Industrial Control Systems (ICS) are where the digital world meets the physical world. The whole point of ICS is that computer can control machinery, making them more efficient and easier to operate. These systems operate is diverse environments including: on ships and other transport systems; in waste management sites; in manufacturing plants; and in power plants.
ICS wern't originally connected to the Internet, but this is increasingly becoming the case. Even when these systems are "air-gapped" and have no direct connectivity to the Internet, there are attackers who have developed the ability to "bridge the air gap".
ICS penetration testing looks at the system as a whole and then dives deeply into specific areas. Controller devices tend to be very resource constrained and unfortunately this often results in weak systems. Not only do the end devices typically have problems, but they also often rely upon outdated management systems that run on legacy Operating Systems such as Windows 2000.