Regulatory Toolkit

NIST SP 800-82 Rev 3
ICS Security Tabletop Toolkit

NIST SP 800-82 Rev 3 (2023) is the definitive guide to Industrial Control System (ICS) security — covering SCADA, DCS, PLC, RTU, and HMI security practices aligned to NIST SP 800-53 controls. Skyhigh maps every OT/ICS tabletop exercise to SP 800-82 security control families — generating audit-ready evidence for CISA, DOE, and sector cybersecurity assessments.

⚠️ NIST SP 800-82 Rev 3 is guidance, not a mandatory regulation — unless referenced by a specific regulatory framework (e.g., NERC CIP, TSA directives). This toolkit is for exercise program design. Consult your sector regulator for mandatory requirements.

Rev 3: Released 2023
4 ICS Types: SCADA · DCS · PLC · RTU
18 Families: SP 800-53 Control Families
OT/ICS Focus: Critical Infrastructure Operators
Understanding NIST SP 800-82 Rev 3
The definitive ICS security guide for critical infrastructure operators — updated in 2023 with OT-specific security control overlays, cloud-connected OT guidance, and enhanced supply chain risk management for industrial environments.
What is NIST SP 800-82?
NIST SP 800-82 Rev 3 is NIST's comprehensive guide to securing Industrial Control Systems (ICS) — the technology that controls power grids, water treatment, oil and gas pipelines, manufacturing, and other critical infrastructure. It provides OT-specific security guidance aligned to NIST SP 800-53 control families. Rev 3 (2023) updates cover cloud-connected OT, supply chain ICS risk, and enhanced OT-specific security control overlays. It is widely referenced by CISA, NERC CIP, and DOE cybersecurity assessments.
ICS-Specific Security Considerations
Unlike IT systems, ICS security must account for: real-time operational requirements (availability takes priority over confidentiality), legacy systems with multi-decade operational lifecycles, safety system integration (ICS compromise can cause physical harm), vendor-controlled patch cycles, and air-gap vs. connected network architectures. SP 800-82 Rev 3 provides OT-specific adaptations of SP 800-53 controls that respect these constraints — including modified patch management, remote access, and incident response guidance.
SP 800-82 and Incident Response (IR Family)
SP 800-82 Rev 3's IR control family (IR-1 through IR-10) explicitly addresses ICS incident response — including OT-specific incident handling procedures, ICS-aware forensics, and the challenge of conducting digital forensics on operational systems without disrupting production. Tabletop exercises are the recommended mechanism for testing IR procedures (IR-3: Incident Response Testing) in ICS environments where live exercises would be operationally disruptive. Skyhigh provides exactly this capability.
SP 800-82 Control Family Mapping
How Skyhigh tabletop exercises generate evidence across NIST SP 800-82 Rev 3 control families — mapped to SP 800-53 control designations used in CISA and DOE assessments.
| SP 800-82 / SP 800-53 Control Area | ICS-Specific Requirement | Skyhigh Coverage | Evidence Generated |
| --- | --- | --- | --- |
| IR Family — Incident Response (IR-1 to IR-10) | IR-3: Incident response testing required. IR-6: Incident reporting. IR-8: ICS incident response plan | Core | Exercise = IR-3 testing compliance; AAR = IR-6/IR-8 documentation |
| AT Family — Awareness & Training (AT-2, AT-3) | OT-specific security awareness; role-based ICS security training for operators/engineers | Core | Each exercise = AT-2/AT-3 training event evidence for ICS personnel |
| CA Family — Security Assessment (CA-2, CA-7, CA-8) | ICS security control assessment; continuous monitoring; penetration testing (OT-adapted) | Direct | Exercise gap analysis = CA-2 assessment evidence; finding remediation = CA-8 |
| SI Family — System & Info Integrity (SI-3, SI-4, SI-7) | OT malware protection (OT-adapted); ICS monitoring; software/firmware integrity | Direct | Detection exercise results; OT monitoring coverage gaps surface in scenarios |
| SC Family — System & Comms (SC-7, SC-39) | OT network segmentation (DMZ, zones); boundary protection; remote access security | Direct | IT/OT lateral movement scenarios test segmentation; DMZ architecture gaps |
| AC Family — Access Control (AC-2, AC-17) | ICS user account management; remote access controls; vendor/third-party access | Direct | Remote access abuse scenarios; vendor credential compromise; access review gaps |
| CM Family — Configuration Mgmt (CM-2, CM-6, CM-7) | ICS baseline configuration; OT configuration settings; least functionality | Supporting | Configuration gap findings from scenarios (default creds, unnecessary services) |
| SA Family — System Acquisition (SA-12) | ICS supply chain risk management; OEM/vendor software integrity | Direct | Supply chain attack scenarios; OEM vendor compromise; firmware integrity exercises |
Platform Capabilities for SP 800-82 Compliance
Skyhigh is purpose-built for OT/ICS security teams — designed around the operational constraints, multi-discipline teams, and evidence requirements of industrial control system environments.
OT/ICS-Specific Scenario Library
NIST SP 800-82 Rev 3 emphasizes that ICS security requires OT-aware incident response procedures. Skyhigh's 65+ scenario library includes purpose-built ICS scenarios covering SCADA ransomware, PLC/RTU manipulation, HMI compromise, historian data breach, OT network lateral movement, and vendor remote access abuse — all designed with the operational constraints of ICS environments in mind.
SCADA Scenarios · PLC/RTU · HMI Compromise · OT Network
SP 800-82 Evidence for CISA & DOE Assessments
CISA Industrial Control Systems assessments and DOE cybersecurity evaluations reference SP 800-82 Rev 3 as the baseline standard for ICS security. Skyhigh generates exercise evidence mapped to SP 800-82 control families — providing documented IR-3 testing evidence, AT-2/AT-3 training records, and CA-2 assessment findings that satisfy CISA/DOE assessment expectations.
CISA ICS Assessment · DOE Evaluation · IR-3 Evidence · CA-2 Findings
OT/IT Cross-Domain Exercise Design
SP 800-82 Rev 3 emphasizes the need to address ICS-specific challenges in cross-domain (IT/OT convergence) security incidents. Skyhigh exercises are specifically designed for multi-discipline teams — bringing together IT security, OT engineering, safety, operations, and executive leadership — reflecting the cross-functional response required in real ICS incidents.
IT/OT Convergence · Multi-Discipline · Cross-Domain · OT Engineering
ICS/OT Tabletop Scenarios — SP 800-82 Aligned
Purpose-built scenarios for industrial control system environments — designed to test the specific controls and response procedures addressed in NIST SP 800-82 Rev 3.
SCADA · RANSOMWARE
SCADA Control System Ransomware — Energy Generation
Ransomware encrypts IT historian and engineering workstations before attempting propagation to SCADA HMI systems at a power generation facility. Tests SP 800-82 IR family procedures, OT isolation (SC-7), detection capabilities (SI-4), and recovery prioritization with operators maintaining manual control during restoration.
IR-3 · SC-7 · SI-4
DCS · MANIPULATION
Distributed Control System Logic Manipulation
Adversary with persistent access to the engineering network begins making unauthorized changes to DCS control logic — adjusting process set-points in a chemical plant. Tests detection capabilities (SI-7 firmware integrity), safety system response, OT incident classification, and ICS-specific forensics procedures (IR-9).
SI-7 · IR-9 · AT-3
PLC · FIRMWARE
PLC Firmware Compromise — Manufacturing Production Line
Nation-state actor exploits unsecured remote access to compromise PLC firmware across a manufacturing production line (Stuxnet-style attack pattern). Tests supply chain risk (SA-12), firmware integrity verification (SI-7), vendor notification, and the challenge of safe evidence collection from operational PLCs.
SA-12 · SI-7 · AC-17
HISTORIAN · EXFIL
OT Historian Data Breach — Process Intelligence Theft
Attacker compromises the OT data historian (Wonderware, OSIsoft PI) and exfiltrates years of process intelligence data — revealing operational parameters, production volumes, and plant layouts. Tests AC-2 (account management), SI-4 (monitoring), data classification procedures, and incident severity assessment for OT intellectual property theft.
AC-2 · SI-4 · IR-6
LATERAL · IT/OT
IT/OT Network Lateral Movement — Purdue Model Breach
Attacker pivots from corporate IT network through the DMZ into the OT network, violating the Purdue reference model segmentation. Tests SC-7 boundary protection effectiveness, OT monitoring detection (SI-4), IT/OT incident coordination, and emergency segmentation procedures — the most common real-world ICS attack pattern.
SC-7 · CA-7 · IR-4
REMOTE · VENDOR
Vendor Remote Access Abuse — OEM Engineering Account
A legitimate vendor remote access session is hijacked by an adversary, who uses the OEM engineering account to make unauthorized changes to safety system configuration. Tests AC-17 (remote access controls), vendor credential management, session monitoring, safety system integrity verification, and third-party incident response procedures.
AC-17 · SA-12 · IR-3
SP 800-82 Assessment Evidence Artifacts
Every Skyhigh exercise generates documentation mapped to SP 800-82 control families — ready for CISA ICS assessments, DOE cybersecurity evaluations, and sector regulatory reviews.
IR-3 Testing Record
SP 800-53 IR-3 incident response test evidence — CISA/DOE assessment-ready documentation
AT-2/AT-3 OT Training Evidence
ICS-specific security awareness and role-based training record with OT personnel participants
SC-7 Segmentation Gap Report
OT network segmentation gap findings from IT/OT exercise — SP 800-82 network architecture evidence
CA-2 Assessment Findings
Security control assessment evidence with gap findings and remediation commitments

Explore the Full Regulatory Toolkit Library

Skyhigh exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.

Start Building Your NIST SP 800-82 ICS Exercise Program

SP 800-82 Rev 3 IR-3 requires documented ICS incident response testing. Skyhigh is purpose-built for OT/ICS. Free to start.