For OT and ICS security consultancies who run assessments where downtime is not an option
Manage operational technology and industrial control system engagements where active scanning is constrained, change windows are tight, and remediation cycles cross plant maintenance schedules. Run IEC 62443 and NIST SP 800-82 assessments, log findings with CVSS, track remediation, and deliver through a branded portal.
No credit card required. Free plan available forever.
A platform built for OT and ICS engagements where scanning is constrained and downtime is not an option
OT and ICS security consultancies run a different shape of work to IT-focused security firms. Active scanning against process control equipment is rarely permitted on production networks. Findings often come from architecture review, configuration walkthroughs, passive observation, vendor data, and manual testing on the permitted IT-side perimeter. Remediation does not happen on a sprint cadence; it happens during plant maintenance windows that may be months apart. The deliverable is rarely a single report. It is a programme of zone assessments, conduit reviews, control evaluations, and remediation tracking that runs across multiple engagements per asset owner.
SecPortal gives OT and ICS consultancies one workspace per asset owner, structured engagements per zone, findings management with CVSS 3.1 and environmental context, compliance tracking that maps to IEC 62443 and NIST SP 800-82, AI-assisted reporting tuned for layered audiences, and a branded client portal so plant operations, engineering, and corporate security all read the same finding IDs.
Capabilities for OT and ICS consulting in one workspace
Engagement records that match OT zone structure
Create one engagement per zone (corporate IT, DMZ, supervisory, control, field) so the IEC 62443 zones and conduits stay visible on the record. Each engagement has its own scope, methodology notes, and findings, so the assessor can speak to one zone at a time without losing the cross-zone picture.
Findings management without active scanners
Active scanning against PLCs, RTUs, and historians is constrained or prohibited. Log findings manually, paste tester output from offline tooling, or import scanner results from IT segments via Nessus, Burp Suite, or any CSV with custom column mapping. The platform runs on findings, not on a live scan stream.
CVSS 3.1 with environmental adjustment context
Every finding carries a CVSS 3.1 vector and severity. Add the environmental context (safety impact, isolation status, compensating controls, change window constraints) in the finding notes so the rating reflects the OT environment rather than a generic IT context.
Branded client portal for asset owners
Clients see a portal on a tenant subdomain with their findings, remediation status, and reports. The portal is the working surface across plant operations, corporate security, and engineering, so the same finding ID is the source of truth for everyone.
AI-assisted reports tuned for layered audiences
Generate executive summaries for the corporate security lead, technical writeups for the controls engineer, and remediation roadmaps for the operations team. All three are derived from the same engagement record, so there is one set of findings and three views.
Encrypted credential storage when authentication is involved
When the engagement does include authenticated checks against IT-side applications (engineering workstations, OT-IT bridges, jump servers, remote access portals), credentials live encrypted at rest with AES-256-GCM. Cookie, bearer, basic, and form-login modes are supported.
How OT and ICS consultancies run a portfolio inside SecPortal
An OT consulting practice is most efficient when every asset owner looks the same operationally: same engagement structure, same evidence model, same reporting pattern. SecPortal supports the full portfolio rather than one assessment at a time.
- Run an OT/ICS assessment as a structured engagement with scope, methodology, findings, evidence, and a deliverable on one record, instead of a folder of PDFs and a shared drive.
- Manage multiple asset owners (manufacturer, utility, oil and gas operator, water utility) from a single workspace with separate client records and isolated data.
- Bring subcontractor findings (electrical, instrumentation, SCADA vendors) into the same workspace via CSV import, deduplicate against the existing finding list, and ship a single consolidated report.
- Track remediation across plant change windows. Findings have owners, severity-driven target dates, and status updates that the asset owner sees in the branded portal between outage cycles.
- Maintain a defensible audit trail of every finding, every status change, and every report version, suitable for the regulator, the certifying body, or the corporate audit team.
- Roll engagements forward year over year on the same client record so reassessments and surveillance cycles start from a continuity record rather than a binder rebuild.
From scope walkdown to remediation closure on one engagement record
OT and ICS engagements share an underlying shape across industries (manufacturing, energy, water, oil and gas, transportation). The platform runs that shape so the consultant focuses on judgment work rather than coordination overhead.
1. Open the client record with primary contacts, zone inventory at the level of detail the assessment requires (corporate, DMZ, supervisory, control, field), and any prior assessment history.
2. Create the assessment engagement with the methodology spelled out (IEC 62443 zone-conduit assessment, NIST SP 800-82 risk assessment, an architecture review, a tabletop, or a constrained pentest with passive observation).
3. Walk the scope with the asset owner, mark which segments are in or out, capture the rules of engagement (what is permitted, what is prohibited, what requires plant-side approval), and attach the signed authorisation as evidence.
4. Log findings as they surface from passive observation, configuration review, vendor data, manual testing on permitted IT segments, and subcontractor reports. Each finding has a CVSS vector, severity, evidence, and remediation guidance from the 300+ template library.
5. Track remediation through the branded portal. Findings have owners, severity-driven target dates, and status updates. Plant change windows are visible on the dashboard so slippage surfaces before the next outage cycle.
6. Generate the deliverable from the live record. The executive summary, technical writeup, and remediation roadmap come from the same finding set. The asset owner receives a controlled document; the consultant edits a draft rather than writing from a blank page.
Why OT and ICS engagements need a different operating pattern
The Purdue Enterprise Reference Architecture, NIST SP 800-82r3 (Guide to Operational Technology Security), and the IEC 62443 series describe the same operational reality from different angles. Each one is published guidance that consultancies anchor their methodology to, and each one creates a constraint that an IT-style platform does not accommodate well.
- Active testing is restricted. Sending unexpected traffic to a programmable logic controller, a remote terminal unit, or a safety instrumented system can cause a process upset. Most engagements are scoped around observation, configuration review, and tightly constrained testing on permitted segments.
- Patching cycles are slow. A plant might apply firmware updates once per outage window, sometimes once per year. The remediation tracker has to handle months-long fix cycles without losing context, and the report has to articulate compensating controls clearly enough for the asset owner to defend the gap to a regulator in the meantime.
- Audiences are layered. The controls engineer cares about the safety case and the engineering workstation. The plant manager cares about uptime and shift discipline. The corporate CISO cares about regulatory exposure. The board cares about business continuity. The same finding has to be readable by all four, and the consultant cannot afford to write the report four times.
- Compliance is regulator-driven, not certification-driven. Energy, water, transportation, and chemical sectors face sector-specific regulators (NERC CIP for the bulk power system, TSA pipeline directives, EU NIS2 for essential entities, AWWA for water). The compliance tracker has to map findings to the regulatory framework that applies, not to a generic Annex.
Frameworks the platform supports for OT and ICS work
The platform ships structured framework reference pages that OT and ICS consultancies anchor their assessments to, alongside compliance tracking against the controls those frameworks define.
- IEC 62443 for the zone and conduit assessment, the seven foundational requirements, and the asset owner, integrator, and product supplier role split that anchors most OT and ICS assessments.
- NIST Cybersecurity Framework and the broader NIST publication family, including the SP 800-82 OT-specific guidance that asset owners use to scope an OT risk assessment.
- NIST SP 800-53 for federal and federally adjacent OT environments where the catalogue applies alongside OT-specific overlays.
- ISO 27001 for the corporate IT side of an asset owner that the consultancy is also covering, where Annex A controls map to the IT segments that interface with the OT environment.
- NIS2 for essential and important entities in the EU, where industrial operators have direct regulatory reporting obligations and risk assessment expectations.
- CIS Controls as a baseline used on the IT-side perimeter and on engineering workstations that bridge into the OT environment.
- MITRE ATT&CK (and the ICS matrix referenced from it) for tagging tactics and techniques observed during testing or modelled during a tabletop.
Where OT engagements meet IT-side technical testing
Most OT engagements include some testing on the IT-side perimeter that interfaces with the OT environment: jump servers, engineering workstations, remote access portals, historians, and the corporate domain that authenticates into the supervisory layer. This is where findings on the IT side translate into pivot risk on the OT side.
- The penetration testing use case covers the day-to-day flow of running an engagement from scope through to findings and delivery, which is the pattern the IT-side workstream of an OT engagement runs on.
- The remediation tracking use case covers the end-to-end fix cycle, including how findings stay open through long remediation windows without drifting out of the record.
- The pentest evidence management use case covers structured evidence capture, which matters more in an OT engagement than in a standard IT pentest because the regulator or the certifying body may want to see the authorisation trail and the methodology evidence months after delivery.
- The default credentials and weak password policy reference pages cover two of the most common findings on engineering workstations and jump servers that bridge into the OT environment.
- The rules of engagement template gives a structured baseline that OT engagements adapt heavily, since the prohibited list (no active scanning of safety-rated equipment, no fuzzing of historians, no scanning during shift changeover) is the operational core of the contract.
Where to start
Most OT and ICS consultancies adopt the platform in three steps: stand up a single asset owner with a structured zone-conduit assessment engagement, move recurring assessment clients onto the same model so reassessments roll forward year over year, then bring the IT-side technical testing workstream and any subcontractor findings into the same workspace so the consolidated report comes off one record.
If your practice runs a broader security consulting line alongside the OT specialism, the sister page SecPortal for security consultants covers engagement management across pentest, IR, and assessment work in the same workspace. If your practice ships compliance readiness alongside the OT engagement, the compliance consultants page covers the multi-framework portfolio pattern. If the practice extends into cloud-side review for the corporate IT and SaaS estate that surrounds the OT environment, the cloud security consultancies page covers the AWS, Azure, and GCP assessment pattern.
For the operational shape of running structured assessments inside the platform, the penetration testing use case walks through scoping, finding capture, evidence handling, and report generation in detail, and the compliance audits use case covers the control-evidence side that an OT engagement layers on top of the technical findings.
The problems you face
And how SecPortal solves each one.
IT-style scanners cannot run freely against production OT networks
Findings are entered manually or imported from passive listening tools, vendor reports, and air-gapped tester output via CSV. SecPortal does not require live scanning to manage the engagement; the workflow runs on findings, not telemetry.
Engagements span IT, OT, and shared services and the data lives in different folders
One workspace per client with separate engagements per zone (IT, DMZ, supervisory layer, control layer, field layer). Findings, evidence, and remediation status all live on the engagement record, not in a folder of PDFs.
Plant change windows mean remediation slips for months and nobody tracks the slippage
Each finding has an owner, a target date by severity, and a status. Slippage is visible on the dashboard and in the branded client portal so engineering, operations, and the asset owner all see the same picture before the next outage window opens.
Reports written for a process control engineer look nothing like reports written for a CISO
AI generates separate executive, technical, and remediation views from the same engagement record. The site engineer reads the technical writeup; the corporate security lead reads the executive summary; both reference the same finding IDs.
IEC 62443 and NIST SP 800-82 assessments produce control evidence that ages out of binders
Compliance tracking runs alongside the engagement. Findings link to the control they failed against, and the activity log exports to CSV when the auditor or the regulator wants the trail.
Subcontracted electrical, instrumentation, and SCADA vendors deliver findings as Word docs
Bring subcontractor findings into the same workspace via CSV import with custom column mapping. Deduplicate against the existing finding list before the report ships, so the asset owner never sees the same gap from three sources.
Key features for you
Run OT and ICS engagements as records, not as binders
IEC 62443 and NIST SP 800-82 assessment, findings, remediation, and reporting on one client record. Free plan available.