When it is okay to do a penetration test in OT

We get this request often: 
“Can you do a pen test on our OT network?” 
Usually from teams who’ve been doing it routinely in IT and assume the same applies to OT. 
Let’s clear the air.

Penetration testing is not routine in IT production either, and it shouldn’t be.

It’s intrusive by design. It simulates an actual attack. 
In OT, that can mean downtime, safety risks, or even physical damage. 
So why do people still ask for it? 
Because decision-makers often apply the IT security template to OT — without understanding the consequences. 
Is OT pen testing useful?

Yes — when done right. 
It shows what an attacker can actually do, which a passive vulnerability assessment can only infer. 
But it’s not plug-and-play. It demands timing, context, and maturity. 
Here’s when it’s actually okay to do a penetration test in OT: 

During factory or site acceptance testing (FAT/SAT) for greenfield projects

This is the best time to test your defenses. 
You’re not live yet. If something breaks, it’s a lesson, not a crisis. 
Use this window to learn what your devices tolerate: how they react to scans, unexpected traffic, and load, before a real process depends on them.

In a test environment

If you’ve got a lab setup that mirrors production — same devices, similar architecture — run your pen test there. 
Learn safely. Apply those lessons to your live environment. 

During planned downtime

Only if you’ve already done a passive vulnerability assessment, implemented compensating controls, and understand how your systems behave. 
This is high-risk territory. Proceed only if you’re confident in your processes and device responses, and only if the window leaves time to restore any device that does not come back cleanly.
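The passive vulnerability assessment named above as a prerequisite is the safe counterpart to a pen test: you learn what is on the network and who writes to it by reading traffic, never by sending any. The script below is an added example, not part of the original post, of what that looks like for Modbus/TCP. It parses a small constructed capture (hypothetical addresses 10.0.1.x, a PLC at 10.0.1.10, an HMI and an engineering workstation) and builds an inventory of units, function codes, touched address ranges, and which clients issue writes. The write-capable functions it flags are exactly what an active test would later exercise, and therefore what needs a tested recovery path first.

```python
"""Passive Modbus/TCP inventory from captured traffic (constructed example, not from the post).

Frames are parsed only; nothing is ever sent to a device.
"""
from dataclasses import dataclass, field
import struct

MODBUS_PORT = 502

# Public function codes from the Modbus Application Protocol specification.
FUNCTION_NAMES = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers", 0x04: "Read Input Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}
RANGE_FUNCTIONS = {0x01, 0x02, 0x03, 0x04, 0x0F, 0x10}  # data starts with (start, quantity)
SINGLE_FUNCTIONS = {0x05, 0x06}                          # data starts with (address, value)


@dataclass
class Frame:
    """One captured TCP payload with its endpoints (constructed for the example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass
class Server:
    """What passive observation reveals about one (server IP, unit id) pair."""
    functions: dict = field(default_factory=dict)  # function code -> request count
    ranges: dict = field(default_factory=dict)     # function code -> (first, last) address
    clients: set = field(default_factory=set)      # IPs that sent any request
    writers: set = field(default_factory=set)      # IPs that sent write requests


def parse_adu(payload):
    """Split a Modbus/TCP ADU into (unit_id, function_code, data); raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match frame length")
    return unit, payload[7], payload[8:]


def request_range(function, data):
    """Inclusive address range a request touches, or None if the PDU layout is unknown."""
    if function in RANGE_FUNCTIONS and len(data) >= 4:
        start, quantity = struct.unpack(">HH", data[:4])
        return start, start + max(quantity, 1) - 1
    if function in SINGLE_FUNCTIONS and len(data) >= 4:
        address = struct.unpack(">H", data[:2])[0]
        return address, address
    return None


def build_inventory(frames):
    """Return ({(server_ip, unit_id): Server}, [error strings]) from captured frames."""
    inventory, errors = {}, []
    for frame in frames:
        if frame.dst_port != MODBUS_PORT:
            continue  # responses and unrelated traffic are not needed for the inventory
        try:
            unit, function, data = parse_adu(frame.payload)
        except ValueError as exc:
            errors.append(f"{frame.src_ip} -> {frame.dst_ip}: {exc}")
            continue
        server = inventory.setdefault((frame.dst_ip, unit), Server())
        server.functions[function] = server.functions.get(function, 0) + 1
        server.clients.add(frame.src_ip)
        if function in WRITE_FUNCTIONS:
            server.writers.add(frame.src_ip)
        span = request_range(function, data)
        if span is not None:
            first, last = server.ranges.get(function, span)
            server.ranges[function] = (min(first, span[0]), max(last, span[1]))
    return inventory, errors


def report(inventory, errors):
    """Human-readable summary; the writers are what an active test would go on to exercise."""
    lines = []
    for (ip, unit), s in sorted(inventory.items()):
        funcs = ", ".join(f"{FUNCTION_NAMES.get(fc, f'0x{fc:02X}')} x{n}" for fc, n in sorted(s.functions.items()))
        lines.append(f"{ip} unit {unit}: {funcs}; clients {sorted(s.clients)}; writers {sorted(s.writers) or 'none'}")
        for fc, (first, last) in sorted(s.ranges.items()):
            lines.append(f"    {FUNCTION_NAMES.get(fc, fc)} addresses {first}-{last}")
    lines.extend(f"malformed: {err}" for err in errors)
    return lines


def adu(tid, unit, function, data):
    """Build a Modbus/TCP ADU; used only to construct the sample capture below."""
    return struct.pack(">HHHBB", tid, 0, 2 + len(data), unit, function) + data


# Constructed capture: an HMI polling, an engineering workstation writing, one junk frame.
HMI, EWS, PLC = "10.0.1.20", "10.0.1.30", "10.0.1.10"
CAPTURE = [
    Frame(HMI, 51000, PLC, 502, adu(1, 1, 0x03, struct.pack(">HH", 0, 10))),
    Frame(PLC, 502, HMI, 51000, adu(1, 1, 0x03, b"\x14" + bytes(20))),  # response, skipped
    Frame(EWS, 52000, PLC, 502, adu(2, 1, 0x10, struct.pack(">HHB", 100, 2, 4) + bytes([0, 1, 0, 2]))),
    Frame(EWS, 52000, PLC, 502, adu(3, 1, 0x06, struct.pack(">HH", 50, 1))),
    Frame(HMI, 51000, PLC, 502, adu(4, 2, 0x01, struct.pack(">HH", 0, 16))),
    Frame(HMI, 51001, PLC, 502, struct.pack(">HHHBB", 5, 7, 2, 1, 3)),  # protocol id 7: not Modbus
]

if __name__ == "__main__":
    print("\n".join(report(*build_inventory(CAPTURE))))
```

In a real engagement the frames would come from a SPAN port or tap capture rather than the constructed list, and the inventory would be compared against the asset register before anyone considers sending a single probe. Malformed frames are reported rather than dropped silently, because unexpected traffic on port 502 is itself a finding.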

When should you avoid it?

– If you’re unsure how your systems will react. 
– If you don’t have a test environment. 
– If you’re doing it just because “IT does it.” 
Pen testing in OT isn’t forbidden. 
It’s not mandatory either.

Use it when it helps. Avoid it when it hurts.

And always lead with context, not compliance. 
Let’s stop copy-pasting IT practices into OT. 
Start with understanding. 
Test like lives depend on it — because sometimes, they do.