
As systems, networks, and applications become increasingly interconnected, the cyber threat landscape continues to evolve. Organisations today face risks not only from sophisticated external attackers but also from insider threats, supply chain vulnerabilities, and system misconfigurations. Penetration testing has emerged as a critical activity for validating defences, uncovering vulnerabilities, and improving resilience.
While penetration testing in IT is widely recognised as a proactive measure to identify vulnerabilities before they can be exploited, the unique nature of OT/ICS/IACS, where availability, safety, and reliability are paramount, has led to greater caution. Many worry that penetration testing could disrupt sensitive systems or critical operations, leading some to question whether it should be done in these environments at all. This has long been debated among subject matter experts (SMEs).
However, as cyber adversaries increasingly target critical infrastructure such as energy, healthcare, transport, and water, the demand for greater visibility into OT security risks is growing. Penetration testing, when carefully scoped and executed with an understanding of operational constraints, can help uncover security gaps, validate existing controls, and provide actionable insights without compromising availability.
This raises the question: Should penetration testing be considered a mandatory part of the OT cybersecurity lifecycle, balancing the need for operational safety with the urgency of defending against ever evolving cyber threats?
Why Penetration Testing?
System testing within Operational Technology / Industrial Control Systems (OT/ICS) environments should be formally verified and validated by the system owner. The aim of validation testing is to demonstrate, through appropriate techniques and procedures, that the management, operational, and technical countermeasures are implemented correctly, are effective in practice, and that security measures meet defined requirements. These tests may include a range of requirement tests, as well as passive and active tests such as penetration testing.
Penetration testing involves authorised individuals attempting to breach a system’s defences to expose weaknesses and vulnerabilities that could be exploited for access or control.
Through a combination of advanced tools, manual techniques, and proven methodologies, security gaps shall be identified, the effectiveness of existing controls shall be evaluated, and clear, actionable recommendations for improvement shall be provided.
What Makes OT/ICS Penetration Testing Different?
Penetration testing in OT/ICS environments is markedly different from testing in traditional IT systems. The key distinction lies in:
- Priorities: IT testing is generally concerned with confidentiality, integrity, and availability of data, whereas OT testing places safety, reliability, and continuous operation above all else.
- Complexity of OT systems: OT environments often include legacy devices, systems of systems, proprietary protocols, and systems that were never designed with security in mind. Many Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) systems, and Safety Instrumented Systems (SIS) lack basic protections such as authentication or encryption, meaning penetration testers must work with older technologies while respecting operational sensitivities.
- Impact on operational services: During testing, disruption is not merely inconvenient; it can compromise human safety, damage expensive assets, break safety functions, or interrupt critical services.
- Organisational differences: In many businesses, IT and OT teams operate separately, with distinct priorities and cultures. In addition, each critical infrastructure industry has its own requirements, which can vary across different geographies. Penetration testing in OT requires close collaboration between cyber security specialists, control engineers, and operations teams. Testers must understand not only how to exploit vulnerabilities but also how these vulnerabilities might impact safety systems, physical processes, and compliance obligations.
- Regulatory and standards considerations: Some international and local standards highlight the role of penetration testing in validating that countermeasures achieve the required security levels, and some provide detailed guidance on safe testing approaches. These frameworks remind us that penetration testing in OT is not purely a technical exercise but part of wider governance and assurance processes, driven by specific industries and local jurisdictions.
Tailored testing for OT/ICS
Because of these unique constraints, OT penetration testing cannot adopt the same aggressive methods often used in IT. Instead, it requires a carefully planned and highly controlled approach, where every test is risk assessed against the potential impact on operational systems. Unlike IT systems that can often be rebooted or patched with minimal consequences, many OT systems operate continuously and have uptime requirements measured in years, not hours.
While such testing is common in traditional IT, finding specialists who fully understand the unique demands of OT can be more difficult. The combination of legacy equipment, proprietary protocols, and strict availability requirements means that only experienced professionals with both cybersecurity expertise and OT experience can carry out these tests safely and effectively.
Therefore, comprehensive penetration testing must be designed to proactively identify these vulnerabilities before they can be exploited. This requires that cybersecurity professionals simulate real-world attack scenarios while also conducting detailed security configuration reviews, assessing the environment from both internal and external perspectives.
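The risk assessment of every test against its potential operational impact, described above, can be made explicit in the planning stage. The following Python script is an added illustration and not the article's own process: it scores each asset in a constructed inventory by zone, criticality and whether a maintenance window exists, and returns the most intrusive test mode the Rules of Engagement should permit for it. The zone names, the three-step mode scale and the inventory are all assumptions made for the example.

```python
"""Risk-assessed test selection for an OT engagement.

Added illustration, not the article's own process. Each asset is mapped to the
most intrusive test mode that its operational impact profile can tolerate, so
the Rules of Engagement can list permitted activity per asset. Zone names,
mode scale and inventory are constructed for the example.
"""
from dataclasses import dataclass

# Ordered from least to most intrusive (hypothetical three-step scale).
MODES = ["passive_only", "active_scan", "controlled_exploitation"]


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str                  # "enterprise", "dmz", "control" or "safety" (assumed zones)
    criticality: int           # 1 (low) .. 5 (safety-related)
    maintenance_window: bool   # an agreed outage exists for this asset
    vendor_supports_scan: bool = False  # vendor confirmed the device tolerates scanning


def permitted_mode(asset: Asset) -> str:
    """Pick the most intrusive mode whose worst-case impact is acceptable."""
    # Safety systems and top-criticality assets: observe traffic, never probe.
    if asset.zone == "safety" or asset.criticality >= 5:
        return "passive_only"
    # Control-zone devices may be actively scanned only when out of service
    # and the vendor has confirmed the device tolerates it; no exploitation.
    if asset.zone == "control":
        if asset.maintenance_window and asset.vendor_supports_scan:
            return "active_scan"
        return "passive_only"
    # DMZ and enterprise assets follow IT-style rules, but exploitation of a
    # high-criticality asset is deferred until a maintenance window exists.
    if asset.criticality >= 4 and not asset.maintenance_window:
        return "active_scan"
    return "controlled_exploitation"


def is_request_allowed(asset: Asset, requested: str) -> bool:
    """True if a tester's requested mode is within what the ROE permits."""
    return MODES.index(requested) <= MODES.index(permitted_mode(asset))


def build_plan(assets) -> dict:
    """Map asset name -> permitted mode; this is the per-asset table for the ROE."""
    return {a.name: permitted_mode(a) for a in assets}


# Constructed inventory for a small site.
INVENTORY = [
    Asset("SIS-01", "safety", 5, maintenance_window=True, vendor_supports_scan=True),
    Asset("PLC-LINE-A", "control", 4, maintenance_window=True, vendor_supports_scan=True),
    Asset("PLC-LINE-B", "control", 4, maintenance_window=False, vendor_supports_scan=True),
    Asset("HISTORIAN", "dmz", 4, maintenance_window=False),
    Asset("JUMP-HOST", "dmz", 3, maintenance_window=False),
    Asset("ERP-WEB", "enterprise", 2, maintenance_window=False),
]

if __name__ == "__main__":
    for name, mode in build_plan(INVENTORY).items():
        print(f"{name:12} {mode}")
```

The point of the example is that the decision is taken per asset before any tool is run, and that `is_request_allowed` gives the engagement lead a mechanical check when a tester asks to go further than the plan allows.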
Testing Pillars
The following key tests should be considered when designing a tailored penetration test for an OT environment. Together, they provide a comprehensive approach to identifying and addressing vulnerabilities before they can be exploited by adversaries.
- Internal Infrastructure Penetration Testing: Insider threat scenarios are simulated within the internal network to identify weaknesses in user access controls, system configurations, and application deployments.
- External Infrastructure Penetration Testing: Internet-facing systems, such as remote access services and cloud-connected assets, are assessed to uncover vulnerabilities that external attackers could exploit, such as exposed services, outdated software, and weak perimeter defences.
- Web Application and Web Service Assessment: In depth evaluations of web applications and APIs focus on vulnerabilities including SQL Injection, Cross-Site Scripting (XSS), authentication flaws, and insecure configurations.
- Wireless Network Security Assessment: Wireless deployments are examined to detect weak encryption standards, rogue access points, and segmentation issues that may expose internal resources.
- Internal and External Vulnerability Assessments: Automated and manual testing is performed to identify vulnerabilities across both internal and external systems, producing a prioritised list for remediation.
- Server Security Configuration Review: Server settings, access controls, patch levels, and logging practices are reviewed to ensure alignment with secure configuration baselines.
- Database Security Assessment: Database security is evaluated with a focus on encryption methods, access management, and patching strategies aimed at protecting sensitive data.
- Industrial Protocol Security Assessment: Industrial protocols, including proprietary ones, are tested for weaknesses such as lack of encryption, authentication gaps, or susceptibility to replay attacks.
- Firewall and Network Device Configuration Review: Firewall rules, access lists, and network device settings are audited to identify weaknesses and confirm adherence to recognised best practices.
- OT Device Security Configuration Review: The security posture of critical OT systems is reviewed, with verification of configurations, patch levels, and access protections to safeguard operational technology.
- Network Segregation Assessment: Network segmentation is assessed to ensure critical assets are properly isolated, reducing the risk of lateral movement by attackers.
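The protocol weaknesses listed under the Industrial Protocol Security Assessment pillar (no authentication, replayable writes) are easiest to see on a concrete protocol. The following Python script is an added example and not code from the article: it uses Modbus/TCP as an assumed example protocol, decodes the MBAP header of constructed frames, and applies two compensating checks a defender would run on captured traffic: a source allow-list for write function codes (since the protocol itself cannot authenticate the writer) and detection of an identical write frame being repeated, which is the signature of a replay. The IP addresses, allow-list and sample traffic are all constructed.

```python
"""Modbus/TCP write-monitoring example.

Added illustration, not the article's code. Modbus/TCP carries no
authentication, so the compensating control is to allow-list which hosts may
issue write function codes to which PLC and to flag repeated identical write
frames, a sign of replayed traffic. Addresses and frames are constructed.
"""
import struct
from collections import defaultdict

# Modbus function codes that change process state.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical allow-list: source IP -> set of PLC IPs it may write to (HMI -> PLC).
WRITE_ALLOWLIST = {"10.1.2.10": {"10.1.2.50"}}


def parse_mbap(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header plus the function code of a Modbus/TCP ADU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": uid, "function": frame[7], "data": frame[8:]}


def build_write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    """Construct a Write Single Register (0x06) request for the sample traffic."""
    pdu = struct.pack(">BHH", 6, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def audit(packets) -> list:
    """Return alerts for unauthorised writes and repeated (replayed) write frames.

    packets: iterable of (src_ip, dst_ip, frame_bytes), constructed for the example.
    """
    alerts = []
    seen = defaultdict(int)  # (src, dst, exact frame bytes) -> occurrences
    for src, dst, frame in packets:
        adu = parse_mbap(frame)
        fc = adu["function"]
        if fc not in WRITE_FUNCTIONS:
            continue                      # reads are not subject to these checks
        if dst not in WRITE_ALLOWLIST.get(src, set()):
            alerts.append(f"UNAUTHORISED_WRITE {src}->{dst} fc={fc} tid={adu['tid']}")
        seen[(src, dst, frame)] += 1
        # A legitimate master increments the transaction id; an identical
        # frame (same tid and payload) arriving again is a replay indicator.
        if seen[(src, dst, frame)] > 1:
            alerts.append(f"POSSIBLE_REPLAY {src}->{dst} fc={fc} tid={adu['tid']}")
    return alerts


# Constructed capture: two legitimate HMI writes, one write from a host that is
# not allowed to write, and a byte-for-byte repeat of the first HMI frame.
SAMPLE_TRAFFIC = [
    ("10.1.2.10", "10.1.2.50", build_write_single_register(1, 1, 0x0010, 500)),
    ("10.1.2.10", "10.1.2.50", build_write_single_register(2, 1, 0x0010, 520)),
    ("10.1.2.77", "10.1.2.50", build_write_single_register(9, 1, 0x0010, 0)),
    ("10.1.2.10", "10.1.2.50", build_write_single_register(1, 1, 0x0010, 500)),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_TRAFFIC):
        print(line)
```

Run stand-alone, the script reports one unauthorised write from 10.1.2.77 and one possible replay of transaction 1 from the HMI. The same two checks apply to any unauthenticated industrial protocol once a parser for its header exists; the allow-list is the control that a protocol assessment typically ends up recommending when the protocol cannot be changed.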
Key Considerations for Effective Delivery
By following this structured approach, organisations can move beyond desktop and passive risk assessment and prioritise security improvements based on real world evidence.
- Discovery and Mapping: Effective testing should begin with comprehensive discovery and mapping. Passive and active information gathering techniques help to chart systems, networks, and applications, establishing a baseline threat landscape. In OT environments, this step is critical, as it also identifies legacy components and critical dependencies that could otherwise be overlooked.
- Development of Rules of Engagement: Following discovery, it is essential to establish clear Rules of Engagement (ROE). This stage defines the scope and boundaries of the test, the methods and tools to be used, and the agreed work method statement and procedures. In OT environments a well-defined ROE ensures that testing is conducted responsibly, minimising the risk of unplanned disruption.
- Vulnerability Assessment: A thorough vulnerability assessment should be conducted using a combination of automated scanning and manual verification. This dual approach ensures both breadth and depth, revealing not only surface-level weaknesses but also deeper issues such as misconfigurations, weak authentication, and unpatched systems that present significant risks. Automated scans must be carried out with extreme care to avoid disrupting sensitive systems or processes.
- Exploitation and Validation: Identified vulnerabilities should then be tested through controlled exploitation. This validates risks in practice and demonstrates how they could be leveraged by attackers. In OT, exploitation must always be performed under strict safeguards to prevent disruption to critical operations.
- Post Exploitation and Lateral Movement Analysis: Testing should also consider how an attacker might act once inside the environment. Analysing privilege escalation, lateral movement, and potential data exfiltration provides insight into attack paths and the resilience of existing controls. This stage is particularly important in OT, where attackers may attempt to pivot from IT networks into operational systems.
- Clear and Actionable Reporting: Reporting in OT should go beyond simply listing vulnerabilities. Findings must be prioritised by severity and aligned with organisational or project risk, with clear and actionable recommendations for remediation. Since not all identified vulnerabilities can be fixed immediately, reporting should also consider the potential impact on system functionality. Vulnerabilities should be categorised by potential impact to enable effective prioritisation. Strong reporting translates technical insights into business language, giving leadership the clarity and confidence to act, while also feeding into a proper roadmap for remediation and security uplift.
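The reporting step above asks for findings to be prioritised by severity, aligned with operational impact, and separated by whether the fix itself would disrupt the process. The following Python script is an added illustration and not the article's reporting template: each constructed finding carries a technical severity, the operational consequence if exploited, the disruption caused by applying the fix, and whether it is reachable from a less trusted zone; the script derives a risk score and a remediation track from those fields. The impact categories, weights and thresholds are assumptions chosen for the example.

```python
"""Prioritising OT penetration test findings for the report.

Added illustration, not the article's reporting template. A finding's
technical severity is weighted by what the process would lose if it were
exploited, and the disruption of the fix decides whether it can be applied
now or needs a compensating control until the next outage. Categories,
weights, thresholds and findings are constructed for the example.
"""
from dataclasses import dataclass

# Operational impact scale (assumed), used for both exploitation and remediation.
IMPACT = {"none": 0, "degraded": 1, "loss_of_view": 2, "loss_of_control": 3, "safety": 4}


@dataclass
class Finding:
    id: str
    title: str
    severity: float      # technical score, e.g. CVSS base score 0-10
    impact: str          # operational consequence if exploited (IMPACT key)
    fix_disruption: str  # operational consequence of applying the fix (IMPACT key)
    exposed: bool        # reachable from a less trusted zone


def risk_score(f: Finding) -> float:
    """Technical severity weighted by process impact and exposure."""
    score = f.severity * (1 + IMPACT[f.impact])
    if f.exposed:
        score *= 1.5
    return round(score, 1)


def remediation_track(f: Finding) -> str:
    """Decide how the finding enters the roadmap."""
    if IMPACT[f.fix_disruption] >= IMPACT["loss_of_control"]:
        # The fix itself stops the process: compensating control until an outage.
        return "compensating_control_then_outage"
    if risk_score(f) >= 20:
        return "fix_now"
    return "scheduled"


def prioritise(findings) -> list:
    """Return findings ordered for the report, highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def report_lines(findings) -> list:
    """One line per finding in report order: id, track, score, title."""
    return [f"{f.id} {remediation_track(f):32} risk={risk_score(f):5} {f.title}"
            for f in prioritise(findings)]


# Constructed findings; titles are generic and not tied to any product.
SAMPLE_FINDINGS = [
    Finding("F-01", "Outdated PLC firmware with vendor-published vulnerability",
            9.8, "loss_of_control", "loss_of_control", exposed=False),
    Finding("F-02", "Unauthenticated protocol writes reachable from enterprise VLAN",
            8.0, "loss_of_control", "degraded", exposed=True),
    Finding("F-03", "Historian web interface cross-site scripting",
            6.1, "loss_of_view", "none", exposed=True),
    Finding("F-04", "Default SNMP community string on control switch",
            5.3, "degraded", "none", exposed=False),
    Finding("F-05", "Safety PLC reachable from engineering wireless network",
            7.5, "safety", "none", exposed=True),
]

if __name__ == "__main__":
    for line in report_lines(SAMPLE_FINDINGS):
        print(line)
```

Two things the ordering shows that a plain severity list would not: the exposed, safety-impacting finding outranks the one with the highest CVSS score, and the highest-CVSS finding is routed to a compensating control rather than "fix now" because its fix would itself stop the process.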
Takeaway
Penetration testing in OT environments is not simply a technical exercise; it is a carefully managed process that balances security with safety, reliability, and operational continuity. By adopting a structured approach, carefully planning and designing for each environment and relying on experienced SMEs, organisations and projects can provide resilience against cyber threats. The ultimate value lies not only in uncovering vulnerabilities but also in translating findings into actionable improvements that strengthen defences, support compliance, and build long term operational resilience. In this way, penetration testing becomes a strategic enabler for both OT security and business continuity.
Soroush Tazerji
Director of Security Services at Tactix Sener Group
Soroush is Director of Security Services at Tactix Sener Group. He has extensive experience in large-scale railway projects in Australia, North America, and the Middle East. His expertise encompasses full project lifecycle management, including the design, implementation, testing, installation, commissioning, and operation of cybersecurity technology systems and operations. He has successfully provided cybersecurity solutions for various ICS/IACS systems, managed major cybersecurity improvement programs, and established cybersecurity operations and response units that form part of the Cybersecurity Operations Center (CSOC) for critical infrastructure. He has also contributed to the development of international cybersecurity standards for automation and control systems.