PenTesting for Critical Infrastructure | ICS and SCADA Cybersecurity
Introduction
In a world increasingly reliant on interconnected systems, critical infrastructure such as water supplies, power grids, and transportation networks faces new levels of cyber threats. The rise in ransomware attacks and state-sponsored hacking has placed industrial control systems (ICS) and supervisory control and data acquisition (SCADA) environments in the crosshairs.
This blog is designed for cybersecurity professionals, infrastructure managers, IT teams, and decision-makers in both public and private sectors. Understanding how penetration testing applies to these complex systems is vital in today’s rapidly evolving threat landscape.
Understanding Penetration Testing for ICS and SCADA Systems
The Risks of Inaction in ICS/SCADA Environments
The security challenges facing ICS and SCADA systems are not only complex but also potentially catastrophic if left unaddressed. Penetration testing acts as a vital defence strategy, and failing to implement it can leave infrastructure exposed to serious threats. Below are the key risks associated with ignoring security testing in these environments:
1. Threat Actors and Attack Types
Critical infrastructure is an attractive target for a wide range of threat actors. These include nation-state groups with political motives, organised cybercriminal gangs seeking financial gain, and hacktivists aiming to make a statement. Attacks on ICS and SCADA systems differ from typical IT breaches. Instead of stealing data, threat actors can cause physical harm, such as shutting down a power grid or contaminating a water supply. In some cases, attacks may be designed to remain undetected for long periods, silently manipulating processes until a precise moment. This form of cyber warfare can destabilise regions or cause loss of life. Without proactive testing, organisations may never detect the vulnerabilities that these attackers exploit.
2. Outdated Technology
Many ICS and SCADA systems are based on legacy hardware and software that were never designed with modern cyber threats in mind. These systems often lack encryption, have default credentials, or use outdated communication protocols. Compounding the problem is the fact that many cannot be easily patched or upgraded without interrupting essential services. As a result, known vulnerabilities can remain open for years. Cybercriminals actively seek out these weaknesses, knowing that defenders may struggle to fix them quickly. Penetration testing helps identify these outdated elements and allows teams to implement compensating controls, even when full updates are not feasible.
3. Lack of Network Segmentation
One of the most common vulnerabilities in ICS/SCADA environments is poor network segmentation. In too many cases, IT systems (such as office networks or email servers) are directly connected to OT systems that manage physical processes. This means that if malware or ransomware infects a staff member’s workstation, it can easily spread into the operational environment. Real-world attacks, such as NotPetya and WannaCry, have demonstrated how this kind of lateral movement can occur. Segmentation is critical, and penetration testing can highlight areas where improved boundaries between networks are urgently needed.
4. Third-Party and Supply Chain Vulnerabilities
Most ICS systems rely on external vendors for maintenance, software updates, or hardware replacements. These third parties often connect remotely to critical systems. If an attacker compromises the vendor's credentials or laptop, they can gain access to the ICS environment. The infamous Target breach began this way, and similar tactics are now aimed at infrastructure operators. Testing should include supply chain exposure assessments to understand how third-party access could become a backdoor into sensitive systems.
Real-World Example: Triton Malware
In 2017, the Triton malware targeted the safety systems of a petrochemical facility. Unlike most attacks, Triton focused on disabling emergency shutdown functions designed to prevent explosions or toxic releases. The implications were severe: had it succeeded fully, lives could have been lost. This case underscored how traditional cyber defences are insufficient against advanced threats aimed at industrial environments.
ICS and SCADA environments require a unique and proactive approach to cybersecurity. The cost of inaction is far greater than the cost of preparation. Environmental destruction, financial penalties, reputational ruin, and human casualties are all on the line. Penetration testing provides a controlled way to uncover and resolve these risks before they are exploited.
Prioritising Physical Safety in Security Assessments
When performing penetration testing on ICS/SCADA systems, safety must always be the highest priority. These systems often control equipment that cannot be taken offline easily, and testing must be carefully planned.
Step One: Asset Identification
Before testing begins, it is crucial to understand the full environment. Mapping out all devices, connections, and data flows ensures the testing will not inadvertently disrupt operations.
Step Two: Safety Protocols
Testing must be designed to avoid physical consequences. Simulated attacks should never put human life at risk. This includes coordinating with engineering teams and setting up out-of-band simulations where possible.
Step Three: Fail-Safes and Rollbacks
Any changes made during testing must be fully reversible. Systems should have backups and failover plans ready in case a test causes unexpected results.
Step Four: Stakeholder Involvement
Facility managers, OT engineers, and safety officers should be involved in all stages of testing. This collaborative approach ensures awareness and reduces risk.
By treating safety as a core component of cybersecurity, organisations can perform effective PenTesting without endangering their operations or personnel.
Differentiating OT and IT Testing Approaches
Testing an office network is very different from testing an industrial system. Here is how the approaches differ:
OT Systems (Operational Technology)
- Prioritise availability and safety
- Often rely on proprietary protocols
- May include fragile legacy systems
- High risk of physical consequences
- Limited opportunity for system downtime
IT Systems (Information Technology)
- Prioritise confidentiality and data integrity
- Use standard protocols like TCP/IP
- Easier to patch and upgrade
- More resilient to disruption
- Often include remote access and cloud elements
Testing Considerations
PenTesting on OT systems must be passive wherever possible. This means observing and analysing rather than actively probing. For example, testers should work from read-only network traffic captures rather than send test traffic that might interfere with operations.
IT testing can be more aggressive and automated, using vulnerability scanners and exploit frameworks. OT environments, however, may crash if subjected to the same intensity of scans.
Understanding the distinction between IT and OT environments is essential for conducting effective and safe penetration testing. While IT systems can typically withstand active probing and automated scans, OT systems are often fragile and highly sensitive to disruptions. This sensitivity is due to their direct role in controlling physical processes, where even minor disturbances could lead to operational downtime or safety hazards.
In an OT setting, the emphasis must always be on safety and availability. Penetration testing must take a cautious and passive approach, relying on observation, analysis, and minimal interaction with live systems. Using non-intrusive tools such as read-only packet capture and passive scanning allows testers to gather insights without disrupting operations. Conversely, IT systems are more resilient and can handle more assertive techniques, including active exploitation frameworks and vulnerability scans.
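As an added illustration of the passive approach described here, and of the segmentation concern raised earlier, the following Python script is example code written for this article, not Cybergen's own tooling. It consumes Modbus/TCP frames that have already been captured (for instance exported from a read-only packet capture) and sends nothing to the network. From each frame it parses the MBAP header and function code, builds an inventory of which unit IDs each PLC exposes, flags write operations, and flags any Modbus traffic that originates outside the OT subnet, which is the kind of IT-to-OT path that indicates missing segmentation. The OT subnet (10.20.0.0/16) and the sample frames are constructed values for the example.

```python
"""
Passive Modbus/TCP analysis over captured frames (added example, not
Cybergen's code). Parses the MBAP header and function code of each frame,
inventories PLC unit IDs, flags write operations and flags requests that
come from outside the OT zone. All addresses and frames are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import struct

OT_ZONE = ip_network("10.20.0.0/16")   # assumed OT subnet (constructed)

# Public Modbus function codes (assigned values from the Modbus spec)
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil",
    6: "Write Single Register", 15: "Write Multiple Coils",
    16: "Write Multiple Registers", 23: "Read/Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16, 23}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

    @property
    def is_write(self) -> bool:
        return self.function in WRITE_FUNCTIONS


def parse_modbus_tcp(src: str, dst: str, payload: bytes):
    """Parse MBAP header + PDU from a TCP payload; return None if malformed."""
    if len(payload) < 8:                      # 7-byte MBAP + at least a function code
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:                            # protocol identifier is always 0 for Modbus
        return None
    if length != len(payload) - 6:            # 'length' counts unit id + PDU bytes
        return None
    return ModbusRequest(src, dst, tid, unit, payload[7], payload[8:])


def analyse(frames):
    """Return (inventory, findings) for a list of (src, dst, payload) frames."""
    inventory = {}     # destination PLC -> set of unit IDs seen
    findings = []      # (kind, src, dst, function name)
    for src, dst, payload in frames:
        req = parse_modbus_tcp(src, dst, payload)
        if req is None:
            findings.append(("malformed", src, dst, None))
            continue
        inventory.setdefault(dst, set()).add(req.unit_id)
        name = FUNCTION_NAMES.get(req.function, f"function {req.function}")
        if ip_address(src) not in OT_ZONE:
            findings.append(("cross-zone", src, dst, name))
        if req.is_write:
            findings.append(("write", src, dst, name))
    return inventory, findings


# Constructed sample capture: (source IP, destination IP, TCP payload)
SAMPLE_FRAMES = [
    # HMI in the OT zone reads 10 holding registers from unit 1
    ("10.20.1.10", "10.20.5.1", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Same HMI writes a single register on unit 1
    ("10.20.1.10", "10.20.5.1", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),
    # Workstation on the IT network writes a coil on unit 2 (segmentation gap)
    ("192.168.10.33", "10.20.5.2", b"\x00\x03\x00\x00\x00\x06\x02\x05\x00\x01\xff\x00"),
    # Malformed frame: protocol identifier is 1, not 0
    ("10.20.1.11", "10.20.5.1", b"\x00\x04\x00\x01\x00\x06\x01\x03"),
]

if __name__ == "__main__":
    inventory, findings = analyse(SAMPLE_FRAMES)
    for plc, units in sorted(inventory.items()):
        print(f"PLC {plc}: unit IDs {sorted(units)}")
    for kind, src, dst, name in findings:
        print(f"{kind:10} {src} -> {dst} {name or ''}")
```

Run against a real export, the inventory becomes the starting point for the asset identification step, and the cross-zone findings give the engineering team a concrete list of IT hosts that can reach the process network. Because the script only reads frames that were already captured, it carries none of the availability risk of active scanning.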
By clearly separating OT and IT testing strategies, organisations can avoid applying generic or harmful testing methods to critical infrastructure. This tailored approach ensures that testing provides valuable security insights while preserving the integrity and safety of essential services. As infrastructure becomes more interconnected, adopting this disciplined methodology is not just best practice; it is a necessity for protecting both digital and physical assets.
Tools and Frameworks for PenTesting ICS/SCADA
Several established tools and standards guide effective PenTesting of industrial systems.
NIST Framework
The National Institute of Standards and Technology provides detailed guidelines for securing ICS environments. The NIST SP 800-82 publication is a must-read for anyone in this field.
Cyber Essentials
In the UK, Cyber Essentials certification helps businesses implement basic protections against cyber threats. While it does not fully address ICS environments, it sets a strong foundation.
Specialised Tools
- Wireshark for network analysis
- GRASSMARLIN for passive ICS network mapping
- Metasploit with ICS modules for controlled exploit testing
- Snort or Suricata for intrusion detection
Cybergen’s Role
Cybergen recommends using a combination of passive analysis and controlled testing to evaluate ICS and SCADA systems. Our approach is tailored, non-intrusive, and aligned with industry best practices.
For further detail, explore Cybergen’s penetration testing services.
Summary
Penetration testing for ICS and SCADA systems is no longer optional. As critical infrastructure becomes more connected and exposed, so too does the risk of cyberattacks with physical consequences.
This blog has explored the threats, challenges, and best practices surrounding the security of operational technology. We have discussed how OT testing must be treated differently from IT, and how physical safety must remain the highest priority.
Organisations must act now. By partnering with specialists like Cybergen, you can uncover hidden vulnerabilities, train your staff, and develop a proactive security culture. Visit our penetration testing services to take the next step in securing your infrastructure.
Your systems protect millions of lives. Let us help you protect them.
Ready to strengthen your security posture? Contact us today for more information on protecting your business.