Academy

Module 4 · OT Security Testing Methodology 🔒

Manish Garg, Associate CISSP · RingSafe
April 22, 2026
5 min read

Testing OT environments has constraints that don't exist in IT: every action could affect a physical process. A pentester used to running Burp Active Scan on a live web app would crash a power plant doing the same thing on a SCADA HMI. This module covers the methodology of safe OT testing, scoping considerations, the testing techniques that won't break things, and the report format that gets read by both plant managers and security teams.

The cardinal rule

Never run automated active scanning against live OT systems unless explicitly authorized and engineering staff are on standby. Documented incidents include:

  • Nmap SYN scans causing PLCs to enter fault state
  • Vulnerability scanners triggering safety interlocks
  • A penetration test in 2006 caused a $50M loss when a power-plant test box was scanned
  • Numerous “we just wanted to enumerate” incidents that triggered emergency shutdowns

Get this wrong and lives can be at risk in some sectors.

Scoping conversation: the questions

  • What is the target environment: production, staging, or test rig?
  • What's the safety profile? (Process safety, occupational safety, environmental?)
  • What protocols are authorized for active testing?
  • What times are considered low-impact (planned outages, maintenance windows)?
  • Who is the engineering point of contact during testing?
  • What's the abort/rollback procedure if something goes wrong?
  • Are physical controls in place that limit damage from unintended commands? (Air gaps, manual overrides, safety instrumented systems)
  • Is the customer prepared for a real incident if testing triggers one? (Documentation requirements for downtime claims)

The methodology: a phased approach

Phase 1: Documentation review (zero-touch)

  • Network diagrams (Purdue level, segmentation, DMZ design)
  • Asset inventory (devices, firmware versions, criticality)
  • Patch and change management records
  • Incident response procedures
  • Vendor remote access policies
  • Engineering procedures (USB use, contractor access)

You can identify 30-50% of findings just from documentation review without touching any device.
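As an added example (not code from the original module or from RingSafe) of what a zero-touch Phase 1 review can produce, the script below cross-checks a constructed asset inventory against flows transcribed from a constructed network diagram. Every device name, Purdue level, firmware string, flow and finding ID is hypothetical; the two checks are the ones the list above points at: firmware versions missing from the inventory, and flows between the enterprise zone and the OT zone that do not terminate on the DMZ.

```python
"""Zero-touch OT documentation review (added example, hypothetical site).

Cross-checks an asset inventory against network-diagram flows without
touching any device. Purdue levels used here: 0-3 = OT, 3.5 = IT/OT DMZ,
4 and above = enterprise. All data is constructed for illustration."""

# Constructed asset inventory. firmware=None means the inventory records
# no version for that device, which is itself a finding for OT assets.
ASSETS = {
    "plc-boiler-01":  {"level": 1,   "firmware": "2.4.1", "criticality": "high"},
    "hmi-control-02": {"level": 2,   "firmware": None,    "criticality": "high"},
    "historian-01":   {"level": 3,   "firmware": "5.0",   "criticality": "medium"},
    "dmz-jump-01":    {"level": 3.5, "firmware": "1.9",   "criticality": "medium"},
    "erp-app-01":     {"level": 4,   "firmware": "n/a",   "criticality": "low"},
    "vendor-laptop":  {"level": 4,   "firmware": None,    "criticality": "low"},
}

# Constructed flows transcribed from a network diagram: (source, destination, protocol).
FLOWS = [
    ("hmi-control-02", "plc-boiler-01", "modbus/tcp"),
    ("historian-01",   "plc-boiler-01", "modbus/tcp"),
    ("dmz-jump-01",    "historian-01",  "https"),
    ("erp-app-01",     "dmz-jump-01",   "https"),
    ("erp-app-01",     "historian-01",  "sql"),         # enterprise -> OT, bypasses DMZ
    ("vendor-laptop",  "plc-boiler-01", "modbus/tcp"),  # enterprise -> L1, bypasses DMZ
]

DMZ_LEVEL = 3.5


def is_enterprise(level):
    """Level 4 and above is the enterprise (IT) zone."""
    return level >= 4


def review_inventory(assets):
    """Inventory-completeness findings: an OT device (L0-L3) with no
    documented firmware version cannot be assessed on paper at all."""
    findings = []
    for name, a in sorted(assets.items()):
        if a["level"] <= 3 and a["firmware"] is None:
            findings.append(
                f"INV-001 {name} (L{a['level']}, {a['criticality']} criticality): "
                "no firmware version recorded in inventory")
    return findings


def review_segmentation(assets, flows):
    """Segmentation findings: a documented flow between the enterprise zone
    and the OT zone must terminate on a DMZ host, never cross directly."""
    findings = []
    for src, dst, proto in flows:
        ls, ld = assets[src]["level"], assets[dst]["level"]
        if DMZ_LEVEL in (ls, ld):
            continue  # a DMZ endpoint is the intended broker for this flow
        if is_enterprise(ls) != is_enterprise(ld):
            crit = assets[dst]["criticality"]
            findings.append(
                f"SEG-001 {src} (L{ls}) -> {dst} (L{ld}) over {proto}: crosses the "
                f"IT/OT boundary without the DMZ; target criticality {crit}")
    return findings


def run_review(assets=ASSETS, flows=FLOWS):
    """Full Phase 1 review: returns all findings as a list of strings."""
    return review_inventory(assets) + review_segmentation(assets, flows)


if __name__ == "__main__":
    for finding in run_review():
        print(finding)
```

Both checks run against the documents the customer already hands over in scoping, so they produce findings before the engineering point of contact is ever asked to stand by. In a real engagement the inventory and flow list would be parsed from the customer's spreadsheets and diagrams rather than typed in.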

πŸ” Intermediate Module Β· Basic Tier
