OT / ICS Security

Industrial networks.
Secured from
the inside out.

OT security assessments, ICS penetration testing, OT/IT segmentation design and compliance support for critical infrastructure. IT expertise applied to industrial environments.

Energy
Manufacturing
Healthcare
Transport
Utilities
PURDUE MODEL — OT/IT NETWORK ARCHITECTURE
Client: manufacturing facility · Scope: full OT/IT segmentation assessment

Level 5 — Enterprise network: corporate IT · ERP / email / internet · standard IT security controls apply. Status: OK
Firewall · IT/OT boundary: Bithost assessment scope begins here
Level 4 — Site business planning: historian · MES · site engineering workstations · remote access gateway. Status: FINDING
Industrial DMZ: segregated zone between L4 and L3 · patching / data transfer · configured by Bithost
Level 3 — Site operations (OT network): SCADA server · DCS server · OT historian · network management station · operator workstations. Status: FINDING
Level 2/1 — Control systems: PLC controllers · DCS nodes · HMI screens · RTU devices · field device network (Modbus, Profibus). Status: ⚠ flat network, no ACL
Level 0 — Field devices: sensors · actuators · transmitters · safety instrumented system (SIS) · field buses. Status: SIS network segregated ✓

Assessment findings
CRITICAL: Remote access gateway, no MFA, direct to L3
CRITICAL: L2/L1 flat network, any PLC reachable from any node
HIGH: Engineering workstation, outdated OS, internet-connected
HIGH: Historian accessible from corporate email VLAN
INFO: SIS network correctly air-gapped ✓

Segmentation plan
✓ Industrial DMZ designed and deployed
✓ Remote access via jump server + MFA enforced
◎ L2/L1 VLAN segmentation in progress
○ OT patch management process (scheduled)
○ IEC 62443 gap analysis report (in progress)
Framework: IEC 62443-3-3 · NERC CIP in scope
Findings this engagement: 2 Critical · 4 High · 6 Medium · all remediated
Compliance scope: IEC 62443 · NERC CIP · SIS segregated
OT Security Assessment · ICS Pen Testing · OT/IT Segmentation · IEC 62443 · NERC CIP Compliance · SCADA Security · Industrial DMZ Design · SIS Audit · Remote Access Security · OT Network Monitoring · Vulnerability Management · Purdue Model Review
Why this is not ordinary IT security

OT environments break
different rules.

Standard IT security tools, methodologies and timelines do not apply when a vulnerability can trigger a physical consequence. We know the difference and we work within the constraints of live industrial environments.

Legacy systems running for decades

Equipment with 10-to-20-year certification cycles cannot be patched on a standard IT schedule. We assess and compensate around the constraints of what cannot be changed.

Proprietary industrial protocols

Modbus, DNP3, Profibus, HART and others require specialist knowledge to assess correctly. We understand the traffic and can identify anomalies that generic tools miss.

Regulations require human auditors

IEC 62443, NERC CIP, IEC 61511 and sector-specific regulations require documented human assessment and sign-off. Automated scanning alone does not satisfy these obligations.

Availability over confidentiality

In OT the priority order is reversed. A process that goes down costs more than data that is exposed. Every recommendation accounts for operational continuity first.

Vendor relationships matter

Reaching Siemens, Rockwell, Schneider or ABB support when something needs coordinated disclosure or a security patch is an industrial-specific skill that requires prior relationships.

One vulnerability means physical risk

In industrial environments a security gap is not just a data breach risk. It is a process safety risk. Our assessments are written with that consequence front and centre.

Sectors we work in

Every industry
with critical infrastructure.

Each sector has its own regulatory framework, its own protocol stack and its own risk profile. We scope every engagement to the specific environment.

Energy and Power

SCADA systems for grid management, substation automation, generation control networks. Remote access security for distributed infrastructure across large geographies.

NERC CIP · IEC 62351 · IEC 61850

Manufacturing

PLC and DCS networks on factory floors, MES connectivity, historian security, OT/IT convergence in Industry 4.0 environments where IT systems now touch production.

IEC 62443 · NIST SP 800-82 · ISA/IEC

Water and Utilities

Treatment plant control systems, pumping station remote access, distribution network SCADA. Systems where a compromise can affect public health at municipal scale.

AWIA 2018 · ICS-CERT · NIST CSF

Healthcare and Pharmaceuticals

Building management systems, medical device networks, laboratory automation, HVAC control in cleanroom environments where a disruption has patient safety implications.

IEC 80001 · FDA Cybersecurity · ISO 27799

Transport and Logistics

Rail signalling systems, port terminal automation, airport ground systems. Networks where availability guarantees and safety case requirements constrain every change.

TS 50701 · IEC 62280 · NIS2

Oil, Gas and Chemicals

Pipeline SCADA, refinery DCS, safety instrumented systems. Process environments where a cybersecurity event can escalate to a process safety event within minutes.

IEC 61511 · ISA-99 · API 1164

Our IT services

Four specialized
consulting streams.

All services are IT and software focused. We assess, design and consult on the network, protocol and system configuration layer. No hardware installation or physical field work.

01

OT Security Assessment

End-to-end review of your OT network architecture against the Purdue Model and IEC 62443 zones and conduits. We identify misconfigurations, unprotected remote access paths, flat network segments and protocol-level vulnerabilities. Deliverable is a prioritised finding report with remediation guidance written for both IT and OT audiences.

Purdue model review · Network topology · Protocol analysis · Risk register

02

ICS Penetration Testing

Controlled, non-disruptive penetration testing of ICS and SCADA networks. We test what an attacker could reach from the IT network, from a compromised engineering workstation or from a compromised Level 3 system. All testing is coordinated with your operations team and scheduled to avoid production impact. No testing on live safety systems.

SCADA pen test · Network pivoting · Protocol fuzzing · OSCP methodology

03

OT/IT Segmentation Design

We design the network segmentation that separates your OT network from enterprise IT using the industrial DMZ pattern. This includes firewall rulesets, VLAN architecture, jump server configuration and secure remote access design. We produce the architecture document and can review the implementation against it.

Industrial DMZ · Firewall rules · VLAN design · Remote access

04

Safety System Certification Support

We support your IEC 62443 or IEC 61511 compliance process with gap analysis, documentation review and the technical evidence required by auditors. We prepare the security level assessment for each zone and conduit and work with your certification body to answer technical questions during the audit process.

IEC 62443 · IEC 61511 · SL assessment · Gap analysis

How an engagement works

Safe, scheduled,
zero disruption.

01
Scope and safety review

We review your network diagrams, system inventory and any existing documentation before arriving onsite. Nothing is tested until we understand what is safety-critical and what the operational boundaries are.

02
Passive assessment first

We begin with passive network monitoring and architecture review. We identify what we can see without sending a single packet to a control system, and use that to plan any active testing carefully.

03
Controlled active testing

Active testing against agreed targets only, coordinated with your operations team and scheduled during planned maintenance windows. No testing on live safety systems under any circumstances.

04
Report and remediation plan

A prioritised finding report with every issue rated by exploitability and consequence. Remediation steps written for OT constraints such as no reboots during production, no automatic patching, and vendor-specific workarounds where patches are not available.

Example engagement
Phase 1 — Scope and safety review
Pre-engagement checklist — agreed before we arrive
Network diagrams reviewed and annotated: Purdue model mapping confirmed. 3 undocumented connections identified in received diagrams before arrival.
Safety-critical systems listed and excluded from active testing: SIS network, emergency shutdown systems and live production PLCs added to the no-touch list.
Operations team briefed and on-call during assessment window: contact name and escalation number confirmed for immediate halt if any concern arises.
Maintenance window scheduled for any active scanning: Saturday 02:00 to 05:00 agreed. Production traffic at minimum during this window.
Existing firewall ruleset requested for pre-review: still awaiting from client IT team. Assessment start delayed until received.

We do not start until everything on this list is confirmed. The additional two days of pre-engagement preparation prevents the kind of surprises that can disrupt operations or miss critical scope.

Passive assessment — discovered without sending packets
Network segments: 8 found
Undocumented hosts: 14
Remote access paths: 3
Unencrypted protocols: Modbus/FTP
Properly segmented: SIS only

14 undocumented hosts on the control network is a common finding. Devices added during maintenance over the years that were never recorded. Every one is a potential entry point that nobody is monitoring.
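The passive inventory described above can be reproduced from a flow summary alone. The following is an added example, not Bithost's tooling: it takes constructed flow records (source, destination, destination port) of the kind a SPAN port or passive tap yields, compares them against a hypothetical documented inventory with Purdue levels, and reports undocumented hosts, cleartext industrial and IT protocols (classified by well-known port, which is an assumption good enough for an inventory pass but not a substitute for protocol-aware inspection), and every direct path from Level 4/5 or an unknown address into Level 3 or below. All addresses and the address plan are constructed for this example.

```python
"""Passive OT inventory from a traffic capture summary (added example).

Everything below is constructed: flows are (src, dst, dst_port) records as a
passive tap would yield after summarising a pcap; DOCUMENTED is a hypothetical
client host inventory with Purdue levels; SEGMENTS is a hypothetical address
plan used to place hosts that are not in the inventory.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Protocols that carry neither authentication nor encryption by design.
CLEARTEXT_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP",
                   21: "FTP", 23: "Telnet"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed documented inventory: host -> Purdue level.
DOCUMENTED = {
    "10.3.0.10": 3,   # SCADA server
    "10.3.0.20": 3,   # OT historian
    "10.2.0.11": 2,   # PLC
    "10.2.0.12": 2,   # PLC
    "10.4.0.5": 4,    # engineering workstation
}

# Constructed address plan: which level each range belongs to.
SEGMENTS = {
    ipaddress.ip_network("10.5.0.0/16"): 5,   # enterprise
    ipaddress.ip_network("10.4.0.0/16"): 4,   # site business
    ipaddress.ip_network("10.3.0.0/16"): 3,   # OT network
    ipaddress.ip_network("10.2.0.0/16"): 2,   # control
}

# Constructed flow summary, as a passive tap on the L3 switch might see it.
SAMPLE_FLOWS = [
    Flow("10.4.0.5", "10.3.0.10", 502),     # eng WS polls SCADA over Modbus
    Flow("10.3.0.10", "10.2.0.11", 502),    # SCADA to PLC (expected)
    Flow("10.3.0.10", "10.2.0.12", 502),    # SCADA to PLC (expected)
    Flow("10.2.0.99", "10.2.0.11", 502),    # unknown device talking to a PLC
    Flow("10.5.0.40", "10.3.0.20", 21),     # corporate host pulls from historian via FTP
    Flow("10.4.0.200", "10.3.0.10", 3389),  # unknown gateway reaches SCADA directly
]


def level_of(host: str):
    """Purdue level from the inventory, else from the address plan, else None."""
    if host in DOCUMENTED:
        return DOCUMENTED[host]
    addr = ipaddress.ip_address(host)
    for net, level in SEGMENTS.items():
        if addr in net:
            return level
    return None  # outside every known range


def crosses_into_ot(flow: Flow) -> bool:
    """True when an upper-level (or unknown) source reaches L3 or below directly."""
    src, dst = level_of(flow.src), level_of(flow.dst)
    return (src is None or src >= 4) and (dst is not None and dst <= 3)


def analyse(flows):
    """Summarise what the capture reveals without touching any control device."""
    hosts = {f.src for f in flows} | {f.dst for f in flows}
    return {
        "hosts_seen": len(hosts),
        "undocumented": sorted(h for h in hosts if h not in DOCUMENTED),
        "cleartext": dict(Counter(CLEARTEXT_PORTS[f.dport]
                                  for f in flows if f.dport in CLEARTEXT_PORTS)),
        "it_to_ot_paths": sorted({(f.src, f.dst) for f in flows if crosses_into_ot(f)}),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

Run against the constructed flows, the script lists three hosts nobody documented, four Modbus/TCP and one FTP exchange in the clear, and three direct IT-to-OT paths, each of which is a candidate for the remote access and flat network findings described later. Every result comes from reading traffic; nothing is sent to a control device.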

Active testing — conducted during agreed maintenance window
Remote access gateway — no MFA, direct reach to Level 3: vendor VPN with shared credentials. Any compromised vendor credential reaches the SCADA server directly.
Engineering workstation reachable from corporate email VLAN: no firewall between L4 and corporate IT. Phishing email to any engineer = direct OT access.
L2 network flat — all PLCs on same broadcast domain: compromising any one PLC gives visibility of all others on the segment.
SIS network correctly air-gapped — not reachable from testing machine: this is the one thing done right. The safety system is genuinely isolated.

All active testing halted at agreed scope boundary. The two critical findings were confirmed without sending a single packet to a live control device. Exploitation was simulated in a documented exercise only.

Remediation plan — OT-safe recommendations only
Industrial DMZ designed and deployed in week 2: two-firewall model with a demilitarised zone between enterprise and control network. Data flow controlled in one direction only.
Remote access via jump server with MFA enforced: all vendor access routed through an audited jump host. Session recording enabled. Shared credentials revoked.
L2/L1 VLAN segmentation in progress: scheduled during next planned shutdown window. Device-level ACLs applied as interim compensating control.
IEC 62443 zone and conduit documentation: in progress. Estimated 3 weeks. Required for certification audit scheduled in Q3.

Both critical findings remediated within 14 days without a single production window required. The DMZ and jump server changes were made in the IT network layer without touching any OT device.
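The segmentation design described in the services section and the remediation plan above both come down to a conduit policy: which zone may talk to which, through which named service. The following added example (not Bithost's deliverable, and not a parser for any real firewall) checks a ruleset exported into a simple tuple form against the two-firewall industrial DMZ pattern. Zone names, permitted conduits, ports and both rulesets are constructed; the "before" ruleset is shaped to reproduce the findings above (vendor VPN straight into Level 3, unfiltered corporate access to the engineering workstation), and the "after" ruleset routes vendors through a jump host and lets data leave OT only outward into the DMZ.

```python
"""Conduit check for an industrial DMZ firewall ruleset (added example).

Zones follow the Purdue levels used on this page. Everything here is
constructed: zone names, the permitted conduits and both rulesets. A rule is
(name, src_zone, dst_zone, port, action). This is policy review over an
exported rulebase, not a firewall configuration parser.
"""

# Purdue level per zone; JUMP is the audited jump host placed in the DMZ.
ZONE_LEVEL = {"ENTERPRISE": 5, "SITE": 4, "DMZ": 3.5, "JUMP": 3.5,
              "OT": 3, "CONTROL": 2, "SIS": 0}

# Conduits the two-firewall DMZ pattern permits. The absence of ("DMZ", "OT")
# is deliberate: data leaves OT into the DMZ, nothing is pushed inward, and
# OT-side hosts pull patches from the DMZ rather than having them pushed.
ALLOWED_CONDUITS = {
    ("ENTERPRISE", "SITE"),   # business traffic, named services only
    ("ENTERPRISE", "DMZ"),    # enterprise reads the replicated historian
    ("SITE", "DMZ"),          # MES and patch staging
    ("OT", "DMZ"),            # OT pushes data outward, one direction
    ("ENTERPRISE", "JUMP"),   # vendors land on the jump host (MFA enforced there)
    ("JUMP", "OT"),           # the only path into L3 from above
    ("OT", "CONTROL"),        # SCADA/DCS servers to PLCs
}


def check_ruleset(rules):
    """Return (rule name, severity, reason) for every allow rule that breaks policy."""
    findings = []
    for name, src, dst, port, action in rules:
        if action != "allow":
            continue
        if "SIS" in (src, dst):
            findings.append((name, "CRITICAL",
                             "no conduit may enter or leave the safety network"))
        elif (src, dst) not in ALLOWED_CONDUITS:
            # Direct reach from L4/L5 into L3 or below is the worst case.
            direct = ZONE_LEVEL.get(src, 5) >= 4 and ZONE_LEVEL.get(dst, 5) <= 3
            findings.append((name, "CRITICAL" if direct else "HIGH",
                             f"{src} -> {dst} is not a permitted conduit"))
        elif port == "any":
            findings.append((name, "HIGH",
                             f"{src} -> {dst} is permitted but must name its services"))
    return findings


# Constructed "before" ruleset mirroring the findings in the example engagement.
BEFORE = [
    ("vendor-vpn-to-scada", "ENTERPRISE", "OT", 3389, "allow"),
    ("email-vlan-to-eng-ws", "ENTERPRISE", "SITE", "any", "allow"),
    ("eng-ws-to-scada", "SITE", "OT", 3389, "allow"),
    ("scada-to-plc", "OT", "CONTROL", 502, "allow"),
]

# Constructed "after" ruleset: DMZ in place, vendors via the jump host only.
AFTER = [
    ("enterprise-to-dmz-historian", "ENTERPRISE", "DMZ", 443, "allow"),
    ("ot-historian-push", "OT", "DMZ", 443, "allow"),
    ("vendor-to-jump", "ENTERPRISE", "JUMP", 443, "allow"),
    ("jump-to-scada", "JUMP", "OT", 3389, "allow"),
    ("email-vlan-to-eng-ws", "ENTERPRISE", "SITE", 443, "allow"),
    ("scada-to-plc", "OT", "CONTROL", 502, "allow"),
    ("default-deny", "ENTERPRISE", "OT", "any", "deny"),
]

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, check_ruleset(rules) or "no violations")
```

The "before" ruleset yields two critical findings and one high, the same shape as the engagement above; the "after" ruleset yields none. The check deliberately stays at zone level so it can be re-run after every change to the IT-side firewalls without touching any OT device, which is what made the 14-day remediation possible.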

Regulatory frameworks we support
IEC 62443

Industrial cyber security for automation and control systems

NERC CIP

Critical infrastructure protection for bulk electric systems

IEC 61511

Functional safety for safety instrumented systems

NIST SP 800-82

Guide to industrial control system security

NIS2

EU network and information security directive for critical entities

ICS-CERT

Advisory-aligned assessment methodology for ICS vulnerabilities

FAQ

Before we discuss
your environment.

Yes. The majority of our assessment work is passive. We capture network traffic, review architecture and analyse configurations without sending any packets to control devices. Any active testing is scoped, scheduled during agreed maintenance windows and coordinated with your operations team before it begins. We have a clear no-touch policy for live safety systems under all circumstances.

A flat network where IT and OT share the same broadcast domain is the most common finding we encounter. We start with an assessment to map what you have and identify the highest risk exposure points, then design the segmentation architecture from there. We do not prescribe a particular firewall vendor or product. We design the architecture and rule logic and you implement it with your preferred tools, or we can advise on the implementation review.

Yes. We produce the zone and conduit analysis, the security level assessment for each zone and the gap analysis between your current state and the target security level. We write the technical documentation in the format that certification bodies expect and can attend technical review sessions with your auditors to answer questions. We do not act as the certification body itself, but we prepare everything the certification body needs to complete their review.

Compensating controls. When the vulnerable device cannot be patched we design the network segmentation and monitoring around it to reduce the attack surface to a minimum and detect any anomalous behaviour. This is standard OT security practice. We document the compensating control for each unpatched system and include it in your risk register so it is visible to auditors and management as a tracked accepted risk rather than an unknown one.

Our services are IT consulting and security services only. We assess, design, document and advise. We do not install hardware, configure physical switches or perform any field engineering work. We produce detailed implementation documentation that your IT team or your OT integrator can execute. Where needed we can review the implementation against the design and confirm it meets the intended security architecture. We can recommend trusted OT system integrators for the physical implementation work if you do not have one.

Critical infrastructure
deserves
serious assessment.

Tell us your sector, your regulatory obligations and what you know about your current OT network. We will scope an engagement from there.

Request an assessment
OT assessment · ICS pen testing · OT/IT segmentation · IEC 62443 support