
OT Security & IoT

OT Security: Penetration Testing for Industrial Controls & IoT
Protect production. Minimize attack surface.

OT Security requires different methods than classical IT Security. We test ICS/SCADA systems, PLCs, HMIs, and IoT devices per IEC 62443 - with a Safety-First approach that never puts your production at risk.

IEC 62443 · Critical Infrastructure Experience · ISO 27001 · Fixed price in 24h

Trusted by our clients

Pentests completed: 500+
Expertise: ICS/SCADA
Fixed-price quote: 24h
Experience: KRITIS

Understanding OT Security

OT Security is not IT Security

Industrial control systems follow different principles than office IT - with physical consequences when things go wrong. Security audits must account for this.

IT Security

Office networks, servers, cloud

  • Priority: Confidentiality - CIA Triad with Confidentiality first - data protection and access control in focus.
  • Regular patching - Updates can be applied quickly, maintenance windows are short and frequent.
  • Standard protocols - TCP/IP, HTTP/S, TLS - well documented, broad tool support for security testing.
  • Short lifecycles - Systems are replaced every 3-5 years, new security features can be introduced promptly.
  • Digital consequences - Data loss, operational disruption - serious, but without immediate physical danger.

OT Security

ICS, SCADA, PLC, field devices

  • Priority: Availability & Safety - AIC Triad - Availability and Safety override confidentiality. Downtime is not an acceptable state.
  • Patching barely possible - 24/7 operations, lack of vendor patches for legacy systems, impact on certifications.
  • Proprietary protocols - Modbus, PROFINET, OPC UA, BACnet, DNP3 - many designed without authentication or encryption.
  • Lifecycles of 15-25 years - PLCs and control systems operate for decades. Security problems accumulate over time.
  • Physical consequences - Machine damage, production downtime, environmental harm, risk to personnel - real consequences demand different testing methodology.

OT Security requires fundamentally different testing methods. Classical IT pentest tools can crash OT systems. AWARE7 exclusively uses OT-specialized tools and methods - passive, coordinated with your OT engineers, Safety-First.

OT Network Segmentation

Purdue Enterprise Reference Architecture: Where We Test

The Purdue Model defines the network hierarchy in industrial facilities. We test at all levels - and in particular check whether the boundaries between them are truly secure.

Level 5

Enterprise Network

Systems

External internet, WAN connectivity, remote access infrastructure

AWARE7 Tests

Firewall rules, VPN configuration, external attack surface, internet exposure

Level 4

Business Planning & Logistics

Systems

ERP systems, MES, production planning, historian servers

AWARE7 Tests

Database access, ERP interfaces, remote desktop services, historian security

Critical Boundary Zone
Level 3.5

Demilitarized Zone (DMZ)

Systems

Data historian, jump server, data diodes, remote access gateway

AWARE7 Tests

DMZ configuration, data diode implementation, jump server hardening, inbound communication rules

Level 3

Site Operations

Systems

Site-wide SCADA servers, historian, OT domain controller

AWARE7 Tests

SCADA server hardening, Active Directory OT integration, protocol compliance, network segmentation

Level 2

Area Supervisory Control

Systems

HMI stations, SCADA workstations, engineering workstations

AWARE7 Tests

HMI web interfaces, engineering station access rights, Modbus/OPC UA security, HMI OS hardening

Level 1

Basic Control

Systems

PLCs, Remote Terminal Units (RTU), Distributed Control Systems (DCS)

AWARE7 Tests

Authentication, default credentials, firmware version, Modbus/PROFINET communication, CPU stop protection

Level 0

Process

Systems

Sensors, actuators, valves, pumps, drives - physical process

AWARE7 Tests

Communication to field devices, unsecured fieldbus protocols, physical access, tamper protection

Testing Areas

What we test in your OT environment

Four core areas, systematically analyzed - from field device firmware to network segmentation.

ICS/SCADA Security Testing

Systematic security analysis of industrial control systems - from the protocol level to the application layer.

  • Protocol analysis: Modbus TCP, OPC UA, PROFINET, BACnet, DNP3
  • PLC authentication and access rights
  • HMI web interfaces for web vulnerabilities (XSS, SQLi, Auth Bypass)
  • SCADA server hardening and OS security
  • Engineering workstation security
  • Historian database access and permissions

IoT Device Penetration Testing

Complete security analysis of IoT devices - hardware, firmware, communication, and cloud backend.

  • Firmware extraction via JTAG, UART, SPI flash, or update channel
  • Firmware analysis: hardcoded credentials, CVEs, cryptography
  • Hardware interfaces: JTAG debugging, UART console, I2C/SPI
  • Wireless protocols: BLE, Zigbee, LoRa, Z-Wave, WiFi (802.11)
  • Cloud backend and API security
  • Update mechanism: signature verification, downgrade attacks

OT Network Segmentation

Testing whether your IT/OT separation truly prevents exploitable lateral movement.

  • IT/OT boundary: validation of firewall rules and ACLs
  • VLAN isolation and inter-VLAN routing checks
  • Data diode verification and unidirectionality testing
  • Remote access security: VPN, jump servers, remote maintenance
  • DMZ configuration per IEC 62443 Zone/Conduit model
  • Lateral movement simulation: from IT into the OT network

Firmware Reverse Engineering

Deep binary analysis of embedded firmware - from simple IoT devices to PLC firmware.

  • Binary analysis: Ghidra, Binwalk, FACT_core, Radare2
  • Hardcoded credentials: passwords, API keys, certificates
  • Known CVEs in deployed libraries (Busybox, OpenSSL, etc.)
  • Bootloader security: Secure Boot, JTAG protection
  • Update signature verification and downgrade protection
  • Cryptographic implementations and key management

Critical Infrastructure

Critical Infrastructure Operators: OT Security as a Legal Obligation

NIS-2 Directive Article 21 and sector-specific regulations require operators of critical infrastructure to implement demonstrable security measures - OT penetration tests are a central instrument for this evidence.

Energy

Power supply, gas pipelines, district heating, fuel distribution networks

Water

Drinking water supply, wastewater treatment, water quality monitoring

Healthcare

Hospitals, laboratories, medical device manufacturers, pharmaceutical companies

Transport

Rail, airports, ports, traffic management systems

Digital Infrastructure

Data centers, CDN, DNS resolvers, internet exchange points

Food

Food production, distribution, logistics above threshold values

NIS-2 Article 21 Requirements

NIS-2 Directive (2022/2555) significantly expands the circle of affected entities. Organizations must implement appropriate and proportionate technical and organizational security measures, report significant incidents within 24-72 hours, and regularly assess their security posture.

Sector-Specific Obligations

Critical infrastructure operators must demonstrate "appropriate organizational and technical precautions," report significant incidents, and conduct security audits at regular intervals. Our reports are tailored to these evidence requirements and support you with supervisory authorities.

Our Critical Infrastructure Value

AWARE7 has successfully supported several critical infrastructure operators from the energy, water, and healthcare sectors through OT assessments. Our reports are aligned with regulatory requirements and help document your compliance with NIS-2 and sector-specific standards.

IEC 62443

IEC 62443 Security Levels: Our Testing Framework

IEC 62443 is the international standard for the security of industrial automation and control systems. We map all findings to this standard.

SL 1

Casual / Unintentional

Protection against unintentional or accidental violations - basic security mechanisms

SL 2

Intentional / Simple

Protection against simple, targeted attacks with general knowledge and limited resources

SL 3

Advanced

Protection against attackers with specific ICS knowledge, moderate resources and motivation

SL 4

State-Sponsored / APT

Protection against highly motivated, state-sponsored actors with extensive resources

Zone & Conduit Model

IEC 62443 defines security zones and the communication channels between them (conduits). We verify whether your zone/conduit definition matches reality and whether conduits meet the defined security requirements.

  • Zone boundary verification: do firewalls match the zone definition?
  • Conduit security analysis: TLS, authentication, authorization
  • Inter-zone communication: only allowed protocols and ports?
  • Undocumented connections: expose direct IT/OT connections
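
One way to automate the zone-boundary and conduit checks listed above, as an added example that is not AWARE7's tooling: the Purdue-level zones, the conduit allowlist and the firewall rules are constructed, and a permit rule that spans a whole network range across a zone boundary is reported the way the segmentation finding further down describes.

```python
"""Audit permit rules at IT/OT zone boundaries against an IEC 62443
zone/conduit definition laid over Purdue levels. Added example, not
AWARE7 tooling; zones, conduits and rules below are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str    # CIDR; a /32 is a single host
    dst: str
    proto: str  # "tcp" or "udp"
    port: int   # destination port; 0 means "any" and never matches a conduit

# Constructed zone model: each Purdue level gets its own address space.
ZONES = {
    "L4 Business": ipaddress.ip_network("10.10.0.0/16"),
    "L3.5 DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "L3 Site Ops": ipaddress.ip_network("10.30.0.0/24"),
    "L2 Supervisory": ipaddress.ip_network("10.40.0.0/24"),
    "L1 Control": ipaddress.ip_network("10.50.0.0/24"),
}

# Constructed conduits: (src zone, dst zone) -> protocols/ports allowed to cross.
CONDUITS = {
    ("L4 Business", "L3.5 DMZ"): {("tcp", 443)},         # MES -> historian mirror
    ("L3.5 DMZ", "L3 Site Ops"): {("tcp", 3389)},        # jump server -> SCADA servers
    ("L3 Site Ops", "L2 Supervisory"): {("tcp", 4840)},  # SCADA -> HMI over OPC UA
    ("L2 Supervisory", "L1 Control"): {("tcp", 502)},    # HMI -> PLC over Modbus/TCP
}

def zone_of(cidr):
    """Name of the zone that fully contains cidr, or None if it fits no zone."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return None

def audit_rule(rule):
    """Return findings for one permit rule; an empty list means compliant."""
    findings = []
    src_zone, dst_zone = zone_of(rule.src), zone_of(rule.dst)
    if src_zone is None or dst_zone is None:
        return [f"{rule.name}: address range is outside every defined zone"]
    if src_zone == dst_zone:
        return findings  # intra-zone traffic is out of scope for conduit checks
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        findings.append(f"{rule.name}: no conduit defined for {src_zone} -> {dst_zone}")
    elif (rule.proto, rule.port) not in allowed:
        findings.append(f"{rule.name}: {rule.proto}/{rule.port} not allowed on conduit "
                        f"{src_zone} -> {dst_zone}")
    # Cross-zone rules must be host-to-host; whole ranges enable lateral movement.
    for label, cidr in (("source", rule.src), ("destination", rule.dst)):
        if ipaddress.ip_network(cidr, strict=False).num_addresses > 1:
            findings.append(f"{rule.name}: {label} {cidr} is a network range, not a host")
    return findings

def audit_rules(rules):
    """Map each rule name to its findings, omitting compliant rules."""
    return {r.name: f for r in rules if (f := audit_rule(r))}

# Constructed rule set of a firewall between office IT and the plant network.
SAMPLE_RULES = [
    Rule("scada-to-plc", "10.40.0.10/32", "10.50.0.7/32", "tcp", 502),
    Rule("office-to-ot-any", "10.10.0.0/16", "10.50.0.0/24", "tcp", 0),
    Rule("eng-to-plc-http", "10.40.0.11/32", "10.50.0.7/32", "tcp", 80),
    Rule("mes-to-dmz", "10.10.5.20/32", "10.20.0.5/32", "tcp", 443),
]
```

Running audit_rules(SAMPLE_RULES) reports the office-to-OT range rule three times (no conduit, range source, range destination) and the engineering-station HTTP rule once, while the two host-to-host conduit rules pass.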

Component & System Tests

IEC 62443 distinguishes between security requirements for individual components (Component Level) and the overall system (System Level). We test at both levels.

  • Component level: PLC, HMI, SCADA server per IEC 62443-4-2
  • System level: overall facility per IEC 62443-3-3
  • Security Assessment Report with IEC 62443 mapping
  • Recommendations for SL uplift per zone and component

Typical Findings

What we regularly find in OT environments

These vulnerabilities are present in the majority of ICS/SCADA environments we analyze - regardless of industry or plant size.

Critical CVSS 10.0
IEC 62443-3-3 SR 3.1

Unencrypted Modbus Communication Allows Process Manipulation

Modbus TCP is deployed without authentication and without encryption in the production network. Any attacker who gains access to the OT network can write arbitrary holding registers, thereby manipulating setpoints, control parameters, and process variables - without login, without logging. In the documented case, this could have led to uncontrolled pressure increase in a cooling circuit.

# Modbus Write Multiple Registers - without authentication
$ python3 modbus_write.py --host 10.0.1.50 --register 40001 --value 9999
[+] Written: Setpoint Override successful - no auth required
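
Passive detection of the writes this finding describes, from the viewpoint of a network monitor on a mirror port (added example, not AWARE7 tooling): the Modbus/TCP frames, IP addresses and writer allowlist are constructed, and any write function code from a host that is not allowed to write to that PLC is reported.

```python
"""Passive detection of Modbus/TCP write requests from hosts that are not
supposed to write to a PLC. Added example for this finding, not AWARE7
tooling: frames, IP addresses and the writer allowlist are constructed."""
import struct
from dataclasses import dataclass

# Function codes that change PLC state. Codes 1-4 are reads and are never flagged.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

@dataclass
class ModbusRequest:
    src: str
    dst: str
    unit_id: int
    function_code: int
    start_address: int  # protocol address; holding register 0 is "40001" in PLC notation
    quantity: int

def parse_mbap_frame(src, dst, payload):
    """Decode one TCP payload: 7-byte MBAP header followed by the PDU.
    Returns None for anything that is not a well-formed Modbus request."""
    if len(payload) < 8:
        return None
    _tid, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; the length field counts unit id plus PDU.
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    function_code = payload[7]
    start_address = quantity = 0
    if function_code in (1, 2, 3, 4, 15, 16) and len(payload) >= 12:
        start_address, quantity = struct.unpack(">HH", payload[8:12])
    elif function_code in (5, 6) and len(payload) >= 12:
        start_address, quantity = struct.unpack(">H", payload[8:10])[0], 1
    return ModbusRequest(src, dst, unit_id, function_code, start_address, quantity)

def find_unauthorised_writes(frames, authorised_writers):
    """frames: iterable of (src_ip, dst_ip, tcp_payload).
    authorised_writers: {plc_ip: set of ips allowed to write to it}.
    Returns every write request whose source is not on the PLC's allowlist."""
    findings = []
    for src, dst, payload in frames:
        req = parse_mbap_frame(src, dst, payload)
        if req is None or req.function_code not in WRITE_FUNCTION_CODES:
            continue
        if src not in authorised_writers.get(dst, set()):
            findings.append(req)
    return findings

def build_request(transaction_id, unit_id, pdu):
    """Constructed sample frame: MBAP header (length = unit id + PDU) and PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu

# Constructed capture: the SCADA server reads and writes legitimately; a host
# from an office range writes the same setpoint register without any rights.
PLC, SCADA, OFFICE_PC = "10.0.1.50", "10.0.1.10", "10.0.5.23"
AUTHORISED_WRITERS = {PLC: {SCADA}}
SAMPLE_FRAMES = [
    (SCADA, PLC, build_request(1, 1, bytes([3]) + struct.pack(">HH", 0, 10))),
    (SCADA, PLC, build_request(2, 1, bytes([16]) + struct.pack(">HHBH", 0, 1, 2, 1200))),
    (OFFICE_PC, PLC, build_request(7, 1, bytes([6]) + struct.pack(">HH", 0, 9999))),
    (OFFICE_PC, PLC, build_request(8, 1, bytes([16]) + struct.pack(">HHBH", 0, 1, 2, 9999))),
    (OFFICE_PC, PLC, b"\x00\x09\x00\x00\x00\x03\x01"),  # truncated frame, ignored
]

def analyse_sample():
    """Run the detector over the constructed capture."""
    return find_unauthorised_writes(SAMPLE_FRAMES, AUTHORISED_WRITERS)
```

Only the two office-PC writes (function codes 6 and 16 to address 0) are reported; the SCADA server's read and write pass, and the truncated frame is discarded by the header check.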

Critical CVSS 9.8
IEC 62443-4-2 CR 1.1

Default Credentials on PLC Web Interface

The integrated web interface of a Siemens S7-1500 PLC is reachable with factory credentials (admin/admin). Through this interface, the PLC program can be completely replaced, the CPU stopped, and all I/O outputs manually controlled. The PLC controls a conveyor system with 200 tonnes daily throughput. Operational disruption, equipment damage, and risk to personnel are possible consequences.

High CVSS 8.6
IEC 62443-3-3 SR 5.1

Missing IT/OT Segmentation Enables Lateral Movement

Firewall rules between IT and OT networks allow broad network ranges instead of specific host-to-host communication. From a compromised office PC, we were able to directly access SCADA workstations, engineering stations, and through these, PLCs. A typical ransomware scenario would thus have direct access to the production control system.

High CVSS 7.5
IEC 62443-4-2 CR 3.3

Outdated Firmware with Known Vulnerabilities on IoT Gateway

The deployed IoT gateway (firmware v2.1.3, end of support since 2021) contains several known vulnerabilities in outdated libraries (including OpenSSL, Busybox) for which public exploits are available. The gateway forms the bridge between the production network and cloud backend. Remote code execution without authentication is possible via the unpatched components.

Pricing & Packages

Transparent Fixed Prices for OT Security

No hourly overruns, no hidden costs - your budget is plannable.

IoT Device Assessment

from 8,000 EUR

5-10 business days

  • 1-5 IoT devices (same type)
  • Firmware extraction & analysis
  • Hardware interface tests (JTAG, UART)
  • Wireless protocol analysis
  • Cloud backend & API security
  • Detailed final report

OT Network Assessment

from 15,000 EUR

10-15 business days

  • 1 production site
  • Network analysis (passive + active)
  • ICS/SCADA protocol testing
  • PLC & HMI security analysis
  • IT/OT segmentation verification
  • Purdue Model compliance check
  • IEC 62443 mapping in report

Critical Infrastructure Full Assessment

from 25,000 EUR

15-25 business days

  • Multiple sites / large facilities
  • Full ICS/SCADA + IoT testing
  • Firmware analysis of all relevant devices
  • Red team: attack simulation incl. social engineering
  • Critical infrastructure compliance evidence report
  • IEC 62443 Security Level Assessment
  • Executive briefing for CISO/management

Individual Assessment

Multiple sites, specific plant types (energy supply, water treatment, hospitals), combined IT/OT assessments, or retainer models - we will provide you with a tailored quote.


Safety-First Methodology

No test ever endangers your production

OT penetration testing requires the utmost care. AWARE7 has developed its own methodology that enables security-effective tests without endangering operations.

01

Passive Network Reconnaissance

All tests begin with passive analysis: we listen to network traffic and map devices, protocols, and communication relationships without sending active packets. No requests, no active scans - purely passive via packet capture and protocol analysis. This can also be performed on a mirror port of the switch, without direct network participation.

Wireshark · Zeek · Nozomi Networks · Claroty
02

Test Environment Validation

Where possible, we first conduct critical active tests in a test environment or on dedicated test devices before testing in the production environment. For Siemens S7, a separate PLC test stand can be set up. If no test stand is available, we define with your OT engineers which tests can safely be conducted in production.

Test Environment · Development PLC · Simulation
03

Coordinated Maintenance Windows

Active tests in the production environment are conducted exclusively in agreed maintenance windows - typically at night or on weekends, when the plant is stopped or running at minimum capacity. OT technicians and plant operators are on-site throughout the entire test period. All tests are approved in writing in the test plan beforehand.

Change Management · Maintenance Window · OT Technicians
04

Rollback & Recovery

Before each active test, we document the baseline state of the affected systems (firmware version, configuration, program backup). A defined rollback procedure is established for each test step. In the unlikely event of an unintended disruption, we can restore the baseline state within minutes.

System Backup · Configuration Snapshot · Rollback Plan
05

OT-Specialized Tools

We exclusively use OT-compatible tools. Classical IT pentest tools such as Nessus, Metasploit, or aggressive Nmap scans can damage or crash OT systems. Instead, we use specialized OT security tools designed for industrial environments that understand the specific protocols.

Claroty · Nozomi Networks · TENABLE.OT · SCADAguard

In-house Development · Open Source

Open Operational Technology Testing Guide

AWARE7 has developed the OOTTG - an open security testing standard specifically for OT environments. The guide defines systematic testing procedures for industrial control systems and forms the methodological foundation of our OT penetration tests.


Why AWARE7 for Your OT Security

What sets us apart from other providers

Pure awareness platforms do not test systems. Pure consulting groups are too far removed. AWARE7 combines both: we hack your infrastructure and train your employees - suited to mid-sized companies, personal, without enterprise overhead.

Research and teaching as our foundation

Around 20% of our revenue comes from research projects for the BSI and BMBF. Our studies analyze millions of websites and tens of thousands of phishing e-mails - published at ACM and Springer conferences. Three of our executives are also professors at German universities.

Digital sovereignty - no compromises

All data is stored and processed exclusively in Germany - without US cloud providers. No freelancers, no subcontractors in the value chain. All employees are permanently employed with full social insurance and bound by uniform legal obligations. VS-NfD compliant on request.

Fixed price in 24h - plannable project timelines

Within 24 hours you receive a binding fixed-price quote - no hourly-rate risk, no additional claims, no surprises. Thanks to an experienced team and standardized processes, you get a clear schedule with a defined start and end date.

Your dedicated point of contact - reachable at any time

A personal project manager accompanies you from the initial consultation to the re-test. You book appointments directly with your contact - no ticket systems, no call center, no switching between changing consultants. Continuity builds trust.

Who are we the right partner for?

Mid-sized companies with 50-2,000 employees

Companies that need real security - without paying for a DAX-corporation service provider. Fixed price, clear scope, one point of contact.

IT managers & CISOs

Who have to make a convincing case internally - and need a report written in board-level language for it, not just technical findings.

Regulated industries

KRITIS, healthcare, financial services: NIS-2, ISO 27001, DORA - we know the requirements and deliver evidence that auditors accept.

Contributions to industry standards

LLM

OWASP · 2023

OWASP Top 10 for Large Language Models

Prof. Dr. Matteo Große-Kampmann as a contributor in the core team of the internationally recognized OWASP LLM security standard.

BSI

BSI · Allianz für Cyber-Sicherheit

Management von Cyber-Risiken

Prof. Dr. Matteo Große-Kampmann as a contributor to the official BSI handbook for corporate management (German version).

Process

Three steps to your OT Security Assessment

01

Initial Consultation & Scope Definition

In a free initial consultation, we discuss your plant, the systems and protocols in use, your critical infrastructure relevance, and jointly define the exact test scope with you and your OT engineers - including safety constraints and maintenance windows.

02

Fixed-Price Quote in 24 Hours

Based on the scope document, you will receive a binding fixed-price quote within 24 hours. No hourly overruns, no additional charges - your budget is securely plannable.

03

OT Pentest with Safety-First Approach

We conduct the test following our Safety-First approach: passive, coordinated with your OT technicians, in agreed maintenance windows. The result: a comprehensive report with IEC 62443 mapping and critical infrastructure compliance documentation.

OT Security (Operational Technology Security) refers to the protection of industrial control systems - including PLCs, SCADA, DCS, HMIs, and networked field devices. The key difference from classical IT Security lies in priorities: while IT security places data confidentiality first (CIA Triad: Confidentiality first), in the OT world availability and physical safety come first (Availability > Integrity > Confidentiality). An attack on a PLC in a production facility can have real-world consequences - machine damage, production stoppages, environmental harm, or even risk to human lives. These physical effects require fundamentally different testing methods.

No - if carried out professionally. AWARE7 takes a Safety-First approach to OT pentests: we always start with passive network reconnaissance and non-invasive analysis before conducting active tests in a defined maintenance window. All active tests are coordinated in advance with your OT engineers and plant operators. We never run uncontrolled tests on production systems - critical active checks are first performed in a test environment or a dedicated maintenance window. With this methodology, we have never caused an unintended operational disruption.

ISO 27001 is a general information security management system designed for IT environments, focusing on confidentiality, integrity, and availability of information. IEC 62443 is specifically developed for industrial automation and control systems (IACS) and addresses the special requirements of OT environments: safety integration, lifecycle management of components, the zone-and-conduit model, and security levels (SL 1-4). For critical infrastructure operators, IEC 62443 is the more relevant standard as it addresses the specific risks of industrial systems. Many organizations pursue a combination of both standards.

Under NIS-2 Directive Article 21, operators in critical sectors (energy, water, health, transport, digital infrastructure, finance, food) must implement appropriate technical and organizational measures to protect their IT and OT systems. This includes: mandatory incident reporting within 24-72 hours, regular security audits and penetration tests, implementation of security measures proportionate to the risk, and documentation of an information security management system. Our OT penetration tests help you meet and document these requirements.

Our Safety-First approach encompasses four phases: First, passive network reconnaissance (read-only, no active scanning) via packet capture and protocol analysis. Second, test environment validation - where possible, in a staging environment or on test systems. Third, coordinated active tests in agreed maintenance windows (typically nights or weekends) with OT technicians on-site. Fourth, rollback preparation: we document the baseline state of all systems and define recovery procedures in advance. This methodology ensures your production is never put at risk.

We analyze all common industrial communication protocols: Modbus TCP/RTU, PROFINET, PROFIBUS, OPC UA, OPC DA, DNP3, IEC 60870-5-104, BACnet, EtherNet/IP, HART, Zigbee, LoRaWAN, MQTT (Industrial), and proprietary protocols from leading manufacturers such as Siemens S7, Allen-Bradley (Rockwell), Schneider Electric, and ABB. For each protocol, we conduct authentication, integrity, and availability tests - always in line with our Safety-First methodology.

Duration depends on scope: A focused IoT Device Assessment (1-5 devices) takes 5-10 business days. An OT Network Assessment of a medium-sized facility (1 site, 1-2 production lines) takes 10-15 business days. For a comprehensive Critical Infrastructure Full Assessment covering multiple sites or large networks, plan for 15-25 business days. For time-critical projects, we offer a prioritized approach that addresses the greatest risks first. All timelines include report production.

During firmware analysis, we first extract the firmware - either via official update channels, hardware interfaces (JTAG, UART, SPI flash), or network sniffing. We then analyze the filesystem for hardcoded credentials, SSH keys, certificates, and configuration files. We analyze binaries for known CVEs (via Binwalk, FACT_core), insecure cryptography, and unsecured bootloaders. Finally, we review the update mechanism for signature verification and man-in-the-middle vulnerabilities. The result is a complete security assessment of the firmware with prioritized recommendations.

OT network segmentation refers to the physical and logical separation of production networks (OT/ICS) from office IT networks and the internet. The Purdue Enterprise Reference Architecture model defines 5 levels with clear communication rules. Without segmentation, an attacker who enters the office network can directly access PLCs and SCADA systems - exactly this attack vector was used in the 2015 attack on the Ukrainian power grid, where attackers moved from compromised IT systems into the OT network and disrupted power supplies. We test whether your segmentation measures comply with defined security policies and whether the IT/OT boundary is truly impenetrable.

Costs depend on scope. An IoT Device Assessment for 1-5 devices starts from EUR 8,000 (5-10 days). An OT Network Assessment for a single site starts from EUR 15,000 (10-15 days). A full Critical Infrastructure Assessment starts from EUR 25,000 (15-25 days). All prices are fixed prices - no hidden costs, no hourly overruns. We provide an individual quote within 24 hours of a free initial consultation. Given the potential costs of an OT security incident (production downtime, property damage, reputational loss), a professional security assessment is one of the most important investments for manufacturing organizations.

Your production is too valuable to wait

Every second industrial organization lacks a dedicated OT Security strategy. A single successful attack on your control systems can mean weeks of production downtime. Let us minimize your attack surface together.

Free · 30 minutes · No obligation

IEC 62443 · Testing Framework
ISO 27001 · Certified
NIS-2 · Art. 21 Compliant
KRITIS · Experience
OSCP · Certified Testers
ICS/SCADA · Specialized