OT Cyber Security Assessment & IoT Penetration Testing
We test OT environments the way an engineer expects: passive discovery first, active testing only in isolated lab conditions, never blindly scanning live control networks. Specialist SCADA, ICS, and IoT device assessments from engineers with industrial automation backgrounds.
We Will Not Break Your Production Environment
The most common concern OT buyers raise before engagement is operational disruption. We have heard accounts of IT pen testers running nmap against a PLC and halting a production line. We operate by a different protocol entirely.
Passive-Only on Live Networks
PCAP capture and analysis only on live OT environments. Zero active probing, zero unsolicited packets sent to PLCs, RTUs, or HMIs.
Isolated Lab for Active Testing
Active and destructive testing is performed exclusively on lab-equivalent devices or digital twins. Production systems are never directly attacked.
All Traffic Pre-Authorised
Every tool and test script is reviewed and approved by your engineering team before a single packet is sent. No surprises.
Emergency Stop Procedures
Emergency stop procedures are agreed with your operations team before engagement begins. We can abort any test activity within seconds.
Maintenance Window Scheduling
Active testing, where required on live networks, is coordinated with your operations schedule and conducted during agreed maintenance windows.
From Silicon to SCADA Architecture
OT security requires a different methodology from IT penetration testing. Our engineers understand the Purdue Model, the difference between a DCS historian and a SCADA HMI, and why you cannot run a vulnerability scanner against a PLC. We test the full stack: from the network architecture down to the silicon.
Firmware Analysis
We extract and reverse engineer device firmware using binwalk and Ghidra to uncover hardcoded credentials, private encryption keys, and exploitable vulnerabilities. Aligned to IoT product security requirements and OWASP IoT Top 10. Reports formatted for PSTI Act and ETSI EN 303 645 compliance documentation.
Hardware Interface Testing
Physical interface attacks using JTAG, SWD, UART, SPI, and I2C to dump memory, gain shell access, and bypass secure boot. Chip-off flash extraction across NOR/NAND and eMMC targets on ARM, MIPS, and RISC-V platforms.
Industrial Protocol Analysis
Protocol-level testing across Modbus TCP/RTU, DNP3, BACnet/IP, OPC DA/UA, IEC 61850, Profinet, and EtherNet/IP. We test for buffer overflows, command injection, and authentication weaknesses without disrupting live control networks. Configuration review aligned to ICS configuration standards.
Purdue Model Architecture Review
Full Purdue Model verification across Levels 0-5. We validate that the Level 3.5 DMZ correctly isolates corporate IT from Level 0-2 OT assets, and that remote access, data historians, and vendor connections do not create uncontrolled pathways into your control network. Findings mapped to IEC 62443 zone-and-conduit requirements. See also: energy and utilities sector assessments.
Radio Frequency (RF) Testing
Software-Defined Radio (SDR) analysis of wireless communications: ZigBee, LoRaWAN, BLE 4.x/5.x, Z-Wave, NFC, and proprietary sub-GHz protocols (433/868/915 MHz). We test for replay attacks, weak encryption, unauthenticated commands, and protocol-level vulnerabilities in IoT device wireless stacks.
IEC 62443 Gap Analysis
Every OT assessment includes a structured gap analysis against IEC 62443 Component Requirements (CRs) and Foundational Requirements (FRs). Security Level determination, zone-and-conduit architecture review, and a prioritised remediation roadmap formatted for competent authority submission.
Protocol Coverage & Hardware Lab
Named protocols our engineers test across OT, IoT, and RF domains, backed by a dedicated hardware security lab.
Hardware Lab Capabilities
Our lab is equipped for invasive hardware security testing across embedded platforms.
Chip-Off Extraction
NOR/NAND flash and eMMC memory extraction for offline firmware analysis
JTAG/SWD Debugging
On-chip debugging across ARM, MIPS, and RISC-V targets
UART/SPI/I2C Analysis
Serial interface enumeration and data interception
Logic Analysers
Protocol capture and timing analysis on hardware buses
SDR (RF Analysis)
Software-Defined Radio for wireless protocol analysis and replay attacks
PCB Rework
Soldering stations and hot-air rework for component-level access
OT/IoT Risk Profile
Operational technology security is a regulatory requirement, not a discretionary exercise. ICS attacks have increased by 2,000% since 2020.
Attack Increase
Increase in attacks on industrial control systems since 2020, as OT/IT convergence expands the attack surface for critical infrastructure.
IEC Standard
The international standard for IACS security, increasingly required by critical infrastructure supply chains and referenced by UK competent authorities.
UK Regulations
UK NIS Regulations competent authorities are issuing OT-specific improvement notices at increasing frequency. Assessment is the primary compliance mechanism.
Controls
IEC 62443 Compliance Assessment
IEC 62443 is the international standard for industrial automation and control system (IACS) security. It is increasingly a procurement requirement for organisations selling into critical infrastructure supply chains, and a framework referenced by UK competent authorities in NIS Regulations assessments.
Asset Owners
Utilities, manufacturers, CNI operators
IEC 62443-2-1 (ISMS requirements) and IEC 62443-3-3 (system security requirements), with zone-and-conduit architecture review.
System Integrators
Control system integrators and OT service providers
IEC 62443-3-2 (security risk assessment) and IEC 62443-3-3 (system security requirements).
Product Manufacturers
IoT and ICS component manufacturers
IEC 62443-4-1 (secure development lifecycle) and IEC 62443-4-2 (component security requirements), including Security Level verification.
What the Gap Report Includes
IEC 62443 gap analysis is included as standard in every OT assessment. No separate procurement required.
NIS Regulations & NCSC CAF Alignment
For Operators of Essential Services (OES) under the UK Network and Information Systems Regulations 2018, OT security assessment is a regulatory requirement. Competent authorities are issuing improvement notices against organisations whose SCADA and ICS environments are not assessed and documented.
B4: System Security
- Asset inventory and patch status
- Vulnerability assessment
- Access control review
- Privileged account management
B5: Resilient Networks and Systems
- Network segmentation validation
- Purdue Model review
- DMZ architecture assessment
- Redundancy and recovery controls
C1: Service Protection Policies
- Security policy review against IEC 62443
- CAF requirements gap analysis
- Contractor and supply chain controls
- Change management security
Deliverables include a CAF objective mapping table (achieved, partially achieved, not achieved), an executive summary for board and SIRO briefing, and a technical findings annex formatted for engineering and IT teams. Documentation structured for competent authority submission.
Engagement Workflow
Structured to minimise operational friction and maximise the value of the testing window.
Architecture Review
We review network diagrams, P&IDs, and asset inventories to understand the complete flow between your HMI, Historian, PLCs, engineering workstations, and corporate IT network before any testing begins. No tools are run without your engineering team reviewing and approving them.
Isolated Lab Testing
For critical devices, we request a lab-equivalent or digital twin to test in our isolated hardware environment. This allows full destructive testing: firmware extraction, hardware interface attacks, and protocol fuzzing without any risk to live production systems.
Passive Network Discovery
On live SCADA and ICS networks, we begin with passive PCAP analysis: asset enumeration, protocol fingerprinting, and communication mapping without a single unsolicited packet sent to your control network. Active testing, where required, is conducted only during agreed maintenance windows.
Reporting and Compliance Mapping
We deliver reports in three tiers: executive summary for board reporting, technical findings for engineering and IT teams, and a compliance mapping table against IEC 62443 and NCSC CAF objectives. The engagement letter and scope documentation are formatted for submission to competent authorities.
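The passive discovery step above builds an asset inventory from captured traffic alone. The following is an added illustration, not the firm's own tooling: it parses constructed Modbus/TCP frames (as they would be decoded from a PCAP), records which clients talk to which PLC unit IDs with which function codes, and flags write requests from hosts outside an assumed engineering-workstation allowlist, the kind of custom detection rule an OT monitoring service would derive from such findings. The IP addresses and frames are constructed sample data.

```python
import struct
from collections import defaultdict

# Public Modbus function codes (Modbus Application Protocol spec); writes change PLC state.
FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
                  4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
                  15: "Write Multiple Coils", 16: "Write Multiple Registers"}
WRITE_CODES = {5, 6, 15, 16}

def parse_mbap(payload):
    """Parse one Modbus/TCP frame (7-byte MBAP header + PDU); None if malformed."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol ID is always 0; the length field counts unit ID + PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7], payload[8:]

def build_inventory(frames, engineering_hosts):
    """frames: (src_ip, dst_ip, dst_port, tcp_payload) tuples decoded from a capture.
    Returns {plc_ip: {units, functions, clients}} and writes from non-approved hosts."""
    inventory = defaultdict(lambda: {"units": set(), "functions": set(), "clients": set()})
    alerts = []
    for src, dst, port, payload in frames:
        if port != 502:          # only Modbus/TCP server traffic is of interest here
            continue
        parsed = parse_mbap(payload)
        if parsed is None:       # truncated or non-Modbus payload on port 502
            continue
        unit, fc, _data = parsed
        entry = inventory[dst]
        entry["units"].add(unit)
        entry["functions"].add(fc)
        entry["clients"].add(src)
        if fc in WRITE_CODES and src not in engineering_hosts:
            alerts.append((src, dst, unit, FUNCTION_NAMES.get(fc, f"FC{fc}")))
    return dict(inventory), alerts

# Constructed sample frames (not a real capture): an HMI read, an approved engineering
# write, a write from a corporate-side host, a truncated frame, and non-Modbus traffic.
SAMPLE_FRAMES = [
    ("10.1.2.10", "10.1.2.20", 502, bytes.fromhex("00010000000601030000000A")),
    ("10.1.2.30", "10.1.2.20", 502, bytes.fromhex("0002000000060106001000FF")),
    ("192.168.50.5", "10.1.2.21", 502, bytes.fromhex("0003000000060205000AFF00")),
    ("10.1.2.10", "10.1.2.20", 502, bytes.fromhex("00040000")),
    ("10.1.2.10", "10.1.2.20", 80, b"GET / HTTP/1.1\r\n"),
]
ENGINEERING_HOSTS = {"10.1.2.30"}  # assumed allowlist of hosts permitted to write
```

Calling `build_inventory(SAMPLE_FRAMES, ENGINEERING_HOSTS)` yields two PLCs in the inventory and a single alert for the coil write from 192.168.50.5; no packet is ever sent to the control network.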
What You Receive
Every OT/IoT assessment includes deliverables structured for three audiences: board-level stakeholders, engineering teams, and regulatory bodies.
Reports are delivered via our real-time penetration testing portal with role-based access. Also available in PDF and DOCX formats for auditor and competent authority submission.
Close the Loop. After the Assessment.
Your OT assessment identifies what is exploitable today. We feed those exact findings into our 24/7 Managed SOC and continuous OT monitoring, building custom detection rules for your industrial environment's specific attack surface and monitoring your IT/OT boundary for lateral movement between annual assessments.
Explore Defensive Services
Cloud Security Monitoring
Continuous monitoring of your cloud and OT-adjacent infrastructure for anomalous activity.
Managed Detection & Response
Custom detection rules tuned to the specific findings from your OT assessment.
Configuration Reviews
ICS configuration hardening reviews against CIS and vendor baselines.
Internal Network Testing
Pair with corporate IT testing for complete IT/OT security posture coverage.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
The best time to test your defences is now.
Join the high-growth companies relying on Precursor for continuous offensive and defensive security.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
OT and IoT security assessment pricing typically ranges from £8,000 to £30,000 or more depending on scope, environment complexity, and testing depth. A standard OT architecture review and passive network assessment for a single site averages £8,000 to £12,000. Comprehensive assessments including firmware extraction, hardware hacking, and protocol fuzzing typically cost £15,000 to £25,000. Large industrial environments with multiple sites, complex SCADA/DCS architectures, or safety-critical systems under NIS Regulations scope typically cost £20,000 to £30,000 or more. Device-specific IoT penetration testing (single product, embedded device) starts from £6,000 for firmware analysis and hardware testing. We provide fixed-price quotes after reviewing your architecture diagrams and testing objectives.
IT security tools and methodologies are fundamentally incompatible with OT environments. Standard vulnerability scanners such as Nessus and Qualys can crash PLCs and SCADA systems. We have seen a basic nmap scan take down a production line. IT security teams prioritise confidentiality; OT prioritises safety and availability. Those are different risk hierarchies requiring different expertise. Industrial protocols (Modbus, DNP3, BACnet) require specialist knowledge that IT security teams rarely possess. OT vulnerabilities often exist in proprietary firmware, hardware interfaces, and protocol implementations that IT scanners cannot assess. IEC 62443 and NIS Regulations require OT-specific assessments by qualified specialists. Most organisations use their IT security team for corporate environments while engaging OT specialists for industrial control systems.
Only with extreme caution, and typically only passive analysis. On live SCADA and ICS networks, we use passive PCAP capture: asset enumeration, protocol fingerprinting, and communication mapping without sending unsolicited packets. Active exploitation is performed in a lab environment or during agreed maintenance windows to ensure no impact on safety systems or production continuity. For critical systems, we request a digital twin or test environment that mirrors production.
Yes. True air gaps are rare in modern industrial environments. Most air-gapped networks have some connectivity for remote monitoring, vendor support, or data historians. USB drives and maintenance laptops bridge air gaps (Stuxnet demonstrated this). Wireless protocols such as ZigBee, LoRaWAN, and proprietary RF may provide unintended connectivity. IT/OT convergence initiatives are deliberately connecting previously isolated systems. Even truly isolated systems require security assessment to identify vulnerabilities that could be exploited if the air gap is bridged in future. OT security assessment validates your segmentation controls and identifies risks regardless of connectivity assumptions.
Yes. Our hardware lab is equipped with logic analysers, soldering stations, hot-air rework stations, and chip readers to extract data directly from flash memory and EEPROMs. We perform chip-off NOR/NAND and eMMC extraction, JTAG/SWD debugging on ARM, MIPS, and RISC-V targets, and UART/SPI/I2C interface analysis. The extracted firmware is reverse engineered using Ghidra and binwalk to identify hardcoded credentials, backdoors, and exploitable vulnerabilities.
Yes. Our testers have backgrounds in industrial automation and control systems engineering. We speak Modbus, Profinet, EtherNet/IP, DNP3, BACnet, IEC 61850, and OPC UA. We understand that an unsolicited nmap scan can crash a PLC, and we know how to assess industrial protocol security without causing downtime. We are not IT penetration testers rebranded as OT specialists.
In IT, confidentiality is the priority. In OT, safety and availability come first. That difference drives every aspect of methodology: passive-first on live networks, isolated lab environments for active and destructive testing, engineering-language reporting, and compliance mapping against IEC 62443 and NCSC CAF rather than CVE databases alone. Our methodology is designed by engineers who understand that a misconfigured scan can halt a production line.
Yes. For Operators of Essential Services under the UK NIS Regulations 2018, our assessment methodology maps directly to NCSC CAF Objectives B4 (System Security) and B5 (Resilient Networks and Systems), the two objectives most commonly flagged in OT improvement notices. Our deliverables include a CAF objective mapping table showing achieved, partially achieved, and not achieved status for your OT environment, an executive summary suitable for board reporting, and a technical findings annex formatted for engineering and IT teams. The assessment documentation can be submitted to your competent authority to demonstrate meaningful progress against an improvement notice. We have delivered assessments for Operators of Essential Services in energy, water, and transport sectors.
Yes. The UK Product Security and Telecommunications Infrastructure (PSTI) Act 2024 and ETSI EN 303 645 establish baseline security requirements for consumer connectable products, including default credential prohibition, vulnerability disclosure policies, and minimum software update periods. Our IoT product security assessment evaluates your device against PSTI Act Schedule 1 requirements and ETSI EN 303 645 provisions, covering firmware analysis, hardware interface testing, wireless protocol security, companion app security, and cloud API review. Reports are structured for submission to OEM procurement teams, regulatory assessors, and CE/UKCA certification processes, with CVSS scoring and OWASP IoT Top 10 mapping for engineering teams.