CyberSaif
Back to all projects
/ project

AquaSentinel

A practical IT/OT security project combining industrial control, penetration testing, and defensive architecture.

  • ICS Security
  • IT/OT
  • Penetration Testing
  • SOC
Complete

Project overview

The AquaSentinel project was part of the INCS culminating project during my time at BCIT. It brought together networking, control systems, defensive security, and offensive security inside one practical IT/OT environment.

The simulated plant included a water-level tank, an Endress+Hauser transmitter, an Allen-Bradley PLC, and a Safety Instrumented System. The OT side was paired with an IT network containing domain controllers, employee workstations, corporate websites, FTP, and other public-facing services.

AquaSentinel physical water-level control system
Physical AquaSentinel process setup used for the IT/OT security scenario.

Assessment goal

Part of the project was to deploy a practical converged IT and OT network, then conduct vulnerability assessment and penetration testing against it. The offensive objective was to break into the company network and work toward hijacking the water-level tank control system.

Under normal conditions, the plant maintains a level of 200 mm through PI control on the Allen-Bradley PLC.

Initial vulnerable AquaSentinel network topology
Initial network topology before the defensive redesign.

Attack path

My team first exploited the company website to collect employee usernames and passwords from the database. We also exploited the FTP server and used it as an initial access point into the company network.

After initial access, we identified running services in the IT network and found weak firewall policies. These firewalls lacked proper application-control configuration, which allowed lateral movement and helped us discover paths toward the control environment.

Revised secure AquaSentinel network topology
Revised network topology after applying segmentation and defensive controls.

Defensive proposal

After successfully taking control of the plant, we submitted a proposal to address the identified vulnerabilities and secure the network. The goal was to prevent the same attack path from working again and improve recovery in the event of a zero-day or future compromise.

  • Reviewed and redesigned the network diagram.
  • Improved application control between network zones.
  • Added intrusion detection and prevention systems.
  • Included endpoint detection and response coverage.
  • Centralized visibility through SIEM workflows.
  • Explored honeypots as an early-warning layer.

Project video

AQUASENTINEL_VIDEOYOUTUBE