Redbot Security has extensive experience in performing penetration assessments on industrial control and critical infrastructure systems. Our expertise and hands on project experience allow us to identify OT vulnerabilities and provide effective solutions to bolster a company’s security. This article discusses many of the common vulnerabilities found within these systems along with exploring access control.
Addressing these concerns can do a lot to improve the security posture of ICS and critical infrastructure, but it is just the beginning. Security Engineers in the ICS/SCADA field should already be aware of the above top five. Proactive Remediation , along with ongoing diligence and adaptation is key. Firstly, we should never consider an environment to be fully remediated, mitigating these top 5 issues is a constant process that needs consistent effort and awareness to stay ahead of the curve. Once proper mechanisms are in place it is imperative to keep in the fight by expanding that list of risks to mitigate, along with scheduled annual, biannual, or quarterly security testing.
In the multitude of ICS penetration tests, conducted by Redbot Security, we often find an issue that has the potential to be overlooked, but if left alone can introduce a critical level of risk. The weakness is so prolific that if you asked your OT or even some IT folks about it, they could describe it to you without even realizing the huge security risk it comes with. This flaw is simply lack of access control on guides, instructions, and training materials.
ICS networks can often be very complex. There are lots of moving parts with many different applications, protocols, and more, many of which are incredibly old and no longer have any sort of support beyond an owner’s manual from what can sometimes be as old as the 1980s. For this reason, many individuals who work in the field use guides and instructional material for themselves and their peers and to assist in training new personnel. These instructional materials play a crucial role in stewarding the profession and curating the knowledge and skills necessary for supporting operations. However well-meaning team members often do not account for the enormous level of risk that can be introduced through these documents. Often these use guides include information such as passwords, networking information, remote access details, and much more. In the hands of a malicious actor, these could incur devastating damage to an organization, including a halt in operations, physical damage, compromise of the domain administrator, deployed ransomware, and more.
On various ICS/SCADA tests it is not uncommon to discover internal websites which do not require authentication. The information found typically will include sensitive information; passwords for applications, credentials for an account with local admin privileges on most machines in the network, details for accounts with RDP access into certain environments, and much more. And many times, this disclosure of sensitive information is completely unknown to the security team managing the environment. Malicious Actors can leverage these materials to perform an attack chain which potentially will lead to eventual compromise of the domain administrator account.
Operations teams may sometimes take the initiative and develop these training materials without first informing the security team. It is likely that in their minds creating use guides is necessary to facilitate operations, and they are entirely correct in thinking so, but they may lack the perspective and awareness of how the information can be used by malicious actors.
So, what are some ways to ensure materials like this are not just floating around in your network without any form of access control? How can your security team find and mitigate any potential instances of this potentially critical security issue?
The first and most expedient method is to simply ask your operations(and possibly your IT) team “How do you store and disseminate information on how to maintain, connect to and administer your devices and applications?.” Chances are this will start a productive conversation that will result in your security team having a greater awareness of whether or not this information is handled in a secure manner.
Scan your IT environment for web (HTTP and HTTPS) ports using a tool like nmap. Some common web ports include 80, 443, 8080, 8443, 4443, and 8081. An example of an nmap scan could look like this:
nmap -iL <file-with-IP-Ranges> -p 80,443,8080,8443,4443,8081 --open -oA output-file
The tool should identify open web ports in your network. After the command has completed, the next step is to use a tool like eyewitness to capture a screenshot of the home page of each open web port. We can take the XML output of the nmap scan and use it as input for eyewitness with the command:
eyewitness -x output-file.xml
Eyewitness will then go through all the ports discovered by nmap, screenshot them and generate a report that can be scrolled through. You and your team can evaluate each of the screenshots and even navigate to the page using the links beside the image. This way you can have a clear picture of what is hosted on web pages within your network. It is likely you will find an internally hosted website with instructional information on it. Additionally, you may find other sensitive information hosted on various web pages including passwords, network information, employee phone directories and more.
Redbot Security has identified numerous instances of instructional and other sensitive information being hosted in this way.
Another check that can be done is to verify permissions on Server Message Block (SMB) file shares throughout the network. A quick way to check this would be to use a tool like netexec. You can enumerate file shares throughout the network and check the permissions on them. Ensure permissions are granted only to authenticated users. A quick way to do this is to enumerate shares using null authentication.
netexec smb <File-With-IP-Ranges> -u ‘ ‘ -p ‘ ‘ –shares
The result of the command should tell you a list of machines which permit null authentication and whether a null account has read/write permissions on the file share. Look for potentially sensitive file shares, particularly those which pertain to operational instructions and training.
Sometimes checking for the top five security flaws or performing vulnerability scans can miss the grave nature of a lack of proper access controls to sensitive materials such as instructions and use guides. It is critically important that security teams have strong situational awareness of exactly what is hosted on their networks. Only by maintaining communication with operations teams, and regularly checking what is hosted in the environment can a security team ensure that there are not sensitive materials exposed for potential malicious actors to capitalize on.
Conner is part of Redbot Security's OT testing team and is a U.S. Army Veteran supporting the Department of Defense and Intelligence Community. Conner has served as a Cyber Operations Specialist with the work roles of Special Activities Team (SAT) Technician, Expeditionary Cyber Operator (ECO), Information Operations Operator, and Pilot Operator.
Book a discovery call or request a rapid quote for services, tailored to your priorities and budget.
From manual testing of IT Networks and Web / Mobile Applications to advanced Red Team operations, Cloud Security, and OT-network assessments, Redbot Security delivers laser-focused, senior-level expertise, without breaking the bank.
2025 marked a turning point in cybersecurity. From massive credential leaks to supply chain compromise and healthcare breaches, this year revealed how attackers exploit trust, identity, and operational blind spots at scale.
Physical security failures were a major factor in 2025 healthcare breaches. With HIPAA’s proposed 2026 updates making physical safeguards mandatory, organizations must strengthen facility controls, workstation protections, and device security. Redbot Security’s physical penetration testing helps identify real-world risks and prepare for upcoming regulatory requirements.
The OWASP Top 10 is no longer enough to defend modern applications. In 2026, attackers are exploiting API logic flaws, cloud misconfigurations, serverless components, and real-world multi-step attack chains that scanners can’t identify. This article breaks down the real threats facing web apps today—and why manual testing is essential.
Broken Object Level Authorization is the most exploited API vulnerability and a primary cause of modern breaches. This article explains how BOLA works, why APIs are exposed and how manual testing uncovers hidden authorization flaws that automated tools fail to detect.
Manual penetration testing remains one of the most effective ways to strengthen your security posture. Learn why human-led testing uncovers real attack paths, contextual risks, and actionable remediation that automated scanners miss.
America’s critical infrastructure faces rising cyber threats while legacy OT systems and shrinking federal support leave operators exposed. This article explores how Redbot Security uses Purdue and NIST methodologies to deliver safe, manual, and holistic OT network testing that protects ICS environments from real-world disruption.
SOC 2 compliance is now essential for building trust with clients. This step-by-step guide explains the process and how consulting services accelerate success.
Dynamic Application Security Testing (DAST) goes beyond tools. Discover how Redbot Security combines automated scanning with expert penetration testing for proven results.
Zero Trust requires strict verification of people as well as technology. Allowing foreign or crowdsourced hackers into your environment opens the door to sanctions violations, insider threats, and export-control breaches. Learn why U.S. companies should restrict penetration testing to vetted U.S.-based experts.
Redbot Social