Oct 16, 2025

Uncovering hidden risks in operational technology systems with red teaming

  • Article
  • cybersecurity
  • operational technology
  • Red teaming

Operational technology (OT) systems are the backbone of modern industrial operations, powering everything from energy grids to manufacturing plants. As these systems become increasingly interconnected and digitalized, their exposure to cyber threats grows, making robust cybersecurity strategies not just a technical necessity but a matter of operational resilience. One approach gaining traction among security professionals is OT red teaming: a proactive method to uncover hidden risks and strengthen defenses.

    Understanding the stakes: why OT security is different

    Unlike traditional information technology (IT) environments, OT systems control physical processes directly. A cybersecurity incident in OT can have real-world consequences, impacting people, equipment and the environment. While IT security focuses on protecting data through confidentiality, integrity and availability, OT security prioritizes safety, reliability and the uninterrupted operation of critical assets.

    The stakes are high. Industry data shows a significant year-over-year rise in cyber attacks targeting OT environments. Moreover, these incidents are often underreported, so the true scale of the threat is even greater.

    What is OT red teaming?

    Red teaming for OT is a simulation exercise designed to replicate real-world cyber attacks on operational systems. The goal is to test the effectiveness of security controls, validate incident response capabilities and identify opportunities for improvement. Unlike penetration testing, which typically focuses on finding and exploiting vulnerabilities, red teaming simulates full-spectrum attacks to evaluate how well an organization can detect, respond to and recover from sophisticated attacks.

    It’s important to note that OT red teaming is not a replacement for incident response tabletop exercises (check out BBA’s IR Playbook) or a comprehensive cybersecurity program. Instead, it complements existing strategies by providing practical, scenario-based insights into an organization’s true security posture.

    When should organizations consider OT red teaming?

    OT red teaming is most effective for organizations that have achieved a basic level of maturity in key domains such as asset management, risk management, identity and access management, and incident response. If your organization is looking to validate the effectiveness of its security controls, understand which tactics and techniques are most relevant to your operations or train staff in real-world threat scenarios, red teaming can deliver significant value.

    Building an effective OT red teaming program

    1. Flexible strategies and frameworks

    Every organization’s OT environment is unique, shaped by its industry, architecture and operational processes. A flexible approach is essential. Frameworks like MITRE ATT&CK for ICS provide a structured way to map attack scenarios to real-world threats, helping teams prioritize the most relevant techniques.

    2. The importance of an OT/ICS lab

    A non-production OT/ICS lab is crucial for safe and effective red teaming. Labs allow teams to replicate operational environments, test attack scenarios and refine detection and response capabilities without risking disruption to live systems. Whether in-house or external (such as the BBA digital labs), labs should balance realism with flexibility, enabling organizations to scale and adapt as needed.

    3. Scenario selection and risk-based approaches

    Selecting attack scenarios should be guided by a risk-based approach, considering factors such as industry-specific threats, commonly used vendors and typical system architectures. Tools like the MITRE ATT&CK Navigator can help prioritize the techniques to focus on first, ensuring efforts are aligned with the most pressing risks.
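One way to put the risk-based selection described above into practice is to score each candidate scenario against a site profile (sector, vendors in use, exposure) and export the ranking as an ATT&CK Navigator layer for the team to review. This is an added example, not BBA's or MITRE's code: the technique IDs come from the public ATT&CK for ICS matrix and should be checked against the current version, while the site profile, vendor names, weights and Navigator layer version are constructed assumptions.

```python
import json

# Constructed site profile: sector, OT vendors in use, and exposure facts.
PROFILE = {"industry": "energy",
           "vendors": {"VendorA", "VendorB"},   # placeholder vendor names
           "remote_access_to_ot": True}         # e.g. vendor VPN landing in the OT DMZ

# Constructed scenario catalogue: each entry ties a scenario to one ATT&CK for ICS
# technique ID (assumed from the public matrix) and to the conditions that make it relevant.
SCENARIOS = [
    {"id": "T0886", "name": "Remote Services", "industries": {"water"},
     "vendors": set(), "needs_remote_access": True},
    {"id": "T0855", "name": "Unauthorized Command Message", "industries": {"energy"},
     "vendors": {"VendorC"}, "needs_remote_access": False},
    {"id": "T0843", "name": "Program Download", "industries": {"manufacturing"},
     "vendors": {"VendorC"}, "needs_remote_access": False},
    {"id": "T0836", "name": "Modify Parameter", "industries": {"energy", "manufacturing"},
     "vendors": {"VendorB"}, "needs_remote_access": False},
]
# Constructed weights: contribution of each risk factor to a technique's score.
WEIGHTS = {"industry": 3, "vendor": 2, "remote_access": 2}

def score(scenario, profile=PROFILE):
    """Sum the weights of the risk factors that apply to this site (0 if none apply)."""
    s = 0
    if profile["industry"] in scenario["industries"]:
        s += WEIGHTS["industry"]
    if scenario["vendors"] & profile["vendors"]:          # a vendor we actually run
        s += WEIGHTS["vendor"]
    if scenario["needs_remote_access"] and profile["remote_access_to_ot"]:
        s += WEIGHTS["remote_access"]
    return s

def prioritize(scenarios=SCENARIOS, profile=PROFILE):
    """(technique_id, score) pairs, highest first; irrelevant (score 0) scenarios dropped."""
    ranked = [(sc["id"], score(sc, profile)) for sc in scenarios]
    return sorted([r for r in ranked if r[1] > 0], key=lambda r: (-r[1], r[0]))

def navigator_layer(ranked, name="OT red team scope"):
    """ATT&CK Navigator layer (format 4.5 assumed) colouring each technique by its score."""
    return {"name": name, "domain": "ics-attack", "versions": {"layer": "4.5"},
            "techniques": [{"techniqueID": tid, "score": s,
                            "comment": "candidate red team scenario"} for tid, s in ranked]}

if __name__ == "__main__":
    print(json.dumps(navigator_layer(prioritize()), indent=2))
```

Loading the printed JSON into the Navigator shows the matrix shaded by score, so the highest-risk techniques for this site stand out before any lab time is spent.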

    4. Collaboration between IT and OT teams

    Effective OT red teaming requires close collaboration across IT and OT teams. While IT red teaming is often more mature, leveraging IT expertise, labs and tools can accelerate OT security improvements. Real-world attacks rarely respect organizational boundaries—attackers often move from IT to OT—so breaking down silos is essential for comprehensive defense.

    5. Leveraging open-source tools

    Open-source tools like Caldera OT offer powerful capabilities for simulating attacks on industrial protocols (e.g., BACnet, DNP3, Modbus, IEC 61850 – MMS, Profinet). These tools support both autonomous and manual red teaming, and their capabilities are mapped to the MITRE ATT&CK for ICS matrix, making them accessible to both IT and OT teams.

    Key takeaways

    • OT/ICS incidents can have significant physical impacts, making cybersecurity a matter of operational safety.
    • Red teaming for OT systems provides a practical, scenario-driven approach to uncovering hidden risks and improving resilience.
    • Access to a dedicated OT/ICS lab is essential for effective red teaming.
    • Collaboration between IT and OT teams is critical to reducing attack surfaces and strengthening defenses.

    As the OT threat landscape continues to evolve, organizations must move beyond reactive measures and embrace proactive strategies like red teaming. By simulating real-world attacks and fostering cross-disciplinary collaboration between IT and OT, security teams can uncover hidden risks and build the resilience needed to protect critical operations.

    If you have questions or want to learn more about implementing OT red teaming in your organization, reach out to an ICS cybersecurity expert or explore resources like the MITRE ATT&CK for ICS and open-source tools such as Caldera OT.

This content is for general information purposes only. All rights reserved ©BBA
