Penetration Testing Industrial Control Systems: What to Know
Written By: Benjamin Mahar
Attackers are homing in on industrial control systems because of the role they play in critical infrastructure and the potential fallout of an attack. Electrical grids, water treatment, oil and gas storage and transportation, and modern manufacturing facilities all depend on industrial control systems (ICS). From Supervisory Control and Data Acquisition (SCADA) systems used for monitoring, to Distributed Control Systems (DCS) that monitor and regulate processes, industrial control systems are essential for keeping sensitive processes moving safely.
Disruption of these systems can lead to an immense impact to your business and the customers who trust you. While some attackers are financially motivated and know the need for continuity of operations will drive their targets to pay a ransom, others are associated with nation-states or political groups, and may target ICS as a way to achieve their strategic goals or obtain leverage. Either way, you need to be ready to stop these attackers before they can achieve their objectives, and a rigorous penetration testing program is an important piece of your cybersecurity program.
Why Penetration Test Industrial Control Systems?
Attackers are targeting ICS more than ever before. Even though ICS has always been critical for activities such as manufacturing and maintaining critical infrastructure, the operational technology (OT) has not always been online. The move to the Industrial Internet of Things (IIoT) is excellent for efficiency and safety because it offers more capability than ever to monitor processes and tune them. However, this also means that critical operations are connected in ways they never were before. Ingesting and processing all of this data from IIoT devices requires network connections. It requires edge computing or cloud computing capabilities. This means it also requires proper security controls to keep unauthorized parties out. After all, these connected devices, if left unsecured, can give attackers access to sensitive data and processes, or give them leverage to demand a ransom.
Penetration tests are the best way to discover gaps in your defenses, including device misconfigurations, unencrypted traffic, improper network segmentation, a weak patching program, or exposed embedded devices that cannot be patched. Only by testing can you make sure your security controls actually work the way you intend them to, and whether your ICS are as isolated as you think they are.
It is better and more cost-effective to discover these weaknesses in a pen test and fix them up front than to deal with the effects if an attacker finds them first. Experienced ICS penetration testers use a cautious, risk-aware methodology. This means a negligible risk of service disruptions during the pen test, and you walk away with targeted and actionable recommendations for how to improve your defenses against the rising threat against ICS.
Vulnerability assessments alone are not enough. Vulnerability assessments give you an idea of known vulnerabilities, but do not delve into exactly how exploitable they are. Though automated vulnerability identification is a phase of penetration testing, a real pen test goes far deeper. It includes human security experts doing the work to find out which vulnerabilities are actually exploitable, and what access they can gain by exploiting those vulnerabilities. In short, you need penetration testing to know not only what an attacker might exploit in your ICS infrastructure, but what they actually can exploit, and to help you make more informed and impactful remediation decisions.
What Are the Risks of Not Pen Testing Industrial Control Systems?
Finding your security issues is more urgent than ever because both reported vulnerabilities in ICS and attacks against ICS are on the rise.
The number of ICS vulnerabilities reported in the first half of 2021 rose 41%, and 71% of those issues were classified as high- or critical-severity. Per a 2021 Claroty report, 47% of respondents had identified an attack against ICS or operational technology in the past year. In short, there are ICS issues for attackers to target and they are actively trying to attack them.
ICS are attractive targets for three main reasons:
Ransomware: Attackers know that organizations who use ICS often face a pressing need to stay in business. Consider attacks against critical infrastructure, like the Colonial Pipeline attack. Colonial Pipeline paid a ransom equivalent to $4.4 million in Bitcoin to the attackers, because they did not know the extent of the attack and did not know how long it would take to restore operations otherwise.
Industrial Espionage: Espionage-motivated attackers want to get detailed information on how a business process is performed. Though these are often less noticeable than financially motivated attacks, they still have deep long-term effects due to loss of trade secrets and competitive advantage.
Nation-State Actors: Nation-state actors see attacking critical infrastructure providers as an effective way to achieve strategic goals, leading to a recent increase in ICS attacks against such organizations. The current conflicts involving Russia, both in the context of the attacks on Ukraine and the tension with NATO, have been a significant driver.
The Costs of an Attack
An attack can cost you time, money, and reputation. Ransomware is a common threat, and due to the pressure to keep functioning, industrial organizations end up paying hefty ransoms. According to a 2021 Claroty survey, 62.14% of industrial organizations that suffered ransomware attacks paid the ransoms, with 45% of those ransoms costing $500,000 US or more, and almost 9% costing over $5 million US.
Aside from financial risks, the threat varies based on what the organization uses ICS for, but it can include blackouts, environmental damage, failure of manufacturing equipment and missing fulfillment contracts, and injury of workers. These issues can lead to not only time spent cleaning up or catching up, but also lost trust with customers, investors, or the public.
Why ICS Penetration Testing Experience Matters
The thought of penetration testing industrial control systems often brings trepidation at first. Uptime lies at the heart of those fears: for both manufacturers and critical infrastructure providers, devices must remain online to satisfy customer demands. If a testing window runs over or a device is brought down because of an unexpected response to a scan or a simulated attack, your reputation and your ability to fulfill contracts may be at stake. However, experienced professionals know how to safely test within an ICS environment, protecting your business processes while strengthening your security for the future.
Penetration testing industrial control systems requires a different approach than other kinds of penetration testing. Tools like scanners and fuzzers are useful against IT or web application assets, but can cause service disruptions when used to test ICS. Experienced ICS penetration testers know that these systems need to be tested in a cautious and methodical way, and use tools and methods specifically designed to detect exploitable issues while minimizing the risks of testing. Experienced ICS penetration testers can also customize a test to the hardware, software, legacy systems, and network perimeter that you rely on, knowing that every client depends on a different group of systems to get the job done.
An experienced penetration tester not only knows how much care a test against ICS requires, but also knows the common issues that companies using ICS have. Often companies try to solve their ICS issues by segregating the devices. But attempts at segmentation are not usually as effective as companies think they are. Common reasons for perimeter or segmentation flaws include vendor access, technicians trying to make things easier to manage, or weaknesses in firewall configurations. The only way to find these flaws is to test, and an experienced ICS penetration tester is well versed in looking for these issues.
Other common issues identified in ICS tests relate to disruptions via techniques that companies may not expect. For example, most companies realize the possibility that an attacker will compromise a controller. However, they may not think of the fact that an attacker can cause a similar interruption by compromising a network device and selectively delaying traffic related to the process that the attacker wants to interfere with. Experienced ICS penetration testers know how to identify and test for these secondary devices, which can have non-obvious effects on ICS.
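The segmentation flaws listed above (vendor access paths, convenience rules, weak firewall configurations) usually show up as a handful of over-broad or misordered rules on the boundary firewall. The following added example, which is not code from the original post or from Security Compass Advisory, audits a normalised rule set for the three patterns a tester would look for first: any-port allows from an untrusted zone straight into the process zone, allows on well-known ICS protocol ports across that boundary, and rules that can never fire because a broader rule above them already matches. The zone names, the rule format and the sample rules are all constructed for illustration.

```python
"""Audit a boundary firewall rule set for common IT/OT segmentation flaws.

Added example, not part of the original post. The rule format, zone names and
sample rules are constructed; a real rule set would be exported from the
perimeter firewall and normalised into this shape before auditing.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known ports of common ICS protocols (assumption: the OT zone uses these;
# adjust the table to the protocols actually present in the environment).
ICS_PORTS: Dict[int, str] = {
    102: "S7comm",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Zones that must not open connections directly into the process zone; such
# traffic should terminate in a DMZ or jump host first (constructed policy).
UNTRUSTED_SOURCES = {"internet", "corporate_it", "vendor_vpn"}
OT_ZONE = "ot_process"


@dataclass
class Rule:
    rule_id: int
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None means "any port"
    action: str              # "allow" or "deny"
    comment: str = ""


def audit_rules(rules: List[Rule]) -> List[str]:
    """Return one finding per rule that weakens the IT/OT boundary.

    Rules are walked in order, as a first-match firewall evaluates them.
    """
    findings: List[str] = []
    # (src, dst) pairs already covered by an earlier any-port allow
    broad_allows: Dict[Tuple[str, str], int] = {}
    for rule in rules:
        pair = (rule.src_zone, rule.dst_zone)
        # A later rule for the same zone pair is never reached once an
        # any-port allow matches, so a deny placed there gives false comfort.
        if pair in broad_allows:
            findings.append(
                f"rule {rule.rule_id}: never evaluated, shadowed by any-port rule "
                f"{broad_allows[pair]} ({rule.comment})"
            )
            continue
        if rule.action != "allow":
            continue
        crosses = rule.src_zone in UNTRUSTED_SOURCES and rule.dst_zone == OT_ZONE
        if crosses and rule.dst_port is None:
            findings.append(
                f"rule {rule.rule_id}: any-port allow {rule.src_zone} -> {OT_ZONE} "
                f"({rule.comment})"
            )
        elif crosses and rule.dst_port in ICS_PORTS:
            findings.append(
                f"rule {rule.rule_id}: {ICS_PORTS[rule.dst_port]} (port {rule.dst_port}) "
                f"allowed {rule.src_zone} -> {OT_ZONE} ({rule.comment})"
            )
        if rule.dst_port is None:
            broad_allows.setdefault(pair, rule.rule_id)
    return findings


# Constructed sample rule set showing each flaw once.
SAMPLE_RULES = [
    Rule(1, "corporate_it", "ot_dmz", 443, "allow", "historian web UI"),
    Rule(2, "vendor_vpn", "ot_process", None, "allow", "vendor support, 'temporary'"),
    Rule(3, "vendor_vpn", "ot_process", 502, "deny", "block vendor Modbus"),
    Rule(4, "corporate_it", "ot_process", 502, "allow", "engineering workstation polling"),
    Rule(5, "ot_dmz", "ot_process", 502, "allow", "historian poll via DMZ"),
    Rule(6, "any", "ot_process", None, "deny", "default deny"),
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Rules 1, 5 and 6 are what a sound boundary looks like: IT reaches the historian in the DMZ, the DMZ polls the process zone on the one port it needs, and everything else is denied. Rules 2 through 4 are the "temporary" vendor path, the deny that it silently shadows, and the convenience rule that lets corporate workstations talk Modbus directly to controllers.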
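Selective delay of process traffic is hard to spot from the controller side, because nothing is dropped and the PLC itself is healthy; what changes is the round-trip time of the polling loop. The following added example, not code from the original post or from Security Compass Advisory, shows the detection logic a defender would run over passively captured poll timestamps: establish a median baseline, flag polls whose round trip exceeds it by a large factor, and escalate only when the delay is sustained across consecutive polls, which is the signature of an in-path device holding back one process's traffic rather than ordinary jitter. The sample timestamps are constructed; in practice they would come from a SPAN port or network TAP on the OT segment.

```python
"""Flag process-traffic polls whose round-trip time suddenly balloons.

Added example, not from the original post. Input is a constructed list of
(poll_sent_s, reply_seen_s) timestamps for one HMI-to-PLC poll loop, as a
passive capture on the OT network would provide.
"""
from statistics import median
from typing import List, Tuple

Sample = Tuple[float, float]  # (time poll was sent, time reply was seen), seconds


def round_trip_ms(samples: List[Sample]) -> List[float]:
    """Per-poll round-trip time in milliseconds."""
    return [(reply - sent) * 1000.0 for sent, reply in samples]


def baseline_ms(rtts: List[float], window: int) -> float:
    """Median RTT over the first `window` polls, taken as 'normal'.

    The median is used so that one slow poll in the learning window does not
    drag the baseline up and hide a later delay.
    """
    if len(rtts) < window:
        raise ValueError("not enough samples to establish a baseline")
    return median(rtts[:window])


def find_delays(samples: List[Sample], window: int = 10, factor: float = 10.0,
                sustained: int = 3) -> Tuple[List[int], bool]:
    """Return (indexes of delayed polls, whether the delay was sustained).

    A poll counts as delayed when its RTT exceeds `factor` times the baseline.
    `sustained` consecutive delayed polls is the pattern a device selectively
    holding traffic produces; a lone slow poll is reported but not escalated.
    """
    rtts = round_trip_ms(samples)
    normal = baseline_ms(rtts, window)
    delayed = [i for i, rtt in enumerate(rtts) if rtt > factor * normal]
    delayed_set = set(delayed)
    run = longest = 0
    for i in range(len(rtts)):
        run = run + 1 if i in delayed_set else 0
        longest = max(longest, run)
    return delayed, longest >= sustained


def constructed_samples() -> List[Sample]:
    """20 polls one second apart (constructed). Replies normally arrive in
    5-6 ms; polls 12 through 17 are answered 450 ms late."""
    out: List[Sample] = []
    for i in range(20):
        sent = float(i)
        latency = 0.450 if 12 <= i <= 17 else 0.005 + 0.0005 * (i % 3)
        out.append((sent, sent + latency))
    return out


if __name__ == "__main__":
    delayed, escalate = find_delays(constructed_samples())
    print("delayed polls:", delayed)
    print("sustained delay, escalate:", escalate)
```

The baseline window, the factor and the run length are tuning knobs: a process with a 5 ms poll loop will tolerate a tighter factor than one polling a remote site over a WAN, so they should be set per poll loop rather than globally.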
What to Expect During an ICS Test
Through our experience at Security Compass Advisory in performing penetration tests on ICS environments, we have developed a methodology that provides useful and impactful results while minimizing the chance of interruption. The phases you can expect during a test are:
Architecture review: First, we review the architecture on paper, in order to have a full understanding of your ICS before beginning any testing.
Boundary assessment: Segmentation controls and boundary defenses form the core of a sound ICS security strategy. Since many ICS devices were not designed with security in mind, a strong boundary is important for defending them. Penetration testing this boundary is critical for knowing how well boundary controls actually work.
Device assessment: In cases where this is appropriate, we will assess what an attacker can do when they gain access to an ICS network. We typically do this in a lab or test environment, in order to prevent it from affecting the production environment.
By following this methodology, we are able to test the security controls in your ICS environment and help you strengthen your environment against attack, while supporting your need for continued uptime.
A Secure Future for ICS
ICS penetration testing is more important than ever. Attackers are focusing on ICS, and organizations need to be prepared to keep them out. The best way to do that is to work with an experienced ICS penetration tester who can help you identify exploitable issues in your environment and fix them before attackers can make their way in. Security Compass Advisory has over fifteen years in the security industry, including work with critical infrastructure and manufacturing clients. Learn more about our penetration testing services, and find out how we can help you strengthen your security and your confidence.
Ben is an innovative security expert with over 15 years of experience serving clients in the Government, Retail, Energy, and Technology sectors. Prior to joining Security Compass Advisory, he was a leader in providing cyber security within the Air Force, as well as a Big-4 consulting firm, where he developed extensive first-hand experience protecting against both criminal and nation-state cyber threats.