Loading...

Guides

ICS penetration test: when ICS intrusion testing Is safe

How to conduct ICS penetration tests without disrupting operations. Secure methods and tools for critical environments.

Industrial Control Systems (ICS)

Table of contents

  • What are controlled penetration tests in ICS environments
  • How ICS penetration tests differ from IT penetration tests
  • Steps to conduct a safe ICS penetration test
  • Defensive strategy: testing is part of continuous improvement
  • The role of OT awareness and training
  • When to perform ICS penetration tests
  • Risks to avoid: what never to do in ICS testing

Industrial Control Systems (ICS) are the backbone of critical infrastructure and production processes in sectors such as energy, manufacturing, transportation, water treatment, and healthcare. In an era of escalating cyber threats, controlled penetration tests are essential to assess security without compromising availability.

This article explores how to safely and effectively conduct penetration tests in ICS environments, balancing cyber security needs with the imperative of maintaining operational continuity.

What are controlled penetration tests in ICS environments

A penetration test (or pentest) is an advanced technical procedure that simulates a real cyberattack to identify exploitable vulnerabilities. When it comes to ICS environments, such tests must respect certain constraints:

  • High availability
    ICS systems must remain operational;
  • Legacy technologies
    Many components rely on outdated protocols and firmware;
  • Proprietary architectures
    Often incompatible with standard testing tools.

Therefore, an ICS penetration test must be controlled, meticulously planned, authorized, segmented, and monitored at every step.

How ICS penetration tests differ from IT penetration tests

Compared to traditional IT systems, ICS environments are far more sensitive. Key differences include:

  • Protocol fragility
    ICS devices like PLCs or RTUs may crash if they receive unexpected packets;
  • Non-standard communication
    Protocols like Modbus, DNP3, and PROFINET lack native encryption and authentication;
  • Production impact
    Errors during testing may disrupt or halt entire production lines.

Thus, penetration testing in ICS environments should use non-intrusive techniques or be carried out in simulated environments.

Steps to conduct a safe ICS penetration test

1. Planning and scoping

The process begins with precise planning, including:

  • Identifying components to test (e.g., HMIs, PLCs, industrial switches);
  • Defining exclusions (e.g., critical legacy devices);
  • Setting timeframes (e.g., during planned maintenance);
  • Obtaining clear authorization (from management and OEMs).

A detailed Rules of Engagement (RoE) document is critical for legal protection and operational safety.

2. Passive information gathering

In ICS, a passive reconnaissance phase is strongly recommended:

  • Network traffic monitoring (e.g., Wireshark, Zeek);
  • Configuration file analysis;
  • Asset inventory review using platforms like Nozomi Guardian or Tenable OT Security.

Avoid active scanning tools like Nmap or Nessus unless used in isolated segments.

3. Use of simulation and digital twins

Whenever possible, conduct tests in a safe simulated environment, using:

  • Digital twins of the ICS infrastructure;
  • Virtual ICS sandboxes (e.g., VM-based labs with emulated PLCs);
  • Dedicated OT labs.

Example
You can deploy OpenPLC with ScadaBR for testing:

# Example: OpenPLC running in Docker

docker run -d --name openplc -p 8080:8080 thiagoralves/openplc

4. Controlled test execution

Active tests should:

  • Be conducted only within authorized windows;
  • Start with low-impact probes (e.g., TCP port scans without SYN flooding);
  • Be monitored in real time, with clear rollback procedures.

Recommended tools for safe ICS testing include:

  • GRASSMARLIN for passive network mapping;
  • Wireshark with ICS protocol dissectors;
  • Metasploit (for controlled testing in labs only);
  • Local Shodan scans for identifying known device vulnerabilities.

5. Detailed reporting and mitigation plans

A comprehensive report should include:

  • A summary of discovered vulnerabilities;
  • Potential impact on availability and confidentiality;
  • Remediation options compatible with ICS environments;
  • Recommendations for IT/OT segmentation and system hardening.
OT awareness and training

Defensive strategy: testing is part of continuous improvement

Penetration testing is a means, not an end. It should initiate a continuous security improvement cycle, including:

  • ICS network segmentation and firewalling;
  • IT/OT network isolation (e.g., VLANs and DMZs);
  • Use of ICS-aware intrusion detection systems (e.g., Dragos, Claroty);
  • Patch management and firmware updates;
  • Behavioral monitoring via SIEM and OT log analysis.

The role of OT awareness and training

A frequently overlooked aspect is the training of OT personnel and their involvement in the testing process. Even if the IT department leads cyber security, it’s essential that:

  • OT engineers understand ICS-specific threats;
  • Incident response procedures are shared across departments;
  • Staff are trained on secure communication protocols (e.g., OPC-UA with TLS instead of plaintext Modbus).

A strong IT-OT collaboration is vital for effective testing and sustained operational security.

When to perform ICS penetration tests

ICS penetration testing is recommended:

  • Before deploying new systems;
  • After significant changes to the network or devices;
  • On a yearly basis for critical environments;
  • After any security incident, as part of forensic analysis and future prevention.

Risks to avoid: what never to do in ICS testing

Avoid the following at all costs:

  • High-intensity scans (e.g., nmap -sS -p- -T5) on production systems;
  • Any form of Denial-of-Service testing;
  • Running exploits on live PLCs;
  • Firmware updates or reboots during testing in live environments.

Even a single command mistake could trigger a complete production shutdown and lead to major financial losses.

Conclusion

Conducting controlled penetration tests in ICS environments is no longer optional—it’s a core component of industrial resilience.

However, it requires a careful, coordinated, and skilled approach, grounded in planning, simulation, and cross-departmental collaboration. Only through this balance can we ensure both cyber security and operational continuity, protecting industrial enterprises from ever-growing digital threats.


Questions and answers

  1. What are ICS environments?
    ICS are systems that control automated industrial processes, such as production lines or power plants.
  2. Why are ICS penetration tests different from IT tests?
    Because ICS systems are fragile and critical. Traditional testing methods may crash or disrupt production.
  3. Is it safe to run penetration tests in live production environments?
    Not unless it’s strictly authorized and carefully monitored. Otherwise, it’s highly discouraged.
  4. What tools can be used safely for ICS testing?
    Use passive tools like Wireshark or GRASSMARLIN, or conduct active tests in simulations using OpenPLC and ScadaBR.
  5. How often should ICS penetration tests be conducted?
    At least annually, or after significant changes or incidents.
  6. Can I use real exploits on PLCs in production?
    Never. Exploits should only be used in isolated lab environments to avoid system damage.
  7. What’s the difference between vulnerability assessment and penetration testing in ICS?
    A vulnerability assessment scans for known issues; a penetration test simulates real-world attacks. Both are valuable.
  8. Do penetration tests require executive approval?
    Absolutely. A Rules of Engagement document is necessary to define scope and responsibilities.
  9. Are ICS penetration tests aligned with IEC 62443 standards?
    Yes, they are part of the broader security risk assessment practices outlined in the IEC 62443 series.
  10. Can ICS tests be integrated with a SIEM?
    Yes, but OT device logs and network data must be configured to feed into SIEM platforms appropriately.
To top