Glossary

indicator of compromise

An indicator of compromise (IOC) is a technical artifact or data point that suggests a system or network may be breached or maliciously affected.

An indicator of compromise (IOC) is a technical artifact, pattern, or data point that suggests a system, device, or network may have been breached, misused, or otherwise affected by malicious activity. In industrial and regulated environments, IOCs are used by OT and IT security teams to detect, investigate, and respond to potential cyber incidents affecting production systems, corporate networks, and connected equipment.

What an indicator of compromise includes

IOCs commonly refer to observable items such as:

  • Network indicators, for example suspicious IP addresses, domains, URLs, or unusual traffic patterns involving control networks
  • Host-based indicators, such as unknown executables, malware file hashes, modified binaries, unusual services, or unexpected user accounts
  • Log or event patterns, such as repeated failed logins, abnormal protocol use on OT networks, or unexpected configuration changes
  • Email and identity indicators, such as known phishing sender addresses or abused user credentials
  • Industrial-specific signals, such as unauthorized firmware versions on PLCs, unexpected changes to recipes, or unauthorized remote access sessions to HMIs or engineering workstations

In cyber threat intelligence, IOCs are typically considered a form of technical or tactical intelligence, because they can be directly consumed by tools such as firewalls, IDS/IPS, SIEMs, endpoint protection, and OT monitoring platforms.

What an indicator of compromise does not include

The term usually does not refer to:

  • Business-level impacts (for example production downtime metrics or financial loss)
  • High-level threat narratives or adversary motivations, which are more strategic intelligence
  • Vulnerabilities themselves (such as unpatched software) unless there is evidence they are being actively exploited

Operational use in manufacturing and OT

In industrial and regulated environments, IOCs are often:

  • Ingested into monitoring systems to alert on known bad IPs, domains, or file hashes relevant to OT and IT assets
  • Correlated with plant logs (for example historian, MES, or engineering station logs) to identify possible compromise of production equipment
  • Used during incident response to scope which lines, sites, or systems may be affected
  • Maintained in allow/deny or watch lists that are periodically reviewed and updated as threats change

Common confusion

Indicator of compromise vs. indicator of attack (IOA): An indicator of compromise usually reflects evidence that a compromise may have already occurred (for example a known malware hash found on a system). An indicator of attack focuses more on behaviors and sequences of actions that suggest an attack is in progress, even before a clear compromise artifact exists. Many operational security programs use both IOCs and IOAs together.

Relation to cyber threat intelligence (CTI)

Within cyber threat intelligence, IOCs are one of the main outputs of tactical and technical CTI. They translate higher-level knowledge about adversaries and campaigns into concrete, machine-readable items that OT and IT teams can deploy in sensors, gateways, and monitoring tools across industrial environments.

Related Blog Articles

There are no available FAQ matching the current filters.

Related FAQ

Let's talk

Ready to See How C-981 Can Accelerate Your Factory’s Digital Transformation?

{ "@context": "https://schema.org", "@type": "BreadcrumbList", "@id": "https://connect981.com/glossary/indicator-of-compromise#breadcrumb", "itemListElement": [ { "@type": "ListItem", "position": 1, "name": "Connect 981", "item": "https://connect981.com/" }, { "@type": "ListItem", "position": 2, "name": "Glossary", "item": "https://connect981.com/glossary/" }, { "@type": "ListItem", "position": 3, "name": "indicator of compromise", "item": "https://connect981.com/glossary/indicator-of-compromise" } ] }