Three days ago, I made a decision that will define the next several months of my life: I'm going all-in on Industrial Control Systems (ICS) and Operational Technology (OT) cybersecurity, with a laser focus on the energy sector.

Not because it's trendy. Not because someone told me to. But because critical infrastructure protection is where cybersecurity matters most—and the skills gap is massive.

Why ICS/OT? Why Energy?

Let me be direct: I'm not a cybersecurity expert. Yet.

I'm someone with foundational IT knowledge who sees where the industry is headed. While everyone else is chasing cloud security and web app pentesting roles (valid, but crowded), the energy sector is desperately short on people who understand both cyber AND operational technology.

The attacks on Ukraine's power grid, the Triton/Trisis malware targeting safety systems, Colonial Pipeline—these aren't hypothetical scenarios. They're the reality of modern warfare and cybercrime. And the utilities, grid operators, and energy companies protecting our infrastructure need defenders who actually understand how SCADA systems, PLCs, and IEC-61850 protocols work.

That's where I'm going. Specifically: transmission and grid operations cybersecurity, with deep expertise in IEC-61850.

The 30-Week Roadmap

I'm not doing this randomly. I've built a structured, 30-week learning pathway that progressively builds from IT security fundamentals all the way to energy-sector specialization:

Phase 1 (Weeks 1-6): Purple Team Foundations
Learning to think like both an attacker and defender. If I can't break it, I can't effectively defend it. Building detection rules in Splunk, simulating credential attacks, lateral movement, and data exfiltration—all documented.

Phase 2 (Weeks 7-12): OT/ICS Fundamentals
This is where things get interesting. OpenPLC, ScadaBR, Modbus protocol analysis, and understanding why a 20-year-old PLC can't just be "patched." Learning the Purdue Model, network segmentation for safety-critical systems, and what makes OT fundamentally different from IT.

Phase 3 (Weeks 13-20): ICS Attack & Detection
Executing (safely, in VMs) replay attacks, sensor spoofing, unauthorized PLC writes. Then building multi-layer detection—network-based (Suricata), SIEM correlation (Splunk), and behavioral analysis. Creating SOC playbooks for ICS-specific incidents.
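
One of the detections this phase describes, an unauthorized PLC write spotted on the wire, can be shown end to end with a small Modbus/TCP parser. This is an added example, not code from the original post or its lab: it assumes a constructed allow-list (an HMI at 192.0.2.10 is the only host permitted to write), hand-built request frames, and RFC 5737 documentation addresses for every host.

```python
"""Flag Modbus/TCP write requests from hosts that are not allowed to write.

Added example, not code from the original post. It assumes a constructed
allow-list (the HMI at 192.0.2.10 is the only host permitted to write) and
hand-built Modbus/TCP request frames; all IPs are documentation addresses.
"""
import struct

# Modbus function codes that change PLC state (coils / holding registers).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

AUTHORIZED_WRITERS = {"192.0.2.10"}  # constructed: the HMI/engineering host


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header plus the leading PDU fields of a request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    # MBAP length counts the unit id byte and the PDU: everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    fc, data = frame[7], frame[8:]
    rec = {"transaction": tid, "unit": unit, "function": fc}
    if fc in (5, 6) and len(data) >= 4:                   # single write: address, value
        rec["address"], rec["value"] = struct.unpack(">HH", data[:4])
    elif fc in (1, 2, 3, 4, 15, 16) and len(data) >= 4:   # address, quantity
        rec["address"], rec["quantity"] = struct.unpack(">HH", data[:4])
    return rec


def build_frame(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Assemble a Modbus/TCP request (used here only to construct sample traffic)."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def sample_packets():
    """Constructed capture as (src_ip, dst_ip, frame) tuples; the PLC is 192.0.2.20."""
    plc = "192.0.2.20"
    return [
        # HMI polling holding registers 0..9: a normal read.
        ("192.0.2.10", plc, build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),
        # HMI changing a setpoint: a write, but from the authorized host.
        ("192.0.2.10", plc, build_frame(2, 1, 6, b"\x00\x10\x00\x64")),
        # Unknown host forcing coil 0 ON (0xFF00): unauthorized write.
        ("192.0.2.99", plc, build_frame(3, 1, 5, b"\x00\x00\xff\x00")),
        # Same host writing two holding registers starting at 0x10.
        ("192.0.2.99", plc, build_frame(4, 1, 16, b"\x00\x10\x00\x02\x04\x00\x00\x00\x00")),
    ]


def check_packets(packets, authorized=AUTHORIZED_WRITERS):
    """Return one alert per write request whose source is not on the allow-list."""
    alerts = []
    for src, dst, frame in packets:
        rec = parse_modbus_tcp(frame)
        if rec["function"] in WRITE_FUNCTIONS and src not in authorized:
            alerts.append({
                "src": src, "dst": dst, "unit": rec["unit"],
                "function": rec["function"],
                "name": WRITE_FUNCTIONS[rec["function"]],
                "address": rec.get("address"),
            })
    return alerts


if __name__ == "__main__":
    for a in check_packets(sample_packets()):
        print("ALERT unauthorized %(name)s from %(src)s to %(dst)s "
              "unit %(unit)d addr %(address)s" % a)
```

The allow-list is the whole detection: in a well-segmented OT network the set of hosts that should ever issue a write is small and static, so any write from outside it is worth an alert regardless of what value it carries. Suricata's `modbus` keyword can match on the same function codes, which is the network-layer version of this check; the parser above is useful for replaying pcaps offline and for feeding a SIEM correlation rule.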

Phase 4 (Weeks 21-30): Energy Sector Specialization
Power grid architecture, substation automation, IEC-61850 deep dive, NERC-CIP compliance, and threat actor analysis. The capstone: a comprehensive security assessment for a fictional utility that demonstrates end-to-end expertise.

Week 1: The Lab Setup

Today marks Day 3 of Week 1, and I've already:

Built the lab environment

  • Dell OptiPlex 3040 (i5, 16GB RAM) running Ubuntu

  • VirtualBox with Kali Linux (attacker), Windows 10 (target), and Ubuntu Server (defender)

  • Host-Only networking for isolated attack simulations

Created documentation infrastructure

  • GitHub portfolio repository: Every lab, every finding, every lesson learned

  • Learning log tracking daily progress

  • Case study template for Purple Team methodology

Started theory study

  • TCP/IP fundamentals (subnetting, routing, common ports)

  • MITRE ATT&CK framework mapping

  • SIEM fundamentals with Splunk Free

What Makes This Different?

I'm documenting everything. Not just the wins—the failures, the confusion, the "why isn't this VM booting" moments. Because:

  1. Portfolio proof: Employers want evidence, not claims. My GitHub will show exactly what I can do.

  2. Learning by teaching: Writing forces clarity. If I can't explain it, I don't understand it.

  3. Community value: Someone else starting this journey shouldn't have to figure everything out alone.

Every case study I create will include:

  • Technical walkthrough with commands, screenshots, pcaps

  • Detection engineering showing how to identify the attack

  • Communication artifacts translating technical findings for executives, operations teams, and technical staff

  • MITRE ATT&CK mapping showing understanding of adversary behavior

The Bigger Picture

Here's what I know: The energy sector needs cybersecurity professionals who can speak both languages—the language of IT security (threats, vulnerabilities, exploits) AND the language of operations (safety, reliability, uptime).

A CISO at a utility doesn't just want someone who can run Nmap. They need someone who understands that scanning a substation's IEDs during peak load could trip protection relays and cause a blackout.

That's the expertise I'm building. And I'm building it publicly, transparently, and with a timeline that proves it's achievable.

What's Next?

This week's remaining focus:

  • Deploy Windows 10 target VM and configure RDP/SMB

  • Run first credential attack simulation (password spraying)

  • Build first Splunk detection rule for failed login attempts

  • Document full attack → detection → communication workflow

Week 2 starts Monday, and it's all about lateral movement attacks and network-based detection with Suricata.

If you're in cybersecurity, considering ICS/OT, or just curious about what it takes to break into critical infrastructure protection, follow along. I'll be publishing weekly updates, technical deep-dives, and lessons learned.

Connect:
LinkedIn: https://www.linkedin.com/in/ryan-sharpnack-ics-security
Questions? Hit reply or reach out.
