Macksofy Technologies
ICS / SCADA · IEC 62443 · NIST SP 800-82 · Purdue-aware

IoT & OT Security Assessment in India & UAE — ICS, SCADA, smart products.

OT-aware penetration testing for industrial control systems, smart meters, BMS, medical devices and connected products. We test live without tripping safeties, map IT→OT pivot paths, and report in language your plant manager and your auditor both accept.

IEC 62443 · NIST SP 800-82r3 · MITRE ATT&CK ICS · NIS2 OT · NCA-ECC OT · CEA cyber guidelines
HMI · station-04 · live · 5 active alarms
Pressure 612 kPa · Temperature 287 °C · Flow 142 L/min

Findings stream
  • 10:42:18 · OT-MOD-001 · PLC-04 · S7-300 · Unauthenticated write to DB10.DBW0 from EWS-12 outside change window
  • 10:42:17 · OT-AUTH-014 · HMI-02 · WinCC · Default supervisor account · last password change > 1100 days
  • 10:42:11 · OT-NET-022 · RTU-19 · IEC-104 · ASDU spoof simulation accepted — no Secure-Auth handshake observed
  • 10:41:58 · OT-BAC-007 · BMS-Gw1 · BACnet · Broadcast write-property from guest VLAN 412 → setpoint 22→34 °C
  • 10:41:42 · OT-DMZ-003 · Vendor-RDP · Always-on tunnel · shared account · no MFA, no session recording

7 nodes · 312 tags · IEC-62443 SL2 baseline
Why OT is not just IT with PLCs

Wrong tooling on a process network trips real things.

A misfired Nmap run can drop a turbine. We treat OT engagements with the same safety mindset your reliability engineers do — written envelope, passive-first, ICS-validated tooling, stop signals.

Different priorities

IT optimises for confidentiality. OT optimises for safety and availability — in that order.

  • A 30-second outage on Modbus is a process incident, not a ticket
  • Engineering changes follow MoC, not Jira tickets
  • Devices are rated for 20-year service · patching is rare

Fragile protocols

Modbus, S7, DNP3 and IEC-104 were designed for serial buses inside a fence. Now they ride Ethernet.

  • Most field protocols have no authentication at all
  • Generic scanners crash banner-less ICS stacks
  • Even read-only probing can change asset state

Physical impact

An OT finding maps to a process consequence — pressure relief, valve drift, generator trip.

  • Findings must read in physics + safety language
  • Risk is measured against PHA / HAZOP — not CVSS alone
  • Mitigations have to clear MoC + commissioning windows

Purdue model

Five layers, one pivot path.

The Purdue reference model is how every OT auditor thinks about your plant. We assess every layer — corporate IT, the industrial DMZ, operations, supervisory control and the process — and demonstrate how an attacker walks from a phishing email to a setpoint change.

  • Tiered admin model + jump-host audit
  • OT zone & conduit diagram per IEC 62443-3-2
  • Engineering workstation hardening review
  • IT→OT pivot demonstration (read-only by default)
  • Safety-instrumented-system isolation validation
Purdue layers as we assess them:

  • L5/L4 · Enterprise zone: Corp IT · ERP · email · Active Directory (M365 · SAP · AD DCs · file shares)
  • L3.5 · Industrial DMZ: Jump hosts · historian replicas · patch + AV servers (Jump · WSUS · vendor RDP gateway)
  • L3 · Operations / manufacturing: Historians · MES · engineering workstations · plant AD (OSIsoft PI · Wonderware · Step 7 EWS)
  • L2 / L1 · Supervisory + control: HMIs · SCADA servers · PLCs · RTUs · safety logic (WinCC · iFIX · Siemens S7 · Allen-Bradley · GE Mark VIe)
  • L0 · Process / physical: Sensors · actuators · transmitters · valves · drives (4-20 mA loops · HART · Profibus · 802.15.4)

Protocol attack surface

Twelve protocols we see on every plant floor.

Each one carries a different blast radius. We carry the ICS-specific tooling and the operator-side know-how to validate which ones are exposed — without bricking the device under test.

Protocol          Where               Risk   Weakness                                    Port
Modbus TCP        Field · L1/L2       high   Unauthenticated function-code writes        :502
S7Comm            Field · Siemens     crit   Plaintext stop/start CPU + program upload   :102
DNP3              Utility telemetry   high   Secure Auth often disabled · replay         :20000
IEC 60870-5-104   Power · SCADA       crit   No authentication · spoofable ASDU          :2404
IEC 61850 GOOSE   Substation L1       crit   Multicast L2 · trip-command spoofing
Profinet          Field · L1/L2       high   DCP discovery + unauthenticated writes
BACnet/IP         BMS · HVAC          high   Broadcast write-property · setpoint manip   :47808
OPC UA            L2/L3 broker        med    Cert pinning skipped · self-signed trust    :4840
MQTT              IoT broker          med    Wildcards + missing ACLs · anon publish     :1883
LoRaWAN           IoT field RF        med    AppKey reuse · downlink injection
Zigbee 3.0        IoT mesh            med    Touchlink commissioning + key leakage
HART-IP           Process L0/L1       med    Instrument config + calibration spoof       :5094

Connected products

Hardware. Firmware. Radio. Cloud.

Product-side IoT testing is its own discipline. We extract firmware, walk JTAG / UART / SPI, replay BLE pairing, fuzz LoRa downlinks and test the cloud back-end and OTA pipeline — because a fielded device gets attacked at every layer the vendor forgot.

Smart meters · Medical (IoMT) · Connected vehicles · Wearables · Smart-home gateways · Industrial IoT sensors · ANPR / CCTV · EV chargers

Hardware

  • Debug interfaces: UART, JTAG, SWD, SPI flash dump
  • Glitching / fault-injection on secure boot
  • Voltage rail probing + clock-edge analysis
  • Tamper-evidence + sticker / seal review

Firmware

  • Binwalk extraction + Ghidra reverse engineering
  • Hard-coded creds, private keys, debug back-doors
  • Insecure update / OTA signature bypass
  • Cryptographic primitive misuse (ECB, static IV)

Wireless

  • BLE pairing replay + GATT enumeration
  • Zigbee touchlink + key extraction
  • LoRaWAN AppKey reuse · downlink injection
  • Sub-GHz / 802.15.4 / NB-IoT SDR capture

Cloud + companion app

  • MQTT / CoAP broker ACL bypass
  • Cross-account device-claim takeover
  • Companion-app pinning + provisioning flow
  • OTA bucket exposure + update-server abuse

Why this matters now

The OT/IoT bill is coming due.

Power, water, oil & gas, manufacturing and connected-product makers are now inside the regulatory frame in both India and the GCC. The question is no longer if OT will be audited — it’s whether the report passes.

  • Avoid the headline-grade incidents (Colonial, Oldsmar, Stuxnet-class) before regulators force the question
  • Satisfy IEC 62443, NIS2, NCA-ECC OT controls and India's CEA cyber security guidelines for power utilities
  • Quantify IT→OT pivot risk concretely — not as 'air-gap assumed'
  • Build the OT asset inventory + network baseline that compliance keeps asking for
  • 62443 · Zone & conduit SLs assessed end-to-end
  • 0 · Process trips caused on a Macksofy OT engagement
  • 60d · Free retest window on high / critical findings
  • 20+ · OT protocols carried in our active toolset

OT-aware methodology

How a Macksofy OT engagement actually runs.

Six stages, three-to-five weeks for a typical site assessment. Built around your reliability and safety engineers — not around our toolkit.

  1. Safety envelope & scoping · 3–5 days

     Site walk-down with reliability + safety. PHA review. Zone & conduit map. Stop-test signals.

  2. Passive discovery · 5–7 days

     SPAN / TAP capture for Modbus, DNP3, S7, Profinet, OPC UA, BACnet, IEC-104. Asset inventory build.

  3. IT / OT boundary · 3–4 days

     DMZ + jump-host audit. EWS hardening. Vendor / remote-support exposure mapping.

  4. Targeted active testing · 5–8 days

     ICS-aware validation. HMI + historian auth. Firmware reverse-engineering. Wireless audit.

  5. Pivot simulation · 2–3 days

     Read-only IT→OT lateral path demonstration. EWS → PLC capability. SIS isolation validation.

  6. Report & retest · 4–5 days

     IEC 62443 + MITRE ATT&CK ICS mapping. Plant-manager + CISO summary. 60-day retest.

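As an added example (not Macksofy's own tooling), here is the passive-discovery idea from stage 02 in code: a parser for Modbus/TCP request frames taken from a SPAN/TAP capture that builds a per-PLC inventory of unit ids and function codes, and flags write function codes seen outside an agreed change window (the Modbus analogue of the OT-MOD-001 finding above). The IP addresses, timestamps, frames and change window are constructed assumptions.

```python
import struct
from collections import defaultdict
from datetime import time

# Modbus function codes that change controller state (coils / holding registers).
WRITE_FCS = {5, 6, 15, 16, 22, 23}

def parse_mbap(payload: bytes):
    """Parse a Modbus/TCP frame: 7-byte MBAP header followed by the function code.
    Returns (unit_id, function_code), or None if the frame is not well-formed Modbus."""
    if len(payload) < 8:
        return None
    _tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0 for Modbus; length counts the unit id plus the PDU.
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return unit_id, payload[7]

def build_inventory(frames, change_window=(time(22, 0), time(23, 59))):
    """frames: (hh:mm:ss, src_ip, dst_ip, payload) request tuples from a SPAN/TAP capture.
    Returns ({(plc_ip, unit_id): {function codes seen}}, [alerts]); write function codes
    observed outside change_window are reported as alerts (the window is an assumption)."""
    inventory = defaultdict(set)
    alerts = []
    for ts, src, dst, payload in frames:
        parsed = parse_mbap(payload)
        if parsed is None:          # not Modbus, or truncated: skip silently
            continue
        unit_id, fc = parsed
        inventory[(dst, unit_id)].add(fc)
        hh, mm, ss = (int(x) for x in ts.split(":"))
        in_window = change_window[0] <= time(hh, mm, ss) <= change_window[1]
        if fc in WRITE_FCS and not in_window:
            alerts.append({"ts": ts, "src": src, "dst": dst, "unit": unit_id, "fc": fc,
                           "reason": "write function code outside change window"})
    return dict(inventory), alerts

# Constructed sample capture (hypothetical addresses): EWS 10.20.3.12 talking to PLC 10.20.1.4.
SAMPLE_FRAMES = [
    ("10:42:10", "10.20.3.12", "10.20.1.4", bytes.fromhex("000100000006010300000010")),        # FC3 read 16 regs
    ("10:42:18", "10.20.3.12", "10.20.1.4", bytes.fromhex("000200000006010600100022")),        # FC6 write reg 16 := 34
    ("22:15:00", "10.20.3.12", "10.20.1.4", bytes.fromhex("0003000000090110000000010200aa")),  # FC16 inside window
    ("10:43:00", "10.20.3.12", "10.20.1.4", bytes.fromhex("000400010006010300000001")),        # bad protocol id, skipped
]

if __name__ == "__main__":
    inv, found = build_inventory(SAMPLE_FRAMES)
    for (plc, unit), fcs in inv.items():
        print(f"{plc} unit {unit}: function codes {sorted(fcs)}")
    for alert in found:
        print("ALERT", alert)
```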
Why Macksofy for OT & IoT

We don’t just bolt OT onto a pentest service line.

OT requires operator-grade discipline plus offensive-security tradecraft. Here’s what makes a Macksofy industrial engagement different.

CERT-In + OT-trained

CERT-In empanelled auditor with operators carrying IEC 62443 cybersecurity practitioner credentials alongside OSCP.

Zero process trips

Passive-first, written safety envelope, ICS-validated tooling. No Nessus storms on a Modbus segment.

Operator language

Findings are mapped to process consequence, PHA / HAZOP categories and MoC realities — not just CVSS.

60-day free retest

Fix it, ship it, ping us. We re-test every High / Critical free of charge and issue a closure letter your auditor will accept.

Engagement snapshot

What we found inside real OT estates.

State Electricity Utility (India)

220 kV substation SCADA + RTU fleet

Finding · Engineering workstation reachable from corporate AD with cached domain creds → PLC logic-modification capability across three substations

Critical — IT→OT pivot path closed via jump-host + tiered admin model before the next CEA audit cycle

Risk severity · Critical
GCC Refinery Operator

DCS + safety instrumented system review

Finding · Vendor remote-support VPN terminated inside Level 2 with no MFA + shared service account

High — replaced with broker-mediated session + per-engineer credential within the engagement window

Risk severity · Critical
Smart Building / Data Centre (Mumbai)

BMS + CCTV + access-control fabric

Finding · BACnet broadcast write-property exposed on guest VLAN → HVAC setpoint manipulation possible from break-room jack

High — segmentation + BACnet/SC migration roadmap delivered

Risk severity · High
ICS-validated tooling

Built for the process network.

The same tooling used by national lab OT teams and ICS vendors’ own pre-release hardening squads — never a generic IT scanner pointed at a PLC.

Tools we operate
Wireshark + ICS dissectors · GRASSMARLIN · Claroty CTD (read-only) · Nozomi Guardian (read-only) · ICSSPLOIT · PLCScan · Redpoint · ModScan / mbtget · S7scan · Shodan ICS filters · Binwalk + Ghidra (firmware) · HackRF + SDR tooling

Compliance evidence

One engagement, every OT framework.

Findings are mapped so a single Macksofy OT assessment satisfies IEC 62443, NIST SP 800-82, MITRE ATT&CK for ICS, CEA cyber guidelines (India), NIS2 (EU), NCA-ECC OT controls (KSA) and CERT-In advisories.

CERT-In

Information security auditor empanelled by CERT-In (Indian Computer Emergency Response Team)

RBI CSF

RBI Cyber Security Framework + System Audit Reports

SEBI CSCRF

Cybersecurity & Cyber Resilience Framework for capital markets

ISO 27001

ISMS implementation, internal audit and certification support

PCI-DSS

Payment card industry — ASV scans, internal audit, pentest

GDPR

Article 32 controls, DPIA, data flow mapping

HIPAA

Healthcare data protection (relevant for India + UAE health-tech)

UAE NESA / SIA

UAE National Electronic Security Authority compliance

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled · Govt of India · MeitY
EC-Council ATC · Authorized Training
ISO 27001 Certified · Info Security Mgmt

We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.
Aisha Khan
Information Security Manager · Listed Fintech · BKC, Mumbai
The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.
Inspector K. Joshi
Cyber Cell · Maharashtra Police · Mumbai
Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.
Vivek Iyer
DevSecOps Lead · Healthcare SaaS · Hyderabad
FAQ

Things people ask before signing.

No — the engagement is built around a written safety envelope agreed with your reliability and safety engineers. We default to passive techniques, and any active testing happens against approved targets in approved windows with a documented stop-test signal. We have never caused a process trip on a Macksofy OT engagement.
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled
Information Security Auditor · India
  • CERT-In Empanelled
  • EC-Council ATC · CompTIA Authorized
  • 20,000+ professionals trained
  • India + UAE engagements