Offensive Security

March 3, 2026

Combining Offsec and OT Expertise to Strengthen a Major Oil Pipeline Against Security Attacks

A midstream oil company was increasingly concerned about its exposure to cyber threats, particularly in the wake of high-profile cyber incidents such as the Colonial Pipeline ransomware attack. Through an ongoing strategic partnership with Kroll that included a combined operational technology (OT) and IT security architecture review, Operationally Critical Business Application (OCBA) penetration testing and a cloud security configuration review, the company benefits from enhanced detection capabilities and assured defense against increasing threats to the oil and gas sector. By uncovering both technical vulnerabilities and security architecture issues within a highly complex operational and security environment, and a politically sensitive setting, Kroll has helped to significantly reduce the risk of disruption to critical infrastructure.

Overview

Industry

  • Midstream (Oil & Gas)

Challenges

  • Complex OT and IT environment
  • Increasing threats to industry
  • Limited insight into hidden and potential vulnerabilities
  • Lack of actionable steps to address risk

Kroll Services

  • OT security architecture review
  • Penetration testing

Impact

  • Advanced cybersecurity resilience
  • Strategic security partnership
  • Structured mitigation plan
  • Enhanced security operations center (SOC) capabilities

The Challenge

Concerned about increasing disruption to the oil and gas sector by incidents such as the 2021 ransomware attack on Colonial Pipeline, the internal security team at a major oil pipeline company wanted to better understand its existing and potential vulnerabilities. The objective was harder to achieve because of an extensive, heterogeneous environment that included remote field assets (physical and online infrastructure), converged OT/IT networks, and a mix of legacy and modern systems. This made accurate inventorying, exposure assessment and risk prioritization difficult.

With a vital national resource at stake, the company also needed to ensure that any security assessments undertaken would not risk compromising operational stability. They would also need to fully meet all relevant industry regulations and guidelines. The company initially decided that a series of red teaming exercises would be the best first step.

Kroll’s Solution

Kroll worked closely with the client to discuss options and identified that the most beneficial assessment at this stage would be a security architecture review of its OT environment. This niche requirement called for Kroll’s combined expertise in offensive and OT security, including specialist knowledge of cybersecurity requirements for pipelines such as the TSA Cybersecurity Directive, relevant aspects of NIST, and ISA/IEC 62443.

The OT Security Architecture Review, aligned to ISA/IEC 62443, followed a structured assessment of the current OT environment against the standard’s foundational requirements and zone/conduit model. The process included asset and network architecture analysis, review of policies and controls, and validation of segmentation and access paths. Key outcomes included identified gaps against 62443 requirements, prioritized remediation actions, and a risk-informed roadmap to strengthen segmentation (micro-segmentation), access control, monitoring and resilience across the OT environment.
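As an added illustration of the segmentation and access-path validation described above (this is not Kroll's tooling or the client's architecture), the following script checks observed flows against a hypothetical zone/conduit allowlist in the 62443 style and reports flows that cross zones without a defined conduit or on a port the conduit does not permit. All zone ranges, ports and flow records are constructed for the example.

```python
"""Check observed flows against an ISA/IEC 62443-style zone/conduit policy (constructed data)."""
import ipaddress

# Constructed zone map: address ranges assigned to zones.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "idmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.10.0/24"),
    "field": ipaddress.ip_network("192.168.20.0/24"),
}

# Constructed conduit allowlist: (src zone, dst zone) -> permitted TCP ports.
# Only adjacent zones are connected; enterprise never reaches control directly.
CONDUITS = {
    ("enterprise", "idmz"): {443},        # users reach a historian replica in the DMZ
    ("idmz", "control"): {5450},          # DMZ collector pulls from the control historian
    ("control", "field"): {502, 20000},   # Modbus/TCP and DNP3 to field devices
}

def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def evaluate(src: str, dst: str, dport: int) -> str:
    """Return 'allowed', 'intra-zone', or a description of the violation."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "intra-zone"
    ports = CONDUITS.get((s, d))
    if ports is None:
        return f"violation: no conduit {s}->{d}"
    if dport not in ports:
        return f"violation: port {dport} not permitted on conduit {s}->{d}"
    return "allowed"

def find_violations(flows):
    return [(f, v) for f in flows if (v := evaluate(*f)).startswith("violation")]

# Constructed sample flows, as they might be exported from a firewall log or passive sensor.
SAMPLE_FLOWS = [
    ("10.10.5.7", "10.20.0.10", 443),        # allowed
    ("10.20.0.10", "192.168.10.5", 5450),    # allowed
    ("10.10.5.7", "192.168.10.5", 3389),     # enterprise -> control bypasses the DMZ
    ("192.168.10.5", "192.168.20.3", 22),    # SSH is not on the control->field conduit
    ("192.168.20.3", "192.168.10.5", 502),   # reverse direction has no conduit
]
```

Running `find_violations(SAMPLE_FLOWS)` returns the last three flows with their reasons; in practice the flow list would come from firewall exports or a passive sensor on the conduits.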

Kroll conducted a comprehensive assessment of the client’s internet-facing network to uncover potential security weaknesses. The objective was to determine whether any part of the defined scope could be exploited by malicious actors to gain unauthorized access. This was linked to its Operationally Critical Business Application (OCBA), which integrates with operational measurements for billing and revenue settlement. The application is a feature-rich business platform with a web interface used by customers and select employees to support operational and financial processes.

Kroll also conducted a comprehensive penetration test of the client’s OCBA, taking a significantly deeper approach than a standard black-box assessment. Given the application’s operational and financial importance, the testing methodology was tailored to achieve maximum coverage and meaningful risk insight. Unlike typical assessments that rely solely on external interaction, this engagement incorporated source code-assisted testing, with the Kroll team being given access to both the application’s source code and a live application instance.

By leveraging a structured combination of white-box and grey-box testing techniques, Kroll was able to analyze application logic, authentication workflows, data handling mechanisms and internal trust relationships at a granular level. This approach allowed the team to identify realistic attack paths that could be exploited by external adversaries. The team uncovered systemic weaknesses, including legacy code dependencies and architectural patterns that were effectively undermining or bypassing built-in security controls.

In addition to external testing, Kroll evaluated the application from an internal threat perspective, simulating scenarios in which an employee account or a connected system was compromised. This approach provided insight into how insider threats, privilege escalation, lateral movement and misuse of trusted access could impact the application’s integrity and business processes. Kroll identified numerous vulnerabilities rooted in legacy components, implicit trust relationships and architectural design patterns that increased systemic risk. Many of the issues were indicative of broader architectural gaps within the client’s codebase and application framework. Addressing these findings required strategic guidance on phased remediation, including architectural hardening, improved access control models and secure coding practices.

The client had previously worked with another provider on a cloud security assessment. However, that provider had not delivered any actionable steps to enable the client to improve its cloud security posture. After exploring the company’s priorities, Kroll completed a cloud configuration assessment and applied its adversarial cloud penetration testing approach to identify multiple realistic, exploitable attack paths as well as potential ones. The work focused on specific areas, such as evaluating the security of the company’s Azure cloud environment and exploring risks from an account breach perspective, in which an employee’s or developer's account has been compromised. After the assessment, Kroll provided the company’s executive and security team with advice and actionable next steps along with prioritized short-to-long-term strategic recommendations.

Following the OT security review and cloud security engagement, the pipeline company’s security leadership needed a clear and consolidated view of the risks and recommendations to present to their executive leadership. Kroll partnered with the team to develop a structured mitigation plan. As a result, leadership was equipped with a defensible roadmap—clearly defining near-term controls, medium-term improvements, and long-term modernization priorities—providing confidence that cybersecurity risks across both OT and cloud environments were being managed in a structured and measurable manner.

The pipeline company continues to engage Kroll to mature its overall security posture. Building on earlier engagements, the client engaged Kroll to conduct a C2M2-based OT maturity assessment. This initiative reflects the organization’s commitment to advancing from reactive risk mitigation toward structured, benchmarked cybersecurity capability development. Future engagements under discussion include targeted offensive security testing such as purple teaming across both IT and OT environments, vulnerability management and architecture hardening within operational systems, and long-term resilience planning.

The Benefits

Strategic Partnership

Through a structured sequence of OT assessments and penetration testing, mitigation planning, and executive advisory, the pipeline company established a long-term, strategic security partnership with Kroll. Rather than treating cybersecurity as a series of isolated engagements, the organization now operates with a cohesive, forward-looking security program strategy—strengthening resilience in a complex and highly regulated environment.

Integrated Offensive and OT Security Expertise

With operational technology at the core of the company’s business, Kroll’s integrated expertise across offensive security, OT security architecture and cloud risk enabled a comprehensive evaluation of both business and control environments. By working closely together, Kroll’s OT architecture and red team experts ensured that recommendations covered the compliance aspects specific to OT environments and pipeline regulations, and that the resulting changes and controls would be effective against the advanced threat actors likely to target this infrastructure while remaining practical to implement within an OT environment.

Actionable, Prioritized Risk Reduction

Kroll translated technical findings into business-relevant insights and prioritized remediation actions to equip the client with a structured roadmap.

Strengthened Detection and Response Readiness

The detailed testing and architectural analysis completed by Kroll enhanced the effectiveness of the company’s Security Operations Center (SOC). With deeper visibility into application, host, OT, and cloud attack paths, the SOC is now better positioned to detect anomalous behavior, investigate incidents more efficiently, and respond with greater precision—reducing potential operational impact.
