🏭 NIST SP 800-82r3 Toolkit

Exercise Your OT Security Program Against
NIST SP 800-82 Rev. 3

NIST SP 800-82 Rev. 3 is NIST's Guide to Operational Technology (OT) Security — it tailors the SP 800-53 control families to industrial environments and supplies an OT overlay spanning ICS, SCADA, DCS, PLCs, safety systems, and the Purdue Model. CyberICS provides 300+ ready-to-run OT/ICS tabletop scenarios, AI-generated After Action Reports, and a control-coverage map — so an OT team can exercise its incident response and the 800-82-relevant control families, and evidence that readiness.

IR — Incident Response (exercise-tested)
AT — Awareness & Training
CP — Contingency Planning & recovery
OT overlay — safety-aware, impact-driven
Purdue Model — IT/OT boundary
Start Free — 14-Day Trial ⚙️ See the IEC 62443 Toolkit → Talk to Our OT Security Team
Compliance & Handling Note: CyberICS exercises and evidence artifacts support the objectives of NIST SP 800-82 Rev. 3 — incident response, awareness & training, contingency planning, and the OT overlay — as part of a structured readiness program. NIST SP 800-82 is guidance, not a certification; CyberICS is an independent platform and does not assess or certify your OT program. Exercises should be run against representative, non-production scenario content — never connect live ICS/SCADA control assets to any commercial SaaS, including this platform.
Who NIST SP 800-82 Serves

OT Asset Owners & the Converged IT/OT Enterprise

NIST SP 800-82 Rev. 3 is written for everyone responsible for securing operational technology — the engineers, operators, and security teams who run ICS, SCADA, DCS, and safety systems, and the enterprise security functions that now reach across the IT/OT boundary.

OT / ICS Asset Owners & Operators

The Plant Floor & Control Room

Organizations that own, operate, or integrate industrial control systems carry the safety and availability mission that NIST SP 800-82 is built around. The guide's OT overlay reshapes the SP 800-53 controls so they fit environments where a control action has a physical, sometimes safety-critical, consequence.

  • Energy, water/wastewater & utilities (SCADA / DCS)
  • Manufacturing, chemical & process industries (PLC / SIS)
  • Oil & gas, pipelines & midstream operators
  • Transportation, building automation & smart infrastructure
  • OT engineers, control-room operators & safety staff
Tabletop exercises directly exercise the IR (incident response) and AT (awareness & training) families and the OT overlay's safety-and-operational-impact considerations.
Converged IT/OT Environments

Across the Purdue Model Boundary

As IT and OT converge, NIST SP 800-82 guides security teams that must extend enterprise controls into the plant without breaking safety or availability. Exercises rehearse the cross-domain coordination — IT SOC, OT engineering, and safety — that an IT→OT incident demands.

  • CISO / OT security lead — converged program ownership
  • SOC / IR teams — extending detection & response to OT
  • Control engineers / ICS staff — Purdue-aware response
  • Safety / process engineers — SIS & operational impact
  • System integrators & OT vendors in the supply chain
800-82 stresses segmentation across the IT/OT boundary; exercises rehearse the IT→OT pivot and the coordinated response that boundary demands.
🏭

An OT Overlay — Not an IT Control Set Copied Onto the Plant Floor

NIST SP 800-82 Rev. 3 deliberately re-prioritizes the SP 800-53 controls for OT: safety and availability come first, and every control is read through its operational and physical impact. CyberICS exercises are built the same way — safety-aware, Purdue-aware, and run in your team's working language so the whole control room can take part.

🇬🇧 English 🇫🇷 Français 🇵🇹 Português 🇪🇸 Español 🇩🇪 Deutsch 🇮🇹 Italiano
NIST SP 800-82r3 / OT Overlay Mapping

Control Families & OT Overlay → CyberICS Capability

NIST SP 800-82 Rev. 3 tailors the SP 800-53 control families for OT and adds overlay considerations for safety and operational impact. Tabletop exercises directly exercise incident response and training, support recovery and risk activities, and generate evidence across several more families.

NIST SP 800-82r3 Control-Family Reference

Coverage: Core = exercise directly exercises the family  |  Supporting = exercise validates / documents  |  Partial = scenario content covers the domain

Family Control Area OT Overlay Focus CyberICS Capability Coverage
IR Incident Response Establish, exercise, and improve an OT incident-response capability that accounts for safety and process impact Live Session mode runs structured OT incident-response exercises end-to-end; the AI AAR documents detection, containment, eradication, and recovery — the test record that exercises the IR family Core
AT Awareness & Training Role-based security awareness for OT operators, engineers, and staff who can affect the control environment Exercises are recurring, role-based training with per-participant completion records; OT-specific scenarios build the operator and engineer awareness 800-82 emphasizes Core
CP Contingency Planning Plan for and recover OT operations after disruption, prioritizing safe state and continuity of the physical process Recovery-focused exercises rehearse failover, manual operation, and restoration decisions; the AAR captures recovery timing and gaps Supporting
RA Risk Assessment Assess risk to OT operations, assets, and individuals — weighting safety and availability consequences Scenario-driven exercises surface real control gaps and consequence pathways that feed the OT risk assessment Supporting
AC Access Control Limit access to OT assets and the control network; manage remote and vendor access at the IT/OT boundary Insider, remote-access, and privilege-escalation scenarios exercise OT access-control response; AARs flag access-management gaps Supporting
SI System & Information Integrity Detect, report, and correct flaws; protect OT systems against malicious code and unauthorized change Ransomware and malware-on-OT scenarios exercise flaw and alert response; AARs document integrity-monitoring gaps Partial
CM Configuration Management Maintain baseline configurations and inventories of OT assets, accounting for change-control safety constraints Scenario content references configuration and asset-inventory gaps; the AAR flags CM weaknesses surfaced during play Partial
OT Overlay Safety & Operational Impact Read every control through its physical, safety, and availability consequence — the overlay's defining principle Safety-aware scenarios (incl. SIS) force the safe-state versus continuity decision; AARs record the safety and operational impact of each response choice Core
IT/OT Segmentation Purdue-Model Boundary Segment and defend the IT/OT boundary across the Purdue Model levels; contain lateral movement into OT IT→OT pivot scenarios exercise boundary detection and containment; AARs map where segmentation held or failed Supporting
Platform Capabilities

How CyberICS Supports Your NIST SP 800-82 Program

Three core capabilities work together to deliver, document, and evidence your OT incident-response and training objectives across the 800-82 control families.

🎲
IR · AT

Structured Exercise Execution

Live Session mode runs real-time, multi-participant OT incident-response exercises. Every step, response, and host action is timestamped — producing the incident-response test record and the training-participation evidence the IR and AT families call for.

  • Per-participant OT exercise completion record
  • Step-by-step incident-response walkthrough log
  • Session date, scope, and duration metadata
  • Detection → containment → safe-state trace
📋
IR · OT Overlay

AI-Generated After Action Report

Immediately after each exercise, CyberICS generates a structured AAR documenting the response, gaps, and NIST SP 800-82 control-family references — the artifact that shows your OT incident-response capability was exercised and what it found.

  • NIST SP 800-82 control-family references per gap
  • Safety & operational-impact notes per decision
  • Prioritized corrective-action recommendations
  • Multilingual output (EN/FR/PT/ES/DE/IT)
📄
RA · CP · AT

OT Control-Coverage Evidence Pack

The Compliance Dashboard assembles an 800-82 evidence package — IR test records, training completion, a control-family coverage map, and a prioritized gap list — so your OT program walks into an internal or external review with the evidence already built.

  • OT incident-response test record (IR)
  • Training completion roster (AT)
  • 800-82 control-family coverage map
  • Gap & remediation timeline
Scenario Library

OT/ICS Scenarios Aligned to NIST SP 800-82

Six high-fidelity OT/ICS scenarios — SCADA intrusion, safety-system compromise, PLC manipulation, ransomware on OT, IT→OT pivot, and sector OT — ready to run with AI facilitator briefing included.

SCADA Intrusion · Utility
IR · AC
Unauthorized Access to a SCADA Master

An adversary reaches the SCADA master and begins issuing unexpected commands across the control network. Exercises OT detection, containment, and the operator decision to revert to a safe state under time pressure.

SCADA IR T0855
Safety System · Process
OT Overlay · SIS
Safety-Instrumented-System (SIS) Compromise

An attacker targets the SIS protecting a hazardous process — the TRITON pattern. The team must weigh safe-state versus continuity and execute the safety-aware response the OT overlay demands.

SIS Safety TRITON
Manufacturing · PLC
SI · CM
Malicious PLC Logic Manipulation

Ladder logic on a production PLC is altered, drifting a process out of tolerance. Tests integrity detection, configuration-baseline comparison, and the engineering-led response across HMI and controller.

PLC HMI T0833
Ransomware · OT
IR · CP
Ransomware Threatening OT Availability

Ransomware spreads from IT toward the OT network, forcing a containment-versus-production decision. Exercises incident response, contingency planning, and the move to manual or degraded operation.

Ransomware CP Availability
IT→OT Pivot
IT/OT Boundary
Enterprise Breach Pivoting Into OT

An IT compromise moves laterally toward the control network across the Purdue boundary. Exercises IT/OT segmentation, cross-team coordination, and containment before the adversary reaches Level 1/0.

Purdue Segmentation Lateral Movement
Sector OT · Critical Infra
RA · OT Overlay
Sector-Specific OT Crisis Exercise

A sector-tailored OT incident — energy, water, oil & gas, or chemical — escalates to a multi-team crisis. Exercises sector-specific consequence, risk assessment, and leadership-level decision-making.

Critical Infra RA Consequence

Plus 300+ additional ICS/OT and enterprise scenarios spanning every critical-infrastructure sector NIST SP 800-82 addresses. Browse the full library →

Evidence Artifacts

Audit-Ready Documentation for Your OT Security Program

Every CyberICS exercise generates four categories of evidence supporting NIST SP 800-82 incident-response, training, and control-coverage demonstration during an internal or external review.

🛡️
OT Incident-Response Test Record

Timestamped record of a structured OT incident-response exercise — detection through safe-state recovery — evidencing the IR family.

IR
📚
OT Training Completion Record

Per-participant completion roster for operators, engineers, and security staff — the role-based training record the AT family expects.

AT
📑
Control-Family Coverage Map

A map of which NIST SP 800-82 / SP 800-53 control families each exercise touched — and where coverage gaps remain.

800-82 / 800-53
📁
After Action Report (AAR)

AI-generated AAR documenting response actions, safety and operational impact, control-family references, and prioritized remediation.

IR · RA

Explore the Full Regulatory Toolkit Library

CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.

Ready to Exercise Your OT Program Against NIST SP 800-82?

Start with a free 14-day trial — no credit card required. Or speak with our OT security team about a standing 800-82-aligned incident-response and training exercise program for your plants.

Also explore: IEC 62443 Toolkit  ·  NIST CSF 2.0 Toolkit  ·  NERC CIP Toolkit