Case study · Industry · Connected equipment · 150 to 250 staff

Connected industrial equipment manufacturer — full penetration test (IT, OT, hardware, physical)

Anonymised case — a connected industrial equipment manufacturer had its IT, OT and embedded products audited by Hexceos. 23 critical vulnerabilities identified, 4 CVEs disclosed, 6-month remediation plan delivered.

  • 23 critical vulnerabilities identified
  • 4 CVEs assigned on embedded products
  • −86% average CVSS score after remediation
  • 2 of 2 sites physically penetrated
"We wanted to know what would happen if someone really tried. Hexceos really tried — we rewrote our security roadmap after their report."
— Chief Information Security Officer, mid-market industrial firm, connected equipment, France

Context

A French industrial mid-market firm with 180 staff, manufacturer of measurement equipment and connected sensors (industrial IoT) deployed in the factories of over 300 European customers. The IT estate covers an HQ, a production plant, a hardware R&D department and a fleet of embedded products sold to industrial customers, some of whom are themselves essential service operators.

Three triggers coincided: the NIS2 directive (which qualifies the firm as an important entity), a contractual demand from a European retail customer for an independent penetration test before signing, and the CISO's concern about historically unaudited firmware development practices (debug interfaces sometimes left active in production units).

Scope delivered

The audit, conducted over 8 weeks by a 4-consultant Hexceos team, covered four distinct scopes. Each scope produced a standalone report and a consolidated executive summary.

1. Office IT and infrastructure

  • External black-box pentest on exposed services (mail, VPN, customer portals, partner applications).
  • Internal pentest from an assumed-breach position (a standard, non-privileged user workstation).
  • Full Active Directory audit: privilege escalation paths (BloodHound), service accounts, weak passwords, sensitive GPOs.
  • Cloud configuration audit (AWS for R&D, Microsoft 365 for HQ, off-site OT monitoring).

2. OT network and production line

  • Passive mapping of industrial protocols (Modbus, OPC-UA, PROFINET, MQTT on some sensors).
  • Pentest of IT/OT gateways and SCADA servers.
  • Segmentation audit between office, supervision and command networks.
  • Controlled ransomware propagation test from office to production line, with immediate abort capability.

3. Hardware of commercialised products

  • Hardware supply chain analysis (critical components, third-party suppliers, firmware supply chain).
  • Reverse engineering of firmware on 4 representative sensor models.
  • Exploitation of debug interfaces (UART, JTAG, SWD) on electronic boards.
  • Cryptographic audit of product communications (hardcoded certificates, static keys, weak update protocols).
  • Fuzzing of proprietary configuration protocols.
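A first pass over a raw firmware image for embedded secrets is where the cryptographic audit and the reverse engineering listed above usually begin. The Go program below is an added example, not Hexceos tooling and not the customer's firmware: it scans an image for PEM-armoured private keys, for credentials embedded in scheme://user:password@host URLs, and for fixed-size blocks whose entropy is close to the maximum (raw symmetric keys look like this, but so do compressed or encrypted regions, so those hits need triage). The image it scans is constructed inline; the product, broker hostname and password are invented.

```go
package main

import (
	"bytes"
	"fmt"
	"math"
	"regexp"
)

// Finding is one suspicious region located in a firmware image.
type Finding struct {
	Offset int
	Kind   string // "pem-private-key", "credential-url" or "high-entropy"
	Detail string
}

var (
	// PEM-armoured private keys (RSA, EC, PKCS#8, OpenSSH) stored as text.
	pemKeyRe = regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`)
	// scheme://user:password@host, the usual shape of a baked-in broker or API credential.
	credURLRe = regexp.MustCompile(`[a-z]+://[^\s/:@\x00]+:[^\s@\x00]+@[^\s\x00]+`)
)

// shannonEntropy returns the entropy of b in bits per byte (0 to 8).
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, n := range counts {
		if n > 0 {
			p := float64(n) / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// ScanFirmware runs the three checks over img. The entropy pass uses fixed
// blocks of `window` bytes and flags a block whose entropy is within 2% of the
// maximum a block of that size can reach (min(8, log2(window)) bits/byte).
// Raw symmetric keys land here, but so do compressed or encrypted sections,
// so high-entropy hits still need manual triage.
func ScanFirmware(img []byte, window int) []Finding {
	var out []Finding
	for _, m := range pemKeyRe.FindAllIndex(img, -1) {
		out = append(out, Finding{m[0], "pem-private-key", string(img[m[0]:m[1]])})
	}
	for _, m := range credURLRe.FindAllIndex(img, -1) {
		out = append(out, Finding{m[0], "credential-url", string(img[m[0]:m[1]])})
	}
	limit := math.Min(8, math.Log2(float64(window)))
	for off := 0; off+window <= len(img); off += window {
		if h := shannonEntropy(img[off : off+window]); h >= 0.98*limit {
			out = append(out, Finding{off, "high-entropy", fmt.Sprintf("%.2f bits/byte", h)})
		}
	}
	return out
}

// SampleFirmware builds a constructed image for the demo (not a real vendor
// binary): repetitive code-like filler, a PEM private key stub, a cleartext
// MQTT credential, erased-flash filler and a 32-byte key-like blob. It also
// returns the offset of that blob so callers can check the entropy pass.
func SampleFirmware() (img []byte, keyOffset int) {
	var b bytes.Buffer
	b.Write(bytes.Repeat([]byte{0x00, 0x20, 0x70, 0x47}, 256))
	b.WriteString("-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIExample\n-----END EC PRIVATE KEY-----\n")
	b.WriteString("mqtt://sensor:Factory2024!@broker.example.internal\x00")
	b.Write(bytes.Repeat([]byte{0xff}, 100))
	for b.Len()%32 != 0 { // align the blob to the scan window
		b.WriteByte(0xff)
	}
	keyOffset = b.Len()
	for i := 0; i < 32; i++ { // 32 distinct bytes standing in for a raw AES-256 key
		b.WriteByte(byte(i*37 + 11))
	}
	b.Write(bytes.Repeat([]byte{0xff}, 256))
	return b.Bytes(), keyOffset
}

func main() {
	img, _ := SampleFirmware()
	for _, f := range ScanFirmware(img, 32) {
		fmt.Printf("0x%06x  %-16s %s\n", f.Offset, f.Kind, f.Detail)
	}
}
```

Run with `go run` and the three hits print with their offsets. On a real dump the follow-up questions are the ones that matter for a fleet: whether a key found this way is per-device or shared across every unit shipped, and whether the same key also protects update delivery.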

4. Physical site security

  • Unauthorised access attempts on the HQ and the production plant (physical red team, two days per site).
  • Badge manipulation, tailgating, social engineering at reception and shipping docks.
  • Hardware implant placement on unmonitored OT network ports (placement test only, no real exfiltration).
  • Access control audit (cameras, alarms, human presence, visitor procedures).

Results

  • 23 critical vulnerabilities identified overall: 7 in the OT/production scope, 9 in commercialised products, 7 in office IT.
  • 4 CVEs publicly assigned on embedded products after coordinated disclosure (90-day embargo so that patches could ship before publication).
  • Full Active Directory compromise in 6 days from a simulated non-privileged user workstation.
  • Bridge to the OT network in 2 additional days post-office compromise — critical segmentation defect.
  • Private cryptographic key extraction from 2 sensor models via debug interfaces left active in production.
  • 2 of 2 physical site intrusions successful, with no alarm triggered in the first 30 minutes after entering the protected zone.

Remediation plan and 6-month follow-up

Quantified, prioritised and binding remediation plan delivered in week 9: 47 actions (12 critical, 19 major, 16 minor). Monthly joint steering committee (customer + Hexceos) over six months.

  • Average CVSS score of the critical vulnerabilities reduced by 86% after the remediation phase (measured at six months).
  • IT/OT segmentation redesigned with an industrial DMZ and a data diode on outbound supervision flows.
  • Firmware redesign on 3 product models: debug interfaces disabled in production units, cryptographically signed updates, key rotation.
  • Responsible disclosure policy published for third-party security researchers (alongside a closed bug bounty programme).
  • Physical access controls hardened on both sites: mantraps, multi-factor badge access in sensitive areas, reinforced reception training.
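Signed updates and key rotation, listed above as remediation items, only hold if the device-side verifier checks the right things in the right order. The Go program below is an added example and not the customer's firmware or Hexceos code: an Ed25519-signed manifest binds product, version and image hash; the device pins public keys by key ID so that a retired key can be rotated out; anti-rollback refuses anything not newer than the installed version. The product name, key IDs and image bytes are invented for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Manifest is what gets signed; binding product, version and image hash in one
// signed blob means none of them can be swapped without a fresh signature.
type Manifest struct {
	Product     string `json:"product"`
	Version     uint32 `json:"version"`
	ImageSHA256 string `json:"image_sha256"`
	KeyID       string `json:"key_id"`
}

// Package is the update as shipped to the device.
type Package struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// Device is the verifier's state. Rotating a signing key means adding the new
// key ID in one release and deleting the retired one in a later release.
type Device struct {
	Product     string
	Installed   uint32                       // anti-rollback floor
	TrustedKeys map[string]ed25519.PublicKey // pinned public keys by key ID
}

var (
	ErrUnknownKey    = errors.New("manifest signed with unknown key id")
	ErrBadSignature  = errors.New("manifest signature invalid")
	ErrWrongProduct  = errors.New("manifest is for another product")
	ErrRollback      = errors.New("version is not newer than the installed one")
	ErrImageMismatch = errors.New("image hash does not match manifest")
)

// canonical is the signed byte string; json.Marshal of this struct cannot fail.
func canonical(m Manifest) []byte { b, _ := json.Marshal(m); return b }

// Sign runs on the vendor's build signer; the private key never reaches a device.
func Sign(priv ed25519.PrivateKey, keyID, product string, version uint32, image []byte) Package {
	sum := sha256.Sum256(image)
	m := Manifest{product, version, hex.EncodeToString(sum[:]), keyID}
	return Package{Manifest: m, Signature: ed25519.Sign(priv, canonical(m)), Image: image}
}

// Apply checks the package in the only safe order (signature before any manifest
// field is trusted, then product, anti-rollback, image hash) and records the new
// version only if every check passed.
func (d *Device) Apply(p Package) error {
	pub, ok := d.TrustedKeys[p.Manifest.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, canonical(p.Manifest), p.Signature) {
		return ErrBadSignature
	}
	if p.Manifest.Product != d.Product {
		return ErrWrongProduct
	}
	if p.Manifest.Version <= d.Installed {
		return ErrRollback
	}
	if sum := sha256.Sum256(p.Image); hex.EncodeToString(sum[:]) != p.Manifest.ImageSHA256 {
		return ErrImageMismatch
	}
	d.Installed = p.Manifest.Version
	return nil
}

// Scenario runs five updates against a device whose 2025 key has been rotated
// out and returns the verdicts in order: valid v42, tampered image v43, forged
// signature v44, rollback to v41, package signed with the retired key v45.
// Product name, key IDs and image bytes are invented for the demonstration.
func Scenario() ([]error, error) {
	_, oldPriv, err := ed25519.GenerateKey(rand.Reader) // "2025-k1", retired
	if err != nil {
		return nil, err
	}
	newPub, newPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dev := &Device{Product: "sensor-x100", Installed: 41, TrustedKeys: map[string]ed25519.PublicKey{"2026-k2": newPub}}
	image := []byte("constructed firmware image bytes")
	tampered := Sign(newPriv, "2026-k2", "sensor-x100", 43, image)
	tampered.Image = append([]byte{image[0] ^ 0xff}, image[1:]...) // copy with one corrupted byte
	forged := Sign(newPriv, "2026-k2", "sensor-x100", 44, image)
	forged.Signature[0] ^= 0xff
	return []error{
		dev.Apply(Sign(newPriv, "2026-k2", "sensor-x100", 42, image)),
		dev.Apply(tampered),
		dev.Apply(forged),
		dev.Apply(Sign(newPriv, "2026-k2", "sensor-x100", 41, image)),
		dev.Apply(Sign(oldPriv, "2025-k1", "sensor-x100", 45, image)),
	}, nil
}
```

Scenario() accepts the valid v42 package and rejects the other four, each for a different reason, which is the property worth testing on the real bootloader: a verifier that accepts a downgrade, an unsigned image or an unknown key turns one extracted key into a fleet-wide problem. Both sides here marshal the same Go struct, so the signed bytes are stable; when the device uses a different encoder, sign a canonical encoding rather than re-marshalling on each side.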

What changed

The tender that triggered the engagement was won on the strength of the independent audit report, which reassured the retail customer. The industrial division ringfenced a three-year product cybersecurity budget (previously non-existent in R&D), and an in-house product security engineer was recruited to carry the follow-up work.

The CISO obtained the annual audit and the formal lifting of the reservations on the firmware development chain. NIS2 compliance, red-flagged before the audit, was restored within three months of delivery of the action plan.

Anonymised at the customer’s request. Figures presented reflect real measurements on a single customer between 2025 and 2026.

Your situation

Let's discuss your case.

A Hexceos engagement always starts with a no-commitment conversation.