NIST SP 800-82 Rev. 3 is NIST's Guide to Operational Technology (OT) Security — it tailors the SP 800-53 control families to industrial environments and supplies an OT overlay spanning ICS, SCADA, DCS, PLCs, safety systems, and the Purdue Model. CyberICS provides 300+ ready-to-run OT/ICS tabletop scenarios, AI-generated After Action Reports, and a control-coverage map — so an OT team can exercise its incident response and the 800-82-relevant control families, and evidence that readiness.
NIST SP 800-82 Rev. 3 is written for everyone responsible for securing operational technology — the engineers, operators, and security teams who run ICS, SCADA, DCS, and safety systems, and the enterprise security functions that now reach across the IT/OT boundary.
Organizations that own, operate, or integrate industrial control systems carry the safety and availability mission that NIST SP 800-82 is built around. The guide's OT overlay reshapes the SP 800-53 controls so they fit environments where a control action has a physical, sometimes safety-critical, consequence.
As IT and OT converge, NIST SP 800-82 guides security teams that must extend enterprise controls into the plant without breaking safety or availability. Exercises rehearse the cross-domain coordination — IT SOC, OT engineering, and safety — that an IT→OT incident demands.
NIST SP 800-82 Rev. 3 deliberately re-prioritizes the SP 800-53 controls for OT: safety and availability come first, and every control is read through its operational and physical impact. CyberICS exercises are built the same way — safety-aware, Purdue-aware, and run in your team's working language so the whole control room can take part.
NIST SP 800-82 Rev. 3 tailors the SP 800-53 control families for OT and adds overlay considerations for safety and operational impact. Tabletop exercises directly exercise incident response and training, support recovery and risk activities, and generate evidence across several more families.
| Family | Control Area | OT Overlay Focus | CyberICS Capability | Coverage |
|---|---|---|---|---|
| IR | Incident Response | Establish, exercise, and improve an OT incident-response capability that accounts for safety and process impact | Live Session mode runs structured OT incident-response exercises end-to-end; the AI AAR documents detection, containment, eradication, and recovery — the test record that exercises the IR family | Core |
| AT | Awareness & Training | Role-based security awareness for OT operators, engineers, and staff who can affect the control environment | Exercises are recurring, role-based training with per-participant completion records; OT-specific scenarios build the operator and engineer awareness 800-82 emphasizes | Core |
| CP | Contingency Planning | Plan for and recover OT operations after disruption, prioritizing safe state and continuity of the physical process | Recovery-focused exercises rehearse failover, manual operation, and restoration decisions; the AAR captures recovery timing and gaps | Supporting |
| RA | Risk Assessment | Assess risk to OT operations, assets, and individuals — weighting safety and availability consequences | Scenario-driven exercises surface real control gaps and consequence pathways that feed the OT risk assessment | Supporting |
| AC | Access Control | Limit access to OT assets and the control network; manage remote and vendor access at the IT/OT boundary | Insider, remote-access, and privilege-escalation scenarios exercise OT access-control response; AARs flag access-management gaps | Supporting |
| SI | System & Information Integrity | Detect, report, and correct flaws; protect OT systems against malicious code and unauthorized change | Ransomware and malware-on-OT scenarios exercise flaw and alert response; AARs document integrity-monitoring gaps | Partial |
| CM | Configuration Management | Maintain baseline configurations and inventories of OT assets, accounting for change-control safety constraints | Scenario content references configuration and asset-inventory gaps; the AAR flags CM weaknesses surfaced during play | Partial |
| OT Overlay | Safety & Operational Impact | Read every control through its physical, safety, and availability consequence — the overlay's defining principle | Safety-aware scenarios (incl. SIS) force the safe-state versus continuity decision; AARs record the safety and operational impact of each response choice | Core |
| IT/OT Segmentation | Purdue-Model Boundary | Segment and defend the IT/OT boundary across the Purdue Model levels; contain lateral movement into OT | IT→OT pivot scenarios exercise boundary detection and containment; AARs map where segmentation held or failed | Supporting |
Three core capabilities work together to deliver, document, and evidence your OT incident-response and training objectives across the 800-82 control families.
Live Session mode runs real-time, multi-participant OT incident-response exercises. Every step, response, and host action is timestamped — producing the incident-response test record and the training-participation evidence the IR and AT families call for.
Immediately after each exercise, CyberICS generates a structured AAR documenting the response, gaps, and NIST SP 800-82 control-family references — the artifact that shows your OT incident-response capability was exercised and what it found.
The Compliance Dashboard assembles an 800-82 evidence package — IR test records, training completion, a control-family coverage map, and a prioritized gap list — so your OT program walks into an internal or external review with the evidence already built.
Six high-fidelity OT/ICS scenarios — SCADA intrusion, safety-system compromise, PLC manipulation, ransomware on OT, IT→OT pivot, and sector OT — ready to run with AI facilitator briefing included.
An adversary reaches the SCADA master and begins issuing unexpected commands across the control network. Exercises OT detection, containment, and the operator decision to revert to a safe state under time pressure.
An attacker targets the SIS protecting a hazardous process — the TRITON pattern. The team must weigh safe-state versus continuity and execute the safety-aware response the OT overlay demands.
Ladder logic on a production PLC is altered, drifting a process out of tolerance. Tests integrity detection, configuration-baseline comparison, and the engineering-led response across HMI and controller.
Ransomware spreads from IT toward the OT network, forcing a containment-versus-production decision. Exercises incident response, contingency planning, and the move to manual or degraded operation.
An IT compromise moves laterally toward the control network across the Purdue boundary. Exercises IT/OT segmentation, cross-team coordination, and containment before the adversary reaches Level 1/0.
A sector-tailored OT incident — energy, water, oil & gas, or chemical — escalates to a multi-team crisis. Exercises sector-specific consequence, risk assessment, and leadership-level decision-making.
Plus 300+ additional ICS/OT and enterprise scenarios spanning every critical-infrastructure sector NIST SP 800-82 addresses. Browse the full library →
Every CyberICS exercise generates four categories of evidence supporting NIST SP 800-82 incident-response, training, and control-coverage demonstration during an internal or external review.
Timestamped record of a structured OT incident-response exercise — detection through safe-state recovery — evidencing the IR family.
Per-participant completion roster for operators, engineers, and security staff — the role-based training record the AT family expects.
A map of which NIST SP 800-82 / SP 800-53 control families each exercise touched — and where coverage gaps remain.
AI-generated AAR documenting response actions, safety and operational impact, control-family references, and prioritized remediation.
CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.
Start with a free 14-day trial — no credit card required. Or speak with our OT security team about a standing 800-82-aligned incident-response and training exercise program for your plants.
Also explore: IEC 62443 Toolkit · NIST CSF 2.0 Toolkit · NERC CIP Toolkit