Industry & Control Systems

Energy, water, manufacturing, critical operators (OIV)

One compromised controller. A factory stopped — or worse.

Modbus with no authentication, 15,000 Schneider systems reachable online, 150,000 ICS systems exposed on the internet. Industrial control systems were designed for availability — not for security. IT/OT convergence creates attack paths that neither IT nor OT teams can see.

150K
Schneider Electric ICS systems exposed on the internet (Bitsight 2025)
IEC 62443
OT security standard required by NIS2 and the LPM for critical operators
NotPetya
$10B in damages, the reference industrial OT attack
Modbus
A protocol with no authentication, still dominant in 2025

THE OT PARADOX—MAXIMUM AVAILABILITY, MINIMUM SECURITY

Modbus, BACnet, OPC-UA: no native authentication
The dominant industrial protocols were designed in the 1970s-90s with no security. Modbus has no authentication. Neither does BACnet. OPC-UA has some — rarely enabled. 14,220 OPC-UA servers are exposed directly on the internet (Bitsight, Jan. 2026).
Production shutdown: $500K/hour for automotive
Ransomware groups have adapted their tools to target SCADA systems. NotPetya 2017: $10B in damages. Halting an automotive line costs $500K/hour. In energy or water, the impact is directly life-threatening.
Lateral-movement paths: invisible to both teams
IT/OT convergence creates paths the IT team can't see (it doesn't know OT) and the OT team can't see (it doesn't do security). Ransomware arriving by email can pivot to the OT network via a misconfigured jump server.
Critical operators (OIV): ANSSI can prescribe audits of ICS systems
NIS2 and the LPM impose security obligations on critical operators for their industrial control systems. ANSSI can mandate OT audits. IEC 62443 is the reference standard — its real implementation requires technical audits of the embedded systems.
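Because Modbus carries no credentials, the only control left to a defender is at the network level: knowing which hosts are allowed to write to controllers and watching the IT→OT paths for anything else. The following is an added example, not Quarkslab's code: it parses Modbus/TCP frames and flags write function codes coming from any source outside an assumed engineering-workstation allowlist; the IP addresses and frames are constructed.

```python
import struct

# Modbus function codes that change controller state (from the public spec).
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}
# Constructed allowlist: the only host permitted to write (engineering workstation).
ALLOWED_WRITERS = {"10.10.1.5"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then PDU (function code + data)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def flag_unauthorized_writes(observed):
    """Alert on write requests from any source outside the allowlist.

    Modbus carries no credentials, so source address plus function code is
    all a network sensor can check.
    """
    alerts = []
    for src_ip, frame in observed:
        req = parse_modbus_tcp(frame)
        if req["fc"] in WRITE_FUNCTION_CODES and src_ip not in ALLOWED_WRITERS:
            alerts.append(f"{src_ip} -> unit {req['unit']}: "
                          f"{WRITE_FUNCTION_CODES[req['fc']]} (fc 0x{req['fc']:02x})")
    return alerts


# Constructed sample traffic (hex, spaces for readability).
SAMPLE_TRAFFIC = [
    ("192.168.50.20", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),  # read, fine
    ("10.10.1.5",     bytes.fromhex("0002 0000 0006 01 05 0013 FF00")),  # write, allowed
    ("192.168.50.20", bytes.fromhex("0003 0000 0006 01 06 0001 0003")),  # write, alert
]

if __name__ == "__main__":
    for alert in flag_unauthorized_writes(SAMPLE_TRAFFIC):
        print("ALERT:", alert)
```

In a real deployment the allowlist would come from the zone-and-conduit design, and the frames from a passive tap on the conduit between the IT-facing jump server and the controller network.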

OUR SERVICES

QREDTEAM

ADVERSARY SIMULATION

  • Full OT Red Team — simulation of the IT→OT pivot from the corporate network to the controllers
  • Exploitation of industrial protocols (Modbus, BACnet, OPC-UA, PROFINET, DNP3)
  • Ransomware simulation in an OT environment — impact on production availability
  • Red Team on SCADA, DCS and process-control HMI systems
  • Pentest of segmented OT networks — robustness testing of IEC 62443 zones and conduits

QLAB

DEEP SECURITY RESEARCH

  • Reverse engineering of PLC firmware (Modicon, SIMATIC, FactoryTalk) without sources
  • 0-day research on critical industrial equipment (Schneider, Siemens, Rockwell, ABB)
  • JTAG/UART hardware analysis on controllers — configurations and application logic
  • Supply-chain audit of OT components — backdoors in manufacturer firmware
  • SBOM evaluation of ICS systems for NIS2 and LPM compliance

QSHIELD

SOFTWARE PROTECTION

  • Protection of embedded OT code against competitor reverse engineering
  • Anti-cloning for controller makers exporting outside the EU
  • IP protection of proprietary industrial process-control algorithms
  • Obfuscation of SIS (safety instrumented systems) code against adversary analysis
  • Protection of equipment firmware exported to geopolitically risky markets

QUARKSLAB DIFFERENTIATOR

Most firms audit the OT security policy — not the protocols that run the controllers. Quarkslab reverse-engineers the firmware of Modicon, SIMATIC and FactoryTalk PLCs, actually exploits Modbus and OPC-UA, and maps the IT→OT paths your teams can’t see. We are ANSSI-referenced for critical-operator (OIV) assessments — with the technical depth a PASSI qualification demands.

WHAT WOULD WE SAY TO EACH OTHER, FACE TO FACE

Do you know whether an attacker on your IT network can send commands to your Modbus controllers in under 30 minutes?

Most industrial critical operators have separated IT and OT on paper. In practice, there is almost always a jump server, a maintenance PC or a provider VPN that creates an undocumented path. Quarkslab maps and tests these real paths — not the theoretical topology of your ISMS.