Deception technology can improve industrial control systems and operational technology cybersecurity by creating high-confidence signals when adversaries interact with assets, credentials, or services that legitimate users should not touch. However, organizations often lack a practical method for determining whether they are ready to deploy deception safely, govern it consistently, and use its alerts effectively. This paper develops a Deception Readiness Index (DRI) for ICS and OT cybersecurity programs. The study uses design science and qualitative document analysis of public cybersecurity standards, OT security guidance, workforce frameworks, and prior deception-technology research. The resulting artifact scores readiness across governance, architecture, monitoring, workforce, and operational safety domains. The index is then applied to three synthetic critical-infrastructure profiles to demonstrate how readiness gaps can be identified before deployment. The results show that deception readiness depends less on tool availability alone and more on the alignment of ownership, safe placement, alert routing, staff capability, and operational approval. The DRI provides a repeatable planning method for organizations seeking to move from initial interest in deception technology to a controlled, auditable deployment.
Introduction
This paper proposes a Deception Readiness Index (DRI) to help organizations operating Industrial Control Systems (ICS) and Operational Technology (OT) environments assess their preparedness for deploying deception technology safely and effectively. ICS and OT systems support critical infrastructure sectors such as water, energy, manufacturing, transportation, and building automation, where cybersecurity measures must prioritize safety, reliability, uptime, and operational continuity.
Background
Deception technology uses fake assets—such as decoys, honey credentials, canary files, simulated services, and monitored engineering artifacts—to detect unauthorized activity. When attackers interact with these deceptive elements, organizations receive high-confidence alerts without directly affecting production systems.
Although previous research has shown the value of deception technology in critical infrastructure, many organizations struggle with deployment readiness. Challenges include:
Lack of governance and ownership
Insufficient monitoring and alert handling
Limited staff training
Inadequate change management
Safety and operational concerns
As a result, deception tools may be purchased but fail to become effective security capabilities.
Purpose of the Study
The study introduces the Deception Readiness Index (DRI), a practical scoring framework that helps organizations determine whether they are prepared to deploy deception technology in a controlled, auditable, and safe manner.
Methodology
The research uses a design science approach supported by qualitative document analysis. The DRI was developed using guidance from major cybersecurity frameworks and standards, including:
National Institute of Standards and Technology Cybersecurity Framework (CSF 2.0)
National Institute of Standards and Technology
International Electrotechnical Commission
Cybersecurity and Infrastructure Security Agency Cybersecurity Performance Goals
MITRE Corporation
National Initiative for Cybersecurity Education
The development process involved:
Extracting readiness-related requirements from standards.
Grouping them into readiness domains.
Creating a scoring system.
Testing the model on synthetic critical infrastructure profiles.
Interpreting results and recommended actions.
Deception Readiness Index (DRI)
The DRI evaluates readiness across five domains, each scored from 0 to 4:
| Domain | Purpose |
| --- | --- |
| Governance Readiness | Ownership, policies, approvals, and auditability |
| Architecture Readiness | Safe and realistic placement of decoys |
| Monitoring Readiness | Alert routing, logging, and response integration |
| Workforce Readiness | Staff training and coordination |
| Operational Safety Readiness | Ensuring deception does not interfere with physical processes |
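The maximum total score is 20. The total is converted into a percentage, where G, A, M, W, and S are the scores for the governance, architecture, monitoring, workforce, and operational safety domains:
DRI = ((G + A + M + W + S) / 20) × 100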
Readiness Categories
| Score | Category | Meaning |
| --- | --- | --- |
| 0–24% | Not Ready | Focus on planning and governance before deployment |
| 25–49% | Foundational | Only low-risk deception activities should be considered |
| 50–74% | Pilot Ready | Controlled pilot deployments are possible |
| 75–89% | Deployment Ready | Deception can be integrated into operations |
| 90–100% | Optimized | Fully governed, tested, and continuously improved |
Results
The DRI was applied to three hypothetical organizations:
| Organization Type | DRI Score | Category |
| --- | --- | --- |
| Small Municipal Utility | 30% | Foundational |
| Mid-sized Manufacturer | 50% | Pilot Ready |
| Large Critical Infrastructure Operator | 75% | Deployment Ready |
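The scoring formula and readiness bands above, worked through in code as an added example that is not part of the paper. The page reports only the overall percentages for the three profiles, so the per-domain scores below are constructed to reproduce those totals, and `weakest_domains` is a hypothetical helper for surfacing the lowest-scoring domains.

```python
"""DRI scoring per the formula and bands above (added example, not the paper's code)."""

DOMAINS = ("governance", "architecture", "monitoring", "workforce", "safety")

# (lower bound %, category) from the Readiness Categories table, highest first.
BANDS = ((90, "Optimized"), (75, "Deployment Ready"), (50, "Pilot Ready"),
         (25, "Foundational"), (0, "Not Ready"))


def dri(scores):
    """Return (percentage, category) for a dict of five 0-4 integer domain scores."""
    missing = set(DOMAINS) - set(scores)
    extra = set(scores) - set(DOMAINS)
    if missing or extra:
        raise ValueError(f"missing={sorted(missing)} unexpected={sorted(extra)}")
    for name, value in scores.items():
        # bool is a subclass of int; reject it so True/False are not scored as 1/0.
        if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 4:
            raise ValueError(f"{name}: score must be an integer 0-4, got {value!r}")
    # Integer arithmetic: (sum / 20) * 100 == sum * 5, so every result is an exact
    # multiple of 5 and always falls inside one band, never between two of them.
    pct = sum(scores.values()) * 5
    category = next(label for floor, label in BANDS if pct >= floor)
    return pct, category


def weakest_domains(scores):
    """Hypothetical helper: domains tied for the lowest score (first gaps to close)."""
    low = min(scores.values())
    return sorted(d for d, v in scores.items() if v == low)


# Constructed per-domain scores: illustrative assumptions chosen only so that the
# totals match the reported 30%, 50% and 75%.
PROFILES = {
    "Small Municipal Utility":
        dict(governance=1, architecture=1, monitoring=1, workforce=1, safety=2),
    "Mid-sized Manufacturer":
        dict(governance=2, architecture=2, monitoring=1, workforce=2, safety=3),
    "Large Critical Infrastructure Operator":
        dict(governance=3, architecture=3, monitoring=3, workforce=3, safety=3),
}

if __name__ == "__main__":
    for org, scores in PROFILES.items():
        pct, category = dri(scores)
        print(f"{org}: {pct}% {category}; lowest: {', '.join(weakest_domains(scores))}")
```

Two of the three reported scores (50% and 75%) sit exactly on a band's lower bound, so a one-point drop in any single domain moves that profile down a category.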
Key Findings
Technology ownership alone is insufficient. Small utilities need governance, inventory management, and incident-response processes before deploying deception tools.
Pilot readiness requires integration. Mid-sized manufacturers can begin limited pilots but need stronger monitoring and OT-response coordination.
Safety limits deployment scope. Even highly mature organizations should deploy deception in a controlled and carefully managed manner.
Priority Actions by Readiness Level
Not Ready: Establish ownership, inventory assets, define safe deployment zones, and identify response contacts.
Foundational: Use only low-risk lures and document alert-handling procedures.
Pilot Ready: Conduct controlled pilots, connect alerts to response playbooks, and coordinate with OT personnel.
Deployment Ready: Expand deception across approved OT zones and integrate with security operations.
Optimized: Continuously update decoys, measure effectiveness, test resilience, and report outcomes.
Conclusion
Deception technology can provide ICS and OT defenders with high-confidence early-warning signals and clearer evidence of attacker behavior. Its value, however, depends on more than the existence of decoys. Organizations must be ready to govern, place, monitor, interpret, and safely operate deception capabilities. This paper developed a Deception Readiness Index to help organizations assess their readiness before deployment.
The DRI scores governance, architecture, monitoring, workforce, and operational safety readiness on a 0 to 4 scale and converts the result into a percentage-based readiness category. Applying the index to three synthetic profiles demonstrated that the model can distinguish between foundational, pilot, and deployment readiness. The index gives critical-infrastructure organizations a practical way to decide whether to defer deception, pilot it narrowly, or integrate it into a mature OT cybersecurity program.
The broader contribution is a shift from advocating deception technology to operationalizing it responsibly. In safety-sensitive environments, deception should not be treated as a standalone tool or experiment. It should be deployed as an additive, governed, evidence-producing capability that improves clarity when adversaries interact with assets they should never touch.
References
[1] D. Ward, Enhancing Security: A Comprehensive Study on Deception Technology Integration in Manufacturing and Critical Infrastructure, Ph.D. dissertation, University of the Cumberlands, Williamsburg, KY, USA, 2025. Available: https://www.proquest.com/dissertations-theses/enhancing-security-comprehensive-study-on/docview/3222626522/se-2
[2] D. Ward, “Deception Architecture for Water and Wastewater Operational Technology Environments,” International Journal of Engineering Research & Technology, vol. 15, no. 06, Jun. 2026, doi: 10.5281/zenodo.20745399. Available: https://www.ijert.org/deception-architecture-for-water-and-wastewater-operational-technology-environments-ijertv15is060682
[3] C. Pascoe, S. Quinn, and K. Scarfone, The NIST Cybersecurity Framework (CSF) 2.0, NIST Cybersecurity White Paper 29, National Institute of Standards and Technology, 2024, doi: 10.6028/NIST.CSWP.29. Available: https://doi.org/10.6028/NIST.CSWP.29
[4] K. Stouffer, M. Pease, C. Tang, T. Zimmerman, V. Pillitteri, S. Lightman, A. Hahn, S. Saravia, A. Sherule, and M. Thompson, Guide to Operational Technology (OT) Security, NIST Special Publication 800-82 Revision 3, National Institute of Standards and Technology, 2023, doi: 10.6028/NIST.SP.800-82r3. Available: https://doi.org/10.6028/NIST.SP.800-82r3
[5] Joint Task Force, Security and Privacy Controls for Information Systems and Organizations, NIST Special Publication 800-53 Revision 5, National Institute of Standards and Technology, 2020, doi: 10.6028/NIST.SP.800-53r5. Available: https://doi.org/10.6028/NIST.SP.800-53r5
[6] International Electrotechnical Commission, IEC 62443-2-1:2024, Security for Industrial Automation and Control Systems - Part 2-1: Security Program Requirements for IACS Asset Owners, 2024. Available: https://webstore.iec.ch/en/publication/62883
[7] Cybersecurity and Infrastructure Security Agency, Cross-Sector Cybersecurity Performance Goals, Washington, DC, USA, 2026. Available: https://www.cisa.gov/cybersecurity-performance-goals
[8] R. Petersen, D. Santos, K. Wetzel, M. Smith, and G. Witte, Workforce Framework for Cybersecurity (NICE Framework), NIST Special Publication 800-181 Revision 1, National Institute of Standards and Technology, 2020, doi: 10.6028/NIST.SP.800-181r1. Available: https://doi.org/10.6028/NIST.SP.800-181r1
[9] MITRE ATT&CK, “ATT&CK for ICS Matrix,” version 19.1, MITRE, 2026. Available: https://attack.mitre.org/matrices/ics/ and https://attack.mitre.org/resources/versions/
[10] J. Franco, A. Aris, B. Canberk, and A. S. Uluagac, “A survey of honeypots and honeynets for Internet of Things, Industrial Internet of Things, and cyber-physical systems,” IEEE Communications Surveys & Tutorials, vol. 23, no. 4, pp. 2351-2383, 2021, doi: 10.1109/COMST.2021.3106669. Available: https://doi.org/10.1109/COMST.2021.3106669
[11] M. Lucchese, F. Lupia, M. Merro, F. Paci, N. Zannone, and A. Furfaro, “HoneyICS: A high-interaction physics-aware honeynet for industrial control systems,” in Proceedings of the 18th International Conference on Availability, Reliability and Security, 2023, doi: 10.1145/3600160.3604984. Available: https://doi.org/10.1145/3600160.3604984