The Case for Specialized ICS Penetration Testing
The New York metropolitan area concentrates critical infrastructure at a density unmatched outside Washington, D.C. Port Newark and the Port of New York and New Jersey move cargo through automated terminal operating systems and marine terminal control networks. The MTA operates one of the largest transit systems in the world, with signaling and train control systems running on industrial communications protocols. New York City's water supply system delivers more than a billion gallons daily through treatment facilities whose chemical dosing and distribution pressure are managed by SCADA controllers. Consolidated Edison and PSEG Long Island serve millions of customers across a power grid whose protective relay systems communicate using industrial protocols designed decades before cybersecurity was a design consideration.
Standard IT penetration testing tools and methodologies are not just ineffective in these environments: they are actively dangerous. An Nmap scan that produces useful reconnaissance on a corporate network can overflow the packet buffers of a 20-year-old PLC, causing an uncontrolled process halt. A password-spraying attack against a SCADA historian can trigger lockout on the engineering workstation account that operators need to respond to an alarm condition. The operational technology environments controlling New York's infrastructure run on hardware designed for reliability and determinism, not for the adversarial traffic conditions that IT pen testing tools generate. Subjecting a live Modbus controller to IT scanning methodology does not identify vulnerabilities; it creates them.
New York organizations operating critical infrastructure face an accelerating regulatory environment that mandates penetration testing as a distinct requirement, not merely a best practice. NERC CIP-010 imposes annual cybersecurity assessment obligations on bulk electric system operators. TSA Security Directive Pipeline-2021-02F requires covered pipeline operators to assess 30 percent of Critical Infrastructure Protection elements annually and 100 percent within a rolling three-year cycle. NYDFS cybersecurity regulations apply to financial sector organizations whose facility management systems sit on building automation networks. The consequence is that ICS penetration testing has moved from a discretionary security investment to a compliance obligation with documented audit trails, and those audit trails require reports that withstand regulatory scrutiny. NYCF's ICS penetration testing practice is structured to deliver both the technical rigor and the forensic documentation quality that New York organizations and their counsel require.
How ICS Penetration Testing Differs from IT Penetration Testing
The most important distinction between ICS and IT penetration testing is not methodological: it is the consequence of failure. In conventional IT environments, an exploit that crashes an application means a service restart and a finding in the report. The same philosophy applied to a live PLC controlling water treatment chemical dosing, or to a protective relay in a power substation, produces physical consequences. A crashed PLC mid-cycle in a chemical treatment process can create a public health incident. A tripped relay at the wrong moment in a high-voltage substation affects grid stability across a region. This asymmetry of consequence defines every decision in ICS penetration testing, from scoping through to reporting.
The availability requirement in OT environments is effectively zero tolerance for production disruption. Critical infrastructure operators cannot accept the possibility of a security test causing an unplanned shutdown, even a brief one. This is categorically different from the IT penetration testing posture, where some service interruption during a controlled test window is an acceptable and often expected outcome. ICS penetration testing accordingly cannot use production systems as the primary test target for active exploitation. Every exploitation phase must occur in a safe environment designed for the purpose, whether that is a digital twin of the client environment, hardware-in-the-loop testing in NYCF's secure lab, or an isolated test network built from decommissioned equipment that matches the production configuration.
Protocol expertise requirements present another fundamental distinction. IT penetration testing requires proficiency in TCP/IP, HTTP, SQL injection, authentication protocols, and operating system exploitation. ICS penetration testing requires all of that, plus deep knowledge of Modbus TCP and RTU, DNP3, OPC UA and OPC-DA, EtherNet/IP and CIP, PROFINET, BACnet, IEC 61850 and GOOSE messaging, and the specific firmware behavior of the PLC, RTU, and HMI platforms running those protocols. Understanding that a Modbus server will accept any read or write command from any device on the network without authentication is not the same thing as knowing exactly which Modbus function codes to test, how to safely replicate that test against a specific Allen-Bradley or Siemens controller in an isolated environment, and how to document the finding in a form that operations engineers can act on. This expertise is not transferable from IT pen testing without specialized training and hands-on OT lab experience.
Safety team coordination requirements in ICS engagements extend well beyond what IT security teams are accustomed to. Every ICS penetration test engagement at NYCF begins with a coordination process that includes the client's operations leadership, safety officers, and control system engineers, not just the security team. Emergency halt procedures are agreed and documented before testing begins. Safety-instrumented systems are explicitly excluded from scope and confirmed out-of-scope in writing. Testing windows are aligned with production schedules to minimize operational exposure. This coordination overhead is not bureaucratic caution; it is the professional standard for responsible ICS testing practice. For the IT portion of engagements involving enterprise networks that connect to OT environments, NYCF's standard penetration testing capability covers those IT-layer assessments with the same rigor applied to our OT practice.
NYCF's ICS Penetration Testing Process
New York law firms retaining NYCF on behalf of critical infrastructure clients, and operations teams engaging directly, receive a structured five-phase methodology that produces technically defensible findings alongside the operational context necessary to act on them. Each phase is documented with sufficient specificity to satisfy both regulatory audit requirements and litigation support needs.
Engagement Scoping and Safety Planning
NYCF works with client counsel, operations leadership, and safety officers to define the precise boundaries of the engagement. Emergency halt procedures are agreed in writing before any technical activity begins. Systems operating under safety-instrumented system (SIS) governance are explicitly documented as out-of-scope. Testing windows are established in coordination with maintenance schedules. Authorization documentation is prepared to the standard required for regulatory audit and legal proceedings. The scoping process for an ICS engagement is materially more extensive than for an IT penetration test, reflecting the higher operational stakes. Clients whose counsel retains NYCF to support anticipated or ongoing litigation receive scoping documentation structured to satisfy attorney-client privilege and work product considerations.
Passive Reconnaissance and Architecture Mapping
NYCF analysts deploy passive network sensors via span ports and network taps to observe OT traffic without injecting any packets into the control network. Traffic analysis identifies every communicating device, maps the communication relationships between them, and documents the protocols in use across each network segment. Purdue Model layer analysis organizes findings according to Level 0 through Level 3.5 architecture, identifying where field devices connect to controllers, where controllers connect to supervisory systems, and where the supervisory layer connects to enterprise IT. IT/OT boundary documentation identifies every pathway between the enterprise network and the operational technology environment, including historian servers, remote access infrastructure, vendor maintenance channels, and any unauthorized or undocumented connections that passive observation reveals. This phase produces no traffic on the control network and carries zero risk to production operations.
Threat Actor Modeling
NYCF analysts build sector-specific threat models calibrated to the client's industry and geographic context. For energy sector clients, threat modeling addresses the VOLTZITE activity group (linked to China's Volt Typhoon campaign), which Dragos has documented targeting US electric utilities and telecommunications operators, exfiltrating GIS data and OT network diagrams as part of pre-positioning for potential destructive operations. For manufacturing clients, ransomware group targeting patterns reflect the reality that manufacturing accounted for more than two-thirds of all industrial ransomware victims tracked by Dragos in 2025, with 119 distinct ransomware groups actively targeting industrial organizations. Assumed-breach scenarios model the attack path from a compromised enterprise IT asset through to meaningful control of OT systems, reflecting the documented finding that 96 percent of OT security incidents originate from IT-level compromises. These scenarios drive the exploitation testing in Phase 4 and ensure that testing activity maps to realistic attacker behavior rather than theoretical vulnerability catalogs.
Controlled Exploitation in Safe Environments
Active exploitation testing occurs exclusively in safe environments designed to replicate the client's production OT environment without placing live operations at risk. NYCF's secure test lab maintains hardware-in-the-loop capability with physical PLCs and RTUs from major industrial vendors, allowing protocol-specific attack execution against actual device firmware rather than software simulations. Digital twin environments replicate the logical architecture of the client's OT network, enabling test scenarios that would carry unacceptable risk on production systems, including destructive exploit chains designed to demonstrate the end-state impact of a successful attacker campaign. Where decommissioned production equipment is available, isolated test networks built from that hardware provide the highest fidelity replication of the specific firmware versions and configurations in the client's environment. Protocol-specific attack execution across Modbus, DNP3, OPC UA, EtherNet/IP, PROFINET, BACnet, and IEC 61850 validates whether identified vulnerabilities are practically exploitable under conditions matching the client's network architecture and security controls.
Forensic Documentation and Remediation Guidance
NYCF's final report is structured to serve multiple audiences simultaneously. The technical findings section documents each exploited vulnerability with the specificity required for an engineer to reproduce the test, understand the mechanism of exploitation, and implement a targeted remediation. Operational impact analysis translates technical findings into business and safety terms that operations leadership and legal teams can evaluate: a finding that a specific Modbus controller accepts unauthenticated write commands is reported alongside its operational consequence if exploited by a threat actor with the demonstrated level of access. Compensating control recommendations address the significant proportion of ICS vulnerabilities where patching is not operationally feasible, providing concrete architectural and configuration mitigations that reduce exploitability within the constraints of production environments. Compliance mapping documents findings against NERC CIP, TSA directive requirements, IEC 62443, and NIST SP 800-82 Rev. 3 in a format suitable for regulatory submission and legal proceedings.
Protocol-Level Security Testing
Industrial protocols represent the most fundamental layer of ICS security risk because their design decisions predate network security as a discipline. Most industrial protocols were created for environments assumed to be physically isolated from adversarial networks. That assumption no longer holds for the majority of New York critical infrastructure environments, which have implemented IT/OT connectivity for operational data visibility, remote monitoring, and enterprise integration. When these protocols operate on networks that are no longer isolated, their absence of authentication and encryption creates attack surfaces that are both broad and trivially accessible to any attacker who reaches the OT network segment. NYCF's analysts examine each protocol present in the client's environment for its specific security characteristics and attack surface.
Modbus TCP and Modbus RTU carry no authentication by design. Any device on the network that can reach a Modbus-enabled controller can issue read and write commands across the full range of coils and registers without presenting credentials of any kind. NYCF tests Modbus deployments for command injection possibilities, register manipulation scenarios, and the network segmentation controls that represent the only realistic defense against unauthorized Modbus access. The test asks whether the protocol's complete absence of authentication is exposed to attacker-accessible network positions, and whether those positions are reachable from the paths documented during Phase 2 architecture mapping.
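The passive observation described in Phase 2 and the unauthenticated-write exposure described above can be checked together. The following is an added example, not NYCF's own tooling: it parses Modbus/TCP request frames taken from a span-port capture, builds the talker map, and flags write function codes issued by any device the operator has not designated as a master. The capture helper that reassembles TCP/502 payloads into (src, dst, payload) tuples is assumed and not shown; the sample frames and addresses are constructed.

```python
"""Passive Modbus/TCP capture analysis: map talkers and flag unauthenticated writes.

Added example, not NYCF tooling. Frames are assumed to come from a span-port
capture already reassembled into (src_ip, dst_ip, tcp_payload) tuples by a
hypothetical capture helper that is not shown here.
"""
import struct
from collections import defaultdict

# Public Modbus function codes that change controller state.
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}


def parse_mbap(payload: bytes):
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU.

    Returns None when the bytes are not a well-formed Modbus/TCP frame, which
    lets the caller notice non-Modbus traffic sitting on TCP/502.
    """
    if len(payload) < 8:
        return None
    tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol identifier is always 0; length counts unit id + PDU.
    if proto_id != 0 or length != len(payload) - 6:
        return None
    fc, pdu = payload[7], payload[8:]
    req = {"tid": tid, "unit": unit, "fc": fc}
    if fc in (5, 6) and len(pdu) >= 4:
        req["address"], req["value"] = struct.unpack(">HH", pdu[:4])
    elif fc in (1, 2, 3, 4, 15, 16) and len(pdu) >= 4:
        req["address"], req["quantity"] = struct.unpack(">HH", pdu[:4])
    return req


def analyze_captures(frames, authorized_masters):
    """Build the device/relationship map and list findings.

    frames: iterable of (src_ip, dst_ip, payload) for client->server TCP/502 data.
    authorized_masters: IPs the client expects to issue commands (HMI, SCADA).
    """
    devices = set()
    relationships = defaultdict(set)   # "src->dst" -> function codes seen
    write_paths = set()                # every path on which writes occur
    findings = []
    for src, dst, payload in frames:
        req = parse_mbap(payload)
        if req is None:
            findings.append({"severity": "info", "src": src, "dst": dst,
                             "detail": "non-Modbus payload on TCP/502"})
            continue
        devices.update((src, dst))
        path = f"{src}->{dst}"
        relationships[path].add(req["fc"])
        if req["fc"] in WRITE_FUNCTIONS:
            write_paths.add(path)
            if src not in authorized_masters:
                findings.append({
                    "severity": "high", "src": src, "dst": dst,
                    "detail": f"unexpected {WRITE_FUNCTIONS[req['fc']]} "
                              f"(FC {req['fc']}) to unit {req['unit']} at "
                              f"address {req.get('address')}; Modbus accepts it "
                              f"without credentials",
                })
    return {
        "devices": sorted(devices),
        "relationships": {k: sorted(v) for k, v in relationships.items()},
        "write_paths": sorted(write_paths),   # segmentation review targets
        "findings": findings,
    }


# Constructed sample: an HMI, a historian, two PLCs and an unexpected laptop.
AUTHORIZED_MASTERS = {"10.20.1.10", "10.30.5.5"}
SAMPLE_FRAMES = [
    ("10.20.1.10", "10.20.1.50", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),  # FC3 read
    ("10.20.1.10", "10.20.1.50", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x01\xf4"),  # FC6 setpoint
    ("10.30.5.5", "10.20.1.51", b"\x00\x04\x00\x00\x00\x06\x01\x04\x00\x00\x00\x04"),   # FC4 read
    ("10.20.9.77", "10.20.1.50",
     b"\x00\x03\x00\x00\x00\x0b\x01\x10\x00\x10\x00\x02\x04\x00\x00\x00\x00"),       # FC16 write
    ("10.20.9.77", "10.20.1.50", b"GET / HTTP/1.1\r\n"),                                # not Modbus
]

if __name__ == "__main__":
    import json
    print(json.dumps(analyze_captures(SAMPLE_FRAMES, AUTHORIZED_MASTERS), indent=2))
```

Every path listed under write_paths, authorized or not, is an unauthenticated write path, so the list doubles as the set of flows the segmentation review in the same phase has to justify.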
DNP3 serves water utilities, electric utilities, and pipeline operators as the primary protocol for communication between master stations and outstations. Its original implementation carries no authentication, and even the DNP3 Secure Authentication extensions defined by the standard are not universally implemented in deployed systems. NYCF tests DNP3 deployments for master station spoofing scenarios, where an attacker on the network impersonates the legitimate master to issue commands to outstations, and for the Secure Authentication weakness testing that identifies whether the authentication extensions are implemented, correctly configured, and resistant to the replay and downgrade attacks documented in the research literature.
OPC UA introduced certificate-based authentication and encrypted sessions as a security-conscious improvement over the original OPC-DA specification, but these security features require correct configuration to be effective. NYCF tests OPC UA deployments for certificate validation failures that allow connections from untrusted clients, authentication bypass conditions in specific server implementations, and access control enforcement across the available service endpoints. An OPC UA server whose security mode is set to None, or whose certificate validation accepts self-signed certificates without verification, provides no meaningful security improvement over unauthenticated legacy protocols.
EtherNet/IP using the Common Industrial Protocol (CIP) is the dominant protocol for Allen-Bradley and Rockwell Automation PLC environments, which represent a significant share of New York manufacturing and industrial facility deployments. NYCF tests EtherNet/IP and CIP implementations for unauthorized PLC programming command injection, which allows an attacker on the network to modify ladder logic or function block programs running on the controller. This category of attack represents the highest-severity ICS exploitation scenario: an attacker who can reprogram a PLC can manipulate the physical process it controls while causing the human-machine interface to display normal operating conditions.
PROFINET, used extensively in Siemens-centric industrial environments, is tested for device discovery and manipulation through DCP (Discovery and Configuration Protocol) exploitation, and for configuration attacks that allow unauthorized changes to device parameters. BACnet, the building automation protocol present in essentially every New York commercial office tower and institutional facility, is tested for unauthorized property read and write access to building automation controllers, creating the potential for unauthorized control of HVAC, fire suppression, access control, and electrical distribution systems. IEC 61850 and its GOOSE (Generic Object-Oriented Substation Event) messaging layer, used in electric substation protection and automation, is tested exclusively in NYCF's isolated lab environment with relay test equipment, because spoofed GOOSE messages can cause immediate protective relay operation with direct consequences for power grid stability.
Safe Testing Environments for New York Critical Infrastructure
The central engineering challenge of ICS penetration testing is replicating sufficient fidelity of the production environment to produce meaningful results while maintaining complete separation from live systems. NYCF employs three methodologies, selected based on the criticality of the target environment, the availability of hardware and documentation, and the specific test scenarios required by the engagement scope.
Digital twin environments provide the most flexible testing capability. A digital twin replicates the logical architecture, device configurations, and network topology of the client's OT environment in an isolated virtual or hybrid environment maintained in NYCF's secure infrastructure. This approach allows analysts to execute the complete attack chain documented in the threat model, including scenarios that would be completely infeasible against production systems, without any scheduling constraints tied to production windows. Digital twins are particularly valuable for testing complex multi-step attack paths that traverse from the IT network through the IT/OT boundary into the operational technology environment, replicating the assumed-breach scenarios developed in Phase 3. The technology is in active development across the industrial security industry, and NYCF's practice stays current with hybrid approaches that combine virtual environments for the broader network architecture with physical device representations for the specific controllers at the core of the engagement scope.
Hardware-in-the-loop testing uses physical ICS hardware, including PLCs, RTUs, and HMIs from major industrial vendors, operated in NYCF's secure test lab with simulated process signals providing the input stimuli those devices would receive in production. This approach provides the highest-fidelity testing of protocol behavior and firmware exploitation because the test is running against actual hardware executing actual firmware, not a software simulation of its behavior. Hardware-in-the-loop is the preferred approach for testing specific high-criticality devices, including safety-system-adjacent controllers, protection relays, and PLCs whose firmware behavior cannot be adequately replicated in a pure virtual environment. The limitation is hardware availability: comprehensive hardware-in-the-loop testing requires either NYCF lab equipment matching the client's platform or the client's willingness to make spare hardware available for the test period.
Isolated test networks built from decommissioned production equipment represent the third methodology, applicable where clients have taken legacy equipment out of service and can make it available for security testing. This approach provides the closest possible match to the production environment's specific firmware versions and hardware revision states, particularly valuable for identifying firmware-specific vulnerabilities in older equipment that may not be documented in any public vulnerability database. Clients who have upgraded their OT infrastructure and retained the replaced equipment have an underutilized resource for this type of testing. NYCF coordinates the transport, configuration, and secure handling of decommissioned equipment used in isolated test network engagements.
IT/OT Boundary Testing
The IT/OT boundary is consistently the highest-priority target in ICS penetration testing because it represents the primary path through which attackers reach operational technology systems. Industry data confirms that 96 percent of OT security incidents originate from IT-level compromises. Attackers who establish a foothold in the enterprise IT environment, whether through phishing, exploitation of internet-facing vulnerabilities, compromised vendor credentials, or supply chain intrusion, do not need to defeat the physical security of the industrial facility. If a path exists from the IT network to the OT environment, which it does in the vast majority of New York industrial facilities, that IT-level foothold becomes a stepping stone to ICS access.
NYCF's IT/OT boundary testing examines the controls that are supposed to prevent this traversal and actively attempts to defeat them using the techniques and tools documented in the threat actor models developed in Phase 3. Firewall rule sets at the IT/OT boundary are analyzed for rules that permit broader access than operational requirements justify, including legacy rules added for specific projects and never removed, and rules that permit bidirectional access where unidirectional data flow would suffice. DMZ architecture review evaluates whether the demilitarized zone between IT and OT networks provides genuine security separation or a false sense of isolation, examining whether systems in the DMZ, particularly historian servers and data aggregators, have network access to both sides that creates a traversal path if the DMZ host is compromised.
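The rule-set checks described above (permits broader than the operational need, IT-to-OT paths that skip the DMZ, bidirectional permits where one-way flow would do, and legacy rules nobody removed) can be expressed as a review script. The following is an added example and not NYCF's own tooling; the rule schema, the zone names IT/DMZ/OT, the 90-day staleness threshold and the constructed rule set are assumptions, and a real review would load the exported rule base of the boundary firewall instead.

```python
"""IT/OT boundary rule review: flag permits that widen the IT-to-OT path.

Added example, not NYCF tooling. The rule schema, zone names and the
constructed rule set below are assumptions; a real review would load the
rules exported from the boundary firewall instead.
"""
import ipaddress

# Industrial protocol ports that should never be reachable from the IT zone.
ICS_PORTS = {
    ("tcp", 502): "Modbus/TCP", ("tcp", 20000): "DNP3",
    ("tcp", 44818): "EtherNet/IP", ("udp", 2222): "EtherNet/IP implicit I/O",
    ("tcp", 102): "IEC 61850 MMS", ("tcp", 4840): "OPC UA",
    ("udp", 47808): "BACnet/IP",
}
STALE_DAYS = 90          # no hits for this long -> candidate legacy rule (assumed threshold)
MAX_OT_PREFIX_SPAN = 24  # OT destinations wider than a /24 are treated as broad


def _is_broad(dst: str) -> bool:
    """True for 'any' or a destination network wider than a /24."""
    if dst == "any":
        return True
    return ipaddress.ip_network(dst, strict=False).prefixlen < MAX_OT_PREFIX_SPAN


def audit_boundary_rules(rules):
    """Return findings as dicts with keys rule, type, severity, detail."""
    findings = []
    for r in rules:
        into_ot = r["dst_zone"] == "OT" and r["src_zone"] != "OT"
        key = (r["proto"], r["port"])
        if r["src_zone"] == "IT" and r["dst_zone"] == "OT":
            findings.append((r["id"], "direct_it_to_ot", "high",
                             "permit from IT straight into OT bypasses the DMZ"))
        if into_ot and (r["port"] == "any" or _is_broad(r["dst"])):
            findings.append((r["id"], "overly_broad", "high",
                             f"wide permit into OT: dst={r['dst']} port={r['port']}"))
        if into_ot and key in ICS_PORTS:
            sev = "high" if r["src_zone"] == "IT" else "medium"
            findings.append((r["id"], "ics_port_exposure", sev,
                             f"{ICS_PORTS[key]} reachable from {r['src_zone']} zone"))
        # A mirror-image permit makes the flow bidirectional; report the pair once.
        for s in rules:
            if (s["id"] > r["id"] and s["src_zone"] == r["dst_zone"]
                    and s["dst_zone"] == r["src_zone"] and s["src"] == r["dst"]
                    and s["dst"] == r["src"] and (s["proto"], s["port"]) == key):
                findings.append((r["id"], "bidirectional", "medium",
                                 f"mirrored by {s['id']}; one-way data flow may suffice"))
        if r["last_hit_days"] is None or r["last_hit_days"] > STALE_DAYS:
            findings.append((r["id"], "stale", "low",
                             "no recent hits; check whether this legacy rule is still needed"))
    return [dict(zip(("rule", "type", "severity", "detail"), f)) for f in findings]


def finding_types(findings, rule_id):
    """Set of finding types raised against one rule (for reporting)."""
    return {f["type"] for f in findings if f["rule"] == rule_id}


# Constructed boundary rule set (zones IT, DMZ, OT; every rule is a permit).
SAMPLE_RULES = [
    {"id": "R1", "src_zone": "DMZ", "dst_zone": "OT", "src": "10.30.5.5/32",
     "dst": "10.20.1.0/24", "proto": "tcp", "port": 502, "last_hit_days": 0,
     "comment": "historian polls PLCs"},
    {"id": "R2", "src_zone": "OT", "dst_zone": "DMZ", "src": "10.20.1.0/24",
     "dst": "10.30.5.5/32", "proto": "tcp", "port": 502, "last_hit_days": None,
     "comment": "added with R1, never used"},
    {"id": "R3", "src_zone": "IT", "dst_zone": "OT", "src": "10.10.0.0/16",
     "dst": "10.20.1.50/32", "proto": "tcp", "port": 44818, "last_hit_days": 400,
     "comment": "2019 line upgrade project"},
    {"id": "R4", "src_zone": "IT", "dst_zone": "DMZ", "src": "10.10.7.0/24",
     "dst": "10.30.5.20/32", "proto": "tcp", "port": 3389, "last_hit_days": 1,
     "comment": "engineers to jump server"},
    {"id": "R5", "src_zone": "DMZ", "dst_zone": "OT", "src": "10.30.5.20/32",
     "dst": "any", "proto": "any", "port": "any", "last_hit_days": 3,
     "comment": "jump server to OT"},
]

if __name__ == "__main__":
    for f in audit_boundary_rules(SAMPLE_RULES):
        print(f"{f['rule']:3} {f['severity']:6} {f['type']:18} {f['detail']}")
```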
Jump server security testing addresses the access control and monitoring controls on the administrative systems used by engineers and vendors to reach OT assets from the IT network. A jump server with weak authentication, session logging gaps, or overly permissive outbound access rules is a single-hop path from an IT compromise to full OT access. Vendor remote access channels receive specific attention as a historically persistent vulnerability: third-party access for equipment maintenance is a legitimate operational requirement, but implementations that use persistent always-on VPN tunnels, shared credentials, or unmonitored sessions represent significant risk that NYCF specifically identifies and tests. The documented finding that 46 percent of industrial organizations experienced breaches due to third-party access in the preceding 12 months reflects the systematic risk of vendor access channels that lack the authentication, monitoring, and access-scoping controls that internal access infrastructure applies. For the enterprise IT layer of these engagements, NYCF's penetration testing practice provides the IT-focused testing capability that complements the OT-specific work, producing a complete picture of the attack path from the internet through the enterprise network to the operational technology environment.
Regulatory and Legal Context for New York ICS Security
The regulatory environment governing ICS security for New York organizations has grown significantly more demanding in the last several years, and the trend toward specific, auditable requirements with defined testing cadences is accelerating. Understanding which frameworks apply, what they specifically require in terms of penetration testing and assessment documentation, and how those requirements interact with litigation obligations is essential context for New York law firms advising critical infrastructure clients.
NERC CIP-010, which governs configuration change management and vulnerability assessments for bulk electric system operators, requires documented annual cybersecurity assessment plans and vulnerability assessments of high- and medium-impact BES Cyber Systems. NERC's 2025 CIP Roadmap, published in January 2026, identified supply chain compromise, ransomware, and insider threats as the top-ranked risks facing BES operators, and noted pending standards activity requests that would extend MFA requirements to remote access for low-impact BES Cyber Systems currently outside the stringent requirement set. NERC CIP-013 supply chain risk management requirements, which extend to third-party vendors and software used in OT environments, create documentation obligations that parallel the scope of a comprehensive ICS penetration test. NYCF's assessment documentation is structured to map directly to CIP requirement categories, supporting both initial compliance demonstration and the re-assessment cycles required by the standards.
TSA Security Directive Pipeline-2021-02F, currently effective through May 2026 and expected to renew, requires covered pipeline operators to submit annual Cybersecurity Assessment Plans to TSA and to assess 100 percent of Critical Infrastructure Protection elements on a rolling three-year schedule, with 30 percent assessed each year. The directive explicitly requires zero trust controls against unauthorized execution, monitoring at the IT/OT boundary, MFA for all access to operational technology systems, and tested incident isolation capability. The annual assessment plan submission creates a structured documentation requirement that NYCF's engagement methodology addresses directly: findings are presented in a format that supports plan submission as well as internal remediation tracking.
NYDFS cybersecurity regulations (23 NYCRR Part 500) apply to covered entities that include financial institutions with facility management systems connected to or accessible from IT infrastructure. The 2023 amended NYDFS regulations expanded penetration testing requirements and introduced Class A company obligations for independent security assessments. Financial sector organizations whose New York facilities use building automation systems on networks with any connectivity to IT infrastructure covered by NYDFS should review the intersection of BACnet-based facility management controls and their NYDFS penetration testing obligations. NYCF's ICS penetration testing practice includes BACnet assessment capability specifically to address this intersection.
IEC 62443 and NIST SP 800-82 Rev. 3, published in September 2023, establish the primary technical frameworks for ICS security assessments across industries. NIST SP 800-82 Rev. 3 updated guidance specifically addresses the IT/OT convergence risks that define the current threat environment, including detailed treatment of cloud-connected OT systems, industrial IoT, and remote access security. NYCF's methodology maps to both frameworks, and assessment reports include explicit framework alignment tables that document how each finding relates to specific control requirements. This mapping is essential for organizations preparing regulatory submissions, conducting vendor audits, or managing ICS security findings through formal risk management processes.
Court-admissible documentation is a core output of every NYCF ICS penetration test engagement. When ICS security failures result in litigation, whether arising from a cyber intrusion causing equipment damage, a production loss dispute, a regulatory enforcement action, or an insurance coverage dispute, the quality of the underlying security assessment documentation directly affects the available legal arguments. NYCF analysts provide expert witness testimony addressing the technical standards of care applicable to ICS security in specific sectors, the exploitability and severity of identified vulnerabilities at the time they existed in the client's environment, and causal analysis connecting specific security deficiencies to the operational losses at issue. New York law firms handling critical infrastructure cyber litigation have engaged NYCF in both plaintiff and defense roles, and NYCF's expert witness analysts are experienced in presenting technically complex ICS security findings to judges, juries, and arbitration panels in terms that are accurate without requiring specialized technical knowledge to evaluate.
NERC CIP Assessment Documentation
Penetration testing and vulnerability assessment documentation mapped to NERC CIP-010 and CIP-013 requirements, structured for regulatory submission and audit support for New York bulk electric system operators.
TSA Directive Annual Assessment Plans
ICS penetration testing supporting TSA SD Pipeline-2021-02F annual assessment plan requirements, covering Critical Infrastructure Protection elements with the testing cadence and documentation detail the directive requires.
NYDFS OT Security Testing
Penetration testing for NYDFS-covered entities whose facility management and building automation systems fall within the scope of 23 NYCRR Part 500 penetration testing requirements, including BACnet and building automation protocol assessment.
Expert Witness Testimony
ICS security standard of care testimony for civil litigation, arbitration, and regulatory proceedings. NYCF analysts address exploitability, causation, and the security posture of ICS environments at the time of alleged incidents or failures.