
OT pen testing: how to securely test operational technology for vulnerabilities

What is an OT pentest, and how do you safely test PLCs and SCADA systems? Discover the five-phase process, the typical vulnerabilities and the link with NIS2. Includes information on subsidies.
Image: an industrial network connection being tested during an OT pentest at a Flemish manufacturer

Summary: An OT pentest is a controlled security test of your industrial systems (PLCs, SCADA, HMIs) that exposes vulnerabilities without shutting down production. Unlike a classic IT pentest, the focus is on availability, not confidentiality. Passive analysis always precedes active testing, and aggressive scanning tools such as Nmap are avoided or strictly configured to prevent crashes of sensitive controllers.

Many Flemish manufacturing companies have their office networks tested annually by an ethical hacker. Firewalls are checked, servers scanned, applications scrutinized. But as soon as the conversation turns to the factory floor (the PLCs that control machines, the SCADA systems that monitor production processes, the HMI screens on which operators work), things go quiet. “We can’t touch that, because production must not shut down.” It’s an understandable reflex, but a dangerous one. This article explains exactly what an OT pentest entails, why it works fundamentally differently from an IT pentest, and how to get your operational technology tested safely.

What is an OT pentest and how is it different from an IT pentest?

An OT pentest is a controlled security test that focuses specifically on industrial systems: the controllers, networks and protocols that drive your machines and manufacturing processes. The goal is to identify and validate vulnerabilities without compromising the physical integrity or availability of the production process.

The fundamental difference from an IT pentest is in the priorities. In an office environment, data confidentiality is everything. A server that reboots briefly during a scan? Annoying, but acceptable. In an OT environment, that same moment can crash a PLC (Programmable Logic Controller), force an emergency shutdown and shut down an entire production line. Availability and physical safety are paramount here.

| Criterion | IT pentest | OT pentest |
| --- | --- | --- |
| Priority | Confidentiality of data | Availability and physical safety |
| Asset life cycle | 3 to 5 years | 15 to 25 years |
| Operating systems | Standardized (Windows, Linux) | Often proprietary, embedded or legacy |
| Protocols | Universal (TCP/IP, SSH, HTTPS) | Industry-specific (Modbus, PROFINET, DNP3) |
| Patch frequency | Weekly to monthly | Only during scheduled maintenance outages |
| Physical impact of a fault | Limited to data loss | Potentially destructive: production downtime, damage to machinery |
| Test environment | Redundant or virtually available | Often unique, limited testing facilities |
| Starting point | Active scans | Always passive analysis first |

That longer life cycle of OT assets is a crucial factor. Many Flemish manufacturing companies are still working with systems designed in an era when cybersecurity was not a consideration. Controllers communicate via protocols like Modbus TCP that, by nature, do not support encryption or authentication. A pentester must take this into account: standard IT scanning tools are often too aggressive for these fragile devices.

Why your OT environment should not go untested

The reasoning “our factory doesn’t hang on the Internet, so we’re safe” is no longer true. The convergence of IT and OT, driven by Industry 4.0, IIoT sensors and cloud-based analytics, has virtually eliminated the separation between office and factory floor in many companies.

The numbers confirm the risk. The Dragos 2026 OT Cybersecurity Year in Review report shows that in 2025 as many as 119 ransomware groups affected 3,300 industrial organizations, up 49% from the previous year. The manufacturing industry was by far the hardest hit, with two-thirds of all victims being manufacturing companies. Ransomware attacks on the manufacturing industry increased 56%, from 937 to 1,466 incidents.

And it almost never starts in the plant itself. In more than half of the ransomware incidents where production was disrupted, the infection started in the IT network and then spread to the OT environment. Consider the ransomware attack on Picanol in Ypres: the malware entered through the IT systems, but the impact on production in Ypres, China and Romania was total. Order management, machine control and logistics were so intertwined that everything was down for days.

An OT pentest validates exactly those transition points. Not testing the plant in isolation, but verifying that an attacker who penetrates the office network can also reach the production floor.

The five phases of a secure OT pen test

A professional OT test follows a five-phase process specifically designed to minimize risks to production. Each phase builds on the previous one, and the step to active testing is not taken until the environment is fully understood.

Phase 0: preparation and risk identification. Before even a single packet passes over the network, the scope is defined in close consultation with process engineers and security managers. Which systems are critical? Which should absolutely not be actively tested? This results in detailed “Rules of Engagement” that determine when testing takes place (preferably during a scheduled maintenance stop) and which systems are within scope.

Phase 1: passive exploration. Here lies the main difference from IT pentesting. Whereas an IT pentester immediately starts with active network scans, an OT pentester always starts passively. Via network TAPs or SPAN ports on switches, a copy of the traffic is read without disturbing the communication between PLCs and HMIs. In this way assets are identified, the network topology is mapped and protocols are analyzed, without a single additional packet entering the network.

Phase 2: validation of network segmentation. Is the separation between the corporate and industrial networks really effective? Testers look for unauthorized connections: systems connected to both networks (“dual-homed”), undocumented access paths, or industrial devices that can be reached directly from the Internet. Dragos research shows that organizations often believe their segmentation is in order, yet pentests regularly uncover hidden connections.

Phase 3: controlled vulnerability analysis. Only once the environment is fully mapped are careful active operations performed. Preferably this is done on a “digital twin” or in a laboratory environment that mimics the production installation. If testing has to be done on live systems, it is limited to configuration reviews, manual checking of firmware versions against known vulnerability databases, and very cautious, protocol-aware interactions.

Phase 4: reporting and remediation advice. The report of an OT pentest translates technical findings into operational risks. Recommendations take into account the limitations of OT: patching is often not directly possible, so compensating measures are suggested, such as “virtual patching” via industrial firewalls or tightened network segmentation. More on how to read such a report can be found in our article on interpreting a pentest report.
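As an added illustration of the passive exploration in phase 1 (example code written for this article, not code from Cyberplan or from any tool named above): a small Python parser that takes Modbus/TCP frames as a TAP or SPAN port would deliver them, builds a per-PLC inventory of which hosts read from and write to each controller, and flags write commands from hosts outside an approved list. Because Modbus has no authentication layer, that list of writers is exactly what a passive analyst wants to see. The frames, IP addresses and the approved-writer set are constructed sample data; in practice the frames would be read from a pcap.

```python
import struct
from collections import defaultdict

# Modbus/TCP function codes, split by whether they change controller state.
# The protocol has no authentication, so the passive analyst's question is:
# which hosts send writes to each PLC, and is every one of them expected?
READ_FUNCTIONS = {1, 2, 3, 4}       # read coils/inputs/holding/input registers
WRITE_FUNCTIONS = {5, 6, 15, 16}    # write single/multiple coils and registers

def parse_mbap(payload):
    """Parse the MBAP header + function code; None if not a plausible Modbus/TCP request."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:   # protocol id 0 = Modbus
        return None
    return {"transaction": tid, "unit": unit, "function": payload[7]}

def inventory(frames):
    """Passive inventory from (src_ip, dst_ip, tcp_payload) tuples: per PLC,
    the unit ids addressed and which hosts read from or write to it."""
    assets = defaultdict(lambda: {"units": set(), "readers": set(), "writers": set()})
    for src, dst, payload in frames:
        pdu = parse_mbap(payload)
        if pdu is None:             # not Modbus: ignored, never probed
            continue
        assets[dst]["units"].add(pdu["unit"])
        if pdu["function"] in WRITE_FUNCTIONS:
            assets[dst]["writers"].add(src)
        elif pdu["function"] in READ_FUNCTIONS:
            assets[dst]["readers"].add(src)
    return dict(assets)

def unexpected_writers(assets, approved_writers):
    """PLCs that receive write commands from hosts outside the approved set."""
    return {plc: e["writers"] - approved_writers
            for plc, e in assets.items() if e["writers"] - approved_writers}

def modbus_request(tid, unit, function, data):
    """Assemble a Modbus/TCP request; used here only to construct sample frames."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic as a SPAN port might deliver it; all addresses are made up.
SAMPLE_FRAMES = [
    ("10.10.20.5", "10.10.30.11", modbus_request(1, 1, 3, struct.pack(">HH", 0, 10))),  # SCADA poll
    ("10.10.20.5", "10.10.30.12", modbus_request(2, 1, 3, struct.pack(">HH", 0, 4))),   # SCADA poll
    ("10.10.20.7", "10.10.30.11", modbus_request(3, 1, 6, struct.pack(">HH", 40, 1))),  # engineering workstation
    ("10.10.1.44", "10.10.30.11", modbus_request(4, 1, 16, struct.pack(">HHB", 0, 2, 4) + b"\x00\x01\x00\x02")),  # office-LAN host
    ("10.10.1.44", "10.10.30.11", b"\x16\x03\x01\x00\x05\x01\x00\x00\x00"),  # not Modbus at all
]
```

Running `unexpected_writers(inventory(SAMPLE_FRAMES), {"10.10.20.7"})` on this sample reports the office-LAN host writing registers on the first PLC, the kind of IT-to-OT path phase 2 is meant to surface.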

Typical vulnerabilities an OT pentester finds at Flemish manufacturing companies

Vulnerabilities in OT environments are fundamentally different from what you find in an office network. Here are the five most common findings, based on industry data from Dragos, CISA and Nozomi Networks.

Flat network architecture. The lack of segmentation between IT and OT is the most common critical finding. Malware entering through a phishing email can spread unhindered to the production floor. 45% of the industrial environments surveyed lack sufficient visibility into the OT network to even detect suspicious activity.

Default passwords and missing authentication. PLCs and HMIs still running on factory-default credentials are far from exceptional. Protocols like Modbus TCP by their very nature have no authentication layer: whoever can send a command can control a machine.

Insecure remote access. VPN connections for vendors without multifactor authentication (MFA) or unmanaged remote desktop ports are a direct entry point. In 2025, 22% of all industrial security advisories concerned vulnerabilities in network edge devices, up from 16% in 2023.

Outdated software on HMI workstations. Windows XP or Windows 7 on operator stations is still the daily reality in many factories. These systems no longer receive security updates, but replacing them is complex because the associated industrial software does not always run on newer operating systems.

Unprotected engineering workstations. Computers with full access to PLC configurations that are also used for email and web browsing. One compromised workstation gives an attacker direct access to production logic.

The good news: according to Dragos, only 3% of the vulnerabilities found require immediate action. 71% can be addressed with compensatory measures or during the next scheduled maintenance shutdown. The trick is to know what vulnerabilities are out there, and that’s exactly what an OT pentest provides.

OT pentesting and NIS2: is it mandatory for the manufacturing industry?

The Belgian NIS2 law (Law of April 26, 2024) classifies the manufacturing industry as an “important sector.” Companies that meet the size criteria are required by law to demonstrate their cyber resilience. Article 21 requires entities to take “appropriate and proportionate measures” to manage cyber security risks, including regular evaluation of the effectiveness of those measures.

Although the law does not literally dictate how often you must perform a pen test, an OT pen test is one of the most effective methods of proving to regulators that technical controls such as network segmentation actually work. The CCB’s CyberFundamentals (CyFun) framework provides a structured set of controls against which you will be assessed. In doing so, an OT pen test serves as a practical gap analysis: which CyFun controls are adequately implemented, and where are the gaps?

You can read more about the NIS2 obligations for Flemish manufacturing companies in our article NIS2 and the Flemish manufacturing industry. An overview of the complete NIS2 legislation can be found in our NIS2 guide.

The financial threshold need not be an obstacle, by the way. Through the VLAIO cybersecurity improvement track, you can have up to 50% of the costs of an OT security assessment subsidized, with a maximum of €35,000 for larger tracks. An OT pen test fits within the PLUS trajectory (23 days of in-depth support including pen testing).

Frequently asked questions about OT pentesting

Can an OT pentest shut down my production?

Not if it is performed by specialized OT pentesters who follow the five-phase process. Testing always starts passively, critical systems are identified in advance and excluded from active testing, and where possible testing is done on a digital twin or during a planned maintenance shutdown. The goal is precisely to find the vulnerabilities that could otherwise shut down your production.

How often should I have an OT pen test performed?

For companies covered by NIS2, an annual OT pen test is recommended as part of the mandatory regular review. In addition, a test is required after significant changes to the OT network, such as the introduction of new machines, a firmware upgrade or a change in network architecture.

What is the difference between an OT pentest and a vulnerability scan?

A vulnerability scan automatically checks for known vulnerabilities, but does not validate whether they are actually exploitable. An OT pentest goes further: an ethical hacker simulates realistic attack scenarios, tests whether an attacker can move from IT to OT, and validates whether security measures work in practice. You can read more about this distinction in our article on pentest vs vulnerability scan.

Do my pentesters need specific OT certifications?

Yes. Given the physical risks, it is crucial that pentesters have OT-specific certifications in addition to IT security certifications (such as OSCP). The Global Industrial Cyber Security Professional (GICSP) combines IT security with industrial process knowledge and is considered the standard for OT pentesting. Always check that your pentesting partner has the appropriate certifications.

What does an OT pen test cost?

Costs vary greatly depending on the size of your OT environment, number of locations, and complexity of industry protocols. Through the VLAIO cybersecurity improvement program, you can have up to 50% of the cost subsidized.

My factory is “air-gapped.” Do I even need an OT pen test then?

A complete air-gap (physical separation without any connection) is rare in practice. USB sticks for firmware updates, laptops used both in the office and at the factory, or remote access for vendors create unnoticed connections. An OT pentest identifies exactly these invisible attack paths. Learn more about the difference between IT and OT security in our article IT vs OT security.

The next step

Cyberplan combines IT and OT pentesting in one integrated process. Our ethical hackers understand that a production machine does not deserve the same treatment as an office server, and that your production should not come to a halt. Wondering how your OT environment is doing? Schedule a no-obligation introductory meeting and find out where the vulnerabilities are before someone else does.