Specialty 01 · Operational Technology
Specialized penetration testing for operational technology environments across the Pacific Northwest. We test the systems that keep data centers cool and manufacturers running — Building Management Systems, DCIM, the IT-to-OT boundary, vendor remote access, and the flat networks that let ransomware reach the plant floor — without disrupting production.
Engagement length: 3–10 weeks
Production impact: Zero target
Methodology: Safety-first
Region: Oregon · WA · ID
Who this is for
Data Center Directors & Critical Facility Managers
Hyperscale, colocation, and enterprise data centers across the Pacific Northwest corridor — Hillsboro, Prineville, Boardman, Umatilla, The Dalles, Quincy. We test the BMS, DCIM, leak-detection, fire-panel integration, and the segments your operational technology shares with corporate IT.
VPs of Operations & Plant Managers
Pacific Northwest manufacturers — food & beverage, semiconductor, paper & pulp, metals, aerospace, agriculture & processing. We test plant-floor network architecture, the IT-to-OT boundary, MES & ERP integration, and vendor remote-access pathways.
IT Security Leads owning OT scope
CISOs and security directors who have inherited responsibility for OT and need an independent, framework-aligned assessment for the board, the auditor, or the cyber-insurance underwriter.
What's in scope
Every OT penetration test we run covers the systems and pathways that real adversaries use to move from corporate IT into operational environments. Scope is sized to your facility, but these are the standard areas of evaluation.
Niagara, Tridium, Honeywell, Johnson Controls Metasys, Siemens Desigo, Schneider EcoStruxure. Supervisor host hardening, controller exposure, integrator access pathways.
Power, cooling, environmental sensors. PDU and ATS exposure. UPS monitoring. Whether the DCIM stack shares network with the corporate domain or sits in a true industrial DMZ.
Firewall rule audit. Inter-VLAN routing review. Industrial DMZ design validation. Whether the boundary holds against simulated lateral movement from a compromised IT host.
Jump hosts, VPN concentrators, vendor-managed always-on tunnels. MFA enforcement. Session recording. Per-vendor credentialing vs. shared-account legacy patterns.
EDR coverage. USB policy. Removable media controls. Local admin scope. Whether engineering laptops are the soft underbelly that bridges corporate phishing to plant-floor ransomware.
AD trust between corporate and plant domains. Service account hygiene. Kerberoasting and DCSync exposure paths into OT-adjacent identity providers.
PI, Wonderware, IP.21. Whether one-way data flow to corporate is enforced architecturally or merely by policy. Backup, replication, and ransomware-survivability of historian data.
Camera systems on the OT network. RFID/badge controllers. Plant-floor Wi-Fi and cellular modem exposure. Loading-dock physical access scenarios.
Whether OT segments produce telemetry an MSSP or internal SOC can act on. SIEM coverage of plant networks. The gap between an alert firing and an operator being notified.
Methodology
Our OT penetration testing methodology is mapped to NIST SP 800-82 Rev. 3, MITRE ATT&CK for ICS, and IEC 62443. Every phase has documented entry criteria, exit criteria, and a written rollback plan.
Phase 01 (Week 1): Joint workshop with operations, IT, and integrators. Documented zone-and-conduit map. Defined "do not touch" assets. Signed change-window calendar. Emergency stop procedures and escalation tree. Nothing else moves until this is countersigned by your operations lead.
Phase 02 (Weeks 1–2): SPAN-port traffic capture. Asset discovery via passive listening (no active scanning of OT segments). Configuration review of edge firewalls, switches, and jump hosts. Identity and AD reconnaissance from the corporate side of the boundary only.
Phase 03 (Weeks 2–4): Assumed-breach scenario from a typical phishing landing. Lateral movement, credential harvesting, escalation toward OT-adjacent identity. We measure how close an adversary can get to the OT boundary and whether the segmentation holds. All testing on the corporate network, never crossing into production OT.
Phase 04 (Weeks 3–5): Active testing against the IT-to-OT boundary devices themselves — under change-window control. Vendor remote access pathways exercised end-to-end. Jump host configurations tested for session recording, MFA, and privilege escalation. Active exploitation of any controllers only in a controlled lab against vendor-spare units, never against production.
Phase 05 (Weeks 5–6): Two-tier report: an executive narrative for leadership and the board, and a technical findings package mapped to NIST 800-82, MITRE ATT&CK for ICS, and IEC 62443 controls. Live working session with your team to walk through every finding, prioritize remediation, and identify an owner and target date for each. Free re-test of remediated criticals within 90 days.
Safety-first protocol
This is the single non-negotiable that separates legitimate OT penetration testing from IT pentesting applied to industrial environments.
No active scanning of production OT. Passive observation only against live segments. Active probing happens only against test devices in a lab.
No generic exploitation frameworks against OT. Metasploit, Nmap aggressive scans, default Nessus profiles — not used against production OT under any circumstance.
Change windows for everything that touches production. Boundary device testing is scheduled with operations, has a documented rollback, and is tested against backout time before execution.
Operations holds the kill switch. A single phone call from your operations lead halts all testing within 60 seconds. We surface our active testing position daily so your team always knows where we are.
Deliverables
Document 01: 10–15 page narrative for leadership, the board, and cyber insurance underwriters. Plain-language risk framing, business impact, and prioritized recommendations.
Document 02: Per-finding writeup: severity, evidence, reproduction steps, remediation, and explicit mapping to NIST SP 800-82, MITRE ATT&CK for ICS, and IEC 62443 controls. Suitable for direct insertion into audit evidence.
Document 03: 90-day, 180-day, and 1-year remediation calendar, with effort estimates, owner assignments, and dependencies. Built collaboratively with your team in a working session.
Document 04: Current-state and recommended-state network diagrams for the IT/OT boundary, vendor-access pathways, and any segments where we recommend architectural change.
Session 05: Half-day session with your operations, IT, and security teams to walk every finding, agree on owners, and lock in remediation dates.
Re-test 06: Free targeted re-test of any critical or high-severity findings remediated within 90 days of report delivery, with a brief addendum letter suitable for your auditor or insurer.
Frequently asked
OT penetration testing is adversary-emulation security testing performed against operational technology systems — Building Management Systems, DCIM platforms, plant networks, the IT-to-OT boundary, and vendor remote access pathways. Unlike IT pentesting, OT pentesting requires safety-first methodology, passive reconnaissance against production, and protocol-aware tooling because the assets under test are running real production processes.
IT pentesting can use loud, generic exploitation frameworks against systems designed to fail safely under network stress. OT pentesting cannot. A Building Management System will not gracefully reject a malformed packet. A vendor remote-access jump host that crashes can lock out the integrator who needs to respond to an alarm. Our OT testing uses passive reconnaissance, vendor-spare lab devices for any active exploitation, formal change windows, and rollback plans for every test.
No. We design every engagement around production continuity. Active exploitation only happens in a controlled lab against representative test devices, never against production controllers. Testing against production segments is passive — observation, traffic analysis, and configuration review. If we identify a vulnerability that requires active validation, we agree on a change window and rollback procedure with your operations team before proceeding.
Yes. We are an Oregon-based OT cybersecurity practice serving the Pacific Northwest hyperscale data center corridor (Hillsboro, Prineville, Boardman, Umatilla, The Dalles, Quincy WA) and Pacific Northwest manufacturers. On-site engagements anywhere in Oregon, Washington, and Idaho are standard scope.
Our methodology is mapped to NIST SP 800-82 Rev. 3 (Guide to Operational Technology Security), MITRE ATT&CK for ICS, and the IEC 62443 series. Findings are reported with framework-specific control references so they slot directly into your SOC 2, PCI DSS, or audit evidence packages.
A typical OT penetration testing engagement is 3 to 6 weeks of active work, plus a 1 to 2 week reporting and remediation-planning phase. Smaller scopes (a single BMS environment, for example) can be completed in 2 to 3 weeks. Hyperscale data center campuses or multi-site manufacturers typically run 6 to 10 weeks.
Yes — that is our second specialty. ICS penetration testing covers PLCs, SCADA, HMI, historians, and Safety Instrumented Systems with industrial-protocol-aware tooling (Modbus, DNP3, Profinet, OPC-UA). Many engagements combine both specialties — OT pentesting for the network and identity boundary, ICS pentesting for the controls themselves.