Critical infrastructure—spanning power grids, water treatment plants, oil refineries and transportation systems—has become a prime target for adversaries seeking disruption, financial gain, or geopolitical leverage. Unlike corporate IT networks, these environments rely on Industrial Control Systems (ICS) and Operational Technology (OT) that run physical processes where downtime can threaten public safety. Cybersecurity reports indicate that energy and manufacturing sectors remain frequent targets of both nation-state and financially motivated attacks, highlighting the high stakes for critical infrastructure operators. Red team penetration testing provides operators with a controlled but realistic way to measure how adversaries could bypass defenses and gain access to sensitive systems. Instead of relying on automated scans or compliance checklists, a red team mimics the tactics of real attackers, exposing weak detection capabilities and revealing whether security teams can identify and contain sophisticated intrusions before critical processes are impacted.
Why ICS and OT Need Red Team Testing
Organizations running ICS and OT often rely on decades-old technology designed for reliability rather than cybersecurity. Many systems still speak protocols such as Modbus and DNP3 that, as commonly deployed, carry no authentication or encryption: any host that can reach TCP port 502 on a PLC can read and write its registers, because the protocol checks only the unit ID, function code and address. Firewalls and segmentation strategies exist, but they are rarely tested against adversaries who specialize in exploiting misconfigurations or weak points at IT-OT boundaries.
Traditional penetration testing offers value but is limited in scope—it typically identifies vulnerabilities in isolated components. Red team penetration testing, by contrast, evaluates how an attacker could chain multiple weaknesses to disrupt or control industrial processes. For example, in 2021 an intruder reportedly used the remote access software at a water treatment plant in Oldsmar, Florida to raise the sodium hydroxide dosing setpoint; an operator who saw the cursor moving on screen reverted the change before it affected the water supply. Red team testing recreates attack paths like this under controlled conditions, providing operators with actionable insights into gaps that routine scans cannot reveal.
Moreover, ICS environments are attractive to nation-state actors. The TRITON malware incident in 2017, which targeted Triconex safety controllers at a petrochemical plant, showed that adversaries are willing to attack safety instrumented systems directly, which could lead to physical damage and loss of life. In such contexts, tabletop exercises and vulnerability scans fall short. A dedicated red team assessment is the most direct way to confirm that layered defenses work in practice rather than on paper.
IT vs OT Security in Red Teaming
The differences between IT and OT security are critical for understanding how red team penetration testing is adapted in critical infrastructure. The table below highlights the key contrasts:
| IT Security | OT Security |
|---|---|
| Systems can often be taken offline for patching or updates | Systems must remain operational continuously; downtime can impact critical infrastructure |
| Uses secure protocols like HTTPS, SSH and VPNs | Often relies on legacy protocols without encryption or authentication |
| Advanced intrusion detection and monitoring systems are common | Limited monitoring depth; blind spots are frequent |
| Managed by corporate IT/security teams | Overseen by engineers with limited cybersecurity expertise |
| Standard penetration testing can be performed with minimal operational impact | Interference can disrupt turbines, electricity distribution or manufacturing lines; safety is a priority |
| Cybersecurity knowledge is generally sufficient | Dual expertise in cybersecurity and engineering disciplines is needed to ensure realistic testing without jeopardizing operations |
Threats to Critical Infrastructure Systems
Critical infrastructure is highly exposed due to a mix of aging technology, increased connectivity and geopolitical tensions. Major categories of threats include:

- Nation-state attacks: Groups like Sandworm have previously disrupted power grids (the 2015 and 2016 attacks on Ukrainian distribution utilities), while others attempt long-term infiltration to prepare for sabotage. The Sandworm attack on a Ukrainian energy company in 2022, using the Industroyer2 malware against substation equipment, highlights how state-backed actors target national energy systems.
- Ransomware campaigns: Incidents such as the Colonial Pipeline attack in 2021 and the RECOPE ransomware attack in Costa Rica (2024) demonstrated how financially motivated actors can halt critical supply chains. Notably, the Colonial Pipeline ransomware hit the company's IT systems; the pipeline itself was shut down as a precaution because the operator could not be sure the OT side was unaffected, which is itself a finding about IT-OT separation and billing dependencies.
- Insider threats: Employees or contractors with access may inadvertently or intentionally create vulnerabilities.
- Third-party risks: Vendors providing remote monitoring solutions or maintenance connections often introduce weak entry points.
- Recent high-profile incidents: The Norwegian Dam Hack (2025) and the Kuala Lumpur International Airport Attack (2025) further highlight the growing global scale and frequency of attacks on critical infrastructure.
Planning Red Team Testing for ICS/OT
Planning is critical because testing in ICS/OT must achieve realism without endangering production. Operators, engineers and security leaders should jointly define objectives and constraints. Key planning steps include:
- Defining objectives: For example, can an attacker pivot from IT into OT, bypass monitoring and attempt process manipulation?
- Setting boundaries: Certain systems, such as safety controllers, may be strictly off-limits for live testing. Simulated environments or digital twins can substitute.
- Approvals and stakeholder buy-in: Senior management and plant operators must understand risks and approve scope to avoid misunderstandings.
- Communication plan: Establishing a chain of command, escalation paths and out-of-band communication channels ensures rapid response in case of unexpected disruptions.
Effective planning transforms red team testing from a risky experiment into a structured exercise that provides measurable insights without downtime.
Rules of Engagement and Safety Controls
Rules of Engagement (ROE) form the backbone of any red team penetration testing in ICS/OT. Without strict ROE, testing could endanger physical processes. Typical ROE include:
- Kill switches: A pre-agreed abort signal and procedure that halts all red team activity the moment engineers observe a process anomaly, whether or not it is believed to be test-related; the red team confirms the stop and stands down until cleared to resume.
- Out-of-scope assets: Systems like safety instrumented systems (SIS) or life-supporting processes are excluded from live exploitation.
- Time constraints: Testing during low-demand cycles reduces operational risks.
- Monitoring coordination: Security operations center (SOC) teams and plant engineers should monitor simultaneously to ensure activities are distinguishable from real attacks.
CISA guidelines emphasize that safety overrides all red team goals. The intent is not to break systems but to reveal pathways attackers could exploit while ensuring operators retain trust in the testing process.
Red Team Techniques for ICS Security
Red teams working in ICS environments employ specialized techniques distinct from IT testing. These include:
- Passive reconnaissance: Identifying network assets, firmware versions and configurations from captured traffic, configuration exports, project files and documentation rather than active scanning, since even a routine port scan can crash fragile controllers.
- Protocol analysis: Studying traffic in Modbus, PROFINET or OPC UA to uncover misconfigurations or unprotected command channels, such as which hosts issue write commands to which controllers and whether anything authenticates them. (OPC UA can sign and encrypt sessions, but it is frequently deployed with the security policy set to None, which leaves it as exposed as Modbus.)
- Pivoting techniques: Moving from IT networks into OT zones via poorly segmented firewalls or misconfigured VPNs.
- Simulated attacks: Using digital twins or test environments to safely reproduce scenarios like unauthorized command injection.
For example, in a simulated test at a European manufacturing plant, red teamers demonstrated how phishing emails against IT staff allowed pivoting into an OT historian server. From there, they mapped the process network, showing how attackers could eventually manipulate PLCs if left undetected. This revealed gaps in monitoring at the IT-OT boundary and led to segmentation improvements.
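The following is an added example and not code from the original article or from ValueMentor's tooling. It shows the kind of protocol analysis described above applied to Modbus/TCP: decoding the MBAP header and PDU of captured requests, listing which hosts write to which controller registers, and flagging writes from hosts that are not the engineering workstation. The IP addresses, unit ID and register meanings in the constructed capture are assumptions; the frame layout follows the public Modbus/TCP specification.

```python
"""Decode Modbus/TCP requests and flag write commands from unexpected hosts.

Added illustration, not code from the original article. Modbus/TCP has no
authentication field: the unit ID, function code and register address are the
only things a PLC checks, so any host that can reach TCP/502 can issue writes.
Only request frames are handled here; responses and exception frames are not.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    client: str               # source IP of the TCP connection (from the capture)
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]    # first coil/register address, for the common function codes
    count_or_value: Optional[int]


def decode_request(client: str, payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus the PDU of one Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(payload) - 6:  # length counts the unit id and the PDU
        raise ValueError("MBAP length does not match frame size")
    fc = payload[7]
    address = value = None
    if fc in READ_FUNCTIONS or fc in WRITE_FUNCTIONS:
        # FC 1-6, 15 and 16 all begin with a 16-bit address and a 16-bit quantity or value
        address, value = struct.unpack(">HH", payload[8:12])
    return ModbusRequest(client, tid, unit, fc, address, value)


def build_write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    """Encode a Write Single Register (FC 6) request; there is no credential to supply."""
    pdu = struct.pack(">BHH", 6, address, value)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)
    return mbap + pdu


def audit_writes(frames: List[Tuple[str, bytes]],
                 authorised_writers: Set[str]) -> List[Tuple[str, str, int, Optional[int]]]:
    """Return (client, function name, unit, address) for every write not from an authorised host."""
    findings = []
    for client, payload in frames:
        req = decode_request(client, payload)
        if req.function_code in WRITE_FUNCTIONS and client not in authorised_writers:
            findings.append((client, WRITE_FUNCTIONS[req.function_code], req.unit_id, req.address))
    return findings


# Constructed capture: (client IP, raw TCP payload). Hosts and register roles are invented.
SAMPLE_FRAMES = [
    ("10.10.20.5",  bytes.fromhex("0001 0000 0006 01 03 0000 000a")),               # HMI reads 10 holding registers
    ("10.10.20.10", bytes.fromhex("0002 0000 0006 01 06 0028 04e2")),               # engineering workstation sets register 40 to 1250
    ("10.1.5.77",   bytes.fromhex("0003 0000 0006 01 05 0003 ff00")),               # IT-side host forces coil 3 ON
    ("10.1.5.77",   bytes.fromhex("0004 0000 000b 01 10 0028 0002 04 04e2 0000")),  # same host rewrites registers 40-41
]
AUTHORISED_WRITERS = {"10.10.20.10"}  # only the engineering workstation should write

if __name__ == "__main__":
    for finding in audit_writes(SAMPLE_FRAMES, AUTHORISED_WRITERS):
        print("unexpected write:", finding)
    # The engineer's setpoint write can be reproduced byte for byte by any host on the segment.
    print(build_write_single_register(2, 1, 40, 1250) == SAMPLE_FRAMES[1][1])
```

Run against a real capture, the client address would come from the TCP layer of each packet (for example via a pcap library) rather than from a hand-built list. The point the output makes is the one a red team report makes: the two IT-side writes and the engineer's legitimate write are indistinguishable on the wire, so the only controls that separate them are network reachability and monitoring, which is why the same decoding logic belongs in an OT-aware detection rule.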
Lessons from Critical Infrastructure Red Teaming
Real-world red team engagements consistently reveal recurring issues in ICS/OT environments:
- Weak segmentation: Firewalls often exist but are misconfigured, allowing unnecessary traffic across zones.
- Legacy systems: Devices that cannot be patched remain in use for decades, creating long-term exposure.
- Credential hygiene: Shared accounts, weak passwords or hardcoded credentials are common.
- Limited monitoring: Security teams often detect IT intrusions but fail to notice lateral movement into OT.
One engagement in the Middle East revealed that engineers used default vendor passwords for PLCs across multiple plants. While changing them required coordination, the red team’s findings helped prioritize a phased rollout of secure authentication without production downtime.
Layered Defense Strategies from Findings
Insights from red team testing should directly inform defense strategies. A layered defense approach ensures that even if one barrier fails, others can prevent escalation. Common strategies include:
- Network segmentation: Strict separation between IT, DMZ and OT zones, with only necessary traffic permitted.
- Asset visibility: Maintaining updated inventories of all ICS devices and firmware levels.
- Patch and change control: Applying security patches during scheduled maintenance while using compensating controls (isolation, allow-listing, monitoring) for unpatchable systems.
- Anomaly detection: Deploying OT-aware monitoring solutions that understand process protocols and can identify unusual commands.
- Access management: Strong authentication for remote vendors and elimination of shared credentials.
By addressing findings in layers, operators avoid single points of failure and build resilience against both sophisticated and opportunistic attackers.
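As an added example that is not part of the original article, the following script turns the segmentation requirement above, and the "firewalls exist but are misconfigured" lesson from the previous section, into a check that can be run against an exported rulebase. It lints each allow rule against a simple IT/DMZ/OT zone policy and then simulates first-match evaluation for a set of flows that should never be permitted, so a shadowed deny rule is caught as well as a missing one. The zone names, port-to-protocol table, rule format and the sample rulebase are assumptions; real firewalls export rules in vendor-specific formats that would need a small adapter.

```python
"""Lint an IT/DMZ/OT firewall rulebase against a zone policy and simulate flows.

Added illustration, not code from the original article. The policy encoded
here is an assumption: IT may not talk to OT directly, industrial protocol
ports may only be reached from inside OT, and no allow rule may be any-port.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union

ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP",
             4840: "OPC UA", 102: "S7comm"}
Port = Union[int, str]  # a TCP port number or the wildcard "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # "IT", "DMZ", "OT" or "any"
    dst_zone: str
    dst_port: Port
    action: str     # "allow" or "deny"


def lint_rulebase(rules: List[Rule]) -> List[str]:
    """Static findings on individual allow rules, regardless of rule order."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src_zone == "IT" and r.dst_zone == "OT":
            findings.append(f"{r.name}: direct IT->OT allow; sessions must terminate in the DMZ")
        if r.dst_port == "any":
            findings.append(f"{r.name}: any-port allow from {r.src_zone} to {r.dst_zone}")
        elif r.dst_port in ICS_PORTS and r.src_zone != "OT":
            findings.append(f"{r.name}: {ICS_PORTS[r.dst_port]} (port {r.dst_port}) reachable from {r.src_zone}")
    return findings


def first_match(rules: List[Rule], src_zone: str, dst_zone: str, dst_port: int,
                default: str = "deny") -> str:
    """Evaluate a flow the way a first-match firewall would; default is the implicit final rule."""
    for r in rules:
        if (r.src_zone in (src_zone, "any") and r.dst_zone in (dst_zone, "any")
                and r.dst_port in (dst_port, "any")):
            return r.action
    return default


# Flows a red team will try first; none of them should be allowed by policy.
FORBIDDEN_FLOWS: List[Tuple[str, str, int]] = [
    ("IT", "OT", 502), ("IT", "OT", 3389), ("IT", "OT", 44818), ("DMZ", "OT", 502),
]


def forbidden_flows_allowed(rules: List[Rule]) -> List[Tuple[str, str, int]]:
    """Flows from FORBIDDEN_FLOWS that the rulebase, evaluated in order, actually permits."""
    return [flow for flow in FORBIDDEN_FLOWS if first_match(rules, *flow) == "allow"]


# Constructed rulebase, in evaluation order. The vendor rule sits above the deny that was meant to stop it.
SAMPLE_RULES = [
    Rule("vendor-vpn",       "IT",  "OT",  502,   "allow"),   # remote vendor given Modbus straight into OT
    Rule("legacy-any",       "IT",  "DMZ", "any", "allow"),   # old catch-all nobody has cleaned up
    Rule("dmz-jump-rdp",     "DMZ", "OT",  3389,  "allow"),   # jump host to engineering workstation
    Rule("hist-replication", "OT",  "DMZ", 1433,  "allow"),   # historian pushes data outward
    Rule("ot-internal",      "OT",  "OT",  502,   "allow"),   # HMIs and PLCs inside the OT zone
    Rule("deny-it-to-ot",    "IT",  "OT",  "any", "deny"),    # shadowed by vendor-vpn for port 502
]

if __name__ == "__main__":
    for line in lint_rulebase(SAMPLE_RULES):
        print("lint:", line)
    for flow in forbidden_flows_allowed(SAMPLE_RULES):
        print("reachable despite policy:", flow)
```

The two functions answer different questions. `lint_rulebase` finds rules that should not exist at all, which is what remediation tickets are written against; `first_match` answers the question the red team is actually asking, "can an IT host reach this controller right now", and catches the common case where a correct deny rule is present but shadowed by an earlier allow. Re-running both after each change gives the retest evidence the reporting section calls for.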
Reporting and Remediation Guidance
The value of red team penetration testing lies not just in identifying weaknesses but in communicating them effectively. Reports should be tailored for multiple audiences:
- Executives: Clear explanation of risks, business impact and high-level recommendations.
- Engineers and operators: Technical guidance that translates findings into actionable configuration or process changes.
- Security teams: Detailed attack paths, detection gaps and monitoring improvements.
A remediation roadmap should prioritize fixes by criticality, balancing urgency with feasibility. For example, changing default credentials may be addressed immediately, while large-scale segmentation may require phased deployment. Follow-up testing or retesting validates that improvements truly close identified gaps.
Conclusion
Critical infrastructure faces a unique convergence of risks—aging systems, increased connectivity and adversaries willing to disrupt physical processes. Red team penetration testing provides operators with a practical way to assess how well defenses hold against determined attackers without causing operational downtime. From planning and safety rules to attack simulations and layered defense strategies, red team testing transforms theoretical security measures into real-world assurance. By acting on lessons learned and continuously improving defenses, organizations can safeguard vital services while maintaining trust in systems that society depends on every day. Partner with ValueMentor to implement expert red team testing and strengthen your critical infrastructure security today.
FAQs
1. What is red team pen testing of critical infrastructures?
Red team penetration testing is a controlled, simulated attack on ICS and OT systems to identify vulnerabilities and evaluate whether security defenses can detect and respond to real-world threats.
2. How does red team testing differ from ordinary penetration testing?
Whereas pen testing traditionally centers upon individual vulnerabilities, red team testing emulates advanced attacker behavior and links together a string of weaknesses in order to evaluate end-to-end ICS/OT security.
3. Why is red team testing beneficial for ICS and OT environments?
ICS and OT systems control physical processes where downtime has serious consequences. Red team exercises help operators uncover weaknesses that routine scans or compliance audits miss and build resilience more broadly.
4. What are the chief risks of red teams exercising in critical infrastructures?
The main risks are unintended interference with physical operations, tripping of safety systems, or unplanned downtime if testing is not carefully organized. Strict rules of engagement and safety controls mitigate these risks.
5. How do red teams actually conduct their testing with safety?
Red teams agree kill switches in advance, keep sensitive systems such as safety controllers out of scope for live exploitation, schedule activity during low-demand periods and coordinate with SOC and engineering teams so that test activity can be distinguished from a real attack and stopped before it causes harm.
6. What techniques are applied by red teams during ICS security testing?
Some techniques used are passive reconnaissance, protocol analysis (e.g., Modbus, OPC UA), pivoting from IT networks into OT networks and simulated attacks with digital twins or test environments.
7. Does red team testing disrupt day-to-day operations?
If the exercise is planned with safety constraints and stakeholder approvals in place, disruption to operations should be minimal while the exercise still yields realistic insight into possible attack paths.
8. How do red team findings translate into practice?
Findings feed directly into layered defenses: network segmentation, asset visibility, anomaly detection, access control and a prioritized remediation roadmap that strengthens ICS/OT security over time.
9. Who should be involved with the planning of a red team exercise?
Planning should involve operators, engineers, IT/security staff and senior management in defining objectives, scopes and escalation processes so that safe and effective testing can be carried out.
10. How often should critical infrastructures be subjected to red team penetration testing?
Routine exercises—at least once a year or following significant system changes—keep defenses current with changing threats and build upon lessons learned from past tests to improve security on an ongoing basis.