
Threat Actors Don’t Wait For Your Annual OT Pen test

Annual OT pen tests provide snapshots. Real attackers operate continuously. Why your operational technology security strategy needs to evolve.


Threat actors don’t operate on your compliance schedule. They don’t wait 364 days between your annual pen tests to probe your SCADA systems or exploit your PLCs. They’re patient, persistent, and they’re already probing your network.

Yet most organisations treat OT security as a box-ticking exercise – an annual event that delivers a report, a warm feeling, and nothing close to actual resilience.

Operational Technology has been stuck in a compliance mindset for too long. Whether it’s part of an internal programme or driven by regulatory requirements, it gets revisited maybe once a year. You commission a pen test, receive the report, and assume things are under control.

They’re not. And it’s time to challenge the traditional approach to OT cybersecurity.

What is Operational Technology (OT)?

Operational Technology refers to the systems that monitor and control physical processes – from power grids and water treatment plants to factory floors and rail networks. These are the systems that make the world go around, and for decades they were isolated, bespoke and very rarely connected to the outside world.

In today’s connected world that is no longer the case. Systems that were once air-gapped are now linked through corporate networks, remote connections and cloud interfaces.

Three dangerous misconceptions about OT security

1 – We’re not a target

This is why we say ‘You Deserve to be Hacked’ – not because your defences are bad, but because you’re valuable. Every organisation holds something of value, whether that’s operational data, intellectual property or simply the ability to be leveraged for disruption.

Many attacks aren’t even targeted at first. Attackers scan broadly, looking for low-hanging fruit. You don’t need to be critical infrastructure to be hit; you just need to be accessible.

2 – We’re air-gapped

This is something I have experienced time and time again: very few environments truly are. Even when isolation exists on paper, engineers and vendors still use USB drives, laptops, CD-ROMs (yes, still) and remote connections to maintain systems. Each of these crosses the air gap and introduces risk.

3 – We’ve had a pen test though

Traditional penetration tests provide a point-in-time snapshot of your security posture today. But what about next week? Real attackers operate continuously – probing, waiting, adapting. As soon as a report is delivered, its relevance starts to decay.

Yes, a one-time test can identify vulnerabilities, but it rarely replicates the persistence, creativity and patience of a real threat actor.

Why traditional pen tests fall short in OT

In practice, traditional penetration tests often:

      • Focus on IT perimeter systems, leaving OT environments out of scope completely
      • Rely on limited and constrained time windows, which can miss complex attack paths
      • Avoid testing live systems due to availability concerns
      • Deliver static reports that become outdated within weeks

This approach worked when OT was isolated. It doesn’t work now.

Common OT weaknesses attackers exploit

Across every sector we tend to see the same issues reported repeatedly:

      • Legacy systems that cannot be patched or monitored effectively
      • Flat networks where IT and OT share credentials or connectivity, allowing lateral movement
      • Insecure remote access solutions – VPNs with weak authentication, or worse, exposed RDP
      • Default or hardcoded credentials in PLCs and controllers
      • Poor visibility – arguably the most critical gap. Defenders cannot protect what they cannot see.

Each of these can serve as a foothold for a threat actor. A compromise may start small – a phished corporate account, an exposed remote access service – but given enough time, attackers pivot from IT into OT systems.
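The flat-network, exposed-remote-access and poor-visibility weaknesses above all show up in the same place: traffic crossing the IT/OT boundary. The following script is an added example, not code from the original article, that audits flow records for exactly those crossings. The zone subnets, the port lists and the sample flow records are constructed for the illustration and are not drawn from any real environment; a practitioner would substitute their own zone model and feed it firewall or NetFlow exports.

```python
"""Audit flow records for IT/OT zone-boundary violations.

Added illustration for the 'flat networks', 'exposed RDP' and 'poor
visibility' weaknesses discussed above; not code from the original article.
Subnets, port lists and flow records are constructed sample data.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Assumed zone model (constructed for the example): an OT zone, the IT
# corporate zone and a DMZ; anything else is treated as external.
ZONES = {
    "ot":  [ip_network("10.20.0.0/16")],
    "it":  [ip_network("10.10.0.0/16")],
    "dmz": [ip_network("10.15.0.0/24")],
}

# Remote administration ports that should never cross a zone boundary.
REMOTE_ADMIN_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC", 23: "Telnet"}
# Industrial protocol ports that should stay inside the OT zone.
OT_PROTOCOL_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 102: "S7comm", 20000: "DNP3"}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or 'external' if it matches none."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "external"


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst dport proto' whitespace-separated record."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)


def audit_flow(flow: Flow) -> list[str]:
    """Return human-readable findings for one flow (empty list if clean)."""
    findings = []
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if dz == "ot" and sz != "ot":
        # Any flow entering OT from another zone is the lateral-movement path
        # the article warns about; industrial protocols are the worst case.
        if flow.dport in OT_PROTOCOL_PORTS:
            findings.append(f"{OT_PROTOCOL_PORTS[flow.dport]} into OT from {sz} zone ({flow.src} -> {flow.dst})")
        elif flow.dport in REMOTE_ADMIN_PORTS:
            findings.append(f"{REMOTE_ADMIN_PORTS[flow.dport]} into OT from {sz} zone ({flow.src} -> {flow.dst})")
        else:
            findings.append(f"unexpected {sz} -> ot flow to port {flow.dport} ({flow.src} -> {flow.dst})")
    if sz == "external" and dz != "external" and flow.dport in REMOTE_ADMIN_PORTS:
        # Remote admin reachable from the internet: the 'exposed RDP' weakness.
        findings.append(f"{REMOTE_ADMIN_PORTS[flow.dport]} exposed to the internet on {flow.dst}")
    return findings


def audit_log(lines) -> dict[str, list[str]]:
    """Return {record: findings} for every record that raised at least one finding."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        findings = audit_flow(parse_flow(line))
        if findings:
            report[line] = findings
    return report


# Constructed sample records: two IT -> OT crossings, one internet-facing RDP
# service in the DMZ, and two benign flows that should not be reported.
SAMPLE_FLOWS = """\
# src dst dport proto   (constructed sample records)
10.10.5.23 10.20.1.10 3389 tcp
10.10.5.23 10.20.1.12 502 tcp
203.0.113.7 10.15.0.5 3389 tcp
10.20.1.10 10.20.1.12 502 tcp
10.10.5.23 10.15.0.5 443 tcp
""".splitlines()

if __name__ == "__main__":
    for record, findings in audit_log(SAMPLE_FLOWS).items():
        for finding in findings:
            print(f"[!] {record}: {finding}")
```

Run against the sample data, it reports the RDP and Modbus/TCP flows from the IT subnet into OT and the RDP service reachable from the internet, and stays silent on the OT-internal Modbus traffic and the IT-to-DMZ HTTPS flow. The useful property is that the zone model is explicit: if a flow is flagged that the business insists is legitimate, that is a conversation about the boundary design rather than a gap nobody can see.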

If there is one thing to do today, it’s this:

Assume compromise.

Test continuously how an attack would unfold, moving from a compliance-driven approach to a threat-driven one.

Continuous adversarial testing should be a standing part of your OT security lifecycle, not an optional annual exercise.

Where OT Meets IoT

As more sensors, controllers and smart devices are connected, the line separating OT from IoT starts to blur. The “Industrial Internet of Things” (IIoT) brings much-needed efficiency and data insight, but it also expands the attack surface dramatically.

Continuous offensive testing can bridge this gap. It helps organisations understand how vulnerabilities in connected devices, cloud platforms and traditional OT systems intertwine, and how to defend them as one ecosystem – not as isolated silos.

The bottom line

OT security isn’t an annual event. It’s continuous adaptation against adversaries who never stop evolving. Traditional pen tests provide snapshots. Real attackers operate in real time.

The question isn’t whether your OT environment has vulnerabilities. It does.
The question is: are you testing like attackers operate, or like compliance demands?