IT Attacks Against Industrial Control Systems
Publish date: 2020-04-01
Report number: FOI-R--4929--SE
Pages: 46
Written in: Swedish
Keywords:
- Industrial Control Systems
- Safety Instrumented Systems
- Early Intrusion Detection
Abstract
The time from the first step of an intrusion into a system to the detection of that intrusion is generally long. In several large attacks on industrial control systems, the first step of the intrusion was executed long before the attack phase. It is therefore important to reduce the time from the first intrusion to its detection in order to minimize its effect or, even better, to completely mitigate the attack. In this report, well-known attacks on industrial control systems are analyzed in order to find common properties of the attacks. The report gives an overview of the technical background for the chosen incidents, enabling conclusions to be drawn, which in turn establish a foundation for security recommendations, coursework and technical demonstrators. The results of the study show that most attacks are initiated through spear phishing and that all attacks in reality generate a deviating behavior or communication pattern in the system. Hence, these three properties are important early signs of an attack and should be used to detect intrusions.