ICS/SCADA Security in 2025: Testing OT Layers Safely and the Harsh Reality of U.S. Critical Infrastructure


Overview of ICS and OT Security Challenges

Operational Technology (OT), the industrial control systems (ICS) that power water treatment facilities, energy grids, pipelines, and manufacturing plants, has become one of the most critical, yet most vulnerable, domains of cybersecurity. Unlike IT systems, where patches and updates are a regular cycle, OT networks were designed decades ago to prioritize safety and uptime over cybersecurity. As NIST’s Guide to OT Security (SP 800-82 Rev. 3) explains, the unique performance and safety requirements of these systems often prevent straightforward application of traditional IT defenses. At the same time, attackers, from ransomware groups to state-sponsored operators, have increasingly shifted their focus toward these environments, exposing the huge gaps in how the U.S. safeguards its critical infrastructure.

Rising Cyber Threats Against U.S. Critical Infrastructure

The risk landscape is worsening. Dragos’ 2025 OT Year in Review reports nearly 1,700 ransomware attacks against industrial organizations in 2024 alone, marking an 87% increase over the prior year. The water sector has been particularly hard-hit: the EPA’s Office of Inspector General recently warned that more than 70% of U.S. water systems were out of compliance with cybersecurity requirements, even as real-world cyberattacks forced utilities to disconnect systems, pause billing, and revert to manual operations. These incidents echo the wake-up calls of earlier breaches: the Colonial Pipeline ransomware shutdown in 2021 that disrupted fuel delivery across the East Coast, or the Oldsmar, Florida water facility intrusion, where an attacker tried to manipulate sodium hydroxide levels via remote access. Federal agencies continue to list critical infrastructure cybersecurity as a “high-risk” area, with hundreds of open recommendations still pending implementation.

The Importance of Layered ICS Security Testing

To build resilience, asset owners and plant operators must move beyond compliance checklists and embrace a layered approach to testing their OT environments. The Purdue Model provides a useful framework for understanding these environments, breaking OT and IT systems into distinct zones that can be secured individually.

  • Level 0: Process Zone. Physical devices interacting with the real world, such as sensors and actuators.

  • Level 1: Control Zone. Devices like Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs) that send commands to Level 0 devices.

  • Level 2: Supervisory Zone. Systems such as Supervisory Control and Data Acquisition (SCADA) and Human-Machine Interfaces (HMIs) that monitor and control the process.

  • Level 3: Operations Zone. The central data hub for orchestration and management, where patch servers, jump boxes, and control systems converge.

  • Levels 4 and 5: Enterprise Zone. Traditional IT networks, including ERP systems and user computers, which connect to the OT environment.

Each level requires its own tailored testing methodology. At the enterprise and site level, testing should focus on how IT compromises can become bridges into OT. Active Directory misconfigurations, exposed vendor VPNs, and flat networks often provide attackers with lateral movement paths. By validating segmentation between IT and the OT DMZ, testing ensures that a ransomware campaign like the one that struck Colonial Pipeline cannot cascade into the industrial process.

Securing the Operations Layer and Industrial DMZ in OT Networks

The operations layer (Level 3 and the industrial DMZ) is where patch servers, jump boxes, and remote access brokers reside. Testing here should emphasize architecture reviews, firewall audits, and validation of one-way data flows through diodes or proxies. Remote access phishing simulations, carefully scoped to legitimate OT users, can reveal whether multi-factor authentication is resistant to modern phishing kits, a control explicitly called out in CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).

SCADA Cybersecurity Risks and Supervisory System Testing

At Level 2, where HMIs and SCADA servers live, non-intrusive techniques such as passive protocol analysis or hardening reviews of engineering workstations should be prioritized. This is also where vendor coordination becomes essential: intrusive fuzzing of proprietary protocols on live lines can jeopardize safety, so testing must be confined to lab environments, offline twins, or scheduled outages. For controllers at Level 1, security reviews should examine firmware provenance, signed updates, and governance of logic changes. While the headlines often spotlight zero-day vulnerabilities, many real-world attacks succeed through weak access control and poor change management practices.

OT Security at the Physical Process Layer

Finally, at the physical layer, security becomes inseparable from safety. Penetration testing here does not mean turning pumps or valves on and off, but rather validating that instrumentation, failsafes, and manual overrides are functioning as intended. Tabletop exercises simulating unsafe setpoints can prepare operators to recognize and respond before an attacker forces a real-world incident.

Safe Penetration Testing Methodologies for ICS/SCADA

Across all layers, the testing methodology must remain careful and deliberate. Asset inventories and passive discovery should always come first, building a map of devices, firmware, and protocol flows before any active probing. Vulnerability management must consider exposure, not just CVSS scores, while continuously monitoring CISA ICS advisories and vendor bulletins. And resilience is incomplete without testing incident response. Tabletop or purple-team drills that simulate ransomware spreading from IT into OT, or malicious attempts to alter chemical setpoints, can help defenders rehearse the exact detection, isolation, and recovery steps needed when minutes matter.
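One way to put "passive discovery first" and the IT-to-OT segmentation check from the enterprise-level section into practice, as an added example that is not Redbot Security's tooling or code from the original article: flow records a passive collector would produce (constructed inline here) are mapped to Purdue zones and checked against an allowed-conduit policy. The subnet-to-zone addressing plan, the conduit set and the sample flows are assumptions for illustration.

```python
"""Passive review of captured OT flow records against a Purdue-model conduit policy.

No packets are sent: the input is a list of flow summaries such as a span-port
capture parser or NetFlow exporter would yield. Here they are constructed inline.
"""
import ipaddress
from typing import NamedTuple

# Assumed (hypothetical) site addressing plan: one subnet per Purdue level.
ZONES = {
    "L1_control": ipaddress.ip_network("10.1.0.0/24"),
    "L2_supervisory": ipaddress.ip_network("10.2.0.0/24"),
    "L3_operations": ipaddress.ip_network("10.3.0.0/24"),
    "DMZ": ipaddress.ip_network("10.9.0.0/24"),
    "L4_enterprise": ipaddress.ip_network("192.168.0.0/16"),
}
# Conduits the reference architecture permits (adjacent levels only, IT reaches
# OT solely via the DMZ). Any other cross-zone flow is a finding.
ALLOWED = {
    frozenset({"L4_enterprise", "DMZ"}),
    frozenset({"DMZ", "L3_operations"}),
    frozenset({"L3_operations", "L2_supervisory"}),
    frozenset({"L2_supervisory", "L1_control"}),
}
# Well-known ICS protocol ports, used only to label what was passively observed.
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 102: "S7comm", 44818: "EtherNet/IP"}

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def review_flows(flows):
    """Return (inventory, findings): devices mapped to the ICS protocols seen on
    them, and flows that cross a conduit the Purdue policy does not allow."""
    inventory, findings = {}, []
    for f in flows:
        proto = ICS_PORTS.get(f.dport)
        if proto:
            inventory.setdefault(f.dst, set()).add(proto)
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if sz != dz and frozenset({sz, dz}) not in ALLOWED:
            findings.append(f"{f.src} ({sz}) -> {f.dst}:{f.dport} ({dz}) {proto or 'non-ICS'}")
    return inventory, findings

# Constructed sample flows (not a real capture).
SAMPLE = [
    Flow("10.2.0.10", "10.1.0.5", 502),     # HMI -> PLC over Modbus: expected
    Flow("10.3.0.20", "10.2.0.10", 3389),   # jump box -> HMI via RDP: allowed conduit
    Flow("192.168.5.7", "10.1.0.5", 502),   # enterprise host -> PLC: segmentation gap
    Flow("192.168.5.7", "10.9.0.3", 443),   # enterprise -> DMZ access broker: expected
]
```

Run over a real export, the findings list is the evidence for the firewall audit, and the inventory is the starting asset map the section says must precede any active probing.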

The State of U.S. Critical Infrastructure Cybersecurity Readiness

The reality is sobering: U.S. critical infrastructure is not in a strong position. Reports from the GAO, EPA, and Dragos all converge on the same theme: resources are stretched thin, compliance is uneven, and adversaries are accelerating. But the path forward is clear. Asset owners who build live inventories, harden remote access, track vulnerabilities, and regularly conduct controlled OT security tests will move the needle from fragile to resilient. For water utilities, energy companies, manufacturers, and beyond, this work cannot wait.

Redbot Security’s Approach to ICS/SCADA Penetration Testing

At Redbot Security, we bring senior, U.S.-based engineers into the process with plant operators from day one, aligning every test with NIST SP 800-82, ISA/IEC 62443, and CISA’s CPGs. Our methodology is hands-on but safety-first: reviewing segmentation at the enterprise level, auditing DMZs, passively analyzing SCADA flows, validating controller security in labs, and ensuring physical safety interlocks are tested through tabletop scenarios rather than real-world disruption. With clear reporting tied to industry standards, we help organizations strengthen defenses against the threats already probing their networks.

Take the Next Step with Redbot Security

Safeguarding ICS and SCADA environments requires more than compliance checklists; it demands deep expertise, safe hands-on testing, and clear remediation guidance. At Redbot Security, our U.S.-based senior engineers specialize in OT penetration testing that respects safety while uncovering the real-world attack paths adversaries exploit. We align every engagement with NIST SP 800-82, ISA/IEC 62443, and CISA’s Cybersecurity Performance Goals to ensure results are both actionable and defensible. If your organization operates in energy, water, manufacturing, or other critical infrastructure sectors, now is the time to validate your defenses. Contact Redbot Security today to schedule a scoping call and take the first step toward building a resilient, future-ready OT security program.

Key takeaways for executives

References & further reading

  1. NIST SP 800-82 Rev. 3 (Guide to OT Security):
    https://csrc.nist.gov/publications/detail/sp/800-82/rev-3/final

  2. Dragos 2025 OT/ICS Year in Review:
    https://www.dragos.com/year-in-review/

  3. EPA Enforcement Alerts – Cybersecurity in Public Water Systems:
    https://www.epa.gov/enforcement

  4. EPA Office of Inspector General (OIG) – Cybersecurity Risks to Public Water Systems:
    https://www.epa.gov/office-inspector-general

  5. GAO High-Risk Series – Cybersecurity Challenges:
    https://www.gao.gov/highrisk/cybersecurity

  6. CRS Report – Colonial Pipeline: The DarkSide Strikes (2021):
    https://crsreports.congress.gov/product/pdf/IN/IN11667

  7. Wired – Oldsmar Florida Water Supply Hack:
    https://www.wired.com/story/oldsmar-florida-water-supply-hack/

  8. CISA Cross-Sector Cybersecurity Performance Goals (CPGs):
    https://www.cisa.gov/cross-sector-cybersecurity-performance-goals

  9. ISA/IEC 62443 Standards:
    https://www.isa.org/isa62443

  10. DOE – Purdue Model for Industrial Control Systems:
    https://www.energy.gov/ceser/activities/energy-security/operational-technology


Redbot Security, located in Denver Colorado, is a boutique penetration testing company offering full-service manual testing and vulnerability management.

© Copyright 2016-2025 Redbot Security