way to breach the perimeter. Once inside, the objective is to fully compromise an Active Directory environment, pivot to a second AD environment, and ultimately disable a PLC-like system. This multi-stage attack path mimics complex, layered network intrusions.
The technical requirements for this scenario include brute-forcing proxy servers, performing SQL injection on public-facing servers, and dumping passwords. Advanced stages involve DCSync attacks, password spraying, and exploiting buffer overflows to achieve privilege escalation on the operational technology (PLC) components.
Kween - Defensive
Kween – Defensive is aimed at SOC Analysts and IR professionals investigating a compromise at Kween Industries. The client suspects a network breach and has provided access to their Splunk and Velociraptor setups for investigation.
The network environment includes various servers and workstations with Sysmon and Splunk Universal Forwarders installed. Users must navigate through event logs to detect the attack path.
Observable techniques in this scenario include password brute-forcing, RDP access using recovered credentials, and credential dumping from the registry. The investigation also covers DCSync attacks, PowerShell persistence scripts, and SSH access to operational technology components like the Kween PLC.
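As an added example (not part of the cyber range or of the Immersive Labs page), the following Python runs three of the detections an analyst would build for this attack path over a handful of constructed events shaped like Splunk-forwarded Windows Security and Sysmon records: a burst of 4625 logon failures for the brute force, a Sysmon process-creation event whose command line saves the SAM hive for the registry credential dump, and Security event 4662 requesting the directory replication control-access rights (the DS-Replication-Get-Changes GUIDs) from an account that is not a domain controller for the DCSync. Hostnames, users, addresses and timestamps are invented; the event IDs, field names and GUIDs are Microsoft's real ones.

```python
"""Detections for the Kween - Defensive attack path over constructed events.

Added example for this page, not Immersive Labs or cyber-range code.
Events mimic Splunk-forwarded Windows Security / Sysmon fields; hosts,
users, IPs and times are invented.
"""
import re
from collections import defaultdict

# Control-access rights a DCSync (replication) request asks for in event 4662
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# reg.exe save of the hives that hold local/cached credentials
HIVE_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\s+(?:hklm\\)?(sam|security|system)\b", re.I)


def detect_dcsync(events, dc_accounts):
    """4662 with replication rights from a principal that is not a DC computer account."""
    hits = []
    for e in events:
        if e.get("EventCode") != 4662:
            continue
        props = e.get("Properties", "").lower()
        if DS_REPLICATION_GET_CHANGES not in props and DS_REPLICATION_GET_CHANGES_ALL not in props:
            continue
        user = e.get("SubjectUserName", "")
        if user.upper() in dc_accounts:
            continue  # DC-to-DC replication is expected; tune this allow-list per domain
        hits.append((e["_time"], e["host"], user))
    return hits


def detect_hive_dump(events):
    """Sysmon event 1 whose command line saves SAM/SECURITY/SYSTEM to disk."""
    hits = []
    for e in events:
        if e.get("source") == "Sysmon" and e.get("EventCode") == 1:
            m = HIVE_SAVE.search(e.get("CommandLine", ""))
            if m:
                hits.append((e["_time"], e["host"], e.get("User"), m.group(1).upper()))
    return hits


def detect_bruteforce(events, threshold=5, window=60):
    """Source IPs with >= threshold failed logons (4625) inside any window of seconds."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("EventCode") == 4625:
            by_src[e.get("IpAddress")].append(e["_time"])
    hits = []
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                hits.append((src, j - i))
                break
    return hits


# Constructed events, in the order the attack path produces them.
SAMPLE_EVENTS = [
    {"_time": 1000 + i, "host": "kween-dc01", "EventCode": 4625,
     "IpAddress": "10.10.1.50", "TargetUserName": "svc_backup"} for i in range(8)
] + [
    {"_time": 1100, "host": "kween-dc01", "EventCode": 4624, "LogonType": 10,  # RDP with the recovered password
     "IpAddress": "10.10.1.50", "TargetUserName": "svc_backup"},
    {"_time": 1200, "host": "kween-ws03", "source": "Sysmon", "EventCode": 1,
     "User": "KWEEN\\svc_backup",
     "CommandLine": "reg.exe save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"},
    {"_time": 1300, "host": "kween-dc01", "EventCode": 4662, "SubjectUserName": "svc_backup",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",  # domainDNS
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"_time": 1301, "host": "kween-dc01", "EventCode": 4662, "SubjectUserName": "KWEEN-DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},  # legitimate replication partner
]

if __name__ == "__main__":
    print("brute force:", detect_bruteforce(SAMPLE_EVENTS))
    print("hive dump:  ", detect_hive_dump(SAMPLE_EVENTS))
    print("dcsync:     ", detect_dcsync(SAMPLE_EVENTS, {"KWEEN-DC02$"}))
```

The DCSync rule is the one that needs care: every domain controller legitimately requests the same rights when it replicates, so the allow-list of DC computer accounts (and confirming that 4662 auditing of directory service access is actually enabled on the DCs) decides whether the rule is useful or noise. The same logic transfers directly into a Splunk search over `EventCode=4662 Properties="*1131f6aa*"` with the DC accounts excluded.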
Qing - Defensive
Qing – Defensive is a scenario aimed at SOC Analysts investigating an attack against the Qing Corporation. The network environment is extensive, including an Operational Technology (OT) network segment with PLCs and SCADA HMIs.
Users are provided with Splunk, Fleet, and Velociraptor to aid in detection. The scenario involves investigating compromised Exchange servers, Jenkins servers, and workstations.
The attack utilizes the ProxyLogon exploit (CVE-2021-26855) for initial access on the Exchange server. Persistence is achieved via Registry Run keys. Attackers pivot to workstations using PsExec and exploit a Jenkins server to retrieve VPN credentials, ultimately targeting the OT network.
Qing - Offensive
Qing – Offensive tasks users with performing pentest-like activities against the fictional corporate network of Qing Corp. The objective is to move through three different networks—starting from an external phishing campaign—to reach the target Operational Technology (OT) network.
Attackers must successfully launch a phishing campaign to gain an initial foothold. From there, they must traverse the network layers, eventually gaining access to the OT environment where they can optionally cause damage to the machines, such as the SCADA HMI and PLC Modbus systems.
The specific techniques required include Exchange Server RCE and Jenkins exploitation to move through the corporate infrastructure. Users will need to recover credentials from email backups and .lnk files to facilitate lateral movement. The final stage involves Denial of Service (DoS) attacks against the OT components.