Definition
What is OT VAPT and how it differs from IT pentesting
OT VAPT (Operational Technology Vulnerability Assessment and Penetration Testing) is a security assessment for industrial environments: the networks, protocols, and devices that control physical processes. This covers SCADA supervisory systems, Distributed Control Systems (DCS), Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), Human Machine Interfaces (HMI), engineering workstations, and the industrial networks connecting them.
The critical difference from IT pentesting is method. In IT security, testers send active traffic to discover hosts, probe services, and test exploits. Industrial devices, including PLCs speaking protocols like Modbus, DNP3, and EtherNet/IP, run embedded network stacks that were not designed to handle unexpected, malformed, or high-rate traffic. A probe packet aimed at the wrong register can halt a process line or trigger a safety interlock, and a port scan alone has been known to crash controllers. For this reason, OT VAPT is built around passive observation, not active attack.
Safety and availability come first in industrial environments. Our methodology reflects that. We collect traffic through span ports or network TAPs, review configurations from backup files rather than live connections, and analyse architecture against the IEC 62443 zone and conduit model. The findings are real, but production never stops.
For IT systems such as corporate networks, web applications, and cloud workloads, see our penetration testing service. OT VAPT is specifically for industrial control environments.
Methodology
Passive methodology: how we assess without disrupting operations
Every phase of an OT assessment is designed around one constraint: no active traffic on the operational network. This is not a limitation of the methodology. It is the methodology.
Passive network discovery
We connect via a span port or passive TAP to the industrial network and collect traffic over one to two weeks. This duration is intentional: we need to see a full operational cycle, including shift changes, batch runs, and off-hours periods. The traffic profile during normal production can look completely different from what happens at 2am.
Industrial protocol analysis
Collected traffic is analysed for industrial protocols: Modbus, DNP3, OPC-UA, Profinet, EtherNet/IP, and IEC 60870-5. We identify which devices are communicating, what commands they are sending, and whether the traffic reveals weak authentication, unencrypted control commands, or anomalous patterns that could indicate existing compromise or exploitable configurations.
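As an added illustration of what the protocol analysis step looks for (this is example code written for this page, not Alpha Code tooling), the script below decodes Modbus/TCP requests taken from the client-to-server side of TCP/502 streams, records which hosts talk to which controller unit, and flags write function codes coming from hosts that are not on the list of expected writers. The IP addresses, the set of "authorised writers", and the sample frames are all constructed assumptions; in an engagement the frames would come from the TAP capture and the writer list from the asset inventory.

```python
import struct
from collections import defaultdict

# Modbus function codes (Modbus Application Protocol Specification V1.1b3).
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}


def parse_modbus_tcp(payload):
    """Decode one Modbus/TCP request (MBAP header + PDU) from a TCP payload.

    Returns a dict, or None when the bytes are not a well-formed frame. The
    MBAP length field counts the unit id plus the PDU, so it must equal
    len(payload) - 6.
    """
    if len(payload) < 8:
        return None
    tid, proto_id, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        return None
    fc, data = payload[7], payload[8:]
    rec = {"tid": tid, "unit": unit, "fc": fc & 0x7F, "exception": bool(fc & 0x80)}
    # These PDUs all start with a 16-bit address followed by a 16-bit value
    # (FC 5/6) or quantity (reads, FC 15/16); FC 15/16 carry more bytes after.
    if rec["fc"] in (1, 2, 3, 4, 5, 6, 15, 16) and len(data) >= 4:
        rec["address"], rec["operand"] = struct.unpack("!HH", data[:4])
    return rec


def analyse(frames, authorised_writers):
    """Summarise who talks to which PLC and flag writes from unexpected hosts.

    frames: iterable of (src_ip, dst_ip, tcp_payload) from the client->server
    side of TCP/502 streams in a passive capture.
    authorised_writers: set of IPs expected to issue write commands.
    """
    talkers = defaultdict(set)   # (src, dst, unit id) -> function codes seen
    findings = []
    for src, dst, payload in frames:
        rec = parse_modbus_tcp(payload)
        if rec is None or rec["exception"]:
            continue
        talkers[(src, dst, rec["unit"])].add(rec["fc"])
        if rec["fc"] in WRITE_FUNCTIONS and src not in authorised_writers:
            findings.append({
                "src": src, "dst": dst, "unit": rec["unit"],
                "function": WRITE_FUNCTIONS[rec["fc"]],
                "address": rec.get("address"),
                "note": "Modbus has no authentication; any host that can reach "
                        "TCP/502 can issue this write",
            })
    return talkers, findings


def build_request(tid, unit, fc, address, operand):
    """Assemble a minimal Modbus/TCP request for the constructed sample below."""
    pdu = struct.pack("!BHH", fc, address, operand)
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic (not a real capture): hypothetical HMI and PLC
# addresses, plus one host that should never be writing to a controller.
HMI, PLC, STRANGER = "10.10.2.10", "10.10.1.20", "10.10.5.77"
SAMPLE_FRAMES = [
    (HMI, PLC, build_request(1, 1, 3, 0x0000, 10)),           # read 10 holding registers
    (HMI, PLC, build_request(2, 1, 6, 0x0010, 1500)),         # HMI setpoint write (expected)
    (STRANGER, PLC, build_request(7, 1, 5, 0x0002, 0xFF00)),  # coil ON from unknown host
    (STRANGER, PLC, b"\x00\x08\x00\x00\x00\x02\x01"),         # truncated frame, ignored
]


def run_sample():
    return analyse(SAMPLE_FRAMES, authorised_writers={HMI})


if __name__ == "__main__":
    talkers, findings = run_sample()
    for key, fcs in sorted(talkers.items()):
        print(key, sorted(fcs))
    for f in findings:
        print("FINDING:", f)
```

Reading requests alone is enough to build the talker map; the write from the unlisted host is the kind of evidence that ends up in a finding, because Modbus carries no authentication and the only control is who can reach the controller's port.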
Offline configuration review
We review device configurations from backup files and configuration exports provided by the engineering team, not from live connections to active devices. This gives us an accurate view of PLC logic, HMI access controls, and network device settings without touching anything that is running.
Architecture review against IEC 62443 and Purdue model
We map the industrial environment against the Purdue model (Level 0 to Level 4) and assess zone and conduit boundaries per IEC 62443. This reveals where IT and OT networks are not properly separated, where remote access paths are undocumented, and where traffic is allowed across zone boundaries without appropriate controls.
Boundary and remote access review
Industrial environments often have undocumented paths to the outside world: vendor cellular modems for remote maintenance, jump servers with weak credentials, or IT/OT boundaries with no effective firewall. We identify every path into the industrial network and assess the controls on each.
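The zone and conduit review and the boundary review above both reduce to the same check: every observed flow is either inside one zone, inside a documented conduit, or a finding. The following added example (written for this page, not Alpha Code's own tooling) encodes a hypothetical four-zone Purdue model and a conduit allowlist, then classifies a constructed flow summary of the kind that would be extracted from a passive capture. The zone names, CIDRs, allowed ports, and sample flows are all assumptions; the tags it emits correspond to the three findings the text describes: an undocumented cross-zone path, a path that skips an intermediate level (typically bypassing the IDMZ), and an address outside the inventory reaching into OT.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    level: int        # Purdue level 0-4
    networks: tuple   # CIDR strings, as inventoried from device configurations


# Hypothetical zone model for one site (assumed for this example, not from the page).
ZONES = (
    Zone("Enterprise", 4, ("10.0.0.0/16",)),
    Zone("IDMZ", 3, ("10.10.0.0/24",)),          # historian mirror, jump host
    Zone("Supervisory", 2, ("10.10.2.0/24",)),   # SCADA servers, HMIs, engineering
    Zone("Control", 1, ("10.10.1.0/24",)),       # PLCs, RTUs
)

# Documented conduits: (source zone, destination zone) -> allowed TCP ports.
# Anything not listed here is, by definition, an undocumented path.
CONDUITS = {
    ("Enterprise", "IDMZ"): {443, 3389},
    ("IDMZ", "Supervisory"): {1433, 3389},
    ("Supervisory", "Control"): {502, 44818},
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for z in ZONES:
        if any(addr in ipaddress.ip_network(n) for n in z.networks):
            return z
    return None   # not in any inventoried zone: external or unknown


def check_flow(src, dst, dport):
    """Classify one observed TCP flow. Returns a list of finding tags (empty = acceptable)."""
    sz, dz = zone_of(src), zone_of(dst)
    tags = []
    if dz is None:
        return tags   # outbound to a non-inventoried address is assessed separately
    if sz is None:
        tags.append("external-source")   # vendor modem, internet, or unknown segment
        if dz.level <= 2:
            tags.append("external-to-ot")
        return tags
    if sz.name == dz.name:
        return tags   # intra-zone traffic is governed by the zone's own SL target
    allowed = CONDUITS.get((sz.name, dz.name), set())
    if dport not in allowed:
        tags.append("no-conduit")
    if abs(sz.level - dz.level) > 1:
        tags.append("level-skip")   # bypasses the intermediate zone, usually the IDMZ
    return tags


def review_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns only the flagged ones."""
    findings = []
    for src, dst, dport in flows:
        tags = check_flow(src, dst, dport)
        if tags:
            findings.append((src, dst, dport, tags))
    return findings


# Constructed flow summary (not a real capture), as it might be extracted
# from a two-week passive collection.
SAMPLE_FLOWS = [
    ("10.10.2.10", "10.10.1.20", 502),     # HMI -> PLC over a documented conduit
    ("10.10.0.5", "10.10.2.30", 1433),     # IDMZ historian -> SCADA SQL, documented
    ("10.0.7.42", "10.10.1.20", 502),      # enterprise laptop straight to a PLC
    ("10.0.7.42", "10.10.0.5", 22),        # SSH into the IDMZ, no conduit for it
    ("203.0.113.9", "10.10.2.40", 3389),   # public address into an engineering workstation
]


def run_sample():
    return review_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    for src, dst, dport, tags in run_sample():
        print(f"{src} -> {dst}:{dport}  {', '.join(tags)}")
```

The value of the check is in the inputs: the zone table comes from the offline configuration review, the conduit table from whatever the operator has documented, and the flows from the capture. A flow that appears in the capture but not in the conduit table is exactly the undocumented remote access path or missing IT/OT boundary control the report is looking for.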
Process
What an OT VAPT engagement looks like
An OT assessment follows a defined sequence that is coordinated closely with your operations team from start to finish. Total elapsed time is typically four to six weeks.
1. Scoping with operations
We start with your engineering, operations, and IT teams together. We agree on which systems are in scope, how TAPs will be installed, how configuration files will be shared, and what procedures apply if any unexpected issue arises. An operations liaison is assigned on your side for the duration of the engagement.
2. Passive collection
TAPs or span ports are installed by your network team with our guidance. We monitor passively for one to two weeks. No packets are sent to the industrial network from our infrastructure. At the end of the collection window, the captured traffic is extracted and transported to our analysis environment.
3. Configuration and architecture analysis
Configuration files are reviewed offline. Traffic is analysed for protocol anomalies, authentication issues, and architectural weaknesses. We map findings against IEC 62443 security levels (SL 1 to SL 4) and, where relevant, against Perpres 82/2022 obligations for critical infrastructure operators.
4. Reporting
We produce a written report with an executive summary in Bahasa Indonesia and English, technical findings organised by zone and system, an IEC 62443 gap heatmap showing each zone against its target security level, and a remediation roadmap prioritised by operational impact and implementation difficulty.
5. Findings readout
We present the findings to both a technical audience and a management audience. The technical readout walks engineering staff through each finding. The management readout focuses on operational risk, compliance obligations, and the remediation roadmap.
Deliverable
What the OT VAPT report contains
The report is structured for two audiences: the engineering team doing remediation and the management team making risk decisions. Both sections draw from the same findings, but the framing is different.
| Report section | What it covers |
|---|---|
| Executive summary | An overview of the assessment scope, the overall security posture, and the most important findings. Written in Bahasa Indonesia and English. Suitable for presentation to the board, regulators, or BSSN. |
| Technical findings by zone | Every finding is organised by IEC 62443 zone and assigned a severity rating. Each entry includes a description, evidence from traffic analysis or configuration review, and the specific control gap it maps to. |
| IEC 62443 gap heatmap | A visual representation of each zone against its target security level (SL 1 to SL 4). This gives engineering teams an immediate view of where the most significant gaps are and where to focus first. |
| Purdue model asset map | A diagram of the industrial environment at each Purdue level (0 to 4), showing identified assets, communication paths, and boundary controls. This often surfaces undocumented connections. |
| Remediation roadmap | Recommendations organised by operational impact and implementation difficulty, not just by severity score. This allows operations teams to prioritise fixes that can be done without a planned outage separately from those that require one. |
| Regulatory mapping | Where applicable, findings are mapped to Perpres 82/2022 IIKN obligations and BSSN guidance on industrial control system security. This section is designed to support compliance reporting. |
Regulation
IEC 62443, Perpres 82/2022, and BSSN
IEC 62443 is the international standard for industrial automation and control system security. It defines security levels from SL 1 (protection against casual or coincidental violation) to SL 4 (protection against intentional attack by well-resourced, highly motivated adversaries using sophisticated means and ICS-specific skills). For most industrial operators in Indonesia, achieving a documented SL 1 across all zones is a credible starting objective, and many have not yet reached it in practice.
Perpres 82/2022 establishes the national framework for protecting critical information infrastructure (IIKN) in Indonesia. BSSN coordinates the framework across 11 sectors: energy, water, transportation, finance, health, telecommunications, food, defence, national industry, government, and emergency services. Operators in these sectors are required to conduct security assessments of their information systems, which explicitly includes OT environments that control physical processes.
Our OT VAPT reports map findings to both IEC 62443 and the BSSN guidance on industrial control system security. This means the report can be used directly to support BSSN compliance documentation without needing to translate findings from a different framework.
If your organisation needs to assess IT systems alongside OT, see our penetration testing service for corporate networks, web applications, and cloud workloads. The two assessments can run in parallel or sequentially.
Why us
Why Alpha Code
Alpha Code Technologies is a managed security services provider headquartered in Jakarta and part of Akraya International. Our OT security consultants have hands-on experience with industrial environments in energy, oil and gas, manufacturing, and utilities across Indonesia.
- Passive methodology: no active scanning, no risk to live operations
- Findings mapped to IEC 62443 SL 1-4 and Perpres 82/2022
- Reports in Bahasa Indonesia and English, built for BSSN coordination
- Engineering and management readouts included
- Experience with Modbus, DNP3, OPC-UA, Profinet, and EtherNet/IP
- Part of Akraya International, with global industrial security expertise
Frequently asked questions
OT VAPT assesses the security of industrial control systems: SCADA, DCS, PLC, RTU, HMI, and industrial networks. Unlike IT pentesting, which sends active traffic to probe targets, OT VAPT uses passive methods: traffic collection via span ports or TAPs, offline configuration review, and architecture analysis. This is necessary because industrial devices can fail or halt processes if they receive unexpected traffic. An IT pentest is not safe to run on an operational industrial network.