20 ChatGPT Prompts for OT/ICS Cybersecurity

A practical guide for industrial and IoT security teams

Operational Technology (OT) and Industrial Control Systems (ICS) are the beating heart of modern infrastructure:

  • Power generation and distribution
  • Water and wastewater plants
  • Oil, gas, and chemical facilities
  • Manufacturing plants and logistics hubs
  • Smart buildings, transportation, and industrial IoT

These environments were historically isolated and proprietary. Today, they are increasingly connected—to IT networks, cloud services, and remote vendors. That connectivity brings undeniable business value, but it also opens the door to new cyber risks.

At the same time, generative AI tools like ChatGPT give security teams a powerful new ally. Used well, they can accelerate:

  • Documentation, runbooks, and policies
  • Training content and tabletop exercises
  • Threat‑modeling and risk assessments
  • Detection rules, metrics, and dashboards

In this guide, you’ll learn:

  • Why generative AI is particularly useful for OT/ICS security teams
  • How to use it safely without leaking sensitive data
  • 20 categories of prompts (with examples) that you can adapt to your own environment
  • How to embed these prompts into your daily workflows and security‑operations lifecycle

1. Before You Start: Using ChatGPT Safely in OT/ICS Environments

Before we dive into the 20 prompt ideas, it’s important to set some guardrails. Industrial environments are sensitive; a careless AI experiment can create real risk.

1.1 Treat AI as an assistant, not an oracle

ChatGPT is excellent at:

  • Drafting and structuring content
  • Translating complex standards into plain language
  • Suggesting checklists, scenarios, and edge cases
  • Brainstorming ideas you might otherwise miss

But it can also:

  • Get facts wrong (hallucinations)
  • Make unsafe assumptions about your architecture
  • Miss niche vendor specifics

Rule of thumb: use AI for ideation and drafting; always validate outputs with your own expertise and vendor documentation before implementation.

1.2 Never paste highly sensitive data

Avoid including:

  • Live IP addresses, passwords, private keys, VPN configs
  • Detailed as‑built diagrams for critical national infrastructure
  • Proprietary control logic, ladder diagrams, or vendor source code
  • Unredacted incident reports with personal information

Instead, abstract or anonymize:

  • Replace site names and IP addresses with placeholders.
  • Generalize from “Siemens S7‑1500 with firmware X.Y” to “modern PLC in a manufacturing plant.”
  • Remove customer names or PII from logs and tickets.
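The anonymization step above is easy to get wrong by hand when the excerpt is more than a few lines. The helper below is an added example (not code from the original article): it replaces IPv4 addresses and named sites with consistent placeholders, blanks credential-looking key=value pairs, and offers a last check before pasting. The site name and log lines are constructed for illustration.

```python
"""Redact an OT log or ticket excerpt before it goes into a public AI tool.

Added example (not from the original article). IPv4 addresses and named
sites are replaced with consistent placeholders, so "same host" still reads
as "same host" while the real values never leave your network; credential-
looking key=value pairs are blanked outright. The site name and the log
lines below are constructed for illustration.
"""
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Values that must never be pasted: password=..., psk=..., token: ...
SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|psk|secret|token|apikey)\s*[=:]\s*\S+"
)


def redact(text, site_names):
    """Return (redacted_text, mapping).

    mapping maps each real value to its placeholder; keep it locally so a
    reviewer can translate the model's answer back to real hosts.
    """
    mapping = {}
    counters = {"IP": 0, "SITE": 0}

    def placeholder(kind, original):
        if original not in mapping:
            counters[kind] += 1
            mapping[original] = f"<{kind}-{counters[kind]}>"
        return mapping[original]

    out = SECRET_RE.sub(lambda m: f"{m.group(1)}=<REDACTED>", text)
    out = IPV4_RE.sub(lambda m: placeholder("IP", m.group(0)), out)
    for name in site_names:
        # Case-insensitive so RIVERSIDE-WTP and Riverside-WTP share one placeholder
        out = re.sub(re.escape(name), lambda m, n=name: placeholder("SITE", n),
                     out, flags=re.IGNORECASE)
    return out, mapping


def leaks_remaining(text):
    """Pre-paste guard: True if an IPv4 address or an unredacted secret survived."""
    if IPV4_RE.search(text):
        return True
    return any(not m.group(0).endswith("<REDACTED>") for m in SECRET_RE.finditer(text))


# Constructed sample: two firewall denies plus a workstation line that leaked a PSK
SAMPLE = """2024-03-12 04:13:22 RIVERSIDE-WTP fw01: DENY tcp 10.20.5.14:50123 -> 10.20.7.31:502
2024-03-12 04:13:25 Riverside-WTP eng-ws03: vendor VPN profile loaded, psk=Sup3rS3cret!
2024-03-12 04:14:01 RIVERSIDE-WTP fw01: DENY tcp 10.20.5.14:50124 -> 10.20.7.32:502
"""

if __name__ == "__main__":
    cleaned, table = redact(SAMPLE, ["Riverside-WTP"])
    print(cleaned)
    print("safe to paste:", not leaks_remaining(cleaned))
    print("local lookup table (never paste this):", table)
```

The lookup table stays on your side; the model only ever sees `<IP-1>` talking to `<IP-2>` on port 502, which is enough context to ask about the pattern.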

1.3 Be explicit about the environment

OT is different from IT. When prompting ChatGPT, always clarify:

  • Industry sector (e.g., water/wastewater, oil & gas, discrete manufacturing)
  • Type of control system (DCS, PLC/RTU + SCADA, building‑management system, etc.)
  • Constraints (24/7 uptime, safety‑critical, legacy systems, vendor support agreements)

This context helps the model produce more realistic and safer advice.


2. Asset Management Prompts – Know What You Have

You can’t protect what you don’t know you own. Asset inventory is still one of the biggest gaps in OT security.

2.1 Why asset management is hard in OT

  • Legacy PLCs and RTUs with no modern discovery protocols
  • Shadow assets installed by vendors or local teams
  • Air‑gapped segments that were never documented
  • Multiple naming conventions across OT and IT

2.2 Example ChatGPT prompt for OT asset inventories

You are an OT security architect. Help me design a detailed asset-inventory template for an ICS network in a [type of facility, e.g., municipal water plant]. The template should capture both IT and OT devices, including PLCs, RTUs, HMIs, engineering workstations, servers, switches, firewalls, wireless access points, and IIoT gateways.

For each asset, propose the key fields we should track (e.g., device role, vendor, model, firmware version, network zone, criticality, maintenance owner). Present the result as a table description that can be implemented in a CMDB or spreadsheet.

2.3 How this helps

  • Provides a structured list of fields for your CMDB or OT asset tool.
  • Encourages you to include OT‑specific attributes (safety impact, process criticality, physical location, vendor support status).
  • You can then export this structure to Excel or a CMDB and start populating it.

3. Vulnerability Management Prompts – From Patch Chaos to Risk‑Based Plans

Patching OT systems is tricky:

  • Maintenance windows are rare
  • Vendors may not support third‑party patches
  • Some systems run unsupported operating systems

Instead of blindly patching, you need a risk‑based vulnerability‑management strategy.

3.1 Example vulnerability‑management prompt

Act as an OT vulnerability manager. Draft a practical vulnerability-management workflow for a [industry, e.g., food & beverage] plant that runs PLCs, HMIs, SCADA servers, and Windows engineering workstations.

Describe how to:
- Ingest vulnerability information from multiple sources (vendor advisories, ICS-CERT, MSSP reports).
- Perform risk-based prioritization that considers safety impact, downtime cost, and compensating controls.
- Coordinate with operations to schedule remediation or compensating controls.
- Track exceptions and document "accept, mitigate, transfer" decisions.

Structure the answer as a step-by-step process plus a RACI-style overview of responsibilities.

3.2 Tips

  • Ask ChatGPT to create email templates or meeting agendas for your vulnerability‑review board.
  • Request a one‑page version you can share with plant managers.

4. Secure Network Architecture Prompts – Designing OT Zones and Conduits

Network segmentation is core to OT security: separating safety‑critical control gear from enterprise IT and the internet.

4.1 Key concepts to emphasize

  • Demilitarized Zone (DMZ) between IT and OT
  • Zones for safety systems, control, supervisory, and corporate layers (often aligned with ISA/IEC‑62443)
  • Restricted pathways for vendor remote access and historian data flows

4.2 Example architecture prompt

You are a network architect with deep OT/ICS experience. Sketch a secure network architecture for a [industry] facility that uses PLCs, a central SCADA system, and connections to the corporate IT network.

Explain:
- How you would segment the network into security zones aligned with ISA/IEC 62443.
- Where to place firewalls, data diodes, or secure gateways.
- Which traffic should be allowed between zones (e.g., historian to ERP) and which should be blocked.
- How to handle vendor remote support in a secure way.

Provide the answer as both a high-level narrative and a bulleted list of zone-to-zone rules.

4.3 Use cases

  • Early design discussions when building a new plant network
  • Validating that an integrator’s design matches your security expectations
  • Creating training material for IT teams new to OT concepts

5. Backup & Recovery Prompts – Planning for “Worse Than Worst” Days

In OT, recovery is about much more than restoring a VM from backup. You may need to:

  • Reload PLC logic
  • Restore HMI projects and graphics
  • Rebuild historian databases
  • Validate safety‑instrumented system configurations

5.1 Example backup & recovery prompt

Act as an OT disaster-recovery planner. For a [industry] plant that uses PLCs, HMIs, SCADA servers, historians, and engineering workstations, outline a backup and recovery strategy focused on cyber incidents (e.g., ransomware, wiper malware).

Include:
- What should be backed up (configurations, firmware, logic, project files, OS images).
- How often and where backups should be stored (on-site, off-site, offline).
- Validation and restore-testing procedures specific to OT systems.
- Special considerations for safety systems and regulatory evidence.

Summarize the plan as a checklist that plant managers can follow.

5.2 Pro tip

Ask ChatGPT to generate test scenarios for periodic disaster‑recovery exercises—e.g., “Historian database corrupted due to ransomware, demonstrate recovery within 4 hours.”


6. Incident‑Response Planning Prompts – From Theory to OT‑Specific Runbooks

Generic IT incident‑response plans rarely translate cleanly into OT environments.

  • Safety and availability trump confidentiality.
  • Isolation steps must be coordinated with control engineers.
  • Some assets can’t simply be “powered off.”

6.1 Example IR‑plan prompt

You are writing an incident-response playbook for a mid-sized [industry] facility with legacy PLCs and a central SCADA system. Create a cyber-incident response plan tailored to OT that covers:
- Roles and responsibilities (operations, engineering, IT security, management, vendors).
- Initial triage steps that prioritize safety and process continuity.
- Communication paths (internal, regulators, customers, vendors).
- Decision points for containment actions (e.g., network segmentation, switching to manual mode).
- Evidence-collection practices that do not endanger the process.

Present the plan in sections that can be pasted into our IR manual.

6.2 Extend with scenario‑based prompts

Ask for specific playbooks such as:

  • “Ransomware detected on an engineering workstation.”
  • “Suspicious Modbus commands observed from an IT subnet.”

7. Security Awareness Training Prompts – Making OT Cyber Real for Operators

Control‑room staff, engineers, and technicians are often the first line of defense. But generic phishing training won’t resonate with them.

7.1 Example awareness‑session prompt

Act as an OT security trainer. Design a 1-hour cybersecurity awareness session aimed at control-room operators and maintenance technicians in a [industry] plant.

The session should:
- Use real-world OT/ICS cyber incidents as examples.
- Cover practical behaviors: USB usage, remote vendor access, handling suspicious HMI behavior, and reporting channels.
- Avoid technical jargon and focus on what they can see and do in their daily work.

Provide a slide-by-slide outline with speaker notes and a short quiz at the end.

7.2 Ideas

  • Ask ChatGPT to generate role‑playing scenarios or “spot the suspicious behavior” quizzes.
  • Localize content: different prompts for contractors, engineers, and executives.

8. Compliance & Governance Prompts – Translating Standards into Plain Language

Standards such as ISA/IEC‑62443, NERC CIP, ISO 27001, or local regulations are dense. ChatGPT can help interpret them for specific audiences.

8.1 Example compliance prompt

You are a compliance consultant. Explain the key requirements of ISA/IEC 62443-3-3 in plain language for a [industry] plant manager.

Focus on:
- What they are expected to implement in their facility.
- How these requirements relate to network segmentation, account management, patching, and logging.
- Practical examples of controls that would satisfy the intent of the standard.

Keep the answer under 1,000 words and structured as bullet points that can be turned into a checklist.

8.2 Additional uses

  • Request side‑by‑side comparisons: “Compare IEC 62443‑3‑3 with NIST SP 800‑82 for a water utility.”
  • Draft policy templates and standard operating procedures aligned with standards, then refine internally.

9. Tabletop‑Exercise Prompts – Practicing the Unthinkable

Tabletop exercises are vital in OT, where real‑world testing is risky. AI can help you:

  • Create realistic scenarios
  • Define injects and timeline events
  • Prepare scoring criteria and debrief questions

9.1 Example tabletop‑exercise prompt

Act as an OT incident-response facilitator. Design a 2-hour tabletop exercise for a [industry] facility that simulates a cyber attack affecting both the SCADA system and engineering workstations.

Include:
- A short background story and starting situation.
- A series of 6–8 timed "injects" (new information or complications).
- Decision points for operations, engineering, IT security, and management.
- Specific questions to ask participants at each stage.
- Debrief topics focused on lessons learned and improvements.

Tailor the exercise for non-technical executives as well as technical staff.

10. Risk‑Assessment Prompts – Identifying OT‑Specific Risks

Risk assessments for ICS must consider safety, environmental impact, and downtime cost, not just data confidentiality.

10.1 Example risk‑assessment prompt

You are an OT cybersecurity consultant. For a [industry] facility with PLCs controlling critical processes, create a prioritized list of the top 10 cyber risks.

For each risk include:
- A short description.
- Likely threat actors or causes (e.g., ransomware gangs, misconfigurations, insider threats).
- Potential impact on safety, environment, and financial loss.
- Example mitigations or controls.

Assume the plant uses basic firewalls but has limited monitoring and legacy Windows systems.

10.2 Follow‑up

Ask ChatGPT to convert that list into:

  • A risk‑register template
  • Slides for a management‑level risk‑awareness workshop

11. Threat‑Intelligence Prompts – Understanding Adversaries in ICS

Threat intelligence for OT includes not just malware names but also:

  • Tactics, Techniques, and Procedures (TTPs)
  • Mappings to frameworks like MITRE ATT&CK for ICS
  • Sector‑specific threat actors

11.1 Example threat‑intel prompt

Act as an analyst specializing in ICS threats. Summarize the common tactics and techniques used in recent attacks against OT/ICS environments (map them to MITRE ATT&CK for ICS where possible).

For each tactic, provide:
- A short explanation.
- A simple example relevant to a [industry] facility.
- High-level defensive measures (detection or prevention) that an OT security team should prioritize.

Keep jargon minimal and explain acronyms.

11.2 Benefit

Use this as training material or as input to detection‑engineering projects and risk assessments.


12. Network‑Security‑Monitoring Prompts – Seeing What Matters

Traditional IT SOCs often lack visibility into OT protocols like Modbus, DNP3, PROFINET, or EtherNet/IP. ChatGPT can help you design:

  • Log sources
  • SIEM use cases
  • Alert triage runbooks

12.1 Example monitoring prompt

You are helping to design OT network security monitoring for a [industry] plant. List the 10–15 most valuable log sources and network data points that would help detect early signs of a cyber attack on an ICS network (e.g., abnormal PLC downloads, unexpected remote connections, suspicious Modbus function codes).

For each source, explain:
- What we are looking for.
- Where the data can be collected (switch SPAN port, firewall, historian, engineering workstation, etc.).
- Example alerts or SIEM correlation rules we should implement.

12.2 Extra

Once you have the list, ask for sample detection rules in human language or pseudo‑code that your SOC can adapt to its toolset.
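To show what the "sample detection rules" stage can produce once the list is in hand, here is an added example (not code from the original article, and not any SIEM's native rule syntax): three per-record rules for the signals this section names (Modbus from an IT subnet, write function codes from a host outside the engineering allowlist, a source missing from the asset inventory) plus one correlation rule for a write sweep across several PLCs, run over constructed sensor records. The zone subnets, host lists and records are assumptions; the same patterns are a starting point for the Modbus hunting ideas in section 14.

```python
"""Sample Modbus detection rules over constructed sensor records.

Added example, not from the original article. It shows the kind of SIEM
correlation logic section 12 asks for, using records of the shape a passive
sensor on a switch SPAN port might export (timestamp, source, destination,
destination port, Modbus function code). The zones, host lists and records
below are constructed for illustration; replace them with your own inventory.
"""
import ipaddress

# Assumed zone layout (map these to your ISA/IEC 62443 zones and conduits)
IT_ZONE = ipaddress.ip_network("10.1.0.0/16")        # corporate IT
CONTROL_ZONE = ipaddress.ip_network("10.20.7.0/24")  # PLCs and RTUs
ENGINEERING_WS = {"10.20.6.10", "10.20.6.11"}        # may download logic / write registers
HMI = {"10.20.6.20"}                                 # operator station, writes setpoints
WRITE_ALLOWED = ENGINEERING_WS | HMI
INVENTORY = WRITE_ALLOWED | {"10.20.7.31", "10.20.7.32", "10.20.7.33"}

# Modbus function codes that change process state (writes), per the Modbus spec
WRITE_FUNCS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
MODBUS_PORT = 502


def evaluate(record):
    """Per-record rules. Returns the list of alert names this record triggers."""
    alerts = []
    src = ipaddress.ip_address(record["src"])
    dst = ipaddress.ip_address(record["dst"])
    if dst not in CONTROL_ZONE or record["dport"] != MODBUS_PORT:
        return alerts
    if src in IT_ZONE:                       # conduit rule: IT must never talk Modbus to PLCs
        alerts.append("MODBUS_FROM_IT_ZONE")
    if record["func"] in WRITE_FUNCS and record["src"] not in WRITE_ALLOWED:
        alerts.append("MODBUS_WRITE_FROM_UNAUTHORIZED_HOST")
    if record["src"] not in INVENTORY:       # inventory gap or rogue device
        alerts.append("MODBUS_FROM_UNKNOWN_ASSET")
    return alerts


def write_sweep(records, threshold=3):
    """Correlation rule: one source writing to many PLCs looks like a mass
    download or a scripted change; worth a call to engineering even when the
    source is authorized. Returns {src: [plc, ...]} for sources at/over threshold."""
    targets = {}
    for r in records:
        if r["func"] in WRITE_FUNCS and ipaddress.ip_address(r["dst"]) in CONTROL_ZONE:
            targets.setdefault(r["src"], set()).add(r["dst"])
    return {src: sorted(d) for src, d in targets.items() if len(d) >= threshold}


def run_rules(records):
    """Return {alert_name: [record index, ...]} across all per-record rules."""
    hits = {}
    for i, r in enumerate(records):
        for name in evaluate(r):
            hits.setdefault(name, []).append(i)
    return hits


# Constructed sample records (what a Modbus-aware sensor might export)
SAMPLE_RECORDS = [
    {"ts": "2024-03-12T04:13:22", "src": "10.20.6.20", "dst": "10.20.7.31", "dport": 502, "func": 3},   # HMI poll: normal
    {"ts": "2024-03-12T04:13:30", "src": "10.20.6.10", "dst": "10.20.7.31", "dport": 502, "func": 16},  # eng WS write: allowed
    {"ts": "2024-03-12T04:14:01", "src": "10.1.44.12", "dst": "10.20.7.31", "dport": 502, "func": 3},   # IT host reading a PLC
    {"ts": "2024-03-12T04:14:05", "src": "10.1.44.12", "dst": "10.20.7.32", "dport": 502, "func": 6},   # IT host writing a register
    {"ts": "2024-03-12T04:15:10", "src": "10.20.6.99", "dst": "10.20.7.31", "dport": 502, "func": 43},  # unknown host, device-ID query
    {"ts": "2024-03-12T04:20:00", "src": "10.20.6.11", "dst": "10.20.7.31", "dport": 502, "func": 16},
    {"ts": "2024-03-12T04:20:04", "src": "10.20.6.11", "dst": "10.20.7.32", "dport": 502, "func": 16},
    {"ts": "2024-03-12T04:20:09", "src": "10.20.6.11", "dst": "10.20.7.33", "dport": 502, "func": 16},  # same WS, 3 PLCs: sweep
]

if __name__ == "__main__":
    for name, idx in run_rules(SAMPLE_RECORDS).items():
        print(f"{name}: records {idx}")
    print("write sweep:", write_sweep(SAMPLE_RECORDS))
```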


13. Secure‑Remote‑Access Prompts – Balancing Convenience and Safety

Remote access to PLCs, HMIs, and SCADA systems is often essential for:

  • Vendor support
  • Remote engineering
  • Centralized monitoring

But it’s also a major attack vector.

13.1 Example remote‑access prompt

Act as an OT security architect. Recommend a secure remote-access architecture for vendors who need to troubleshoot PLCs and HMIs in a [industry] facility.

Address:
- Authentication and authorization (e.g., MFA, just-in-time access).
- Jump hosts or remote-access gateways.
- Session recording and logging.
- Segmentation between vendor sessions and other OT traffic.
- Processes for approving, scheduling, and terminating remote sessions.

Avoid generic VPN advice and focus on OT constraints (limited bandwidth, 24/7 availability, safety).

14. Threat‑Hunting Prompts – Proactively Searching OT Networks

Threat hunting in OT often starts from subtle anomalies in industrial protocols or workstation behavior.

14.1 Example threat‑hunting prompt

You are designing threat-hunting playbooks for an OT network. Create a set of hunting ideas focused on suspicious Modbus and OPC traffic in a [industry] plant.

For each idea, describe:
- The hypothesis (what kind of attack or misbehavior we might detect).
- What data we need (packet captures, logs, asset inventory).
- Example queries or patterns to look for.
- Recommended response steps if we confirm suspicious activity.

14.2 Benefit

Use these hunting ideas to schedule quarterly hunts with your SOC or external MSSP.


15. Honeypot Prompts – Detecting Attackers Early

Honeypots—decoy systems designed to attract attackers—can be powerful in OT when carefully isolated.

15.1 Example honeypot prompt

Act as an OT security engineer. Propose a design for an ICS-themed honeypot that mimics a small PLC-controlled process, suitable for deployment in a demilitarized zone of a [industry] network.

Cover:
- What services and protocols it should emulate (e.g., Modbus, web HMI).
- How to make it look realistic without exposing production data.
- Logging and alerting requirements.
- Safety and segmentation precautions so the honeypot cannot be used as a pivot into real OT assets.

15.2 Use carefully

  • Honeypots must be isolated and clearly documented.
  • Always coordinate with legal and compliance before deploying deception technologies.

16. Physical‑Security Prompts – Protecting the “Cyber‑Physical” Bridge

Many OT incidents still start with physical access:

  • Unauthorized USB use on engineering workstations
  • Rogue equipment plugged into switches
  • Tampering with cabinets and field devices

16.1 Example physical‑security prompt

You are conducting a physical-security review for a [industry] facility. List the most critical physical-security controls to protect OT systems, including control rooms, cabinets, network closets, and field devices.

For each control, explain:
- The risk it addresses.
- Example implementation suited for an industrial environment (not a corporate office).
- Any low-cost quick wins vs. longer-term investments.

17. Executive‑Awareness Prompts – Getting the Board on Board

Senior leaders often underestimate OT cyber risk—or view it purely as an IT problem.

17.1 Example executive‑briefing prompt

Act as an OT cybersecurity leader. Write an outline for a 5-slide executive briefing explaining why investing in ICS cybersecurity is critical to operational resilience and safety for a [industry] company.

Each slide should include:
- A main message.
- 3–4 supporting bullet points.
- One suggested visual (chart, diagram, or picture).

Focus on business impact: safety, downtime cost, regulatory exposure, and reputation. Avoid deep technical jargon.

17.2 Use it

Refine the outline with your own data—downtime costs, near misses, industry incidents—then build your slide deck.


18. Metrics & KPI Prompts – Measuring What Matters

Without meaningful metrics, it’s hard to justify security investment or track progress.

18.1 Example metrics prompt

You are designing KPIs for an OT/ICS cybersecurity program in a [industry] organization. Propose a set of 10–15 metrics that cover:
- Asset visibility and patch status.
- Network segmentation and remote-access control.
- Incident detection and response performance.
- Training and awareness effectiveness.
- Compliance with internal standards or external regulations.

For each metric, define:
- The formula or measurement method.
- Data sources.
- Recommended reporting frequency.
- How it should be interpreted by executives.

18.2 Outcome

You’ll get a candidate scorecard that you can adapt for monthly or quarterly reporting.


19. Threat‑Modeling Prompts – Understanding How OT Systems Can Be Attacked

Threat modeling is the discipline of systematically thinking through:

  • What you are protecting
  • Who you are protecting it from
  • How they might attack
  • Which controls matter most

19.1 Example threat‑model prompt

Act as a threat-modeling facilitator. Perform a high-level threat model for a [industry] facility where PLCs control critical pumps and valves, and operators use a central SCADA system.

Use a structured approach (e.g., STRIDE, attack trees, or MITRE ATT&CK for ICS) and:
- Identify key assets and trust boundaries.
- List plausible threats and attack paths.
- Highlight existing or recommended controls to mitigate each threat.

Present the result as a table plus a short narrative summary suitable for inclusion in a design review document.

19.2 Benefit

Feed this analysis into:

  • Risk assessments
  • Security requirements for new projects
  • Prioritization of monitoring and incident‑response capabilities

20. Career‑Development Prompts – Building an OT/ICS Cybersecurity Workforce

Many organizations struggle to find people who understand both control systems and cybersecurity.

20.1 Example career‑path prompt

You are mentoring a junior engineer who wants to move into OT/ICS cybersecurity.

Suggest:
- The key knowledge areas they should focus on (control systems, networking, security basics, safety culture).
- Recommended certifications, training courses, and hands-on labs.
- Typical entry-level and mid-level roles in OT security.
- A 12–18 month learning roadmap.

Assume they currently work as an automation engineer in a [industry] plant.

20.2 Organizational use

  • Share the roadmap with HR and training departments.
  • Use AI to draft job descriptions and interview question banks tailored to OT security roles.

21. Penetration‑Testing Prompts – Safely Exploring Weaknesses

Penetration testing in OT must be handled with extreme care; active testing can disrupt operations. But planning and scoping such tests is an area where ChatGPT can help.

21.1 Example pentest‑planning prompt

Act as an OT security consultant. Outline a safe penetration-testing strategy for a [industry] facility that includes PLCs, HMIs, and a SCADA system.

Cover:
- Which parts of the environment are suitable for active testing and which require passive methods or lab replicas.
- OT-specific techniques relevant to ICS (e.g., insecure protocols, weak segmentation, default credentials) that can be tested without harming operations.
- Pre-test approvals, change-management requirements, and safety checks.
- How findings should be categorized and reported to both engineers and executives.

21.2 Caution

Always coordinate pentests with:

  • Operations and safety engineering
  • Vendors and integrators (some contracts prohibit testing)
  • Legal and compliance

Use AI for planning and documentation, not for automatically generating exploit code to be run on live systems.


22. Integrating These Prompts into Your OT Security Program

Having 20 ideas is great, but how do you turn them into consistent practice?

22.1 Create a shared “prompt library”

  • Store your best, customized prompts in a version‑controlled repository, wiki, or knowledge base.
  • Tag them by use case (asset management, IR, training, etc.).
  • Encourage engineers and analysts to update prompts as they learn what works best.

22.2 Build workflows around prompts

Examples:

  • Quarterly vulnerability review:
    • Use prompts to draft meeting agendas, risk rationales, and follow‑up emails.
  • New plant or line design:
    • Run architecture and threat‑model prompts as part of the design‑review checklist.
  • Incident post‑mortems:
    • Use ChatGPT to help summarize timelines and extract key lessons (without sharing sensitive details).

22.3 Keep humans firmly in control

  • Designate owners for each use case (e.g., OT security architect, SOC lead, plant manager).
  • Require peer review of AI‑generated documents before adoption.
  • Track where AI was used in documentation for audit transparency.

23. Frequently Asked Questions (FAQ)

Q1. Can I paste firewall configs or PLC logic into ChatGPT to ask for hardening advice?

It’s safer not to. Those artifacts may be sensitive and could contain exploitable details. Instead:

  • Summarize the current rules or logic in natural language.
  • Ask for best‑practice recommendations for similar environments.
  • Apply the guidance manually, in consultation with your OT engineers and vendors.

Q2. How accurate are AI‑generated recommendations for OT security?

Accuracy varies. ChatGPT is trained on a mix of sources and may not know the latest vendor advisories or niche control‑system quirks. Treat outputs as drafts and inspiration, not final answers.

Always cross‑check with:

  • Vendor documentation
  • ICS‑CERT / CISA advisories
  • Your own engineers and security experts

Q3. Is it worth training a custom LLM on our OT data?

For most organizations, the best starting point is RAG and prompt engineering using existing models. Fine‑tuning or training custom models might make sense later if:

  • You have significant proprietary know‑how or support content.
  • You need a highly specialized assistant (e.g., for a global fleet of similar plants).
  • You can invest in proper data cleaning, labeling, and MLOps.

Q4. Should we allow all staff to use public AI tools for OT work?

Provide clear policies:

  • Which tools are approved, and for what data types
  • How to anonymize or abstract information
  • Who to contact with questions or uncertain cases

Often, the best approach is to offer enterprise‑grade AI access with logging and data‑protection controls instead of blocking everything.

Q5. How does generative AI fit into a broader OT security roadmap?

Think of AI as a force multiplier for tasks you already know you should be doing:

  • Better documentation and runbooks
  • Faster training and awareness
  • More consistent risk assessments and metrics

It does not replace foundational work like network segmentation, secure remote access, or patching programs.


24. Conclusion – Turning ChatGPT Into Your OT Cyber Co‑Pilot

Operational Technology and Industrial Control Systems are too important to leave unprotected:

  • A misconfigured PLC can halt production or cause physical damage.
  • A compromised water plant can impact public health.
  • A ransomware hit on a manufacturing line can cost millions per day.

At the same time, OT security teams are often under‑staffed and over‑stretched. This is where generative AI, used responsibly, makes a real difference.

By leveraging the 20 prompt categories we explored—asset management, vulnerability management, network design, backup, IR, training, compliance, exercises, risk, threat intel, monitoring, remote access, hunting, honeypots, physical security, executive awareness, metrics, threat modeling, career development, and pentesting—you can:

  • Accelerate planning and documentation
  • Improve training and communication
  • Make better, more informed decisions
  • Free scarce human experts to focus on the highest‑value work

The key is to remember:

ChatGPT is a co‑pilot, not an autopilot.

Used thoughtfully, with guardrails and human oversight, it can become a powerful ally in building secure, resilient, and efficient OT/ICS and industrial IoT environments.

Start small—perhaps with one or two prompts from this guide. Refine them, share them, and gradually build an AI‑assisted OT cybersecurity playbook that fits your organization’s culture, risk appetite, and regulatory context.

Your industrial systems—and the people who depend on them—will be safer for it.