ICS Unicorn: Slaying ICS Mythical Creatures, Part 1

Ron Fabela, SynSaber CTO & Co-founder

We had the privilege of attending and speaking at S4x22 this year, and for myself and much of the community, it was a homecoming.

As evident at this year’s conference, the ICS security community continues to grow in numbers, expertise, and passion. I wanted to take the opportunity to be retrospective on where we’ve come and how we can move forward.

So here came the ICS Unicorn and other Mythical Beasts: those myths that we tell ourselves and our community that inhibit growth. But this isn’t a judgment on the past so much as it’s a look to the future. For each mythical creature, we’ll take the same approach:

  • The Creature: What it represents
  • The Reason: Why it was necessary in the past
  • The Manifestation: What this beast has become now
  • The Actions: 3 things you and I can do to create a better future

⚠️ Disclaimer ⚠️

This isn’t about any one person or any group’s mascot.

This is about calling out the myths that no longer serve us, and the actions we need to take in order for our industry to grow and move forward.

Time to Slay ⚔️ The ICS Unicorn

An impossibly unique and special creature, the Unicorn, through its rarity, is thought to have magical powers. In the not-so-distant history of cyber security within ICS, it seemed every person, organization, attack, or process was a unicorn, rare and full of magic.

And there was a reason for that: anything new seems magical. Naturally, there were not a lot of ICS cyber security practitioners in the beginning, and the concept of security in ICS wasn’t really respected or accepted (even today).

So let’s start with the three main reasons why the industry (and its members) all turned into the mythical ICS Unicorn.

The Reason

Before they became harmful, these myths and the magical ICS Unicorn served somewhat of a purpose and existed for several reasons.

Young & Hungry

Cyber security in my ICS? There wasn’t a lot of guidance, industry meetings, or conferences. S4 started back in 2007, and in the early days, it was 30 nerds in a conference room (scroll about halfway down this S4 blog post to see some of the aforementioned nerds).

But we were passionate, and we saw a future where threats could move from theoretical to reality.

It was ok to be unique and special because we were.

Need for Recognition

This industry fought hard to be recognized as a ~real issue~. As a consultant in the 2000s, I spent most of my time convincing leadership, customers, and operators that vulnerabilities and attack paths were, in fact, real and that these issues may be exploited by threats in the coming years.

Much of the community went through the same struggle in their own organizations. The need for recognition wasn’t just selfish because…

Critical Mission

There is a tremendous sense of mission — not one I’ve felt since the military. We were few, unique, and on a worthy mission. As you can imagine, while we started on sure footing (sure hoofing?), the dark side of the force was tempting.

The mythical unicorn started to manifest itself into some very real negatives that have held our industry back.

The Manifestation

The ICS unicorn eventually turned evil. We weren’t just “special,” we were “more special than you.” Any time an event happened: a breach, a new malware, or an outage, instead of lending a helping hand, there was an “I told you so.”

Here are the myths that need to be slain if we want the community to grow beyond its current state.

Skills Gap

We’ve heard it for a decade now. There’s a skills gap, a job shortage, and a barrier to creating more unicorns. In fact, that’s the last thing we need. There has never been more documentation, training, conferences, and communities, and the need for people unicorns is dwindling.

If there’s a skills gap at this point, it’s because the community wants it there to protect their unicorn status.


It’s tough when you’re no longer unique. The unicorns of the industry, many of whom we could each individually thank today, are no longer unique. As it should be. But within people and organizations, there is the innate feeling of protecting one’s status.

You hear these echoes often: “Oh, that incident responder is not a real engineer; they don’t understand OT. That OT operator has a sticky note with their HMI password on it, they don’t understand cyber.” It’s time to open the gates, and let others in.

“There Can Be Only One”

Unicorns could be rare and powerful, if they existed. But the idea that you are “best in the world,” “global leader in X,” and other stack rankings continues to present itself in the industry. Today, on the operational vendor side, there are numerous OEMs building controllers, relays, HMIs, and all the workings that keep humanity running.

With security, we see the same: some generalists, some specialists, but all working together for a common goal, something that unicorns on their own could never reach.

The Actions

So what can we do to slay the mythical ICS unicorn? I like to keep things in threes so I can remember them. 😊


We have an awesome community that is well connected on social media, community groups, and ISACs. There has never been an easier time to connect with fellow ICS security nerds. Post online or in your community what you can help with.

For instance, I’m particularly good at OSINT information on industrial targets. Or, post where you need help so others can assist. This is the first step in building a better community instead of protecting the unicorns.

Next Week: EXPAND

Outside of general help/assist requests, look within your organizations. Whether vendor, consultant, or operator, there are people and processes you are aware of that could use assistance. Seek out individuals and offer assistance, even if you don’t think it would benefit you personally.


Find your tribe, contribute, support, and attend. You bring something important to the table. Your time and assistance are valuable at any level, so go out and find a group or organization to support. The real unicorns. The real rarity? Consistent action.

ICS Unicorn Myth: In Summary

👏 Exclusion and Gatekeeping Must Stop in Order for Our Community to Mature 👏

Yes, we were young and hungry, a community that until recently wasn’t taken seriously or making headlines. As we move forward and mature, there’s a need to let go of the old ways and slay the unicorn.

The real power, the real influence, is not the continued struggle to remain the hero, but to be a hero maker. Go out there today and find out how to help others more than yourself.

I think we’ll all find more joy and purpose in the ICS security community by lifting others up and creating a future that is better for everyone, not just the self-proclaimed unicorns.

Next week we’ll slay another ICS mythical creature — the dreaded Basilisk.

~Ron 💜🚀