OT / ICS Penetration Testing

We respectfully challenge your defences to see whether they hold up when an adversary gets creative. Adversary emulation uses real-world ICS attack patterns to test whether your controls actually work under pressure.


Adversarial Testing Built for Industrial Environments

OT penetration testing is not IT penetration testing with a different target list. Industrial control systems require testers who understand the operational consequences of their actions, the proprietary protocols in use, and the difference between a finding that matters and a finding that looks dramatic on paper.

NEXUS conducts OT penetration tests using MITRE ATT&CK for ICS as our adversary emulation framework. We replicate the tactics, techniques, and procedures (TTPs) of threat actors who target industrial environments, not those of generic IT attackers. Where most firms use ATT&CK as a checklist of techniques to demonstrate coverage, we use it differently: we start from the threat actor's objective, the effect they are trying to cause in your environment, and work backwards to select the techniques most likely to achieve it. The result is a test that reflects actual attacker intent, not a catalogue of executed procedures.

What We Test

  • IT/OT boundary controls — can an IT breach reach OT?
  • Remote access paths — VPN, remote desktop, vendor connections
  • Engineering workstation security — pivot points into the OT network
  • SCADA and HMI access controls — authentication and session management
  • PLC and controller access — can we reach and modify device configuration?
  • Historian and data server exposure
  • Wireless network security in OT zones

Stop Conditions Are a Safety Signal, Not a Project Management Clause

Every NEXUS penetration test is governed by pre-agreed stop conditions — specific thresholds at which the test pauses immediately, regardless of what a finding might reveal. These are not bureaucratic constraints. They exist because an OT environment under test is still an operational environment. A stop condition triggered mid-engagement is not a failure — it is the safety model working exactly as it should. We define these conditions with you before any testing begins, and we hold to them without exception.

Our Testing Methodology

01
Scope & Rules of Engagement
Define precisely what is in scope, what techniques are approved, and what constitutes a stop condition. Safety is not compromised for a finding.
02
Reconnaissance & Initial Access
Using approved techniques to gain initial access to the target environment — replicating the methods used by real OT threat actors.
03
Lateral Movement & Impact Demonstration
Attempt to move from initial access to OT impact — demonstrating the realistic consequence of a successful intrusion without causing actual harm.
04
Reporting & Debrief
Full exploitation chain documented with evidence. Remediation roadmap prioritised by operational risk. Debrief session with your engineering and security team.
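The following is an added illustration of how the scope and rules-of-engagement step above, and the "can an IT breach reach OT?" boundary check listed under What We Test, translate into a scope-gated probe. It is example code written for this page, not NEXUS tooling. The service-port table holds well-known defaults (Modbus/TCP 502, S7comm 102, EtherNet/IP 44818, DNP3 20000, OPC UA 4840); the hosts, CIDR ranges and the "stop after N confirmed reachable services" stop condition in the sample run are constructed assumptions, not values from any engagement.

```python
"""Scope-gated IT/OT boundary reachability probe (illustrative example)."""
import ipaddress
import socket

# Well-known TCP ports for common OT protocols (public defaults, not page data).
OT_SERVICE_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    44818: "EtherNet/IP",
    20000: "DNP3",
    4840: "OPC UA",
}


def in_scope(host, scope_cidrs):
    """True only if host falls inside a CIDR agreed in the rules of engagement."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in scope_cidrs)


def plan_probes(hosts, scope_cidrs, approved_ports):
    """Build (host, port) pairs to probe.

    Anything outside the agreed scope is recorded in `skipped` and never
    touched; only pre-approved ports are scheduled.
    """
    planned, skipped = [], []
    for host in hosts:
        if not in_scope(host, scope_cidrs):
            skipped.append(host)
            continue
        planned.extend((host, port) for port in approved_ports)
    return planned, skipped


def tcp_reachable(host, port, timeout=1.0):
    """Non-intrusive check: a plain TCP connect, no protocol payload is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_boundary_check(hosts, scope_cidrs, approved_ports, stop_after=None, timeout=1.0):
    """Probe the planned pairs from the IT side.

    `stop_after` models a pre-agreed stop condition (assumed for this example):
    once that many OT services are confirmed reachable the check pauses,
    because the boundary failure is already demonstrated.
    """
    planned, skipped = plan_probes(hosts, scope_cidrs, approved_ports)
    reachable, probed = [], 0
    for host, port in planned:
        probed += 1
        if tcp_reachable(host, port, timeout):
            reachable.append((host, port, OT_SERVICE_PORTS.get(port, "unknown")))
            if stop_after is not None and len(reachable) >= stop_after:
                break  # stop condition met: pause, do not keep probing
    return {"reachable": reachable, "probed": probed, "skipped_out_of_scope": skipped}


if __name__ == "__main__":
    # Constructed sample engagement: one in-scope OT range, one host that was
    # deliberately excluded from scope and must be skipped, not probed.
    sample_hosts = ["10.20.30.5", "10.20.30.6", "192.168.1.1"]
    sample_scope = ["10.20.30.0/24"]
    result = run_boundary_check(sample_hosts, sample_scope, [502, 102], stop_after=1)
    print(result)
```

The point of the example is the ordering: scope and approved ports are enforced before any packet is sent, and the stop condition is checked after every positive result rather than at the end of the run.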

Deliverables

  • Executive summary — risk-rated findings mapped to business impact
  • Technical report — full exploitation chain documentation
  • Remediation roadmap — prioritised, operationally feasible fixes
  • Debrief session with your engineering and security team
  • 30-day follow-up to verify remediation effectiveness