Tagged: critical infrastructure

Common Pentest Scoping Mistakes for ICS-SCADA

Cyber criminals are more interested in critical infrastructure than ever before; therefore, cyber threats to critical infrastructure are rising dramatically. Catastrophic attacks are only a matter of time, so we need realistic risk assessments and penetration tests.

My major concern about ICS-SCADA penetration tests and audits is not only the how (methodologies) but also the what (scope). There are some common mistakes in scoping penetration tests:

1-Excluding ICS-SCADA components
Most penetration tests and audits leave out ICS-SCADA networks and components. This means most of the threats and risks related to ICS-SCADA are missed. I understand the logic behind this behavior. Nobody wants their core operation shut down during an audit/pentest, but this risk is always on the table and you cannot avoid it just by closing your eyes. Ignorance is not bliss for critical infrastructure. To be honest, real intruders will have no mercy.

2-Excluding supportive ICS-SCADA components
Another common scoping mistake is excluding the supportive ICS-SCADA networks. What I mean is that it is not enough to include only the core-operation ICS-SCADA networks; power generation, for example, is much more than turbines. Remember, we are responsible for the whole operation. It should be up and running whenever we need it.

3-Missing Network and Connections
Penetration testers and auditors should not rely on topologies, network diagrams, and IP blocks. All possible connections and networks should be identified. This task requires configuration analysis, site visits, firewall analysis, and more.
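One way to start the firewall-analysis step described above: compare the ICS address block taken from the network diagram against what the firewall rule set actually permits, and list every network that can reach (or be reached from) the ICS scope but is missing from the diagram. This is an added example, not code from the original post; the flat rule format ("action source destination protocol port") and all addresses and rules are constructed for illustration.

```python
import ipaddress

# Constructed data: the ICS/SCADA address block as drawn on the network diagram.
DECLARED_SCOPE = ["10.10.0.0/16"]

# Constructed firewall rule set in a hypothetical flat format:
# action source destination protocol port
FIREWALL_RULES = """\
permit 10.10.5.0/24 10.10.20.0/24 tcp 502
permit 172.16.40.0/24 10.10.20.0/24 tcp 3389
permit 192.168.99.10 10.10.20.15 tcp 22
permit any 10.10.20.0/24 icmp any
permit 10.20.0.0/16 10.30.0.0/16 udp 161
deny any any any any
"""

def to_network(token):
    """Turn a rule address token into an ip_network; 'any' means 0.0.0.0/0."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)

def parse_rules(text):
    """Parse the flat rule text into (action, src, dst, proto, port) tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        action, src, dst, proto, port = parts
        rules.append((action, to_network(src), to_network(dst), proto, port))
    return rules

def in_scope(net, scope):
    """True when the whole network lies inside one of the declared scope blocks."""
    return any(net.subnet_of(s) for s in scope)

def find_scope_gaps(rules, declared_scope):
    """Return networks that permitted rules let talk with the declared ICS scope
    but that the diagram-derived scope does not contain ('any' shows up as 0.0.0.0/0)."""
    scope = [ipaddress.ip_network(s) for s in declared_scope]
    gaps = set()
    for action, src, dst, proto, port in rules:
        if action != "permit":
            continue
        src_in, dst_in = in_scope(src, scope), in_scope(dst, scope)
        if dst_in and not src_in:
            gaps.add(str(src))  # something outside the diagram reaches into ICS
        if src_in and not dst_in:
            gaps.add(str(dst))  # ICS reaches out to something outside the diagram
    return sorted(gaps)

if __name__ == "__main__":
    for net in find_scope_gaps(parse_rules(FIREWALL_RULES), DECLARED_SCOPE):
        print("not on the diagram but connected to ICS:", net)
```

Every network this reports is a candidate for the test scope and a question for the site visit; a reported 0.0.0.0/0 means a rule permits traffic from anywhere into the ICS block.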

Conclusion
The penetration test/audit scope is critical to identifying what to protect. All critical infrastructure networks and components should be in the audit scope.