Non-Profit Penetration Testing 2024

OT/ICS Security Assessment for a Major Metropolitan Transit Authority — Protecting Rail, SCADA, and PTC Systems

  • Confidential client: a major metropolitan transit authority
  • 1,487 OT assets mapped
  • 38% OT cyber risk reduced
  • 14 high-risk issues resolved

The Challenge

A major metropolitan transit authority operating rail and bus networks had no unified OT visibility, legacy vendor-managed access without governance, 213 devices on unsupported firmware, and a flat network architecture where a single depot workstation compromise could pivot directly into signaling systems — all while facing mandatory TSA Security Directive compliance.

The Solution

Propelex conducted a full-spectrum OT/ICS Security Assessment using passive discovery and protocol-aware analysis across all OT zones — mapping 1,487 assets, identifying 68 findings including 14 high-risk issues, building MITRE ATT&CK for ICS threat scenarios, and delivering a prioritized modernization roadmap aligned to NIST 800-82 and IEC 62443.

Operational technology environments in public transit are among the most consequential attack surfaces in critical infrastructure. Signaling systems, SCADA networks, Positive Train Control, and fare collection platforms are not just IT assets — they are systems whose compromise can cause operational disruption, safety incidents, and direct harm to the public. Securing them requires a fundamentally different approach than enterprise IT security, and the stakes of getting it wrong are categorically higher.

Propelex conducted a comprehensive OT/ICS Security Assessment for a major metropolitan transit authority — deploying a technically rigorous, ground-up assessment that uncovered critical vulnerabilities, mapped 1,487 OT assets, built realistic attack scenarios against live network architecture, and produced a standards-based remediation roadmap that the Authority could immediately fund and execute.

About the Client

The client is a major metropolitan transit authority responsible for regional rail and bus operations across a significant urban population. Their OT environment encompasses signaling systems, SCADA servers, Positive Train Control (PTC) back office, PLCs, RTUs, IEDs, wayside cabinets, depot workstations, and fare collection infrastructure — a complex, multi-vendor environment that had evolved organically over two decades of continuous operation. The client name is kept confidential under NDA.

The engagement was motivated by two converging pressures: increasing cyber threat activity targeting transit and transportation infrastructure globally, and the introduction of TSA Security Directive SD 1580/82-2023-01, which imposed mandatory cybersecurity reporting and risk assessment requirements on passenger rail operators.

The Starting Point

Initial interviews with the Authority’s leadership and technical staff revealed a consistent pattern — operational reliability had been the priority for years, and cybersecurity had not kept pace with either the sophistication of the threat environment or the complexity of the OT infrastructure itself:

  • No authoritative OT asset inventory existed — the Authority could not accurately state how many devices were on its OT networks, what firmware versions they were running, or which vendors had access to which systems
  • OT networks had evolved organically over two decades, with new systems added to existing infrastructure without architectural security review
  • Remote access for suppliers and vendors had expanded without centralized governance — multiple vendors maintained always-on VPN tunnels, some without MFA, using equipment the Authority did not control or monitor
  • Enterprise IT security tools had been deployed but were not designed for OT protocols — the Authority had no visibility into DNP3, Modbus, or PTC messaging behavior
  • TSA SD 1580/82-2023-01 created a compliance obligation the Authority needed to satisfy, but had no existing program structure to support

Propelex Assessment Approach

OT environments require assessment approaches that differ fundamentally from IT penetration testing. Active scanning that generates unexpected traffic on a PLC network can cause controller faults. Propelex structured the engagement around operational safety from the first day:

Passive discovery
All asset discovery performed passively to avoid disrupting live control systems — listening to existing traffic rather than generating probe traffic that could interfere with signaling or control functions
Protocol-aware analysis
Deep inspection of DNP3, Modbus, and TCP/IP signaling interfaces — understanding the operational behavior of the network and identifying anomalies against expected control traffic patterns
Controller-level configuration validation
Direct review of PLC, RTU, and IED configurations against security baselines — identifying firmware versions, default credentials, unnecessary services, and configuration drift from expected states
MITRE ATT&CK for ICS threat mapping
Every significant finding mapped to realistic attack scenarios using the MITRE ATT&CK for ICS framework — connecting technical vulnerabilities to operational impact narratives that leadership could understand and act on
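To make the passive, protocol-aware part of this approach concrete, the following is an added illustration (not Propelex's tooling and not the Authority's data): it learns which Modbus and DNP3 conversations are normal during a baseline window, then flags deviations such as a write operation from a host that never wrote before, or a polling cadence that stalls. All addresses, timestamps and function codes are constructed; the drift factor of 3x the learned interval is an assumption. Nothing is transmitted to any device, which is the point of passive discovery.

```python
"""Passive, protocol-aware baseline check for OT control traffic.

Added example, not Propelex's tooling: learn which (source, destination,
protocol, function) conversations are normal during a baseline window,
then flag observations that deviate from it. Hosts, timestamps and
function codes below are constructed sample data.
"""
from collections import defaultdict
from statistics import median

# Modbus function codes that change controller state (write operations).
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}

# Constructed records: (timestamp_s, src_ip, dst_ip, protocol, function).
# "function" is a Modbus function code or a DNP3 function name.
BASELINE = (
    [(t, "10.10.1.5", "10.10.2.20", "modbus", 3) for t in range(0, 60, 2)]      # HMI reads registers every 2 s
    + [(t, "10.10.1.5", "10.10.3.40", "dnp3", "READ") for t in range(0, 60, 5)]  # DNP3 poll every 5 s
)

OBSERVED = (
    [(t, "10.10.1.5", "10.10.2.20", "modbus", 3) for t in range(60, 120, 2)]
    + [
        (60, "10.10.1.5", "10.10.3.40", "dnp3", "READ"),
        (65, "10.10.1.5", "10.10.3.40", "dnp3", "READ"),
        (95, "10.10.1.5", "10.10.3.40", "dnp3", "READ"),  # 30 s gap: polling stalled
        (100, "10.10.1.5", "10.10.3.40", "dnp3", "READ"),
        (71, "10.10.9.77", "10.10.2.20", "modbus", 16),   # depot workstation writing registers
    ]
)


def learn_baseline(records):
    """Return the set of (src, dst, proto, function) tuples seen and the median
    inter-arrival interval for each (src, dst, proto) conversation."""
    tuples = set()
    times = defaultdict(list)
    for ts, src, dst, proto, fn in sorted(records, key=lambda r: r[0]):
        tuples.add((src, dst, proto, fn))
        times[(src, dst, proto)].append(ts)
    intervals = {}
    for key, ts_list in times.items():
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if gaps:
            intervals[key] = median(gaps)
    return tuples, intervals


def detect_anomalies(baseline_tuples, intervals, records, drift_factor=3.0):
    """Flag conversations absent from the baseline (as unexpected_write when the
    function is a Modbus write) and polling gaps beyond drift_factor times the
    learned interval. Detection only reads the records; nothing is sent."""
    alerts = []
    last_seen = {}
    for ts, src, dst, proto, fn in sorted(records, key=lambda r: r[0]):
        key = (src, dst, proto)
        if (src, dst, proto, fn) not in baseline_tuples:
            is_write = proto == "modbus" and fn in MODBUS_WRITE_CODES
            alerts.append({"time": ts, "kind": "unexpected_write" if is_write else "new_conversation",
                           "src": src, "dst": dst, "proto": proto, "function": fn})
        if key in last_seen and key in intervals:
            gap = ts - last_seen[key]
            if gap > drift_factor * intervals[key]:
                alerts.append({"time": ts, "kind": "polling_gap", "src": src, "dst": dst,
                               "proto": proto, "gap_s": gap, "expected_s": intervals[key]})
        last_seen[key] = ts
    return alerts


def run():
    """Learn from the baseline window and evaluate the observed window."""
    tuples, intervals = learn_baseline(BASELINE)
    return detect_anomalies(tuples, intervals, OBSERVED)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed data this yields two alerts: an unexpected Modbus write (function 16) from the depot workstation, and a 30-second DNP3 polling gap against a learned 5-second cadence. A real deployment would feed the same logic from a span port or tap and extend the baseline with per-register or per-point detail, but the learn-then-compare structure is the same.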

Key Technical Findings

The assessment surfaced a consistent underlying theme: the Authority had invested in modern OT capabilities, but the cybersecurity controls surrounding those capabilities had not kept pace.

Flat Network Architecture

A flat network structure connected operator HMIs, wayside cabinets, PTC back office, PLCs, RTUs, SCADA servers, and depot workstations without adequate segmentation. Propelex identified a workstation with dual-homed network interfaces bridging two critical OT zones — creating a silent bypass around firewall rules that had been completely undetected due to the absence of centralized OT monitoring. This single device created a lateral movement path from depot workstations into core signaling networks.

213 Devices on Unsupported Firmware

Controller fingerprinting revealed 213 devices operating on unsupported firmware versions — including PLCs running firmware dated as far back as 2011, serial-to-IP converters with no patch history, and vendor-installed field switches with default SNMP community strings. Each of these represented exploitable entry points that an attacker could use without triggering any existing alerts.

Uncontrolled Vendor Remote Access

Multiple vendors maintained always-on VPN tunnels, including one tunnel that had been active for nearly a year without review, providing persistent external access into core OT segments. Split-tunnel configurations, absent MFA, and vendor-owned gateways the Authority did not monitor compounded the exposure.

No OT-Specific Monitoring

Enterprise IT security tools provided no visibility into unauthorized ladder-logic changes, deviations in PTC messaging intervals, abnormal traffic between wayside devices, or attempts to modify controller configurations.

68 Total Findings

The assessment produced 68 findings: 14 high-risk requiring immediate action, 32 medium-risk representing elevated operational exposure, and 22 low-risk with governance implications. Every finding was linked to a specific business consequence: service disruption, safety implication, or regulatory non-compliance.
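The findings above come from checking each discovered device against a security baseline and tying every hit to a consequence. The following added example (not Propelex's tooling and not the Authority's inventory) shows that controller-level validation step over a constructed inventory: it flags unsupported firmware, default SNMP community strings, a dual-homed host bridging two zones, and unnecessary management services. The asset records, zone names, the 2018 support cutoff and the service list are all assumptions.

```python
"""Controller-level configuration validation over a passive asset inventory.

Added example, not Propelex's tooling: each discovered device is checked
against a small security baseline and every finding is tied to a severity
and an operational consequence. The asset records, zone names, support
cutoff date and risky-service list are constructed assumptions.
"""
from collections import Counter
from datetime import date

# Constructed inventory: the per-device view that passive discovery plus
# configuration review yields (one record per device).
ASSETS = [
    {"id": "plc-sig-01", "type": "PLC", "zones": {"signaling"},
     "firmware_date": date(2011, 6, 1), "services": {"modbus"}, "snmp_community": None},
    {"id": "rtu-way-07", "type": "RTU", "zones": {"wayside"},
     "firmware_date": date(2022, 3, 15), "services": {"dnp3", "telnet"}, "snmp_community": None},
    {"id": "sw-field-03", "type": "switch", "zones": {"wayside"},
     "firmware_date": date(2019, 9, 1), "services": {"snmp", "http"}, "snmp_community": "public"},
    {"id": "ws-depot-12", "type": "workstation", "zones": {"depot", "signaling"},  # two NICs, two zones
     "firmware_date": date(2023, 1, 10), "services": {"rdp"}, "snmp_community": None},
]

FIRMWARE_SUPPORT_CUTOFF = date(2018, 1, 1)   # assumption: builds older than this are treated as unsupported
DEFAULT_COMMUNITIES = {"public", "private"}
CONTROL_DEVICE_TYPES = {"PLC", "RTU", "IED"}
UNNECESSARY_SERVICES = {            # service -> why it matters on an OT device
    "telnet": "cleartext management channel",
    "http": "unauthenticated web console",
    "ftp": "cleartext file transfer",
}


def evaluate(asset):
    """Return findings for one asset, each with severity, finding id and consequence."""
    findings = []
    if asset["firmware_date"] < FIRMWARE_SUPPORT_CUTOFF:
        severity = "high" if asset["type"] in CONTROL_DEVICE_TYPES else "medium"
        findings.append((severity, "unsupported_firmware", "service disruption"))
    if asset["snmp_community"] in DEFAULT_COMMUNITIES:
        findings.append(("high", "default_snmp_community", "unauthorized configuration change"))
    if len(asset["zones"]) > 1:   # a dual-homed host bridging zones bypasses the firewall
        findings.append(("high", "dual_homed_zone_bridge", "lateral movement into control network"))
    for service, why in UNNECESSARY_SERVICES.items():
        if service in asset["services"]:
            findings.append(("medium", f"unnecessary_service:{service}", why))
    return [{"asset": asset["id"], "severity": s, "finding": f, "consequence": c}
            for s, f, c in findings]


def assess(assets):
    """Evaluate every asset; return the findings list and a count per severity."""
    findings = [f for asset in assets for f in evaluate(asset)]
    return findings, dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    all_findings, counts = assess(ASSETS)
    for f in sorted(all_findings, key=lambda f: f["severity"]):
        print(f"{f['severity']:6} {f['asset']:12} {f['finding']:32} -> {f['consequence']}")
    print(counts)
```

The dual-homed check is deliberately simple: a device whose interfaces sit in more than one zone is a bridge regardless of what the firewall rules say, which is exactly how the bypass in this assessment went unnoticed. The severity and consequence mapping is what turns a raw device list into findings that leadership can prioritize.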

The Modernization Roadmap

Propelex delivered a phased remediation roadmap aligned to IEC 62443 zones-and-conduits architecture, TSA SD compliance requirements, and the Authority’s operational constraints:

  • Phase 1 — Visibility and segmentation: IEC 62443-aligned network zones isolating signaling, PTC, SCADA, fare collection, wayside networks, and depot environments — eliminating the lateral movement paths identified in the assessment
  • Phase 2 — Governance, remote access, patching: Centralized jump server for all vendor access, MFA and session monitoring, time-bound access controls, decommissioning of vendor-owned gateways, and a prioritized firmware update program with vendor accountability SLAs
  • Phase 3 — Resilience and continuous improvement: OT-specific security platform with DPI for Modbus, DNP3, and proprietary signaling protocols, controller integrity monitoring, behavioral analytics integrated with the Authority’s SIEM, and a Zero Trust OT architecture roadmap
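The Phase 1 zones-and-conduits model is easiest to reason about as an explicit policy that observed flows can be checked against. The following is an added illustration (not Propelex's deliverable and not the Authority's actual policy): the zone address ranges, the permitted conduits and the sample flows are all constructed, and the hypothetical PTC-to-wayside conduit is an assumption. It shows how a depot-to-signaling flow or a vendor session that bypasses the jump server is denied by construction once zones and conduits are defined.

```python
"""Zones-and-conduits policy check for observed OT flows (IEC 62443 style).

Added example, not Propelex's deliverable: the zone address ranges, the
conduit rule set and the sample flows are constructed to illustrate the
Phase 1 segmentation model, not the Authority's actual policy.
"""
import ipaddress

# Each zone is a constructed address range.
ZONES = {
    "signaling": ipaddress.ip_network("10.20.1.0/24"),
    "ptc": ipaddress.ip_network("10.20.2.0/24"),
    "scada": ipaddress.ip_network("10.20.3.0/24"),
    "wayside": ipaddress.ip_network("10.20.4.0/24"),
    "fare": ipaddress.ip_network("10.20.5.0/24"),
    "depot": ipaddress.ip_network("10.20.9.0/24"),
    "vendor_jump": ipaddress.ip_network("10.30.0.0/24"),   # centralized jump server segment
}

# Permitted conduits: (src_zone, dst_zone) -> set of (protocol, port).
# Anything not listed is denied, including all traffic from outside the zones.
CONDUITS = {
    ("scada", "signaling"): {("tcp", 502), ("tcp", 20000)},   # Modbus/TCP and DNP3 from SCADA
    ("scada", "wayside"): {("tcp", 20000)},
    ("ptc", "wayside"): {("tcp", 20000)},                     # assumption: PTC back office polls wayside over DNP3
    ("vendor_jump", "scada"): {("tcp", 3389)},                # vendors reach SCADA only via the jump server
}


def zone_of(ip):
    """Map an address to its zone name, or 'external' when it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def check_flow(src, dst, proto, port):
    """Decide whether one flow is allowed by the zone-and-conduit policy."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone and src_zone != "external":
        verdict, reason = "allow", "intra-zone"
    elif (proto, port) in CONDUITS.get((src_zone, dst_zone), set()):
        verdict, reason = "allow", f"conduit {src_zone}->{dst_zone}"
    else:
        verdict, reason = "deny", f"no conduit {src_zone}->{dst_zone} for {proto}/{port}"
    return {"src": src, "dst": dst, "proto": proto, "port": port,
            "src_zone": src_zone, "dst_zone": dst_zone, "verdict": verdict, "reason": reason}


# Constructed flows, as a passive collector would report them.
SAMPLE_FLOWS = [
    ("10.20.3.10", "10.20.1.11", "tcp", 502),     # SCADA server -> signaling PLC (Modbus)
    ("10.20.9.12", "10.20.1.11", "tcp", 502),     # depot workstation -> signaling PLC
    ("203.0.113.5", "10.20.3.10", "tcp", 3389),   # vendor host reaching SCADA directly
    ("10.30.0.8", "10.20.3.10", "tcp", 3389),     # vendor session via the jump server
    ("10.20.4.7", "10.20.4.2", "udp", 161),       # wayside RTU <-> wayside switch, same zone
]


def audit(flows):
    """Return only the flows the policy denies."""
    return [r for r in (check_flow(*f) for f in flows) if r["verdict"] == "deny"]


if __name__ == "__main__":
    for r in audit(SAMPLE_FLOWS):
        print(f"DENY {r['src']} -> {r['dst']} {r['proto']}/{r['port']}: {r['reason']}")
```

Running the same check continuously against collector output is also a cheap way to verify that the segmentation actually deployed matches the design, and to catch regressions when a new system is added to a zone without architectural review.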

The Results

1,487 OT Assets Mapped

For the first time in the Authority’s history, a complete, authoritative inventory of OT assets existed — every device, firmware version, network connection, and vendor access point documented and understood.

38% OT Cyber Risk Reduction in 90 Days

The highest-priority remediations from the assessment were executed within 90 days — eliminating multiple lateral movement paths, closing the most critical vendor access exposures, and materially reducing the Authority’s OT cyber risk profile.

TSA Compliance Path Established

The assessment findings and remediation roadmap provided the Authority with the documented risk assessment required by TSA SD 1580/82-2023-01 — positioning the organization for compliance and providing the evidence package needed for regulatory examination.

Multi-Year Modernization Funded

The assessment findings gave leadership the evidence needed to secure funding for a multi-year OT security modernization program — transforming a reactive, vendor-dependent security posture into a structured, measurable, and strategically governed one.

Key Takeaway

Transit authorities face a security challenge that is more consequential than most: the systems they operate are not just business infrastructure, they are critical infrastructure whose failure directly affects public safety. A ransomware attack on a signaling network is not a data breach — it is a potential safety incident affecting hundreds of thousands of passengers.

The Transit Authority’s engagement demonstrates what a genuine OT security assessment looks like for critical infrastructure: technically rigorous, operationally sensitive, standards-grounded, and connected to the business consequences that leadership needs to understand to fund and prioritize remediation. Propelex delivered not just a vulnerability report but a complete narrative of how fragmented controls, legacy systems, and unmanaged vendor access collectively shaped the Authority’s risk profile — and a clear path to changing it.

The Results

Within 90 days the Transit Authority eliminated multiple lateral movement paths, introduced vendor access governance, reduced OT cyber exposure by 38%, achieved full visibility across 1,487 OT assets, and secured funding for a multi-year OT security modernization program — moving from reactive to structured and measurable.
