Table of contents
- What are controlled penetration tests in ICS environments
- How ICS penetration tests differ from IT penetration tests
- Steps to conduct a safe ICS penetration test
- Defensive strategy: testing is part of continuous improvement
- The role of OT awareness and training
- When to perform ICS penetration tests
- Risks to avoid: what never to do in ICS testing
Industrial Control Systems (ICS) are the backbone of critical infrastructure and production processes in sectors such as energy, manufacturing, transportation, water treatment, and healthcare. In an era of escalating cyber threats, controlled penetration tests are essential to assess security without compromising availability.
This article explores how to safely and effectively conduct penetration tests in ICS environments, balancing cyber security needs with the imperative of maintaining operational continuity.
What are controlled penetration tests in ICS environments
A penetration test (or pentest) is an advanced technical procedure that simulates a real cyberattack to identify exploitable vulnerabilities. When it comes to ICS environments, such tests must respect certain constraints:
- High availability
ICS systems must remain operational; - Legacy technologies
Many components rely on outdated protocols and firmware; - Proprietary architectures
Often incompatible with standard testing tools.
Therefore, an ICS penetration test must be controlled, meticulously planned, authorized, segmented, and monitored at every step.
How ICS penetration tests differ from IT penetration tests
Compared to traditional IT systems, ICS environments are far more sensitive. Key differences include:
- Protocol fragility
ICS devices like PLCs or RTUs may crash if they receive unexpected packets; - Non-standard communication
Protocols like Modbus, DNP3, and PROFINET lack native encryption and authentication; - Production impact
Errors during testing may disrupt or halt entire production lines.
Thus, penetration testing in ICS environments should use non-intrusive techniques or be carried out in simulated environments.
Steps to conduct a safe ICS penetration test
1. Planning and scoping
The process begins with precise planning, including:
- Identifying components to test (e.g., HMIs, PLCs, industrial switches);
- Defining exclusions (e.g., critical legacy devices);
- Setting timeframes (e.g., during planned maintenance);
- Obtaining clear authorization (from management and OEMs).
A detailed Rules of Engagement (RoE) document is critical for legal protection and operational safety.
2. Passive information gathering
In ICS, a passive reconnaissance phase is strongly recommended:
- Network traffic monitoring (e.g., Wireshark, Zeek);
- Configuration file analysis;
- Asset inventory review using platforms like Nozomi Guardian or Tenable OT Security.
Avoid active scanning tools like Nmap or Nessus unless used in isolated segments.
3. Use of simulation and digital twins
Whenever possible, conduct tests in a safe simulated environment, using:
- Digital twins of the ICS infrastructure;
- Virtual ICS sandboxes (e.g., VM-based labs with emulated PLCs);
- Dedicated OT labs.
Example
You can deploy OpenPLC with ScadaBR for testing:
# Example: OpenPLC running in Docker
docker run -d --name openplc -p 8080:8080 thiagoralves/openplc
4. Controlled test execution
Active tests should:
- Be conducted only within authorized windows;
- Start with low-impact probes (e.g., TCP port scans without SYN flooding);
- Be monitored in real time, with clear rollback procedures.
Recommended tools for safe ICS testing include:
- GRASSMARLIN for passive network mapping;
- Wireshark with ICS protocol dissectors;
- Metasploit (for controlled testing in labs only);
- Local Shodan scans for identifying known device vulnerabilities.
5. Detailed reporting and mitigation plans
A comprehensive report should include:
- A summary of discovered vulnerabilities;
- Potential impact on availability and confidentiality;
- Remediation options compatible with ICS environments;
- Recommendations for IT/OT segmentation and system hardening.

Defensive strategy: testing is part of continuous improvement
Penetration testing is a means, not an end. It should initiate a continuous security improvement cycle, including:
- ICS network segmentation and firewalling;
- IT/OT network isolation (e.g., VLANs and DMZs);
- Use of ICS-aware intrusion detection systems (e.g., Dragos, Claroty);
- Patch management and firmware updates;
- Behavioral monitoring via SIEM and OT log analysis.
The role of OT awareness and training
A frequently overlooked aspect is the training of OT personnel and their involvement in the testing process. Even if the IT department leads cyber security, it’s essential that:
- OT engineers understand ICS-specific threats;
- Incident response procedures are shared across departments;
- Staff are trained on secure communication protocols (e.g., OPC-UA with TLS instead of plaintext Modbus).
A strong IT-OT collaboration is vital for effective testing and sustained operational security.
When to perform ICS penetration tests
ICS penetration testing is recommended:
- Before deploying new systems;
- After significant changes to the network or devices;
- On a yearly basis for critical environments;
- After any security incident, as part of forensic analysis and future prevention.
Risks to avoid: what never to do in ICS testing
Avoid the following at all costs:
- High-intensity scans (e.g., nmap -sS -p- -T5) on production systems;
- Any form of Denial-of-Service testing;
- Running exploits on live PLCs;
- Firmware updates or reboots during testing in live environments.
Even a single command mistake could trigger a complete production shutdown and lead to major financial losses.
Conclusion
Conducting controlled penetration tests in ICS environments is no longer optional—it’s a core component of industrial resilience.
However, it requires a careful, coordinated, and skilled approach, grounded in planning, simulation, and cross-departmental collaboration. Only through this balance can we ensure both cyber security and operational continuity, protecting industrial enterprises from ever-growing digital threats.
Questions and answers
- What are ICS environments?
ICS are systems that control automated industrial processes, such as production lines or power plants. - Why are ICS penetration tests different from IT tests?
Because ICS systems are fragile and critical. Traditional testing methods may crash or disrupt production. - Is it safe to run penetration tests in live production environments?
Not unless it’s strictly authorized and carefully monitored. Otherwise, it’s highly discouraged. - What tools can be used safely for ICS testing?
Use passive tools like Wireshark or GRASSMARLIN, or conduct active tests in simulations using OpenPLC and ScadaBR. - How often should ICS penetration tests be conducted?
At least annually, or after significant changes or incidents. - Can I use real exploits on PLCs in production?
Never. Exploits should only be used in isolated lab environments to avoid system damage. - What’s the difference between vulnerability assessment and penetration testing in ICS?
A vulnerability assessment scans for known issues; a penetration test simulates real-world attacks. Both are valuable. - Do penetration tests require executive approval?
Absolutely. A Rules of Engagement document is necessary to define scope and responsibilities. - Are ICS penetration tests aligned with IEC 62443 standards?
Yes, they are part of the broader security risk assessment practices outlined in the IEC 62443 series. - Can ICS tests be integrated with a SIEM?
Yes, but OT device logs and network data must be configured to feed into SIEM platforms appropriately.