Traditionally, assessing networks has involved hammering on them using a variety of passive and active techniques and tools. While IT systems can generally survive momentary downtime associated with this type of testing, ICS/SCADA systems generally cannot. The way that most vulnerability assessors and penetration testers have handled these systems in the past is to remove them from the scope of their testing. As more and more ICS/SCADA systems are being connected to corporate networks, in a variety of secure and insecure ways, assessors and testers will probably come across these types of systems more often. This presentation discusses some of my experience from conducting vulnerability assessments and penetration tests on ICS/SCADA systems over the past few years. It discusses our general approach to assessing these types of systems and some of the modifications that we have to make to accommodate them.