OT security testing that walks the protocols, not the perimeter.

Plant-safe pentests for ICS, SCADA, PLCs, and HMIs. Modbus, DNP3, OPC UA, and S7Comm read by hand. Report mapped to IEC 62443 and NIST 800-82.

Plant-safe by design · Audit-ready reports · Same operators end-to-end

Read a sample OT finding
OT penetration testing that covers the attack surface across Modbus, DNP3, OPC UA, and the Purdue model, from level 0 sensors up through level 3 plant historians.

Plant-safe

Read-only baseline first. Write-tests behind your change control. No PLC writes without sign-off.

Protocol-native

Modbus, DNP3, OPC UA, S7Comm, IEC 60870-5-104, IEC 61850, EtherNet/IP, PROFINET (walked by hand, not by signature).

Re-test included

Same researcher, same chain. PLC firmware patch, segmentation fix, or HMI hardening verified on the line.

Why now

One engineering host with a flat AD trust on the IT side, one Modbus write-coil, one shift lost on the line.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • CREST accredited
  • CERT-In empanelled auditor
  • AICPA SOC 2 Type II
  • ISO/IEC 27001

Why IT scans miss the plant

Scanners read banners. OT pentests read function codes.

A network scanner sees a PLC as open ports and a vendor banner. The real attack surface is Modbus function code 06 (Write Single Register) accepting register writes from any host that can reach TCP/502, because the protocol has no authentication field at all; DNP3 unsolicited responses spoofed across the bus; and OPC UA servers that still offer an endpoint with SecurityPolicy None, so a client can open an unsigned, unencrypted session. We sit on the wire and prove the chain.

Two columns. Left: IT scanner view of a PLC as three open ports. Right: the same PLC walked over Modbus and S7Comm with function-code abuse and an extracted ladder logic program.

What lands in scope.

Counted, not claimed.

Industrial protocols
8

Modbus TCP/RTU, DNP3, OPC UA, EtherNet/IP (CIP), PROFINET, S7Comm, IEC 60870-5-104, IEC 61850. Walked by hand, not by signature.

Purdue zones in scope
0 to 5

From sensors and actuators (level 0) and basic control such as PLCs (level 1), through supervisory control and HMIs (level 2), site operations and historians (level 3), the IT/OT DMZ (level 3.5), and the enterprise IT network (levels 4 and 5).

PLC vendors covered
5+

Siemens S7 (300/400/1200/1500), Rockwell Allen-Bradley (CompactLogix, ControlLogix), Schneider Modicon, Mitsubishi MELSEC, ABB AC500.

Re-test after fix
Included

Same researcher, same chain. PLC patch, segmentation change, or HMI hardening verified on the live line.

RECON TO PURDUE.

What a bench operator finds on a plant that an IT scanner cannot see.

  1. Passive recon on the bus

    Tap the network at the cell switch. Read Modbus, DNP3, and S7Comm traffic for asset inventory, function-code patterns, and master/slave relationships before sending a single packet.

  2. PLC enumeration

    Identify PLC vendor, firmware build, slot configuration, and protection level over S7Comm, CIP, or Modbus. Pull ladder logic and tag tables where the PLC permits unauthenticated reads.

  3. HMI and SCADA chain

    Walk Wonderware, GE iFix, Ignition, or FactoryTalk View for default credentials, weak project-file ACLs, and SCADA tag writes that bypass the operator console.

  4. Engineering workstation pivot

    Test the Windows 7 or stale Windows 10 engineering hosts that sit dual-homed between zone 2 and zone 4. Recover project files, signing keys, and stored RDP credentials that reach into the next zone.

  5. Purdue boundary crossing

    Walk the jump host or VPN appliance bridging IT (zone 4) into OT (zone 3). Test for split tunnelling, weak MFA, and stale firewall rules that let an IT-side compromise reach the line.
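What "reading function codes" and a "read-only baseline" look like in practice, for both the scanner-versus-pentest point above and step 1 here. This is an added example, not SecureLayer7's tooling: it decodes Modbus TCP frames from a passive tap, builds an inventory of masters, slaves and unit IDs, flags every write function code seen on the wire, and refuses to encode a write request unless a change-control ticket is supplied. The `change_control_ticket` parameter, the IP addresses and every frame in `CAPTURE` are constructed for the example and come from no real plant.

```python
"""Added example, not SecureLayer7's tooling: decode Modbus TCP frames from a
passive tap, separate read from write function codes, and refuse to emit a
write request without change-control sign-off. All frames are constructed."""
import struct
from collections import Counter, defaultdict

MODBUS_PORT = 502
READ_FCS = {1: "Read Coils", 2: "Read Discrete Inputs",
            3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
             15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def decode_frame(frame: bytes) -> dict:
    """Parse the MBAP header (transaction id, protocol id, length, unit id)
    and the PDU function code. Nothing in this layout carries credentials:
    reachability of TCP/502 is the only check a PLC applies to FC06."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    return {"tid": tid, "unit": unit, "fc": fc & 0x7F,
            "exception": bool(fc & 0x80), "data": frame[8:]}


def describe_write(fc: int, data: bytes) -> str:
    """Human-readable target of a write request, for the finding narrative."""
    if fc in (5, 6):
        addr, value = struct.unpack(">HH", data[:4])
        return f"{WRITE_FCS[fc]} addr={addr} value=0x{value:04X}"
    if fc in (15, 16):
        addr, count = struct.unpack(">HH", data[:4])
        return f"{WRITE_FCS[fc]} addr={addr} count={count}"
    return WRITE_FCS.get(fc, f"FC{fc}")


def baseline(capture):
    """Passive inventory over (src_ip, dst_ip, dst_port, frame) tuples.
    Frames sent to TCP/502 are requests; responses are only inspected for
    exception codes. Returns masters, slaves with their unit ids, per-FC
    counts, every write seen on the wire, and exception responses."""
    masters, slaves = set(), defaultdict(set)
    fc_counts, writes, exceptions = Counter(), [], []
    for src, dst, dport, frame in capture:
        pdu = decode_frame(frame)
        if dport != MODBUS_PORT:
            if pdu["exception"]:
                exceptions.append((src, pdu["fc"], pdu["data"][:1].hex()))
            continue
        masters.add(src)
        slaves[dst].add(pdu["unit"])
        fc_counts[(dst, pdu["fc"])] += 1
        if pdu["fc"] in WRITE_FCS:
            writes.append((src, dst, pdu["unit"], describe_write(pdu["fc"], pdu["data"])))
    return {"masters": masters, "slaves": dict(slaves), "fc_counts": fc_counts,
            "writes": writes, "exceptions": exceptions}


def build_request(tid, unit, fc, data, change_control_ticket=None):
    """Encode a request. Reads form the read-only baseline and are always
    allowed; writes are refused unless a change-control ticket (an
    assumption of this example, standing in for the client's sign-off) is given."""
    if fc in WRITE_FCS and not change_control_ticket:
        raise PermissionError(f"FC{fc:02d} {WRITE_FCS[fc]} needs change-control sign-off")
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed capture: an HMI polling a PLC, an engineering host writing a
# register and a coil, and one exception response. Not from a real plant.
HMI, ENG, PLC = "10.20.2.10", "10.20.4.50", "10.20.1.5"
CAPTURE = [
    (HMI, PLC, 502, bytes.fromhex("0001 0000 0006 01 03 0000 000a")),          # FC03 read 10 regs
    (PLC, HMI, 4000, bytes.fromhex("0001 0000 0017 01 03 14") + bytes(20)),    # FC03 response
    (HMI, PLC, 502, bytes.fromhex("0002 0000 0006 01 01 0000 0008")),          # FC01 read coils
    (ENG, PLC, 502, bytes.fromhex("0003 0000 0006 01 06 0010 1f40")),          # FC06 write reg 16
    (ENG, PLC, 502, bytes.fromhex("0004 0000 0006 02 05 0001 ff00")),          # FC05 coil ON
    (PLC, ENG, 4001, bytes.fromhex("0004 0000 0003 02 85 02")),                # exception 02
]

if __name__ == "__main__":
    result = baseline(CAPTURE)
    print("masters:", sorted(result["masters"]))
    print("slaves:", {k: sorted(v) for k, v in result["slaves"].items()})
    for w in result["writes"]:
        print("WRITE on the wire:", w)
    try:
        build_request(9, 1, 6, b"\x00\x10\x00\x00")
    except PermissionError as e:
        print("blocked:", e)
```

The inventory alone already tells a story: the engineering host in the IT zone is the only master issuing writes, and the PLC answers it with an exception only because the coil address was wrong, not because the sender was unauthorised. That is the finding the banner-level scan never produces.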

OT methodology.

Eight phases. Boundary to bus.

Threat-modelled to your plant. Not a checklist.

  1. Scope & threat-model
  2. Passive surface recon
  3. Boundary walk
  4. Protocol attack surface
  5. PLC and engineering workstation
  6. HMI and SCADA chain
  7. Exploit synthesis
  8. Patch verification

Meet your expert

John Dill

vCISO at SecureLayer7

Plant-led · OT engagement model

Modbus to MES · In scope by default

IEC 62443 · Report-mapped

John scopes OT engagements against your PLC vendor mix, SCADA platform, and Purdue-zone layout. Runs kick-off, change-control review, and sign-off.

  • Scopes engagements across manufacturing, energy, utilities, oil and gas (API 1164, TSA Pipeline Security Directives), and water against your real safety model.
  • Owns kick-off, maintenance-window planning, and live review of every protocol, PLC, HMI, and boundary finding.
  • Drives remediation review and re-test until every chain is closed and the patch is verified on the live line.
SL7 Lab. Published CVE research.

Ready to scope an OT pentest? Book 30 minutes with John to walk through your plant, PLC vendor mix, SCADA platform, and maintenance window.

Book a 30-min call

Common procurement questions

What buyers ask before signing an OT pentest SOW.

Have a procurement question not listed here?

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Tech (industrial SaaS / IIoT)

IIoT platforms, fleet-control APIs, OTA chains into plant gateways, edge controllers.

Retail (logistics / supply chain)

Warehouse robotics, edge IoT controllers, Modbus-speaking conveyor PLCs, distribution-centre HMIs.

Energy & utilities

Substation IEC 61850, DNP3 outstations, NERC CIP scope, pipeline SCADA under the TSA Pipeline Security Directives.

Sample OT pentest report: chain, evidence, patch path, re-test.

Sample OT engagement report

See what arrives in your inbox.

A redacted sample OT pentest report: protocol-walk narrative, recorded proof-of-exploit on the bus, patch path, and re-test note.