
OT Security Connect


Author(s): OT Security Connect

About this audio

Hi all,

Welcome to the "OT Security Connect"!

Our community objective: To create a dynamic and engaging platform that brings together OT security leaders to share knowledge, best practices, and innovative solutions, fostering professional growth and collaboration.

Our community aims to address industry challenges, spotlight emerging trends, and build a network of experts committed to advancing OT security.

By facilitating meaningful interactions and providing valuable insights, we strive to empower OT security leaders and help organisations find the top talent they need to secure their critical infrastructures.

Our Social Channels:

📹 - Watch our Events - https://lnkd.in/eKEgmPhi

🎧 - Listen Here - https://lnkd.in/e6gEYKJT

📚 - Community Newsletters - https://lnkd.in/eBJyaRXR

This community is hosted by Quanta Hire - a dedicated, specialised OT Security recruitment partner that understands the specific challenges and goals of OT Security leaders.

Quanta Hire Website - https://quantahire.com/

Please get in touch with any suggestions for future events, feedback on the community, or recommendations for community content.

We will strive to grow the community whilst adding value for OT Security experts.

Episodes
  • Hacktonics: Bridging the OT Security Skills Gap
    Apr 24 2025

    Bridging the OT Security Skills Gap: A Spotlight on Hacktonics

    In our latest webinar, we had the pleasure of hosting Awais Rashid and Joe Gardiner, co-founders of Hacktonics. Both Awais (a professor of cybersecurity at the University of Bristol) and Joe (a lecturer with hands-on ICS experience) are on a mission to make ICS and OT cybersecurity training far more accessible - an urgent need in an industry where the skills gap often slows progress and leaves critical infrastructure exposed.

    Hacktonics’ Approach

    1. Hands-On Training Boxes: Hacktonics has developed portable training kits that simulate realistic ICS environments. Trainees gain experience configuring, attacking (ethically!), and defending actual devices. This direct exposure fosters far deeper understanding than any purely theoretical or virtual course ever could.
    2. LinICS (Linux for ICS): The team created a specialist Linux-based platform, bundled with OT-specific tools mapped to the MITRE ATT&CK for ICS framework. Think of it as “Kali for ICS,” but with an emphasis on protocols like Modbus, DNP3, and industrial-grade hardware. By providing a one-stop platform - containing both modern and legacy utilities - Hacktonics cuts the usual complexity of spinning up ICS test labs.
    3. Boot Camps & Bespoke Courses: Free, introductory sessions for newcomers or anyone curious about transitioning into OT security. These allow you to trial real ICS scenarios under expert guidance. Bespoke Courses: Tailored corporate training to upskill in-house teams - particularly beneficial for IT security teams who want to gain OT fluency or safety engineers who need to weave security into their processes.
    4. Community Focus: Although Hacktonics offers commercial solutions, their ethos is firmly rooted in community building. They regularly host sessions at local meetups, B-Sides events, and student conferences, aiming to nurture new talent by lowering the barriers to entry.

    53 min
  • Building Blocks of ICS / OT Security
    Apr 24 2025

    It was a pleasure to host our latest webinar session. The experience on our panel shone through: even with the early-morning start in New Zealand for Gavin, and with Stefano fighting off an illness, the team were on top form.

    In this session, we explored the essential building blocks of ICS/OT cybersecurity, perfect for practitioners and leaders in OT Security, tasked with building defences from the ground up. Our panel for the session:

    • Sam Taylor – Current CISO/Project Manager at Enfinium (formerly GSK and Johnson Matthey), overseeing OT cyber programmes
    • Andres Prieto – A seasoned engineer, based in Barcelona, who transitioned from IT into global OT cybersecurity
    • Stefano Saccomani – With over twenty-five years of experience in rail, focusing on rail control systems, signalling, and OT security
    • Gavin Dilworth – An OT all-rounder from New Zealand, bringing experience as an operator, automation engineer, managing consultant, and security advisor

    1 h 1 min
  • Inside OT Penetration Testing
    Dec 16 2024

    In our latest OT Security Connect session, we explored OT penetration testing with our excellent panel providing insights into the unique challenges, the absence of standardisation, and the strategies to enhance security within OT environments.

    We also witnessed the birth of a new phrase "Living off the Plant" - credit to Ric Derbyshire on this 😁

    Panel

    Ric Derbyshire - Principal Security Researcher at Orange Cyberdefense

    Gavin Dilworth - Principal Consultant at Assessment Plus

    Martin Slack - Head of ICS at Pen Test Partners

    Asif Hameed Khan - Cybersecurity Professional

    🌐 Key Themes and Insights

    The Case for Standardisation

    The team debated the feasibility of a unified standard for OT penetration testing. While a universal approach seems impractical due to the diversity of OT environments and the lack of an arbitrator, the group agreed that more flexible, descriptive frameworks could provide valuable guidance.

    For instance, a baseline guide to help asset owners could lean more into the IEC 62443 model, using security levels to align tests with sector-specific risks, criticality, and risk appetite, to help determine appropriate testing approaches.

    Challenges of OT Penetration Testing

    A significant challenge in OT penetration testing lies in the diverse approaches taken by testers, particularly those transitioning from IT-focused backgrounds. It can be a struggle to adapt, as their methods tend to prioritise vulnerabilities over the operational processes central to OT environments.

    In contrast, successful testers focus on identifying how attackers could disrupt key processes and systems, as this aligns more closely with asset owners' priorities.

    Organisations with well-established test beds often achieve better outcomes in penetration testing, as these environments allow for controlled experimentation and more realistic simulations. However, the lack of test beds in many organisations remains a barrier to effective testing.

    Clear communication of testing objectives and outcomes is another critical success factor. Testers must articulate the scope and purpose of their assessments in terms that resonate with OT asset owners, ensuring alignment between testing practices and operational realities.

    🚀 Key Takeaways for OT Security Professionals

    • Pen-testing Certifications: Professional development recommendations from the panel for industry professionals interested in penetration testing in OT. OSCP and SANS were highly rated by Gavin and Martin 📚
    • Pen-testing to Address Hybrid IT-OT Environments: Most pen-testing uses IT TTPs and is focussed on the more general-purpose operating systems within OT environments. As a result, there should be minimal safety and reliability issues.
    • Pen-Testing Outcomes Impacting Security Posture: The whole point of a pen-test is to help end users improve their security posture: reduce risk and enable the organisation to review gaps and plan its security programme going forward.
    1 h