SCADA/OT Penetration Test
SCADA (Supervisory Control and Data Acquisition) and ICS (Industrial Control System) penetration tests are a specialized form of security assessment aimed at evaluating the protection of control systems.
Objectives
The goal of a SCADA/ICS penetration test is to assess the resilience of the technical security of the environment, network, or the supervisory and control systems themselves.
Control systems are the core of operations for many organizations, whether in energy, utilities, or industry. Their failure can cause significant damage to the organization, making it essential to test the robustness of the existing setup.
Control and supervisory systems may also fall under critical national infrastructure or be classified as significant information systems (as per the Cybersecurity Act), and thus should be subjected to penetration testing.
SCADA / ICS Security
Penetration testing is a discipline that effectively uncovers weaknesses in networks (active components), servers, and endpoints. In industrial systems the structure is similar, but the endpoints may include PLCs (Programmable Logic Controllers), which do not necessarily communicate over standard IP protocols.
For example, SCADA/ICS systems in the energy sector use protocols for remote control and real-time data transmission based on the IEC 60870 standard, such as ICCP/TASE.2 (Inter-Control Center Communications Protocol / Telecontrol Application Service Element).
The IEC 101 protocol (according to IEC 60870-5-101) is a relatively old standard for remote monitoring and control of electrical systems, upon which most current systems are based.
The extended IEC 104 protocol (IEC 60870-5-104) introduces TCP/IP communication into the world of control systems but still lacks integrated security mechanisms, requiring additional measures.
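As an added illustration (not part of this page or any vendor's code), here is a small Python decoder for the IEC 104 frame layout mentioned above, the kind of passive parsing a network monitor performs. It makes the point concrete: an APDU carries only a start byte, a length, sequence numbers and the ASDU itself, with no authentication or integrity field, which is the gap the "additional measures" must close. The two frames are constructed samples, not captured traffic.

```python
"""Minimal IEC 60870-5-104 (IEC 104) APDU decoder, as a passive monitor would use it."""
from dataclasses import dataclass
from typing import Optional

START_BYTE = 0x68
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}
# Type identifications in the control direction (commands sent to the outstation).
CONTROL_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                 47: "C_RC_NA_1 regulating step", 100: "C_IC_NA_1 interrogation"}

@dataclass
class Apdu:
    fmt: str                           # "I" (data), "S" (ack) or "U" (link control)
    u_function: Optional[str] = None   # U-format only
    send_seq: Optional[int] = None     # I-format only
    recv_seq: Optional[int] = None     # I- and S-format
    type_id: Optional[int] = None      # ASDU fields, I-format only
    cot: Optional[int] = None          # cause of transmission
    common_addr: Optional[int] = None
    ioa: Optional[int] = None          # first information object address
    is_control: bool = False           # true when the ASDU is a command

def parse_apdu(raw: bytes) -> Apdu:
    # APCI: start 0x68, length of the rest, then four control-field octets.
    if len(raw) < 6 or raw[0] != START_BYTE or raw[1] != len(raw) - 2:
        raise ValueError("malformed APCI")
    cf = raw[2:6]
    if cf[0] & 0x03 == 0x03:           # U-format: unnumbered control function
        return Apdu("U", u_function=U_FUNCTIONS.get(cf[0], f"unknown 0x{cf[0]:02x}"))
    recv_seq = (cf[2] >> 1) | (cf[3] << 7)
    if cf[0] & 0x03 == 0x01:           # S-format: supervisory acknowledgement
        return Apdu("S", recv_seq=recv_seq)
    # I-format: 15-bit send/receive sequence numbers, followed by an ASDU.
    send_seq = (cf[0] >> 1) | (cf[1] << 7)
    asdu = raw[6:]
    if len(asdu) < 9:                  # type, VSQ, COT(2), CA(2), one IOA(3)
        raise ValueError("ASDU too short")
    type_id, cot = asdu[0], asdu[2] & 0x3F   # COT low 6 bits; bit 6 = P/N, bit 7 = test
    common_addr = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    return Apdu("I", send_seq=send_seq, recv_seq=recv_seq, type_id=type_id, cot=cot,
                common_addr=common_addr, ioa=ioa, is_control=type_id in CONTROL_TYPES)

# Constructed sample traffic (not a real capture): a single command "ON" to IOA 1001
# on common address 1 with cause "activation" (6), and a TESTFR act keep-alive.
SAMPLE_COMMAND = bytes.fromhex("680e00000000" "2d0106000100" "e90300" "01")
SAMPLE_TESTFR = bytes.fromhex("680443000000")
```

Nothing in the parsed fields identifies or authenticates the sender, so a monitor can only flag control-direction ASDUs and compare them against expected masters and time windows.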
There are also numerous other protocols used in various industrial sectors (DNP3, Modbus, Profibus, BACnet, etc.).
All of this must be considered when conducting a penetration test, which must be thoroughly prepared to avoid system outages.
Our experience in testing control systems is your assurance that systems will be assessed without causing critical operational disruptions.
Testing Process
Control systems testing is always preceded by consultations with the client to define the scope of tested networks and devices, test scenarios and techniques, tools to be used, and even timing to minimize operational impact. Ideally, testing takes place in a test (non-production) environment that mirrors the production systems, but this is uncommon because such environments rarely exist.
It is also important to define the test’s specific goals – should it identify vulnerabilities, attempt exploitation and device takeover (and the resulting risks)? Should the test be broad (finding as many vulnerabilities as possible) or deep (demonstrating actual exploitation)? Another goal could be to attempt to impair system functionality through overload (DoS).
Testing then proceeds according to the agreed parameters. The tester leverages their experience to reach goals as efficiently as possible, exploiting technical vulnerabilities in systems and networks. Social engineering is not used, as it is part of other testing types. An audit approach to the organization’s entire control system “ecosystem” may also be considered.
Due to the sensitive nature of the subject, tests are mostly manual, increasing the demand for expertise and time.
Reporting
The result of a penetration test is a final report that includes details of the test process, descriptions and classifications of discovered vulnerabilities, and of course, recommendations for risk mitigation.
For classifying vulnerability severity, we typically use the following scale: Low, Medium, High, and Critical. Upon client request, we also provide CVSS (Common Vulnerability Scoring System) ratings or apply a client-specified classification scheme.
The report is delivered in MS Word and PDF formats and sent to the client securely.
Penetration tests can conclude with an on-site presentation – either a management-level briefing or a technical workshop/discussion based on the final report.
Other Types of Testing
In addition to the tests described above, we also provide our clients with various other types of penetration testing – see Penetration Testing Overview.
Sample report
Example output showcasing the quality of our work.
Any questions?
If you are interested in more details, please contact us.