
OT/ICS Adversary Emulation, Without Disrupting Operations

Adversary emulation in operational technology environments has a problem that IT security testing does not: the cost of getting it wrong is measured not in data loss but in operational disruption, safety incidents, and in the most severe cases, physical consequences. Conventional security testing tools were not designed for this constraint.

SCYTHE was. Production-safe adversary emulation is not a feature SCYTHE added to an IT-focused platform — it is a foundational design principle that makes SCYTHE the right choice for organizations that operate environments where uptime and safety are non-negotiable.


Why OT/ICS Security Validation Is Different


Operational technology environments share little with enterprise IT beyond network connectivity. The constraints that define OT security testing are fundamental:

Availability is everything

An IT system can be rebooted during a test. A power generation control system, a water treatment SCADA system, or a manufacturing PLC cannot. Every test must be designed with the assumption that the operational process continues without interruption.

Legacy and unpatched systems

OT environments commonly run systems and protocols that predate modern security by decades (e.g., Modbus, DNP3, Profibus, proprietary vendor protocols) on hardware that cannot be patched and software that cannot be upgraded without multi-year change management cycles.

Agent deployment is often impossible

Many ICS components cannot run software agents. The network topology is designed for deterministic process communication, not general-purpose IP networking. Validation approaches that require software deployment on every tested system don't work.

The threat actors are different

Nation-state actors targeting critical infrastructure (e.g., VOLTZITE, SANDWORM, KAMACITE, the developers of TRITON/TRISIS) use techniques specifically designed to evade OT security tools, live off the land in industrial protocols, and cause physical consequences through digital means. An IT-focused BAS tool's technique library was not built with these actors in mind.

The OT/ICS Threat Landscape

Understanding which threat actors are actively targeting your type of environment is the foundation of effective OT adversary emulation. SCYTHE maps emulation campaigns to the real actors targeting critical infrastructure, such as:


Voltzite / Volt Typhoon

A Chinese state-nexus threat actor conducting long-duration espionage and pre-positioning operations against U.S. electric utilities, telecommunications, and defense. This group specializes in living-off-the-land techniques using legitimate system tools to avoid detection and has demonstrated specific interest in operational technology data and network diagrams.


Sandworm

A Russian military intelligence unit responsible for the most destructive cyberattacks on industrial infrastructure in history, including the 2015 and 2016 Ukrainian power grid attacks and the deployment of Industroyer and Industroyer2, malware designed to speak ICS protocols directly to grid equipment. SANDWORM remains the most capable and dangerous threat to European and North American energy infrastructure.


Triton / Trisis

The group responsible for deploying TRITON malware against Safety Instrumented Systems (SIS) in a Middle Eastern petrochemical facility. The attack targeted the safety systems designed to prevent catastrophic accidents, making TRITON the first known malware built specifically to manipulate a safety system, with loss of life as a possible outcome.

How SCYTHE Operates in OT/ICS Environments

Most security validation tools are built for IT environments and stop at the enterprise perimeter. SCYTHE is purpose-built to operate across the IT/OT boundary — validating the attack paths that matter most to critical infrastructure defenders without disrupting the operations they're protecting.

SCYTHE's approach to OT/ICS adversary emulation is built around five principles that conventional testing tools cannot offer:

IT-to-OT lateral movement emulation
Purdue Model Level 3 and above
Production-safe techniques only
Lab environment support for deeper testing
Regulatory alignment: NERC CIP, IEC 62443, NIST CSF, TSA

Production-safe by design

Every SCYTHE test is controlled, configurable, and auditable. Destructive capabilities, meaning anything that could cause operational disruption, require explicit authorization and cannot be triggered accidentally. Tests can be scoped to specific network segments, specific time windows, and specific technique categories to match the operational risk tolerance of each environment.

Flexible deployment without mandatory agents

SCYTHE supports deployment models that work in OT environments, including network-based assessment approaches for environments where agent deployment on ICS components is not feasible. SCYTHE works with the network architecture of your OT environment, not against it.

IT/OT convergence validation

Most successful attacks on OT environments begin in IT and pivot into OT through convergence points such as historian servers, data diodes, jump hosts, and remote access infrastructure. SCYTHE validates the full kill chain from IT-side initial access through the IT/OT boundary into the OT environment, because that is how real adversaries operate.

OT-specific technique emulation

SCYTHE's technique library includes OT-specific adversary behaviors, spanning industrial protocol reconnaissance, historian access, HMI interaction patterns, and the specific living-off-the-land techniques used by threat actors targeting industrial systems, not just IT techniques reapplied to an OT context.
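As an added illustration of what "production-safe industrial protocol reconnaissance" means at the wire level (this is example code written for this page, not SCYTHE's own implementation), the block below builds a Modbus/TCP Read Holding Registers request, parses the reply, and refuses to emit any function code that would write to a device. The MBAP header and function code 0x03 layout follow the public Modbus/TCP specification; the sample response bytes are constructed here, not captured from a real PLC.

```python
"""Read-only Modbus/TCP reconnaissance helper (added example, not SCYTHE code).

The guardrail is build_request(): it only emits function codes that read
device state, so a technique built on it cannot write coils or registers
even if a test plan is misconfigured.
"""
import socket
import struct
from typing import List

# Modbus function codes that only read state. Writes (0x05, 0x06, 0x0F,
# 0x10 ...) and diagnostics that can reset a device are deliberately absent.
READ_ONLY_FUNCTION_CODES = {0x01, 0x02, 0x03, 0x04, 0x07, 0x11, 0x2B}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)
FC_READ_HOLDING_REGISTERS = 0x03


class ModbusError(Exception):
    """Raised for malformed frames or a Modbus exception response."""

    def __init__(self, message: str, exception_code: int = 0):
        super().__init__(message)
        self.exception_code = exception_code


def build_request(transaction_id: int, unit_id: int, function_code: int,
                  start: int, count: int) -> bytes:
    """Return an MBAP + PDU frame for a read-only function code."""
    if function_code not in READ_ONLY_FUNCTION_CODES:
        raise ValueError(f"function code 0x{function_code:02x} is not read-only; refusing")
    if not 1 <= count <= 125:
        raise ValueError("Modbus permits 1-125 registers per read request")
    pdu = struct.pack(">BHH", function_code, start, count)
    # MBAP length field counts the unit id byte plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_response(frame: bytes, expected_tid: int) -> List[int]:
    """Validate a Read Holding Registers response and return the register values."""
    if len(frame) < MBAP_LEN + 2:
        raise ModbusError("frame too short to contain a PDU")
    tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ModbusError(f"unexpected protocol id {proto}")
    if tid != expected_tid:
        raise ModbusError(f"transaction id mismatch: {tid} != {expected_tid}")
    if length != len(frame) - 6:
        raise ModbusError("MBAP length does not match frame size")
    fc = frame[7]
    if fc & 0x80:  # exception bit set: PDU is [fc|0x80, exception code]
        raise ModbusError(f"device returned exception 0x{frame[8]:02x}", frame[8])
    if fc != FC_READ_HOLDING_REGISTERS:
        raise ModbusError(f"unexpected function code 0x{fc:02x}")
    byte_count = frame[8]
    data = frame[9:9 + byte_count]
    if len(data) != byte_count or byte_count % 2:
        raise ModbusError("register payload truncated or odd-length")
    return list(struct.unpack(f">{byte_count // 2}H", data))


def read_holding_registers(host: str, unit_id: int, start: int, count: int,
                           port: int = 502, timeout: float = 2.0) -> List[int]:
    """Single read-only query against a live device (not exercised offline)."""
    req = build_request(1, unit_id, FC_READ_HOLDING_REGISTERS, start, count)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(req)
        # A response is never larger than MBAP + 1 fc + 1 count + 250 bytes.
        return parse_response(sock.recv(260), expected_tid=1)


# Constructed sample frames (not captured traffic): tid 1, unit 1.
SAMPLE_RESPONSE = bytes.fromhex("00010000000701" "0304" "1234" "5678")
SAMPLE_EXCEPTION = bytes.fromhex("00010000000301" "8302")  # illegal data address
```

In a real engagement the read is the entire technique: a scoped inventory of which registers a host can reach from a given segment, with the write path unreachable by construction. The socket helper is included only to show where the frame goes; nothing here should be pointed at a production PLC without the authorization process the page describes.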

What OT Organizations Achieve with SCYTHE

Organizations operating critical infrastructure use SCYTHE to answer the questions that matter most for OT security:

"Does our OT network segmentation actually prevent lateral movement from IT?" SCYTHE emulates IT-to-OT pivot attempts and validates that segmentation controls (firewalls, data diodes, network access controls) are configured correctly and actually enforced.

"Would our security team detect a VOLTZITE-style reconnaissance campaign in our environment?" SCYTHE emulates the specific TTPs associated with threat actors targeting your sector and validates detection coverage against their actual playbook.

"Are our OT-specific security tools — like Claroty, Dragos, or Nozomi — detecting the techniques they're supposed to catch?" SCYTHE validates OT security monitoring platform coverage the same way it validates IT EDR coverage, by running real techniques and measuring what detects and what doesn't.

"Can we prove our security controls work to our regulator?" SCYTHE produces repeatable, documented, auditable evidence of control effectiveness, the defensible validation record that NERC CIP auditors and TSA directive compliance requires.
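The third and fourth questions above come down to one bookkeeping step: join the record of what was executed against the alerts the OT monitoring platform raised, and count what was and was not seen. The block below is an added example of that correlation written for this page; it is not SCYTHE's reporting code. Both logs are constructed JSON lines, the technique identifiers are ATT&CK for ICS IDs used only as sample labels, and the five-minute match window and the rule that each alert may satisfy only one execution are assumptions chosen for the example.

```python
"""Correlate executed techniques with monitoring alerts to score detection
coverage (added example, not SCYTHE code)."""
import json
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample logs. Each execution line is one technique run by the
# emulation tool; each alert line is one detection from a monitoring source.
EXECUTION_LOG = """
{"ts": "2024-05-01T10:00:00Z", "technique": "T0846", "host": "hist-01"}
{"ts": "2024-05-01T10:02:00Z", "technique": "T0886", "host": "hist-01"}
{"ts": "2024-05-01T10:04:00Z", "technique": "T0846", "host": "jump-02"}
{"ts": "2024-05-01T10:06:00Z", "technique": "T0888", "host": "jump-02"}
"""

# The T0886 alert arrives 28 minutes after execution, outside the window,
# so it is counted as a miss rather than a detection.
ALERT_LOG = """
{"ts": "2024-05-01T10:00:42Z", "technique": "T0846", "host": "hist-01", "source": "ot-monitor"}
{"ts": "2024-05-01T10:30:00Z", "technique": "T0886", "host": "hist-01", "source": "ot-monitor"}
{"ts": "2024-05-01T10:04:10Z", "technique": "T0846", "host": "jump-02", "source": "siem"}
"""


def _parse(lines: str) -> List[dict]:
    records = []
    for line in lines.strip().splitlines():
        rec = json.loads(line)
        # fromisoformat only accepts a trailing "Z" from Python 3.11 onward.
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def correlate(exec_lines: str, alert_lines: str,
              window: timedelta = timedelta(minutes=5)) -> Tuple[Dict[str, dict], List[dict]]:
    """Return (per-technique report, list of executions with no matching alert).

    An alert matches an execution when technique and host agree and the alert
    fired within `window` after the execution. Each alert is consumed at most
    once so a single noisy alert cannot cover several runs.
    """
    executions, alerts = _parse(exec_lines), _parse(alert_lines)
    unmatched = set(range(len(alerts)))
    report: Dict[str, dict] = {}
    misses: List[dict] = []
    for ex in executions:
        entry = report.setdefault(ex["technique"], {"executed": 0, "detected": 0, "sources": set()})
        entry["executed"] += 1
        hit = next((i for i in sorted(unmatched)
                    if alerts[i]["technique"] == ex["technique"]
                    and alerts[i]["host"] == ex["host"]
                    and ex["ts"] <= alerts[i]["ts"] <= ex["ts"] + window), None)
        if hit is None:
            misses.append(ex)
            continue
        unmatched.discard(hit)
        entry["detected"] += 1
        entry["sources"].add(alerts[hit]["source"])
    return report, misses


def coverage(report: Dict[str, dict]) -> float:
    """Fraction of executions that produced a matching alert."""
    executed = sum(e["executed"] for e in report.values())
    detected = sum(e["detected"] for e in report.values())
    return detected / executed if executed else 0.0


if __name__ == "__main__":
    rep, missed = correlate(EXECUTION_LOG, ALERT_LOG)
    for tech, e in sorted(rep.items()):
        print(f"{tech}: {e['detected']}/{e['executed']} detected via {sorted(e['sources'])}")
    print(f"overall coverage: {coverage(rep):.0%}; missed: "
          + ", ".join(f"{m['technique']}@{m['host']}" for m in missed))
```

The miss list is the deliverable that matters for the segmentation and detection questions: it names the technique and the host where nothing fired, which is exactly the gap an engineer tunes a Dragos, Claroty or Nozomi rule against, and the per-technique counts are the repeatable evidence an auditor can re-run.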



Ian Anderson, OG&E — Energy Sector Customer

"SCYTHE improves our security control efficacy, optimizing budget spend and ROI, while also enhancing talent development, training, and partner relationships." — Ian Anderson, OG&E (Oklahoma Gas and Electric)

OG&E is an electric utility serving approximately 900,000 customers across Oklahoma and Arkansas — an environment where operational continuity and NERC CIP compliance are both requirements. SCYTHE's production-safe approach made continuous adversary emulation possible in an environment where most testing tools were not viable.


Frequently Asked Questions

Can SCYTHE test ICS/SCADA systems without risking operational disruption?

Yes. SCYTHE is designed for production-safe emulation. Tests are configurable by scope, technique category, and execution timing. Techniques that could cause operational disruption require explicit authorization and are separated from standard validation runs. SCYTHE operates in live OT environments at energy utilities, manufacturing facilities, and critical infrastructure operators.

Does SCYTHE require deploying agents on OT systems?

SCYTHE supports flexible deployment models including approaches that do not require agent installation on OT devices where that is not feasible. Deployment strategy is designed around your OT architecture, not the other way around.

How does SCYTHE handle air-gapped OT environments?

SCYTHE supports on-premises deployment in air-gapped environments. The platform does not require internet connectivity for operation, making it suitable for classified, highly regulated, and physically isolated industrial environments.

Which OT security monitoring platforms does SCYTHE integrate with?

SCYTHE integrates with leading OT security monitoring platforms including Dragos, Claroty, Nozomi Networks, and Microsoft Defender for IoT. Validation results can be correlated against monitoring platform alerts to measure OT-specific detection coverage.

Prove your OT defenses work, without disrupting operations.

Talk to SCYTHE about adversary emulation for your OT/ICS environment. We'll discuss your architecture, your regulatory requirements, and the specific threat actors targeting your sector.