AquaSentinel
A practical IT/OT security project combining industrial control, penetration testing, and defensive architecture.
Project overview
The AquaSentinel project was part of the INCS culminating project during my time at BCIT. It brought together networking, control systems, defensive security, and offensive security inside one practical IT/OT environment.
The simulated plant included a water-level tank, an Endress+Hauser transmitter, an Allen-Bradley PLC, and a Safety Instrumented System. The OT side was paired with an IT network containing domain controllers, employee workstations, corporate websites, FTP, and other public-facing services.
Assessment goal
Part of the project was to deploy a practical converged IT and OT network, then conduct vulnerability assessment and penetration testing against it. The offensive objective was to break into the company network and work toward hijacking the water-level tank control system.
Under normal conditions, the plant maintains a level of 200 mm through PI control on the Allen-Bradley PLC.
Attack path
My team first exploited the company website to collect employee usernames and passwords from the database. We also exploited the FTP server and used it as an initial access point into the company network.
After initial access, we identified running services in the IT network and found weak firewall policies. These firewalls lacked proper application-control configuration, which allowed lateral movement and helped us discover paths toward the control environment.
Defensive proposal
After successfully taking control of the plant, we submitted a proposal to address the identified vulnerabilities and secure the network. The goal was to prevent the same attack path from working again and improve recovery in the event of a zero-day or future compromise.
- Reviewed and redesigned the network diagram.
- Improved application control between network zones.
- Added intrusion detection and prevention systems.
- Included endpoint detection and response coverage.
- Centralized visibility through SIEM workflows.
- Explored honeypots as an early-warning layer.