The value of penetration testing ICS/OT environments
There are several considerations to make when companies decide it’s time to order a pentest for industrial control system (ICS) and operational technology (OT) environments.
When establishing and testing a brand-new cybersecurity program such as penetration testing (pentest), it can be difficult to know exactly what steps are reasonable to take, and when to take them.
When is it time to pentest?
Building a cybersecurity program is a marathon, not a race. It can be exciting finally getting to the point of ordering a penetration test, but testing should be considered a late-stage maturity activity. In other words, system owners should make sure that they have the basic building blocks of a cybersecurity program in place before considering penetration testing.
Dragos Professional Services clients have typically gone through a process of architecture review and site assessment prior to ordering a network penetration test. This is done to ensure that the conceptual framework for network architecture is sound. When conducting an architecture review, Dragos may ask for certain documents including network topology, incident response plan, recovery plan, and firewall configurations. Dragos then conducts interviews with client staff to better understand the makeup of the existing security program.
The follow-on site assessment explores the ground truth, which helps discover discrepancies between what is on paper, and what is reality within the facility. Nothing helps expose the good the bad and the ugly of security operations like walking through the facility where those operations take place. This exercise typically results in additional findings which should be remediated prior to any penetration testing.
Once these exercises have been complete, and all the findings have been addressed, it’s time to think about testing the mitigations put in place after the last two rounds of exercises. Testing these mitigations should be a primary goal of the penetration test. Of course, there are other ways to get to the conclusion that it’s time to conduct a penetration test. However a system owner comes to the conclusion that it’s time to order a test, there are some things to consider when it comes to what kind of test to ask for.
When it’s time to discuss a penetration test with a vendor, it helps to understand a few basic pentesting strategies. In terms of pentesting strategy, there are three broad approaches that are typically consulted:
When Dragos performs an industrial penetration test, we work around a set of limitations that help guide our approach to testing. One of these limitations is time. Whereas most adversaries do not have this time limitation, and can “dwell” for extended periods of time to gather information and research their target, pentesters do not have this advantage. Therefore, our goal is to simulate a breach in advanced stages. We call this an “assumed breach” test.
In an assumed breach test, system owners consider a scenario where their network has already been breached to some extent. This allows system owners to consider questions related to how far an attacker could get, and how much damage they could do once they’ve managed to gain access to the owner’s network.
Whatever strategy a system owner decides on, they should also carefully consider the vendor they choose and how much their experience their chosen vendor has in ICS penetration testing specifically. Special considerations should be made in ICS environments with respect to network availability that not all penetration testing providers will respect, or even be aware of.
How an OT pentest differs
No two penetration tests are the same. Different goals, different strategies, and different network placement all contribute to unique penetration testing experiences. It’s possible that readers of this post may have experience with IT pentests that reflect this fact, however, there are dramatic differences between IT and OT penetration tests.
Because OT penetration tests need to take additional precautions to prioritize availability during pentests against production ICS networks, certain tools and techniques are considered high-risk, and accordingly are not used because of the stability risk they pose to our clients. We do recognize that this creates a tradeoff between a thorough test and a sanitary test. One way that we deal with this tradeoff is by checking exploitability before committing to using the exploit.
This method allows us to use a “defanged” exploit, or an exploit that both reduces the risk of using the “fanged” (full exploit technique) method, and also allows us to continue testing. This is not something that is often seen in IT penetration testing, but it is something we get a great deal of use out of in ICS pentesting.
The following graphic provides a simplified overview of the penetration testing process conducted by Dragos. To view the process in more detail, see our infographic, Anatomy of a Penetration Test, here.
Impacts and outcomes
Another area where IT pentesting differs from ICS pentesting is in the outcomes we hope to achieve. After a penetration test, clients can expect to have a realistic picture of what a breach against their networks would look like.
Knowing how successful a professional team of hackers would be against the protections and mitigations built into the network. Having this information can be used to directly inform changes security improvements, which may not be obvious from on-paper exercises alone.
Not only does a penetration test help illuminate what pathways an attacker may take if they achieve network access, but clients can also expect to understand what sorts of impacts may result from network compromise as well. When it comes to impacts, we want to identify pathways that create impacts to ICS operations such as:
- Loss of view
- Loss of control
- Loss of confidence
- Impair process control
- Inhibit response function.
All of the above can pose obstacles to operational continuity, and are often not outcomes clients would expect to see on an exclusive test of their IT systems.
Penetration testing can significantly improve the security posture of a growing cybersecurity program, and there are many things to consider. Maturity is an investment, and ensuring a cybersecurity investment through testing is highly rewarding and illuminating to system owners who are prepared.
Original content can be found at Dragos.