The Case for Safer, Smarter ICS Penetration Testing

Critical infrastructure is increasingly under attack from a variety of threat groups ranging from nation states to criminal opportunists.

Authored by Tyler Webb

What Happens When a PenTester Walks Into a Power Plant?

About a decade ago, I started working for an electric power utility in the Pacific Northwest of the United States. I had many years of experience as an offensive security professional, and I was excited about the opportunity to help build an internal PenTest and red team program for the company that kept the lights and heat on at my Seattle home.  

I knew I was doing impactful work, but it still took nearly two years for the proverbial lightbulb moment when I realized I needed to shift focus away from enterprise business systems and toward the critical infrastructure functions that comprised the company’s core mission and powered local communities and the economy. Even after realizing that our power generation, transmission, and distribution systems should be the primary focus of the offensive security program, I still made the mistake of applying traditional IT penetration testing techniques and attitudes to systems that required a unique ICS-focused approach.  

I was doing IT PenTests in an OT environment.  

I knew this wasn't the right approach, but at the time, I couldn't find any resources to guide or redirect me. I distinctly recall attending a Consequence-driven Cyber-informed Engineering (CCE) workshop at Idaho National Lab (INL), and when I asked the instructor where I could go to learn more about the offensive techniques we were discussing, I was told there were only a few people in the world with that knowledge and that it was too advanced to share. That frustrated me, but it also fired my dedication to figuring it out on my own.  

Now, a decade later, with many PenTests and security assessments in industrial environments behind me, I am absolutely convinced that there is a right way to apply offensive security assessment techniques in industrial environments. If done with respect and awareness of the uniqueness and sensitivity of ICS systems, it can be done safely and effectively.

To be honest, I didn't end up figuring all of this out on my own. I've had mentors, colleagues, leaders, and peers who guided my growth and taught me the lessons I now get to share. ICS security is a community, and the ICS613 course demonstrates this well – the class combines the perspectives and lessons from three authors who all have unique but complementary ICS offensive security backgrounds. We each bring different perspectives to the classroom, but at the end of the day, all three of us share the same core conviction: offensive security assessments can and should be done in ICS environments; they can be done safely and effectively; and it's important to equip the ICS security community with the skills and experience to do so.

Why The Industry Needs ICS613 Now

The Threat Landscape Has Fundamentally Shifted

Regulatory Pressure is Mounting

Governments and regulatory bodies are catching on, and regulatory and compliance pressures are mounting. Regulations such as NERC-CIP, the TSA Pipeline Security Directive, and emerging international standards now mandate regular vulnerability assessments of critical systems.

Asset owners need assessors who understand the unique challenges of cyber-physical systems where a single mistake could trigger safety systems or disrupt essential services.

The Skills Gap is Real

Most penetration testers excel in traditional IT environments but lack the specialized knowledge to safely and effectively assess industrial control systems. 

How can an asset owner evaluate the skills and abilities of the penetration tester or assessor they hire to test their critical systems? How can they be confident that the testing will be conducted safely, or that the outcomes will be accurate, actionable, and tailored to enhancing operational resilience?

How do they know they're getting an ICS PenTest, not just an IT PenTest in an OT environment?  

The ICS613 course bridges this gap with a methodology specifically designed for operational technology environments.

What Makes ICS613 Different

This course introduces four key differentiators that make it uniquely valuable compared to other offensive security training:

  1. Safety-first ICS-focused assessment priorities
  2. Living-off-the-Land techniques
  3. Top-Down/Bottom-Up assessment methodology
  4. Hands-on labs in a realistic ICS range

Safety-First Assessment Priorities

Students learn to plan and execute safe, effective, and valuable penetration tests and security assessments using both passive and active techniques. The methods prioritize safety, efficiency, and ICS relevance, ensuring that engagement outcomes are laser-focused on the asset owner's organizational and operational security objectives.

Living-off-the-Land Techniques

Students learn how to use existing system utilities, vendor tools, and built-in functionality to achieve assessment goals. LOTL techniques are emphasized for two reasons.

  1. Traditional penetration testing tools may introduce unacceptable risk into a critical infrastructure environment or may be blocked by existing security controls
  2. Real-world ICS adversaries are increasingly relying on LOTL techniques to achieve their campaign objectives.

This focus ensures that assessments are not only safer and more effective but also realistic and representative of the types of threats asset owners face in the wild.

Top-Down/Bottom-Up Assessment Methodology

This revolutionary methodology is tailored to ICS environments and goes beyond traditional security assessments. It’s mapped to the ICS Cyber Kill Chain, ensuring an adversary- and process-centric approach.

The Top-Down methodology focuses on how adversaries could gain access to the key ICS systems and information necessary to execute an ICS-specific attack.

The Bottom-Up methodology equips students with a passive analysis framework to develop realistic ICS attack scenarios and identify effective mitigations to support operational resilience.

Hands-On Labs with Real Industrial Hardware and Systems

The course provides students with hands-on labs using actual programmable logic controllers (PLCs) and a fully functional ABB 800xA Distributed Control System (DCS) emulating a liquefied natural gas (LNG) processing plant. Students get practical experience applying techniques in a safe, controlled lab environment. The labs cover:

  • Scoping and engagement preparation
  • Benchtop industrial device testing
  • Passive host, network, and domain vulnerability assessments
  • Network protocol manipulation
  • Privilege escalation, lateral movement, and pivoting across security boundaries
  • Industrial process enumeration
  • ICS attack scenario development and demonstration
  • Accurate and actionable reporting with prioritized mitigations

The ICS613 Roadmap: What You Will Learn

This course begins with key concepts, assessment types, and industry frameworks. It introduces passive and active ICS vulnerability assessment techniques and guides students through a complete Top-Down/Bottom-Up engagement targeting a simulated LNG facility.

Section 1: ICS Assessment Types and Concepts

Exercises

  • Build and program the PLC student kit
  • Leverage industry frameworks and threat intel
  • Identify and exploit operator workstation services
  • Develop custom scripts for process discovery and manipulation
  • Validate tools and techniques before using them in production environments

Topics

  • Identify and define assessment goals and outcomes
  • Choose assessment approaches aligned with industry directives, standards, and guidelines
  • Apply frameworks and threat intelligence to security assessments
  • Understand concepts, terminology, and resources related to ICS penetration testing and security assessments
  • Analyze consequences and impacts to physical equipment and its operations from assessments and threat group activities

Section 2: ICS Assessment Engagements

Exercises

  • Collect and analyze documentation to define engagement scope and objectives
  • Use common tools and custom scripts to analyze communications and generate targets
  • Identify unknown industrial protocols to develop enumeration capabilities
  • Automate system security posture assessments using existing OS tools
  • Perform adversary-in-the-middle attacks and manipulate device communication to demonstrate a loss-of-control scenario

Topics

  • Outline a phased assessment methodology that includes planning, scoping, targeting, and passive and active analysis
  • Coordinate with engineering, operations, administrators, and cybersecurity teams
  • Understand the importance of documentation, communication, and daily status reports
  • Align assessment activities with the SANS Five ICS Cybersecurity Critical Controls
  • Master network capture, analysis, replay, and spoofing techniques

Section 4: Top-Down Active Methodology

Exercises

  • Exploit Active Directory Certificate Services to escalate privileges in an enterprise domain
  • Abuse credential reuse across IT/OT boundaries to pivot into the operational technology (OT) DMZ
  • Transfer tools to compromised systems and exfiltrate data using living-off-the-land binaries
  • Use existing system utilities to hijack operator sessions and gain access to critical control network assets
  • Assess command and control (C2) capabilities in ICS environments
  • Bypass endpoint hardening controls and escape restricted operator environments
  • Enumerate control networks using built-in functionality and vendor tools

Topics

  • Align engagement scoping and reconnaissance with the ICS Cyber Kill Chain
  • Understand how Crown Jewel Analysis (CJA) aligns with targeting activities in the ICS Cyber Kill Chain
  • Understand why OT penetration tests should follow an assumed-breach scenario
  • Understand process enumeration techniques essential for realistic ICS attack scenario development
  • Identify key targets and tactics, techniques, and procedures (TTPs) for process enumeration, regardless of industry sector

Section 5: Bottom-Up Passive Methodology

Exercises

  • Use vendor tools to enumerate DCS systems
  • Deploy and configure shadow human machine interfaces (HMIs) to enumerate industrial process information
  • Identify and develop realistic ICS attack scenarios against DCS targets with expected physical consequences
  • Demonstrate an ICS attack on a safety system in a controlled lab environment

Topics

  • Collaborate with asset owners to identify realistic ICS attack scenarios
  • Focus on the Attack Delivery and Attack Execution stages most relevant to the asset owner's defense readiness in order to identify the most effective mitigations
  • Identify the most relevant targets and TTPs for effective attack scenario development in ICS penetration tests
  • Structure accurate, actionable penetration test reports
  • Provide appropriate context to findings
  • Identify different mitigation options balanced across cost, effectiveness, and time

Day 5: Capstone and Reporting

Exercises

  • Apply skills learned throughout the course
  • Assess operational weaknesses and vulnerabilities
  • Identify and prioritize recommendations

Topics

  • Conduct an ICS assessment in a real-world scenario
  • Understand the impact associated with vulnerabilities and weaknesses identified in the DCS environment
  • Evaluate and prioritize security recommendations to enhance ICS defenses

What Students Are Saying

We've been lucky enough to teach this course during two Alpha runs, each with a talented cohort representing the full spectrum of the ICS security community, including defenders, asset owners, and vendors. Their feedback has helped us refine the course, and we're incredibly grateful for their participation and insight.

Feedback has been overwhelmingly positive, but one review stood out:

"ICS613 provides realistic, practical OT assessment and PenTesting scenarios that can be safely applied in sensitive industrial environments. The emphasis on low-risk, real-world engagements—conducted in close partnership with OT stakeholders—reflects the caution and collaboration that is absolutely essential when working with cyber-physical systems. The course is industry-agnostic, making it broadly applicable across diverse OT sectors. The OT/ICS community had a clear need for this kind of training, and SANS delivered."

Conclusion

If you've taken the ICS515 course, you'll remember the core lesson: "defense is doable." And so is offense.

Critical infrastructure deserves a dedicated offensive security methodology and mindset. The industry and the communities that rely on it deserve true ICS assessments, not repurposed IT PenTests in OT environments.

The ICS613 course drives home the point that offensive security assessments in ICS environments can be done safely and effectively.

After attending, you will leave with the skills and knowledge to execute meaningful, safe, effective, and valuable offensive security assessments in any industrial environment you’re tasked with protecting.

We look forward to seeing you in class!