Specialty 02 · Industrial Control Systems
Protocol-aware adversary emulation against the controls that drive the physical process — PLCs, RTUs, SCADA, HMI, historians, and Safety Instrumented Systems. Conducted by testers who handle Modbus, DNP3, Profinet, EtherNet/IP, and OPC-UA without disrupting the process they protect.
Engagement length: 3–8 weeks
Process impact: Zero target
SIS testing: Lab-only active
Aligned: IEC 62443
Who this is for
Controls Engineers & OT/ICS Engineering Leads
You own the PLCs and SCADA. You need an independent assessment of controller exposure, project-file integrity, and engineering-workstation hygiene — performed by someone who will not crash your process.
Process Safety & SIS Owners
Plant safety leads, functional-safety engineers, and operators of facilities with formal IEC 61511/IEC 62443 SL targets. We test the boundary around the SIS without touching the safety function itself.
Pacific Northwest Manufacturers & Utilities
Food & beverage processors, semiconductor fabs, paper & pulp mills, metals and aerospace, water and wastewater utilities, hydropower operators, and process-industry facilities across Oregon, Washington, and Idaho.
Cyber Insurance & Audit Stakeholders
CISOs, internal audit, and external auditors who need an ICS-specific penetration test report — not a generic IT pentest with industrial assets in scope — that holds up under underwriter or regulator review.
What's in scope
Our ICS penetration testing covers the controls themselves and the systems that supervise them. Scope is sized to your facility, but these are the standard areas of evaluation.
Allen-Bradley / Rockwell ControlLogix & CompactLogix, Siemens S7, Schneider Modicon, GE PACSystems, ABB, Mitsubishi. Firmware, project-file exposure, write-protection, credential strength, exposed engineering services.
Wonderware/AVEVA, Ignition, Iconics, GE iFIX, Siemens WinCC, Rockwell FactoryTalk View. OS hardening, account hygiene, network exposure, integration with corporate identity providers.
Operator HMI, engineering HMI, mobile HMI. Local credential reuse, USB exposure, Windows hardening baselines, project-file confidentiality, and screen-scraping/recording risk.
OSIsoft PI, AVEVA Historian, GE Proficy. Whether the historian sits in a true industrial DMZ with one-way data flow to corporate, ransomware survivability, backup integrity, and downstream MES/ERP integration boundaries.
SIS exposure review (configuration, network, engineering-workstation access). Active testing only against vendor-spare units in lab. Triconex, HIMA, Yokogawa ProSafe-RS, Siemens S7-1500F, Allen-Bradley GuardLogix.
Modbus TCP/RTU, DNP3, Profinet, EtherNet/IP & CIP, OPC-UA, BACnet, IEC 61850 (substations), HART-IP. Authentication, encryption, replay resistance, and exposed read/write functions.
RSLogix, TIA Portal, Studio 5000, Unity Pro, Control Expert. Project-file confidentiality and integrity, USB exposure, EDR coverage, removable-media policy, local admin scope.
Always-on integrator tunnels, cellular modems on plant floor, vendor jump hosts. MFA enforcement, session recording, per-vendor credential isolation, kill-switch authority.
Plant-floor Wi-Fi, ISA100, WirelessHART, cellular IIoT. Authentication strength, segmentation from corporate Wi-Fi, exposure of management interfaces.
Methodology
Mapped explicitly to IEC 62443-3-3 (System Security Requirements) and IEC 62443-4-2 (Component Security Requirements), with full coverage of MITRE ATT&CK for ICS tactics. Every active test against production has a written rollback and explicit operations sign-off.
Phase 01
Week 1
Joint workshop with controls engineering, operations, and the process safety lead. Detailed inventory of in-scope controllers and protocols. SIS isolation procedures. Documented "do not touch" assets. Emergency stop authority. Nothing else moves until your process safety lead countersigns.
Phase 02
Weeks 1–2
SPAN-port traffic capture across the plant network. Passive industrial-protocol parsing (Modbus, DNP3, Profinet, EtherNet/IP, OPC-UA). Asset discovery without active scanning. Identification of cleartext credentials, unauthenticated function codes, and exposed engineering services.
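To make the passive-parsing step concrete, here is an added example (not the firm's own tooling) that decodes Modbus/TCP requests from a SPAN-port capture and flags write function codes issued by hosts outside a hypothetical engineering-workstation allowlist. The IP addresses, frames and allowlist are constructed for the example; the function-code numbers come from the Modbus application protocol.

```python
import struct
from dataclasses import dataclass

# Function codes from the Modbus application protocol; write codes change
# coil or register state on the controller, read codes do not.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
READ_FUNCTIONS = {1, 2, 3, 4}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the PDU (function code + data) after it."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return ModbusRequest(tid, unit, payload[7], payload[8:])

def classify(src_ip: str, payload: bytes, engineering_hosts: set) -> str:
    """Label one request: read, write-allowed, write-unexpected, malformed or other."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError:
        return "malformed"
    if req.function_code in READ_FUNCTIONS:
        return "read"
    if req.function_code in WRITE_FUNCTIONS:
        return "write-allowed" if src_ip in engineering_hosts else "write-unexpected"
    return "other"

def audit_capture(frames, engineering_hosts):
    """Return (src_ip, verdict) per frame; 'write-unexpected' marks an exposed write path."""
    return [(src, classify(src, payload, engineering_hosts)) for src, payload in frames]

# Constructed sample capture (source IP, Modbus/TCP payload); addresses are made up.
SAMPLE_FRAMES = [
    ("10.1.20.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),   # HMI reads 10 holding registers
    ("10.1.20.9", bytes.fromhex("0002 0000 0006 01 06 0010 007b")),   # engineering WS writes one register
    ("10.1.30.44", bytes.fromhex("0003 0000 000b 01 10 0010 0002 04 0001 0002")),  # unknown host writes
    ("10.1.30.44", bytes.fromhex("0004 0001 0006 01 03 0000 0001")),  # protocol id != 0: not Modbus
]
ENGINEERING_HOSTS = {"10.1.20.9"}  # hypothetical allowlist of hosts permitted to write

if __name__ == "__main__":
    for src, verdict in audit_capture(SAMPLE_FRAMES, ENGINEERING_HOSTS):
        print(f"{src:<12} {verdict}")
```

The third frame is the kind of finding Phase 02 is after: a write to a controller from a host that is not an engineering workstation, reachable because Modbus/TCP carries no authentication.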
Phase 03
Weeks 2–3
Exported PLC programs, SCADA project files, HMI configuration, and historian archive policies reviewed against IEC 62443-4-2 component requirements. Engineering-workstation Windows baseline, EDR coverage, USB policy, and removable-media controls assessed.
Phase 04
Weeks 3–5
Active exploitation, fuzzing, and credential testing performed against vendor-provided spare PLCs and SCADA instances in our lab. Findings demonstrate real exploitability against your specific firmware versions without ever touching your production controllers.
Phase 05
Week 5
Active testing against the boundary devices that protect ICS — under change-window control with operations present. Vendor remote access pathways exercised end-to-end. Jump host configurations tested for session recording, MFA, and privilege escalation. SIS engineering pathway tested only at the access-control layer, never against the safety function.
Phase 06
Weeks 6–7
Two-tier report. Per-finding writeup mapped explicitly to IEC 62443-3-3 SRs, IEC 62443-4-2 CRs, and MITRE ATT&CK for ICS techniques. Live working session with controls engineering, operations, and process safety to walk every finding, prioritize remediation, assign owners, and lock target dates. Free re-test of remediated criticals within 90 days.
Process safety protocol
ICS penetration testing that takes down your process is not penetration testing — it's an unscheduled outage your insurer will not cover. These are the rules we operate under, every engagement.
No active probing of production PLCs. Production controllers are observed passively. Active exploitation only against vendor-spare units in our lab.
No active testing against the SIS. Safety Instrumented System review is configuration, network exposure, and access-pathway only. Active testing against the safety function itself only happens during a planned shutdown with the SIS vendor present.
No generic IT exploitation tooling on OT segments. Industrial protocol parsers and ICS-specific tooling only. Loud port scans and IT-default Nessus profiles are explicitly excluded from production OT.
Operations holds the kill switch. A single phone call from your operations or process safety lead halts all testing within 60 seconds. We surface our active testing position daily so your team always knows where we are.
Deliverables
Document 01
10–15 page narrative for leadership, the board, and cyber insurance underwriters. Plain-language risk framing tailored to operational and process-safety audiences.
Document 02
Per-finding writeup with severity, evidence, reproduction steps in a lab environment, remediation, and explicit IEC 62443-3-3 SR / 62443-4-2 CR / MITRE ATT&CK for ICS references. Suitable for direct use as audit evidence.
Document 03
90-day, 180-day, and 1-year remediation calendar with effort estimates, owners, and dependencies. Built collaboratively with your controls and operations team.
Document 04
Current-state and recommended-state IEC 62443 zone-and-conduit diagrams. Flagged conduits where access controls are insufficient relative to the security level of the receiving zone.
Session 05
Half-day session with controls engineering, operations, IT, and process safety to walk every finding, agree on owners, and lock in remediation dates.
Re-test 06
Free targeted re-test of any critical or high-severity findings remediated within 90 days, with a brief addendum letter suitable for your auditor or insurer.
Frequently asked
ICS penetration testing is protocol-aware adversary-emulation security testing performed against the industrial control systems that run a physical process — PLCs, RTUs, SCADA servers, HMI workstations, process historians, and Safety Instrumented Systems. It uses tooling that understands industrial protocols (Modbus, DNP3, Profinet, OPC-UA, EtherNet/IP) rather than IT-generic exploitation frameworks that can crash a controller.
No. We never actively probe a Safety Instrumented System on a live process. SIS testing is performed exclusively through configuration review, design review, and lab testing against vendor-provided spare units. Any active testing against the production SIS would only happen during a documented planned shutdown with the SIS vendor and process safety engineer present.
Modbus TCP and Modbus RTU, DNP3 (utilities), Profinet (Siemens), EtherNet/IP and CIP (Rockwell/Allen-Bradley), OPC-UA (modern interoperability), BACnet (building systems), IEC 61850 (substations), and HART-IP. We also handle the legacy serial side via gateways when required.
Yes — that is the point of having a dedicated ICS pentesting practice. Production PLCs are tested using passive observation, configuration review (firmware, ladder logic, project files), and credential and access pathway testing. Any active exploit validation happens against vendor-spare PLCs in our lab, never against the production controller running the process.
Yes. Our methodology is mapped explicitly to IEC 62443-3-3 (System Security Requirements and Security Levels) and IEC 62443-4-2 (Component Security Requirements). Findings include the specific 62443 SR/CR references so they slot into your security level target documentation and any audit evidence package.
Yes. Our ICS penetration testing practice serves Pacific Northwest manufacturers (food & beverage, semiconductor, paper & pulp, metals, aerospace), water and wastewater utilities, hydropower operators, and process-industry facilities across Oregon, Washington, and Idaho.
Yes — that is our companion specialty. OT penetration testing covers Building Management Systems, DCIM, the IT-to-OT boundary, vendor remote access, and the network and identity layers that protect the control system. Many engagements combine both specialties — OT pentesting for the network and identity boundary, ICS pentesting for the controls themselves.