Top 8 OT / ICS Cybersecurity Books Every Industrial and IoT Professional Should Read

A deep guide for engineers, security leaders, and IoT builders

Operational Technology (OT) and Industrial Control Systems (ICS) run the physical world: power plants, water treatment, oil and gas pipelines, manufacturing lines, building automation, transportation, and now billions of connected IoT and IIoT devices.

As more sensors, controllers, and edge gateways connect to corporate networks and the cloud, the attack surface explodes. Ransomware no longer just locks laptops; it can stop production, damage equipment, or even put human lives at risk.

If you work anywhere near critical infrastructure, smart factories, or industrial IoT, you need more than a passing familiarity with OT/ICS cybersecurity. You need a solid mental model of:

  • how attacks actually unfold in real plants,
  • how industrial networks and protocols differ from IT,
  • how to design, monitor, and defend control systems, and
  • how to communicate risk and strategy to leadership and operators.

One of the fastest ways to acquire that depth is through a carefully chosen reading list.

Below, we expand that list into a detailed guide:

  • what each book covers,
  • who will benefit the most,
  • how it fits into a larger learning path, and
  • how to apply the lessons to modern IoT and IIoT deployments.

How to Use This OT / ICS Cybersecurity Reading List

Before diving into each book, it helps to understand how these titles complement one another.

Broadly, they fall into the following categories:

  1. Real‑world context and threat landscape
    • Sandworm
    • Countering Cyber Sabotage
  2. Fundamentals of industrial networks and security architectures
    • Industrial Network Security
    • Practical Industrial Cybersecurity
  3. Hands‑on defensive engineering and operations
    • Industrial Cybersecurity (Pascal Ackerman)
    • Industrial Cybersecurity: Case Studies and Best Practices
  4. Offensive techniques, red‑teaming, and defensive counter‑strategy
    • Hacking Exposed: Industrial Control Systems
  5. Management, governance, and communication
    • Engineering‑Grade OT Security: A Manager’s Guide

You do not have to read them in a strict sequence, but if you are building or securing IoT/OT environments, a sensible order is:

  1. Start with Sandworm to understand the stakes.
  2. Move to Industrial Network Security and Practical Industrial Cybersecurity for your technical foundation.
  3. Layer on Industrial Cybersecurity and Industrial Cybersecurity: Case Studies and Best Practices for hands‑on guidance.
  4. Add Hacking Exposed ICS to see how real attackers operate.
  5. Use Engineering‑Grade OT Security and Countering Cyber Sabotage to shape strategy, governance, and consequence‑driven design.

With that roadmap in mind, let’s look at each book in more detail.


1. Sandworm – Understanding Real‑World Implications

Author: Andy Greenberg

Why this book matters for OT/ICS and IoT

If you only read one cybersecurity book about industrial systems, many practitioners would tell you to start with Sandworm. It is not a configuration manual or a protocol reference. Instead, it is a gripping narrative about a Russian state‑sponsored group that repeatedly targeted Ukraine’s power grid and other critical infrastructure.

For OT/ICS and IoT professionals, Sandworm answers a crucial question: “Could this really happen to us?” The book chronicles attacks that leveraged malware such as BlackEnergy and NotPetya, moving from IT environments into ICS networks and causing real, physical disruption.

Key takeaways

  • Attackers are willing and able to target power grids, transportation, and industrial companies, not just banks or SaaS platforms.
  • The line between cyber warfare and criminal activity is blurry. Techniques refined in geopolitical conflicts often trickle into ransomware and other financially motivated operations.
  • OT/ICS incidents often begin with a familiar IT vector (phishing, VPN compromise, stolen credentials) and then pivot into control systems.

How to apply it

  • Use stories from Sandworm to justify investment in segmentation, monitoring, and incident response for OT networks.
  • Incorporate case studies into tabletop exercises with plant managers and executives. Vivid narratives help non‑technical stakeholders grasp why “air gaps” and outdated assumptions no longer hold.
  • For IoT builders, the book is a reminder that your connected devices may end up embedded inside larger critical systems where the consequences of failure are severe.

2. Industrial Network Security – Building Your Fundamentals

Author: Eric Knapp (and colleagues)

Focus: Fundamentals of industrial networking, SCADA/DCS/PLC architectures, and core security concepts.

When you are new to OT/ICS, the alphabet soup of acronyms—SCADA, DCS, PLC, RTU, HMI, historian—can be overwhelming. Industrial Network Security breaks this down into a structured, vendor‑neutral overview.

What you will learn

  • How traditional ICS architectures are layered: field devices, control, supervisory, enterprise integration.
  • The unique characteristics of industrial protocols such as Modbus, DNP3, Profinet, and others.
  • Typical network topologies in utilities, manufacturing, and other critical sectors.
  • Core security patterns for segmentation, firewalls, demilitarized zones, and jump hosts.

Why it is foundational

A lot of modern content jumps straight into cloud platforms, containers, and machine learning. In OT, you cannot skip the basics. Misunderstanding how a PLC scan cycle works or how a remote I/O network behaves leads to dangerous assumptions.

Industrial Network Security gives you the mental models needed to:

  • talk with control engineers using their vocabulary,
  • understand how an attacker could move from the enterprise into control networks, and
  • design secure architectures that respect real‑time and safety constraints.

IoT angle

If you are designing IIoT gateways or edge devices, the patterns in this book help you avoid breaking key assumptions in existing control systems. You will see where to terminate TLS, how to connect historians or MQTT brokers safely, and where “north‑south” vs “east‑west” traffic actually flows.


3. Industrial Cybersecurity – Real‑World Resources for Getting It Done

Author: Pascal Ackerman

Pascal Ackerman’s Industrial Cybersecurity series is beloved by practitioners because it is unapologetically practical. Each volume dives into hands‑on tasks, often using open‑source tools, to show how you can assess and harden real industrial environments.

Highlights

  • Step‑by‑step walkthroughs of building network maps, asset inventories, and traffic baselines.
  • Deep dives into intrusion detection, log analysis, and security monitoring tailored to OT networks.
  • Guidance on designing defense‑in‑depth architectures that account for legacy equipment.
  • Lab scenarios and examples you can adapt for your own training environments.

The books are written from the perspective of someone who has actually been on plant floors, chased down undocumented devices, and worked around maintenance windows.

Why you want this on your shelf

  • When you move from “strategy deck” to “implementation plan,” this series becomes invaluable.
  • The content is not limited to one vendor ecosystem; it focuses on timeless principles and widely available tools.
  • As the image notes, each volume is different—together they form a toolkit you will consult repeatedly.

For IoT deployments

Industrial Cybersecurity is especially helpful if you are building:

  • SOC capabilities that must monitor both IT and OT networks,
  • in‑house security engineering teams for smart factories, or
  • managed services for industrial customers.

You can map the book’s guidance to tooling like Zeek, Suricata, industrial DPI sensors, and SIEM platforms that ingest IIoT telemetry.


4. Engineering‑Grade OT Security: A Manager’s Guide

Author: Andrew Ginter

Technology alone does not secure industrial systems. You also need management understanding, governance, and clear lines of accountability. Andrew Ginter’s Engineering‑Grade OT Security targets precisely that gap.

What sets this book apart

  • It is written as a manager’s guide, explaining OT/ICS risk in language executives and plant leadership can act on.
  • It discusses how cyber threats translate into safety, environmental, and business consequences.
  • The book emphasises architectures and controls that are physically and logically resilient, not just compliant on paper.

Ginter also provides free companion resources that help leaders evaluate different aspects of OT cybersecurity and understand where their programs are weak.

Why it is crucial

Many organizations have technically capable security engineers but fail to:

  • give them the authority to enforce standards,
  • integrate cybersecurity into capital projects and change management, or
  • allocate realistic budgets for long‑lived industrial assets.

This book helps managers and directors grasp why “engineering‑grade” security, not “IT‑grade” security, is required in plants, pipelines, and grids.

Using it in IoT programs

When you are pitching a new IIoT initiative, Engineering‑Grade OT Security is a powerful ally:

  • It provides language and frameworks to align business value with risk reduction.
  • You can use its concepts to design governance models where cybersecurity requirements are embedded into equipment procurement, vendor contracts, and lifecycle planning.

5. Hacking Exposed: Industrial Control Systems – Better Defense through Offense

Authors: Clint Bodungen, Bryan Singer, and others

The Hacking Exposed series has long been a staple of penetration testers. The ICS‑focused volume applies that lens to industrial systems.

What you will find inside

  • How attackers perform reconnaissance on industrial networks.
  • Examples of exploiting weak authentication, insecure protocols, and misconfigurations.
  • Techniques for escalating from IT footholds into OT domains.
  • Guidance on building secure architectures and hardening controls based on insights from offensive testing.

Although the book explains attack techniques, its goal is not to encourage reckless hacking. Instead, it arms defenders with a realistic understanding of how systems fail.

Why defenders should read offensive material

If you are leading OT/ICS security or IoT security programs:

  • You need to know which vulnerabilities actually matter in a plant context.
  • You must be able to prioritize mitigations based on feasible attack paths, not just CVSS scores.
  • Red‑team exercises and penetration tests are more effective when you understand the techniques and their limitations.

Caution

Never experiment with the attack techniques from Hacking Exposed ICS on live production systems. Always use lab environments or vendor‑approved testing windows. The book itself stresses this, and it is especially important in safety‑critical sectors.


6. Practical Industrial Cybersecurity – Start Studying for Your GICSP Exam

Authors: Charles J. Brooks and Philip A. Craig Jr.

Many professionals enter OT/ICS security by preparing for the SANS GICSP (Global Industrial Cyber Security Professional) certification. Practical Industrial Cybersecurity pulls double duty:

  • It is a primer on ICS/IIoT security fundamentals.
  • It also acts as a study guide for GICSP’s entry‑level content.

What the book covers

  • High‑level overview of ICS architectures, protocols, and components.
  • Policy, governance, and risk‑management concepts tailored to industrial environments.
  • Fundamentals of secure remote access, patch management, and incident response.
  • Considerations for Industry 4.0 and IIoT: cloud connectivity, analytics, and smart devices.

Who benefits most

  • IT security professionals transitioning into OT roles.
  • Control engineers who need a structured introduction to cybersecurity concepts.
  • Managers who want an overview before authorizing staff training or SANS courses.

Relation to IoT and IIoT

Because it explicitly calls out Industry 4.0 and IIoT, this book is particularly relevant if you are:

  • extending legacy plants with sensor networks and analytics,
  • building secure architectures that span PLCs, edge gateways, and cloud applications, or
  • preparing internal teams for certification paths in both IT and OT security.

7. Industrial Cybersecurity: Case Studies and Best Practices

Author: Steve Mustard

Steve Mustard brings a heavy engineering background to Industrial Cybersecurity: Case Studies and Best Practices. Rather than focusing solely on abstract frameworks, he walks through real projects and how cybersecurity considerations played out in practice.

What stands out

  • Concrete case studies from oil and gas, manufacturing, and other industrial sectors.
  • Exploration of how control system upgrades, safety systems, and cybersecurity intersect.
  • Best practices expressed in a way that engineers, not just security pros, can understand.

The book can work as both an introduction and an advanced reference, depending on your background. It is especially useful for controls and automation engineers who suddenly find themselves responsible for cybersecurity deliverables.

Why engineers should read it

  • You will see how configuration choices, network diagrams, and vendor integrations look under the security spotlight.
  • It demonstrates that engineering decisions and cybersecurity decisions are inseparable in modern projects.
  • The examples help you push back when others suggest shortcuts that would create unacceptable risk.

For IoT and digital‑twin initiatives

Use the case studies as templates when you:

  • design new connected architectures,
  • create project specifications that include security requirements, and
  • document lessons learned from your own deployments.

8. Countering Cyber Sabotage – Consequence‑Driven, Cyber‑Informed Engineering

Authors: Andy Bochman and Sarah Freeman

The final book on our list, Countering Cyber Sabotage, introduces a methodology known as Consequence‑Driven, Cyber‑Informed Engineering (CCE). Instead of starting with vulnerability scans, CCE begins with a stark question:

“What are the worst plausible consequences if an attacker compromises this system?”

From there, you work backward:

  • identify critical functions,
  • map how they could be corrupted or disrupted,
  • and engineer safeguards that make catastrophic outcomes far less likely.

Why this perspective matters

Traditional IT security often focuses on probabilities: likelihood of exploit, expected loss, etc. In OT/ICS and many IoT contexts, consequences matter more than probabilities. Even if the chance of an attack is small, outcomes like equipment damage, environmental release, or safety incidents are not acceptable.

Countering Cyber Sabotage:

  • helps you prioritize crown‑jewel systems and high‑consequence scenarios,
  • encourages collaboration between cybersecurity teams and core engineering disciplines,
  • and provides a playbook for boards and regulators who want assurance that critical systems are being designed and operated with cyber threats in mind.

How to use it

  • Apply CCE thinking to new IIoT projects, where you still have design flexibility.
  • Use it to challenge assumptions like “our PLC network is air‑gapped” or “no one would ever target us.”
  • Integrate its ideas into safety reviews, HAZOP studies, and enterprise risk management.

Building Your Personal OT / ICS Cybersecurity Learning Path

With eight substantial books, where should you start? Here is a sample roadmap tailored to different roles.

For IT security engineers moving into OT/ICS

  1. Practical Industrial Cybersecurity – get the vocabulary and big picture.
  2. Industrial Network Security – deepen your understanding of protocols and architectures.
  3. Industrial Cybersecurity (Ackerman) – start building labs and doing hands‑on assessments.
  4. Hacking Exposed ICS – round out your view of attacker techniques.
  5. Countering Cyber Sabotage – learn consequence‑driven thinking.

For controls/automation engineers new to cybersecurity

  1. Industrial Network Security – anchor your existing knowledge in security concepts.
  2. Industrial Cybersecurity: Case Studies and Best Practices – see how peers handle security in projects.
  3. Industrial Cybersecurity (Ackerman) – add practical defensive skills.
  4. Engineering‑Grade OT Security – understand how management views risk and compliance.
  5. Sandworm – build appreciation for real‑world attackers and motivations.

For managers, plant leaders, and executives

  1. Sandworm – understand the stakes in business and geopolitical terms.
  2. Engineering‑Grade OT Security – frameworks for governance, investment, and accountability.
  3. Countering Cyber Sabotage – strategy for consequence‑driven protection of critical functions.
  4. Practical Industrial Cybersecurity – enough technical grounding to ask the right questions of your teams.

For IoT / IIoT product managers and architects

  1. Practical Industrial Cybersecurity – link ICS concepts with Industry 4.0.
  2. Industrial Network Security – understand the environments your devices will enter.
  3. Industrial Cybersecurity (Ackerman) – see how monitoring and diagnostics can make or break deployments.
  4. Countering Cyber Sabotage – consider worst‑case outcomes of compromised devices or cloud platforms.
  5. Hacking Exposed ICS – design products that are resistant to common attacker workflows.

Turning Reading into Action for IoT and OT

Books alone will not secure a factory or pipeline, but they give you patterns and language you can apply immediately. Here are concrete steps to turn this reading list into better security outcomes.

1. Run cross‑functional reading groups

Pick one book at a time and invite participants from:

  • IT security,
  • OT/controls engineering,
  • safety and risk management,
  • operations leadership,
  • and any IoT platform teams.

Assign one chapter per week and end with a short workshop:

  • “What in this chapter looks like our environment?”
  • “Where are we already doing this well?”
  • “Where are the gaps, and who owns them?”

This small practice accelerates culture change.

2. Map book concepts to your reference architecture

As you read:

  • Use Industrial Network Security and Practical Industrial Cybersecurity to annotate your network diagrams, marking recommended zones, conduits, and security controls.
  • Use Industrial Cybersecurity and Hacking Exposed ICS to identify monitoring points and potential attack paths.
  • Use Engineering‑Grade OT Security and Countering Cyber Sabotage to enrich your risk registers and policy documents with more precise language.

3. Build or refine your OT lab

Ackerman’s books and Hacking Exposed ICS are ideal companions for a testbed or cyber‑range:

  • Simulate PLCs, HMIs, historians, and IIoT gateways.
  • Reproduce network topologies from the books.
  • Practice incident detection, response, and forensics in a safe environment.

This is especially powerful for IoT teams who rarely see how their devices behave inside real control loops.

4. Align with certifications and training programs

If your staff are pursuing:

  • GICSP,
  • CISSP‑ISSEP,
  • ISA/IEC 62443 certificates, or
  • vendor‑specific OT security credentials,

these books provide cost‑effective preparation and ongoing reference material.


Quick Comparison Table

| Book | Primary Focus | Best For | Role in IoT / OT Programs |
|---|---|---|---|
| Sandworm | Real‑world nation‑state attacks on critical infrastructure | Everyone, especially leadership | Raises urgency, fuels risk discussions and tabletop exercises |
| Industrial Network Security | Fundamentals of ICS networks and protocols | IT and OT engineers | Foundation for secure architectures and segmentation |
| Industrial Cybersecurity (Ackerman) | Hands‑on implementation and monitoring | Security engineers, SOC analysts | Guide for building detection, response, and hardening capabilities |
| Engineering‑Grade OT Security | Management‑level governance and architecture | Managers, directors, CISOs | Aligns security investments with engineering reality |
| Hacking Exposed ICS | Offensive techniques and paths to compromise | Red teams, advanced defenders | Helps prioritize defenses based on real attacker methods |
| Practical Industrial Cybersecurity | ICS/IIoT basics and GICSP prep | New OT security professionals | Bridges IT and OT, introduces Industry 4.0 concerns |
| Industrial Cybersecurity: Case Studies and Best Practices | Real project stories and lessons | Control engineers, project managers | Demonstrates how to embed security into engineering projects |
| Countering Cyber Sabotage | Consequence‑driven, cyber‑informed engineering | Senior engineers, risk and safety leaders | Focuses defenses on high‑impact outcomes and crown‑jewel systems |

Final Thoughts

OT/ICS cybersecurity and industrial IoT security are no longer niche topics. As more physical processes depend on connected systems, every engineer and security leader needs at least a working understanding of how attacks unfold and how to design resilient architectures.

The eight books highlighted in the attached image provide one of the most balanced and practitioner‑approved reading lists available today. Together, they cover:

  • the real‑world threat landscape,
  • the fundamentals of industrial networks,
  • hands‑on defensive and offensive techniques,
  • best practices from engineering projects, and
  • management‑level strategy and consequence‑driven thinking.

Whether you are protecting a water plant, modernizing a factory with IIoT sensors, or designing the next generation of connected infrastructure, investing time in these books will give you a decade of field experience in a fraction of the time.

Consider this your roadmap. Start with one title, build a reading habit across your team, and let these authors guide you toward safer, more resilient OT and IoT systems.
