OT/ICS Penetration Testing

Florida Water Treatment Plant - Hacker Increased Chemical Concentration

In February 2021, an attacker remotely gained access to SCADA at a water treatment plant and increased sodium hydroxide concentration to toxic levels. The operator noticed the change and manually reversed it - the attack could have ended in tragedy.

Without OT penetration testing:

• Critical vulnerabilities remain unknown until attack
• Standard IT pentests are too aggressive for sensitive OT systems
• No prioritization - you don’t know what to patch first
• Risk of production downtime during “unexpected” security test
• Non-compliant with NIS2 and IEC 62443 testing requirements

OT Pentests Without Production Risk

We use methodology adapted to industrial environment specifics. We know which tests are safe for SCADA, PLC and industrial protocols. We don’t stop production.

What you get:

• Passive OT system inventory (network mapping without interference)
• Industrial protocol analysis (Modbus, Profinet, OPC UA, etc.)
• Safe SCADA/HMI vulnerability tests
• IT/OT network segmentation verification
• Permissions and access control testing
• Attack simulation on unencrypted protocols
• Report with risk assessment and priorities
• Support during fix implementation
• Optional retest after implementation

Who Is It For?

This service is for you if:

• You use SCADA, DCS, PLC systems in production
• You need to meet NIS2 or IEC 62443 security testing requirements
• You’re concerned that standard IT pentest could stop production
• You need to verify IT/OT segmentation effectiveness
• You’ve implemented security controls and want to check if they work

Our Methodology

Production Safety is Priority

OT pentests differ from IT tests - we can’t allow downtime. Our approach:

1. Pre-engagement

• Detailed scope and limitations discussion
• Defining “red lines” - what we DON’T test
• Communication plan with maintenance team
• Time window and alarm procedures

2. Passive Reconnaissance (Tier 1)

• Network traffic sniffing (without sending packets)
• Topology analysis and asset identification
• Documentation and configuration review
• Safe for production: YES

3. Active Scanning (Tier 2)

• Port and service scanning
• SCADA/PLC system fingerprinting
• Vulnerability detection (CVE)
• Requires: OT coordination, time window

4. Exploitation (Tier 3)

• Controlled exploitation of selected vulnerabilities
• Test on test environment or after system shutdown
• Requires: isolation or downtime

5. Reporting & Remediation

• Detailed report with risk assessment
• Prioritization by production impact
• Workshop with team
• Optional retest

Test Scope

What We Test in OT Environment

Network Segmentation:

• IT/OT routing
• Industrial firewalls
• VLANs and ACLs
• DMZ for HMI/SCADA

SCADA/HMI Systems:

• Authentication and authorization
• Application vulnerabilities (CVE)
• Hardcoded credentials
• Remote access (VPN, RDP)

Field Devices (PLC, RTU, IED):

• Industrial protocols (Modbus, DNP3, IEC 104, etc.)
• Firmware and versions
• Default credentials
• Engineering workstations

Communication Protocols:

• Missing authentication
• Missing encryption
• Replay attack possibility
• Man-in-the-middle

Physical Security:

• Control cabinet access
• Unsecured Ethernet ports
• USB and Serial
• Engineering laptops