AssessPenetration Testing

Scoping OT Remote Access Pen Tests: Key Considerations

By July 10, 2026No Comments

Penetration testing for OT remote access infrastructure demands more than a standard methodology—it requires operational awareness, protocol fluency, and a disciplined approach to rules of engagement. Done wrong, a pen test can disrupt the very systems it is meant to protect. Done right, it reveals the real exposure in your remote access layer before an adversary does.

Establishing Clear Rules of Engagement

Before any testing begins, defining the rules of engagement is essential to prevent operational disruptions and ensure stakeholder alignment. A successful OT pen test must open with a detailed scope that names stakeholders, test windows, escalation contacts, required PPE or safety training, and critical assets. For remote access infrastructure specifically, this means identifying which systems are in scope—such as remote terminal units and SCADA servers—and which are explicitly excluded, such as safety-critical or life-safety devices.

Permitted testing types must also be defined up front. The line between passive network analysis and active enumeration is not academic in OT environments—it determines whether a fragile endpoint survives the assessment window. Operators should document fragile endpoints that require special handling. A Siemens SIMATIC system may need specific constraints during testing, while a Rockwell PLC can be sensitive to unexpected broadcast traffic or network congestion. Embedding these details in the rules of engagement prevents unintended consequences and keeps the engagement operationally safe.

Passive Discovery Before Any Active Testing

Passive discovery is the appropriate first move in any OT assessment, and pen tests are no exception. By analyzing network traffic, configuration files, PCAPs, and flow logs without interacting directly with devices, the testing team can map remote access pathways and identify misconfigurations before a single active packet is sent.

This approach is especially valuable in environments with legacy systems or incomplete documentation—both of which are routine in industrial operations. Passive analysis can expose unsecured remote access ports such as Modbus TCP on port 502, unencrypted OPC UA communications, or third-party vendor tunnels that bypass standard access controls. According to NIST SP 800-82, passive monitoring is a foundational technique for characterizing ICS network behavior without introducing operational risk.

Passive discovery alone is not sufficient, however. It must be combined with manual validation and engineering context to translate findings into operational risk. A vulnerability in a DNP3 server has very different implications depending on whether that server sits behind a hardened firewall or is reachable via an unsecured remote access tunnel.

Active Testing: Rate-Limited and Protocol-Aware

Active testing confirms vulnerabilities and assesses exploitability, but in OT environments it must be approached with deliberate restraint. Testing must be rate-limited and adapted to the sensitivities of industrial protocols and device types. Flooding an OT network with scan traffic that would be unremarkable in an IT environment can cause PLCs to miss cyclic updates or HMIs to lose controller communication.

For remote access infrastructure, active testing should be tailored to the protocols in use. Testing an OPC UA remote access server requires understanding its secure channel negotiation and endpoint certificate validation. Testing a Modbus-based system may focus on checking for unauthenticated access over unencrypted channels. In both cases, testing should be scheduled during approved maintenance windows to minimize production impact.

Third-party remote access deserves focused attention during active testing. Many industrial incidents originate through vendor remote access channels that carry weaker authentication or broader network access than internal policies would permit for employees. Testing should verify that remote access solutions are enforced with strong authentication—including multi-factor authentication—and that tunnels use TLS 1.2 or higher. The MITRE ATT&CK for ICS framework documents initial access techniques that frequently exploit exactly these vendor-facing gaps.

Standards and Vendor-Specific Considerations

Scoping a pen test for OT remote access must incorporate applicable industry standards alongside platform-specific guidance. IEC 62443 provides the clearest framework for segmentation and access control in industrial environments, establishing security zones and conduits as the structural basis for containing remote access. A pen test should validate that remote access systems are isolated within defined security zones, with firewall rules and protocol-aware boundaries enforced at zone boundaries.

NIST SP 800-82 recommends secure remote access using multi-factor authentication and encrypted tunnels as baseline controls. These should be confirmed during testing rather than assumed. NERC CIP requirements impose additional obligations for bulk electric system operators, and the pen test scope should reflect any applicable CIP controls governing electronic access points.

Vendor guidance adds another layer. Siemens recommends SIMATIC NET for secure remote access with certificate-based authentication. Rockwell advises configuring PlantPAx systems with role-based access controls and network segmentation between the enterprise and control zones. Where vendor-specific configurations are in place, the pen test should verify those configurations match vendor hardening recommendations—not just generic security baselines.

Validate Remediation Without Compromising Operations

Identifying vulnerabilities is only half the work. Every remediation applied after a pen test finding must be validated to confirm that controls meet their design objectives without degrading operational performance. This validation step is frequently skipped under schedule pressure, and it is where new risk is often inadvertently introduced.

For remote access infrastructure, post-remediation validation might include confirming that updated firewall rules correctly enforce zone boundaries, that MFA enforcement does not break legitimate vendor sessions, and that segmentation changes have not disrupted communications between the control system and historian or HMI layers. If a DNP3 server was segmented behind a new firewall rule following a pen test finding, validation should confirm the rule is enforced and that the polling relationship between the master and RTU remains intact.

Treating validation as a required phase—not an optional follow-on—is what separates a pen test engagement that reduces risk from one that simply generates a findings report. Controls that are deployed but not confirmed functional provide a false sense of security that can be more dangerous than no control at all.

Reporting That Supports Operational Decision-Making

A pen test report for OT remote access infrastructure must do more than list findings. It should give operators the information they need to make prioritization decisions under real constraints: which vulnerabilities are exploitable from outside the network, which require existing access to trigger, which have compensating controls already in place, and which remediation actions can be implemented without a maintenance window.

The report should include an executive summary for leadership, a prioritized finding list with operational risk rationale, and replication details sufficient for the engineering team to validate each finding. Findings should be ordered by exploitability, potential operational consequence, and exposure—not by CVSS score alone. A critical-rated CVE on an air-gapped historian carries less immediate urgency than an authentication bypass on a vendor-facing remote access server reachable from the internet.

Conclusion

Scoping a penetration test for OT remote access infrastructure requires a deliberate balance between thoroughness and operational safety. Establishing clear rules of engagement, leading with passive discovery, applying active testing with protocol awareness and rate limiting, integrating applicable standards, and validating every remediation are the steps that make a pen test genuinely useful rather than potentially harmful. Each element of the scope shapes whether the engagement produces actionable intelligence or operational disruption—and in industrial environments, the margin for error is narrow.

Ready to scope a penetration test that fits your OT environment? Contact Red Trident to discuss how we approach remote access testing in industrial operations without putting production at risk.

author avatar
Emmett Moore