24/7 Emergency Response: 1-800-868-8189
INDUSTRIAL CONTROL SYSTEM SECURITY

SCADA and ICS Security Testing

Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICS) control the physical processes that keep critical infrastructure running. GDF's certified analysts assess SCADA environments, PLCs, HMIs, and control networks using non-disruptive methodologies designed for production environments.

OT/SCADA/IoT Security Assessment Framework: Purdue Model, SCADA/ICS assessment areas, and OWASP IoT Top 10

The SCADA Security Challenge

SCADA and ICS environments present security challenges that have no direct parallel in conventional IT security. Many of these systems were designed decades ago, when network isolation was considered adequate protection and availability was the overriding engineering priority. Today, as IT/OT convergence, remote monitoring requirements, and supply chain connectivity have eroded traditional air gaps, SCADA environments are exposed to cyber threats that their original architectures were never designed to resist.

The consequences of a successful attack on SCADA infrastructure extend far beyond data theft. Adversaries who gain access to control systems can manipulate physical processes: alter chemical dosing in water treatment facilities, trip circuit breakers in electrical substations, disable safety instrumented systems in industrial facilities, or modify PLC logic to cause equipment damage or personal injury. The incidents at Maroochy Water Services, the Bowman Avenue Dam, and the Oldsmar water treatment facility illustrate the real-world stakes. For critical infrastructure operators, SCADA security is not an IT compliance matter but an operational safety and national security concern. For broader IT infrastructure security, see our cybersecurity and penetration testing services.

SCADA environments also present technical constraints that require specialized assessment methodology. Standard vulnerability scanning tools can crash PLCs, cause HMI lockups, or trigger unintended process states in ways that would be catastrophic in a live production environment. The industrial protocols used in control networks, including Modbus, DNP3, IEC 61850, PROFINET, EtherNet/IP, BACnet, and OPC, require specialized knowledge to assess safely and accurately. GDF's SCADA analysts bring this combination of operational awareness and security expertise, conducting assessments that are thorough without disrupting the processes your operations depend on.

Regulatory frameworks applicable to SCADA environments add further complexity. Electric utilities subject to NERC CIP must demonstrate security controls across specific ICS asset categories. Water utilities operating under America's Water Infrastructure Act and EPA cybersecurity guidance face their own documentation requirements. Chemical facilities under CFATS, nuclear operators under NRC cybersecurity rules, and pipeline operators under TSA cybersecurity directives each face tailored compliance obligations. GDF's assessments are structured to produce findings that map directly to applicable regulatory frameworks, making compliance documentation a byproduct of the security work rather than a separate exercise.

GDF's SCADA Assessment Methodology

GDF's SCADA security assessments follow a phased methodology developed specifically for operational technology environments. The assessment is structured around three core principles: passive-first examination to protect production operations, protocol-aware analysis to correctly interpret ICS-specific traffic and configurations, and documentation rigor to support both technical remediation and regulatory or legal needs.

The assessment begins with a pre-engagement scoping and architecture review. GDF works with the client's operations technology team and information security staff to obtain network diagrams, asset inventories, configuration documentation, and any existing security policies. This review produces an accurate picture of the environment before any active testing begins, allowing the assessment team to plan their approach with full awareness of which systems require additional caution or specialized access controls.

The passive assessment phase uses network tap or SPAN port capture to collect and analyze ICS network traffic without generating any active probe traffic. GDF's analysts use specialized tools including Dragos Platform, Claroty, Nozomi Networks, and Wireshark to passively identify assets, enumerate communications, detect anomalous traffic patterns, and identify insecure protocol configurations. This phase alone frequently reveals significant findings: unencrypted engineering workstation connections to PLCs, unauthorized IT-to-OT traffic crossing segmentation boundaries, outdated firmware versions observable in protocol banners, and unusual external communications that warrant further analysis.

The active assessment phase, conducted only in coordination with operations staff and during agreed maintenance windows where applicable, covers:

  • Engineering workstation and HMI vulnerability assessment: operating system patch status, application vulnerability assessment, local account hardening, removable media controls, and remote access configuration
  • SCADA server assessment: historian servers, application servers, data acquisition servers, and communication gateways reviewed for vulnerabilities, configuration weaknesses, and authentication controls
  • IT/OT network boundary review: firewall rule analysis, DMZ architecture review, data diode validation, and jump server configuration assessment
  • Remote access assessment: vendor remote access accounts, VPN configurations, cellular modem security, and authentication requirements for remote monitoring connections
  • Physical security review: control room access controls, engineering workstation physical access, USB port restrictions, and portable device policies
  • Incident response readiness: logging and monitoring capabilities within the OT environment, backup and recovery procedures for control system configuration, and incident escalation procedures

GDF's findings are delivered in a detailed technical report covering each identified vulnerability with risk rating, affected asset, detailed description, and remediation guidance. A separate section maps findings to the applicable regulatory framework: NERC CIP controls, NIST SP 800-82 guidance, IEC 62443 zones and conduit requirements, or other applicable standards. This mapping enables operations and compliance teams to prioritize remediation in terms of both security impact and regulatory obligation.

SCADA security incidents increasingly produce legal and regulatory consequences for operators and their technology vendors. Following a control system incident, organizations face potential scrutiny from federal regulators including CISA, the EPA, the NRC, TSA, and FERC, as well as civil litigation from customers, shareholders, and affected parties. The quality of forensic documentation produced in the immediate aftermath of an incident directly affects an organization's ability to demonstrate reasonable security practices, limit liability, and satisfy regulatory reporting obligations.

GDF provides post-incident forensic analysis for SCADA environments, preserving evidence from historian servers, engineering workstations, network infrastructure, and PLC audit logs in a manner that maintains admissibility in both regulatory proceedings and civil litigation. For connected IoT devices in the same environment, our IoT security assessment team handles device-level forensics. Our analysts document the sequence of events, characterize the attack methodology, identify the initial access vector, and quantify the scope of unauthorized access to control system assets. These findings support insurance claims under cyber liability policies, regulatory submissions, and litigation where the security practices of the owner-operator or a technology vendor are at issue.

GDF also provides expert witness testimony in proceedings involving SCADA security. In vendor liability disputes, our analysts assess whether a control system vendor's product met the security standards represented in its marketing materials and contracts. In regulatory enforcement matters, GDF experts explain the significance of specific technical findings to administrative law judges and hearing panels. In civil litigation involving industrial incidents where cyber intrusion is alleged as a contributing cause, GDF's forensic analysis establishes the technical factual record that attorneys and courts rely on.

GDF has been engaged in SCADA security matters for organizations across the energy, utilities, water, chemical, manufacturing, and transportation sectors. Our analysts hold the security certifications required to work in classified and sensitive critical infrastructure environments. Engagements are available nationwide and internationally. Contact GDF at 1-800-868-8189 for a confidential consultation.

Last updated: April 14, 2026

Non-Disruptive Testing

GDF's SCADA assessments use passive-first methodology and coordinated active testing to deliver thorough findings without disrupting production operations or triggering unintended process events.

NERC CIP Alignment

For electric utilities, GDF structures assessment findings to map directly to NERC CIP reliability standards, supporting compliance documentation and regulatory audit preparation.

Post-Incident Analysis

Following a SCADA security incident, GDF's forensic analysts preserve and examine evidence from control systems with the rigor required for regulatory submissions and civil or criminal proceedings.

Vendor Liability Matters

GDF provides forensic assessment and expert witness support in disputes involving the security of control system products, integration services, and remote access arrangements.

Request a Consultation

All consultations are strictly confidential. GDF works with operations and security teams to design assessments that protect production systems throughout the engagement.

ICS Penetration Testing

Passive assessment and architecture review identify the majority of significant vulnerabilities in ICS/SCADA environments, but some findings require active testing to confirm exploitability and accurately characterize impact. GDF's ICS penetration testing engagements go beyond assessment to execute controlled exploitation in environments designed to protect production operations throughout the engagement. The result is a technically definitive finding set that eliminates uncertainty about whether identified vulnerabilities are genuinely exploitable, supporting prioritization decisions and providing the evidence base required for regulatory compliance documentation and legal proceedings.

ICS penetration testing requires a fundamentally different approach from IT network penetration testing. In an IT environment, the main risk of active exploitation is to data confidentiality and integrity, and a crashed host is an inconvenience that a reboot usually resolves. In an ICS environment, the concern is physical: incorrect commands sent to a PLC, unexpected traffic hitting a real-time controller, or disrupted communications between a safety instrumented system and its sensors can cause equipment damage, process shutdowns, or personnel injury. GDF's ICS penetration testing methodology is built around this constraint. Where active exploitation against production systems is not appropriate, GDF uses digital twin environments, isolated lab setups with hardware-in-the-loop configurations, and documented controlled exploitation windows that are planned in detail with operations staff before execution begins.

Digital Twin and Lab Environment Testing

For organizations where testing against production ICS components carries unacceptable risk, GDF can conduct penetration testing against a digital twin or physical lab replica of the target environment. GDF works with the client's engineering team to configure the test environment to accurately reflect the production system's network topology, protocol configuration, PLC logic, and HMI setup. Vulnerabilities identified and exploited in the test environment are documented with sufficient technical detail to confirm that the same exploitation path would succeed against the corresponding production system, without requiring any active probing of live operational assets.

Hardware-in-the-loop configurations use actual PLCs, RTUs, or HMI hardware in the test environment, providing a higher-fidelity test than purely simulated environments. When the client has spare hardware available, this approach allows GDF to execute protocol-specific exploitation techniques against real device firmware rather than software emulation, producing findings that accurately characterize the production device's actual vulnerability to the tested attack technique.

IT/OT Boundary Penetration Testing

The boundary between IT and OT networks is the most frequently exploited attack path in ICS security incidents. Attackers who establish access on the corporate IT network move laterally through inadequately segmented DMZ zones, vendor remote access channels, and engineering workstations that bridge both networks to reach the control network. GDF's IT/OT boundary penetration testing explicitly targets this attack path, testing whether an adversary with IT-side access can reach OT network assets and, if so, what access they can obtain once they arrive.

Boundary penetration testing covers firewall rule validation (testing whether rules documented in policy are actually enforced by the deployed firewall configuration), DMZ architecture testing (verifying that DMZ hosts cannot be used as pivot points to the OT network), jump server security testing (assessing whether administrative access to OT systems through jump servers is adequately controlled), and vendor remote access testing (examining the security of persistent or on-demand remote access channels established by equipment vendors). Findings from this phase frequently identify paths from corporate networks to safety-critical OT assets that the organization's security architecture was intended to prevent.
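The firewall rule validation step above is, at its core, a comparison between what the documented policy says should be able to cross the boundary and what a capture on the OT side shows actually crossing it. The following is an added example of that comparison, not GDF's tooling or any vendor's export format: the rule and flow records, the CIDR ranges, and the four sample observations are all constructed for illustration, and the policy is assumed to be evaluated first-match-wins with an implicit default deny.

```python
"""Check documented IT/OT boundary firewall rules against flows actually observed
completing across the boundary. Rules and flows below are constructed for this
example; the record format is an assumption, not any vendor's export format."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and self.proto in ("any", flow.proto)
                and self.dport in (None, flow.dport))


# Documented boundary policy (constructed). First match wins; anything that
# matches no rule falls to an implicit deny, as the DMZ design intends.
POLICY = [
    Rule("historian-replication", "allow", "10.30.0.0/24", "10.20.0.5/32", "tcp", 5450),
    Rule("jump-server-to-eng-ws", "allow", "10.30.0.10/32", "10.10.0.0/24", "tcp", 3389),
    Rule("vendor-vpn-to-hmi", "allow", "172.16.5.0/24", "10.10.0.30/32", "tcp", 443),
    Rule("block-it-to-ot", "deny", "10.0.0.0/8", "10.10.0.0/16", "any", None),
]


def first_match(flow: Flow, policy=POLICY) -> Optional[Rule]:
    return next((r for r in policy if r.matches(flow)), None)


def documented_decision(flow: Flow, policy=POLICY) -> str:
    rule = first_match(flow, policy)
    return rule.action if rule else "deny"


def validate(observed, policy=POLICY):
    """observed: flows whose TCP handshake (or UDP exchange) completed, taken from
    a capture on the OT side of the firewall. Returns (gaps, unexercised): flows
    the documented policy says cannot exist, each with the rule that should have
    denied them (None = implicit deny), and allow rules no observed flow used."""
    gaps = [(f, first_match(f, policy)) for f in observed
            if documented_decision(f, policy) == "deny"]
    exercised = set()
    for f in observed:
        r = first_match(f, policy)
        if r and r.action == "allow":
            exercised.add(r.name)
    unexercised = [r.name for r in policy
                   if r.action == "allow" and r.name not in exercised]
    return gaps, unexercised


# Constructed observations from the OT-side capture.
OBSERVED = [
    Flow("10.30.0.7", "10.20.0.5", "tcp", 5450),    # DMZ historian replication: documented
    Flow("10.30.0.10", "10.10.0.21", "tcp", 3389),  # jump server to engineering WS: documented
    Flow("10.30.0.10", "10.10.0.50", "tcp", 502),   # jump server straight to a PLC: undocumented
    Flow("10.50.1.44", "10.10.0.50", "tcp", 502),   # corporate desktop to a PLC: explicitly denied
]

if __name__ == "__main__":
    gaps, stale = validate(OBSERVED)
    for flow, rule in gaps:
        print(f"ENFORCEMENT GAP: {flow} should be denied by "
              f"{rule.name if rule else 'implicit deny'}")
    print("allow rules never exercised:", stale)
```

The two Modbus flows to the PLC are the finding that matters: both fall under the documented IT-to-OT block, yet they completed, so the deployed configuration differs from the policy on paper. The unexercised vendor rule is a secondary observation worth raising with the client, since a persistent allow that nothing uses is either stale or a channel the capture window did not see.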

Protocol-Specific Exploitation

Industrial control systems use specialized protocols that carry commands and data in formats designed for reliability and determinism rather than security. Modbus and the original DNP3 specification have no authentication or encryption at all: any host that can reach the controller can read and write its memory. OPC UA does define a security model (X.509 certificates, message signing and encryption, user authentication), but it is frequently deployed with a SecurityPolicy of None or with servers that accept any client certificate, which leaves it as exposed as the older protocols. All three were adopted on the assumption that network isolation provided adequate protection. As OT networks have become connected to corporate infrastructure and the internet, these protocol and configuration weaknesses have become exploitable by adversaries who can reach the control network.

GDF's protocol-specific exploitation testing uses purpose-built ICS security tools to conduct controlled exploitation of Modbus, DNP3, and OPC UA implementations. Modbus testing covers command injection (sending unauthorized read and write commands to coil and register addresses), addressing scheme reconnaissance (enumerating PLC memory maps to identify control-relevant registers), and replay attacks that capture and retransmit legitimate command sequences. DNP3 testing covers spoofed command injection, unsolicited response flooding, and exploitation of DNP3 Secure Authentication weaknesses where implemented. OPC UA testing covers certificate validation bypass, session hijacking attempts, and exploitation of access control misconfigurations in OPC UA server implementations.

GDF conducts protocol-specific exploitation testing only in lab or digital twin environments, or against isolated test instances of the target devices with explicit written approval from the client's operations and safety teams. Findings document the exact exploitation technique, the tool configuration used, the attacker's required network position, and the operational impact that successful exploitation would produce against production equipment.

Physical-to-Cyber Attack Path Testing

Physical access to ICS facilities creates attack paths that are not visible in network architecture diagrams. Engineering workstations left unlocked, USB ports without media controls, removable devices used to transfer files between air-gapped networks, and maintenance laptops that connect to both IT and OT networks are all examples of physical access vectors that have been used in documented ICS attacks. The Stuxnet attack depended on a USB-based initial access path to cross an air gap. Many industrial ransomware incidents have originated from service technician laptops brought into OT environments for maintenance.

GDF's physical-to-cyber attack path testing examines these vectors with the cooperation of facility security and operations staff. Testing covers USB port access controls on engineering workstations and HMIs (verifying whether device controls prevent execution of unauthorized code from removable media), physical access to network infrastructure (testing whether an adversary with brief physical access to a control room could attach a network device or extract credentials), and portable device policy enforcement (assessing whether service technician and contractor devices are screened before connecting to OT networks). Findings from this phase frequently identify physical attack paths that bypass the network-level security controls the organization has invested in.

ICS Red Team Exercises

ICS red team exercises simulate a targeted, multi-stage attack against an industrial facility, executed by a GDF team operating with attacker methodology and objectives. Unlike individual penetration tests that examine specific systems or techniques, red team exercises test the organization's detection and response capability against a realistic adversary operating across the full kill chain: initial access, persistence, lateral movement through IT infrastructure, IT/OT boundary crossing, and final-stage OT access or disruption.

GDF designs each ICS red team exercise around a specific threat actor model relevant to the client's sector and asset type. Electric utility red team exercises model nation-state actors with documented interest in electric grid disruption. Water utility exercises model criminal actors and ideologically motivated groups documented in public incident reports. Manufacturing exercises model industrial espionage actors seeking production process data alongside ransomware actors seeking to maximize disruption impact. This specificity produces exercise findings that are directly applicable to the client's actual threat environment rather than generic attack scenarios.

Red team exercise reporting documents the complete attack narrative, including the detection opportunities the exercise created and whether existing security monitoring identified them. This provides a direct measure of the organization's detection and response capability against the simulated threat actor, informing both security tool investment decisions and security operations center training priorities.

ICS Penetration Testing Coverage

  • Digital Twin Testing
  • Hardware-in-the-Loop
  • IT/OT Boundary Testing
  • Firewall Rule Validation
  • Vendor Access Testing
  • Modbus Exploitation
  • DNP3 Protocol Testing
  • OPC UA Security
  • Physical-to-Cyber Testing
  • USB Control Validation
  • ICS Red Team Exercises
  • Attacker Kill Chain Simulation

Critical Infrastructure Requires Expert Security Assessment

GDF's SCADA and ICS security analysts bring the operational awareness and forensic rigor that critical infrastructure environments demand. Contact us for a confidential consultation.