ICMP provides network diagnostics (ping, traceroute). Security risks: ICMP flood (DDoS), ICMP tunneling (covert C2 channel), ping sweep (reconnaissance), ICMP redirect (routing manipulation).
Many orgs block outbound ICMP. ICMP tunneling is detectable by inspecting payload — non-empty ICMP replies are suspicious. Disable ICMP redirects on routers. Ping sweep (-sn in Nmap) maps live hosts without port scanning.
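
An added example (not from the original notes) of payload inspection for ICMP tunneling: it parses ICMP echo messages and flags replies that do not mirror their request, replies with no matching request, and oversized payloads. This goes beyond the non-empty check mentioned above, since ordinary ping replies echo the request's data; the 64-byte threshold, the function names and the sample messages are assumptions constructed for illustration.

```python
import struct

MAX_PAYLOAD = 64  # assumed threshold; common ping payloads are 32-56 bytes

def build(icmp_type, ident, seq, payload):
    """Build a constructed ICMP echo message (checksum left 0, not validated here)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def parse_icmp(msg):
    """Split an ICMP echo message into (type, ident, seq, payload)."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, _code, _cksum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, ident, seq, msg[8:]

def inspect(messages):
    """Return (ident, seq, reasons) for each suspicious echo request or reply."""
    requests, findings = {}, []
    for raw in messages:
        try:
            icmp_type, ident, seq, payload = parse_icmp(raw)
        except ValueError:
            continue  # too short to be an ICMP message
        reasons = []
        if icmp_type == 8:                      # echo request: remember its data
            requests[(ident, seq)] = payload
        elif icmp_type == 0:                    # echo reply: must mirror the request
            sent = requests.get((ident, seq))
            if sent is None:
                reasons.append("reply without matching request")
            elif sent != payload:
                reasons.append("reply payload differs from request")
        else:
            continue                            # other ICMP types are out of scope
        if len(payload) > MAX_PAYLOAD:
            reasons.append("oversized payload")
        if reasons:
            findings.append((ident, seq, reasons))
    return findings

# Constructed sample traffic: one benign ping, one tunnel-like pair, one stray reply.
BENIGN = b"abcdefghijklmnopqrstuvwabcdefghi"    # 32-byte Windows-style ping data
SAMPLE = [
    build(8, 1, 1, BENIGN), build(0, 1, 1, BENIGN),
    build(8, 2, 1, b"A" * 200), build(0, 2, 1, b"B" * 120),
    build(0, 3, 9, b"hello"),
]

if __name__ == "__main__":
    for finding in inspect(SAMPLE):
        print(finding)
```
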