A defense suite for an industrial control system (ICS) network is disclosed. The defense suite is installed and executed on a network server hosting the human-machine interface (HMI) function of the network, thereby gaining communication privileges of the HMI server to query and perform other operations with programmable logic controllers (PLCs) and other assets of the network. The defense suite further comprises a network protection engine (NWPE) that alerts a defense suite user of suspicious activity in the network. Normal behavior of the network is obtained by a learning engine, during a learning period. The learning engine can be reactivated after a configuration change in the network. The data suite also comprises an operating system protection engine (OSPE), for preventing removable devices from accessing the HMI server and a preventing execution of unauthorized executables. The OSPE is also trained for which programs are authorized through its own program discovery module.