Test the plant without taking it down.
OT and ICS penetration testing for discrete and process manufacturers. Purdue-model zoning, IEC 62443 conformance, NIST SP 800-82 reference architecture and MITRE ATT&CK for ICS — delivered with engineering-replica testing and outage-window planning so the line keeps running.
Pain points the CISO and the plant manager actually argue about
Flat IT/OT network
Engineering workstations dual-homed to corporate AD and the plant LAN. Phishing one engineer gives a direct route to the historian and from there to the PLCs. The dominant root cause across every public ICS incident from 2017 onwards.
Unsupported legacy controllers
Siemens S7-300, Rockwell ControlLogix L6x, Schneider Modicon Quantum still running 10–20 year old firmware with no vendor-supported patch path. Compensating controls only — network segmentation, allow-listing, deep-packet protocol inspection.
Vendor remote access
OEM integrators with always-on VPNs, shared service accounts, no session recording. The Verizon DBIR consistently ranks third-party-access misuse in the top three OT intrusion vectors.
Ransomware lateral movement IT → OT
Conti, LockBit, BlackCat, Akira, Cl0p — every major ransomware crew has hit a manufacturer through corporate IT and pivoted to halt production. Norsk Hydro, JBS, Colonial Pipeline, Brunswick, Clorox, MKS Instruments, Boeing — the public-record list is long.
Safety system exposure
Triton / Trisis (2017) demonstrated that safety-instrumented systems are themselves targetable. Pipedream / Incontroller (2022) generalised the tooling. The plant manager is right to be nervous about anything that touches the SIS.
M&A integration risk
Acquired plants arrive with unknown asset inventories, unknown patch state, unknown vendor remote-access lists. Day-one segmentation between the parent estate and the acquired plant is rarely in place.
Compliance frameworks the engagement maps to
IEC 62443 — Industrial Automation & Control Systems Security
The international standard for IACS security. Part 2-1 (asset-owner programme), 2-4 (service-provider requirements), 3-2 (risk assessment, zones and conduits), 3-3 (system security requirements and Security Levels SL1–SL4), 4-1 (secure product development for component suppliers) and 4-2 (component-level technical requirements). Engagement reports findings per Foundation Requirement (FR1–FR7) per zone.
NIST SP 800-82 Rev. 3 — Guide to OT Security
Reference architecture for ICS, SCADA, DCS, PLC and IIoT environments. Purdue Enterprise Reference Architecture overlay, defence-in-depth zoning, OT-specific risk-management lifecycle. Used alongside IEC 62443 as the technical playbook for the assessment.
MITRE ATT&CK for ICS
Adversary technique matrix for industrial control systems — tactics Initial Access, Execution, Persistence, Privilege Escalation, Evasion, Discovery, Lateral Movement, Collection, Command and Control, Inhibit Response Function, Impair Process Control, Impact. Adversary simulation exercises the relevant techniques against the achieved SL.
NIS2 Directive (EU 2022/2555)
Brings most large EU manufacturers into scope as essential or important entities. State-supervised cybersecurity risk-management obligations under Article 21, 24-hour early-warning and 72-hour incident notification (Article 23), management-board accountability and personal liability for non-compliance.
SEC Cybersecurity Disclosure (Item 1.05 of Form 8-K)
US-listed manufacturers must disclose material cybersecurity incidents within four business days (Item 1.05 of Form 8-K) and describe their cyber risk management, strategy and governance annually (Item 106 of Reg S-K). The engagement deliverable includes a materiality checklist tuned to manufacturing operational impact.
CISA Cross-Sector Cybersecurity Performance Goals (CPGs)
Voluntary baseline of high-impact security practices for critical infrastructure, including manufacturing sub-sectors. Mapped per-finding alongside IEC 62443 for US plants under CISA voluntary guidance.
Sample attack scenarios exercised
Three scenarios commonly run in a manufacturing adversary-simulation engagement. Each is drawn from a public-record incident pattern and mapped to MITRE ATT&CK for ICS techniques.
Case study
Tier-1 automotive supplier, three EU plants. 14-week engagement covering Purdue Level 2–4 across stamping, body-in-white and final-assembly lines. Findings: flat L3/L4 routing on two of three plants, 47 dual-homed engineering workstations, four vendor VPNs with shared credentials, unsupported S7-300 firmware on a non-critical conveyor.
Outcome: Industrial DMZ rolled out plant-by-plant over six months, vendor access centralised through a single bastion with session recording, segmentation backlog tracked against IEC 62443 SL2 target. Zero production minutes lost during the engagement; zero safety incidents.
Full redacted report and reference call available under mutual NDA. Request via the scoping form →
Frequently asked questions
Can you pentest a live production plant without taking it down?
Yes — that is the entire reason the engagement model differs from a corporate-IT pentest. Default posture on Level 0–2 of the Purdue model (field devices, basic control, area supervisory) is passive: span-port packet capture, asset enumeration from engineering-station configuration files, vendor manual review, and read-only protocol inspection. Active testing is reserved for engineering replicas, factory-acceptance-test rigs, or planned outage windows agreed with the plant manager. Rules of Engagement always exclude anything that could cause a safety system to mis-trip, a setpoint to drift, or a batch to scrap. The plant's safety-instrumented system (SIS) is never in scope.
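The passive posture described above (SPAN-port capture, read-only protocol inspection) can be shown with a small inventory pass over captured Modbus/TCP frames. This is an added example, not code from the page or from AxVeil: it assumes frames have already been pulled out of a pcap into (src_ip, dst_ip, dst_port, tcp_payload) tuples, and the six frames it reads are constructed for illustration rather than captured from any plant. It parses the MBAP header, records which servers, unit ids and function codes were seen, and attributes write function codes to the clients that issued them so that write traffic from anything other than the agreed engineering stations surfaces as a finding. Nothing is transmitted; only captured bytes are read.

```python
"""Passive Modbus/TCP inventory from SPAN-port captures.

Added example, not code from the page or from AxVeil. Assumes frames were
already extracted from a pcap into (src_ip, dst_ip, dst_port, tcp_payload)
tuples; the sample frames below are constructed, not captured from a real
plant. Nothing here transmits: it only reads captured bytes.
"""
import struct
from collections import defaultdict
from typing import Optional

MODBUS_PORT = 502

# Public Modbus function codes; the write codes are the ones that can change
# process state, so the client that issued them is worth recording.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
    43: "Read Device Identification",
}
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


def parse_mbap(payload: bytes) -> Optional[dict]:
    """Parse the 7-byte MBAP header and the function code after it.

    MBAP = transaction id (2), protocol id (2, always 0), length (2, counts
    the unit id plus the PDU), unit id (1). Returns None for anything
    malformed so a truncated or non-Modbus segment is counted, not mis-read.
    """
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    return {"tid": tid, "unit": unit, "fc": fc & 0x7F, "exception": bool(fc & 0x80)}


def build_inventory(frames):
    """Servers seen on TCP/502 with unit ids, function codes and write clients."""
    servers = defaultdict(lambda: {"units": set(), "functions": set(),
                                   "clients": set(), "write_clients": set(),
                                   "malformed": 0})
    for src, dst, dport, payload in frames:
        if dport != MODBUS_PORT:          # only client -> server requests
            continue
        rec = servers[dst]
        parsed = parse_mbap(payload)
        if parsed is None:
            rec["malformed"] += 1
            continue
        rec["units"].add(parsed["unit"])
        rec["functions"].add(parsed["fc"])
        rec["clients"].add(src)
        if parsed["fc"] in WRITE_FUNCTIONS:
            rec["write_clients"].add(src)
    return dict(servers)


def unexpected_writers(inventory, allowed_writers):
    """Write traffic from any client not on the agreed engineering-station list."""
    findings = []
    for server, rec in sorted(inventory.items()):
        for client in sorted(rec["write_clients"] - set(allowed_writers)):
            findings.append((client, server))
    return findings


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build one request frame for the constructed sample (length = 1 + len(pdu))."""
    return struct.pack(">HHHB", tid, 0, 1 + len(pdu), unit) + pdu


# Constructed sample: an HMI reads and writes one PLC, a second PLC is read,
# a host in a hypothetical corporate range writes registers, one frame is
# truncated, and one frame is a server response (ignored by port).
SAMPLE_FRAMES = [
    ("10.20.1.50", "10.20.2.10", 502, mbap(1, 1, bytes([3, 0, 0, 0, 10]))),
    ("10.20.1.50", "10.20.2.10", 502, mbap(2, 1, bytes([6, 0, 16, 0, 1]))),
    ("10.20.1.50", "10.20.2.11", 502, mbap(3, 2, bytes([4, 0, 0, 0, 4]))),
    ("10.1.5.23", "10.20.2.10", 502, mbap(4, 1, bytes([16, 0, 16, 0, 1, 2, 0, 5]))),
    ("10.1.5.23", "10.20.2.10", 502, b"\x00\x05\x00\x00"),
    ("10.20.2.10", "10.20.1.50", 49152, mbap(1, 1, bytes([3, 2, 0, 7]))),
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FRAMES)
    for server, rec in sorted(inv.items()):
        names = sorted(FUNCTION_NAMES.get(fc, f"fc{fc}") for fc in rec["functions"])
        print(server, "units", sorted(rec["units"]), "functions", names,
              "malformed", rec["malformed"])
    print("unexpected writers:", unexpected_writers(inv, {"10.20.1.50"}))
```

The allow-list passed to unexpected_writers is the point of the exercise: the inventory itself is neutral, but a write-capable client that is not a known engineering station is exactly the dual-homed or vendor-access path the rest of the page is about, and it was found without sending a single packet to a controller.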
How does IEC 62443 actually shape the engagement?
IEC 62443-3-3 defines seven Foundation Requirements (FR1 Identification & Authentication Control, FR2 Use Control, FR3 System Integrity, FR4 Data Confidentiality, FR5 Restricted Data Flow, FR6 Timely Response to Events, FR7 Resource Availability) and four Security Levels (SL1–SL4) per zone and conduit. The engagement starts with a zone and conduit diagram against the Purdue model, picks the target SL for each zone (typically SL2 for plant control LANs, SL3 for safety-critical conduits), and tests each FR against the achieved level. Findings are written per FR, per zone, per SL gap. The deliverable supports an IEC 62443-2-4 service-provider conformance review and the asset-owner's IEC 62443-2-1 IACS security programme.
What about NIS2 in EU plants and the SEC cyber-disclosure rule for listed manufacturers?
NIS2 (Directive (EU) 2022/2555) brings most large EU manufacturers into scope as "essential" or "important" entities with state-supervised cybersecurity risk-management obligations, 24-hour early warning and 72-hour incident notification timelines, and management-board accountability. The SEC's 2023 cybersecurity disclosure rule (Item 1.05 of Form 8-K, Item 106 of Reg S-K) forces US-listed manufacturers to disclose material incidents within four business days and to describe their cyber risk-management process annually. The AxVeil report ships with the NIS2 incident-classification mapping and the SEC 8-K materiality checklist as separate appendices so the CISO does not have to re-derive them under pressure.
Why MITRE ATT&CK for ICS instead of the enterprise matrix?
Because the actual incidents on the public record — TRITON / TRISIS against Schneider Triconex safety controllers, Industroyer / Industroyer2 against grid substations, the 2021 Oldsmar water-treatment intrusion, Pipedream / Incontroller toolkits — used techniques that the enterprise ATT&CK matrix does not describe. ATT&CK for ICS adds tactics like Inhibit Response Function, Impair Process Control and Damage to Property, with techniques such as Modify Parameter (T0836), Spoof Reporting Message (T0856), Loss of Safety (T0880), and Manipulation of Control (T0831). Adversary simulation against an OT estate exercises those ICS-specific techniques against the achieved IEC 62443 SL of the relevant zone.
We have a flat IT/OT network. Where do we start?
A flat network is the single most common finding in the first AxVeil manufacturing engagement and the highest-impact remediation by a wide margin. The starting point is an asset inventory, a Purdue-model overlay, and a segmentation roadmap that introduces an Industrial DMZ between Level 3 (operations) and Level 4 (enterprise IT). Quick wins: jump-host enforcement, removal of dual-homed engineering workstations, vendor-remote-access brokering through a single bastion, and unidirectional gateways for historian data egress. The engagement deliverable includes a phased segmentation plan ordered by exploitability and outage risk, not a wish list.
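The two quick wins named above, removing dual-homed engineering workstations and brokering Level 3/4 traffic through an Industrial DMZ, reduce to two mechanical checks once an asset inventory and a flow table exist. The following is an added example, not AxVeil's tooling or anything from the page: the Purdue zone subnets, hostnames and flows are constructed for illustration, standing in for the addressing plan and NetFlow or firewall export a real engagement would use. It flags hosts with interfaces in more than one zone and flows that cross between Level 4 and Level 3 or below without terminating in the IDMZ, then orders those flows by how deep into the plant they reach so the segmentation backlog starts with the paths that touch supervisory and control levels.

```python
"""Flat IT/OT checks over an asset inventory and a flow table.

Added example, not AxVeil's tooling and not from the page. The Purdue zone
subnets, hosts and flows are constructed for illustration; in practice the
zone map comes from the plant's addressing plan and the flows from a
NetFlow or firewall export.
"""
import ipaddress
from typing import Optional

# Constructed zone map: Purdue level -> subnets (hypothetical addressing).
ZONES = {
    "L4 enterprise": ["10.1.0.0/16"],
    "L3.5 IDMZ": ["10.20.0.0/24"],
    "L3 operations": ["10.20.1.0/24"],
    "L2 supervisory": ["10.20.2.0/24"],
    "L1 control": ["10.20.3.0/24"],
}
LEVEL_RANK = {"L1 control": 1, "L2 supervisory": 2, "L3 operations": 3,
              "L3.5 IDMZ": 3.5, "L4 enterprise": 4}


def zone_of(ip: str) -> Optional[str]:
    """Purdue zone for an address, or None if it is outside the plant map."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return zone
    return None


def dual_homed(hosts: dict) -> dict:
    """Hosts whose interfaces land in more than one zone: the AD-to-plant
    bridge the page describes. Returns {hostname: [zones]}."""
    out = {}
    for name, ips in hosts.items():
        zones = {zone_of(ip) for ip in ips} - {None}
        if len(zones) > 1:
            out[name] = sorted(zones)
    return out


def unbrokered_flows(flows) -> list:
    """Flows crossing between L4 and L3-or-below that do not terminate in the
    IDMZ. Each flow is (src_ip, dst_ip, dst_port); these are the conduits a
    jump host, broker or unidirectional gateway should carry instead."""
    findings = []
    for src, dst, port in flows:
        zs, zd = zone_of(src), zone_of(dst)
        if zs is None or zd is None:
            continue
        rs, rd = LEVEL_RANK[zs], LEVEL_RANK[zd]
        if (rs >= 4 and rd <= 3) or (rs <= 3 and rd >= 4):
            findings.append((src, zs, dst, zd, port))
    return findings


def remediation_order(flows) -> list:
    """Findings ordered by the lowest Purdue level they reach, so paths into
    L2/L1 come before L4-to-L3 paths in the segmentation backlog."""
    def deepest(f):
        return min(LEVEL_RANK[f[1]], LEVEL_RANK[f[3]])
    return sorted(unbrokered_flows(flows), key=lambda f: (deepest(f), f[4]))


# Constructed inventory and flow sample.
HOSTS = {
    "ENG-WS-07": ["10.1.44.12", "10.20.2.45"],   # AD-joined NIC plus plant-LAN NIC
    "HMI-01": ["10.20.2.10"],
    "HIST-01": ["10.20.1.20"],
    "HIST-MIRROR": ["10.20.0.5"],
    "CORP-FS-03": ["10.1.8.3"],
}
FLOWS = [
    ("10.1.44.12", "10.20.1.20", 445),    # L4 -> L3 SMB, bypasses the IDMZ
    ("10.20.1.20", "10.20.0.5", 1433),    # L3 -> IDMZ historian mirror, fine
    ("10.1.8.3", "10.20.0.5", 443),       # L4 -> IDMZ, fine
    ("10.1.44.12", "10.20.2.10", 3389),   # L4 -> L2 RDP to the HMI, bypasses the IDMZ
    ("10.20.2.10", "10.20.3.7", 502),     # L2 -> L1 inside the cell
]

if __name__ == "__main__":
    print("dual-homed:", dual_homed(HOSTS))
    for f in remediation_order(FLOWS):
        print("unbrokered:", f)
```

Run as-is it reports ENG-WS-07 as dual-homed across L2 and L4 and lists the two flows that skip the IDMZ, with the RDP path to the HMI first because it reaches Level 2. The ordering key is deliberately exploitability-and-depth first rather than port number, which is the "ordered by exploitability and outage risk, not a wish list" point in the answer above.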
Scope a manufacturing engagement
Send the plant count, the Purdue-level zones in scope, the OEM stack (Siemens / Rockwell / Schneider / Yokogawa / Honeywell / ABB), the target IEC 62443 SL and the next regulator milestone (NIS2, SEC, CISA CPG). We respond with a fixed-fee proposal and a redacted reference under NDA.
Request a scoping call →