Sitra is Bahrain's industrial heart - oil, gas, petrochemicals and power, where operational technology controls physical processes with real safety consequences. CyberFortify tests these environments the way they demand to be tested: safety-first and non-destructive, focused on IT/OT segmentation and the network, cloud and application layers around the plant, aligned with IEC 62443 and NIST SP 800-82, with audit-ready reporting and a free retest.
// 01 Why Sitra operators need penetration testing
On Sitra, a cyber-attack is not an abstraction about stolen records - it is a threat to processes that move fuel, generate power and run continuously. The industrial systems on the island were largely built for reliability and isolation, not for a world where corporate IT, remote-access tools and cloud dashboards now reach deep into the plant. Every one of those connections is a potential path an attacker can follow from an ordinary phishing email toward a control network.
IT-only testing stops at exactly the wrong place - the office firewall - and never examines whether that path into the plant is real. A specialist penetration test walks the IT/OT boundary deliberately, proving whether segmentation holds, whether an engineering workstation bridges two worlds, and whether an exposed historian or remote-access gateway offers a foothold. It does so without endangering the process, because safety is the first rule of the engagement.
// 02 Compliance and regulatory drivers in Sitra
Sitra's operators answer to industrial-security standards and critical-infrastructure expectations that most businesses never encounter. The drivers below are the ones CyberFortify most often maps evidence against for the island's plants and utilities.
IEC 62443
The international standard for industrial automation and control-system security. Testing aligned with IEC 62443 evidences zone-and-conduit segmentation and secure-by-design controls for refineries, plants and utilities.
NIST SP 800-82
The definitive guide to securing operational-technology environments. It grounds our non-destructive OT methodology and the segmentation evidence Sitra operators need.
National critical-infrastructure expectations
Energy and utility operators are core national infrastructure and are expected to test their defences continuously. Independent penetration testing provides that assurance to boards and regulators.
ISO 27001 & NIST CSF
Industrial operators use ISO 27001:2022 and the NIST Cybersecurity Framework to structure their programme; penetration testing supplies the technical-assurance evidence at their core.
Bahrain PDPL (Law No. 30 of 2018)
Even heavy industry processes employee, contractor and vendor data, bringing the PDPL's security-of-processing duty to the corporate IT that surrounds the plant.
Process-safety & cyber convergence
Cyber risk to control systems is increasingly treated as a process-safety concern. Testing the IT/OT boundary supports the safety case, not just the security one.
// 03 Penetration testing services for Sitra
Sitra engagements are led by network and OT segmentation testing, with cloud and application testing covering the systems that now connect the plant to the outside world.
Network & OT segmentation
External, internal and IT/OT boundary testing - the core of an industrial engagement, proving isolation between corporate and control networks.
Cloud pen testing
The cloud dashboards, historians and analytics platforms that increasingly pull data out of the plant - tested for misconfiguration and exposure.
API pen testing
Vendor, telemetry and integration APIs that bridge OT data to enterprise and cloud systems - checked for authorisation and data-exposure flaws.
Web application pen testing
Operational dashboards, contractor portals and corporate applications tested against the OWASP Top 10.
Red teaming
Goal-based simulation of an attacker moving from the corporate perimeter toward the control network, testing detection along the way.
Compliance consulting
Support turning findings into IEC 62443 and ISO 27001 evidence for boards, auditors and regulators.
// 04 How we deliver to Sitra
Industrial testing is done on the ground, carefully. CyberFortify's Bahrain-based team delivers OT and internal work on-site in Sitra, coordinated tightly with plant operations, while external, web and cloud testing runs remotely. Safety planning is built into every OT engagement from the first call.
Safety-first OT testing
Passive analysis and IT/OT boundary testing preferred; any active technique near live control systems is pre-authorised in writing and scheduled around operations. The process is never put at risk to find a finding.
Evidence boards accept
Reports mapped to IEC 62443, NIST 800-82 and ISO 27001, structured for the operational-risk and safety committees that govern an industrial site, with a free remediation retest.
Every engagement opens with a free 30-minute scoping call and a fixed-price quote within the hour, with OT safety planning factored into the timeline.
// 05 Industries we secure in Sitra
Sitra's economy is industrial to its core. CyberFortify tests across the operators that define the island:
// 06 Our methodology
Sitra engagements combine CyberFortify's core method with dedicated OT discipline. Testing is grounded in the Penetration Testing Execution Standard (PTES) and NIST SP 800-115 for IT, and in IEC 62443 and NIST SP 800-82 for operational technology, with exploitation mapped to the relevant MITRE ATT&CK tactics - including the ICS matrix. As a CREST Accreditation Pathway firm, we lead with manual, human-driven testing, and every OT action runs under explicitly agreed, non-destructive rules.
Scoping & safety planning
Targets, IT/OT boundaries, safety constraints and test windows agreed in writing before any testing begins.
Safety-firstReconnaissance & threat modelling
Attack surface mapped against the corporate-to-control paths that matter most for an energy or process operator.
ICS ATT&CKControlled testing
Segmentation validated, exposed interfaces probed and IT weaknesses exploited under controlled, non-disruptive conditions.
Non-destructiveReporting & free retest
Executive summary, technical report and IEC 62443 / ISO 27001 mapping - followed by a free retest once fixes ship.
Audit-ready// 07 Why CyberFortify for Sitra
An IT-only pen test vendor
A team that scans office systems, has no OT competence and no safety discipline, and hands over a report that ignores the IT/OT boundary - the one place a Sitra plant is genuinely exposed.
CyberFortify for industry
A Bahrain-based, CREST-pathway team that understands operational technology. Safety-first, non-destructive testing, findings mapped to IEC 62443 and NIST 800-82, on-site delivery coordinated with operations, and a free remediation retest.
Sitra engagements frequently pair a network and OT assessment with a red team simulation or ongoing compliance support, depending on the maturity of the operator's security programme.
// 08 Frequently asked questions
Do you test OT and ICS/SCADA systems for Sitra's industrial operators?
Yes, with care. Sitra's refineries, tank farms and power plants run SCADA and industrial control systems where a careless test can be dangerous. CyberFortify focuses on IT/OT segmentation, exposed control interfaces, engineering workstations and historians using passive and non-destructive methods aligned with IEC 62443 and NIST SP 800-82, with every high-risk action pre-agreed in the rules of engagement.
Will testing risk disrupting live process control in Sitra?
No. Safety comes first. OT testing is scoped to be non-disruptive: we prefer passive analysis and testing against the IT/OT boundary and any test or mirror environments, and any active technique near live control systems requires explicit written authorisation and is scheduled around operations.
Why isn't a firewall between IT and OT enough on its own?
A firewall is only as good as its rules, and in real plants those rules drift - a temporary engineering exception, a dual-homed workstation, an unmanaged remote-access tool. A penetration test proves whether the IT/OT boundary actually holds, rather than assuming the diagram matches reality.
How fast can I get a quote for a Sitra engagement?
After a free 30-minute scoping call we return a fixed-price quote, usually within the hour and always within one business day, including a free remediation retest. OT engagements include extra time for safety planning.
Is on-site testing available in Sitra?
Yes. OT and internal-network testing in Sitra is delivered on-site by our Bahrain-based team, coordinated with plant operations. External, web and cloud testing is delivered remotely in the local time zone.