SCADA Penetration Testing
SCADA penetration testing has never been more important in an ever more connected world.
Industrial control systems often have an installed lifespan of several decades. Older ones were frequently designed on the assumption that they would communicate via small, dedicated networks: isolated from the public Internet, and protected by the same physical security as the plant itself. Even newly-built systems may incorporate software that was originally written when these assumptions were valid.
Ubiquitous Internet connectivity and a large rise in malicious activity have changed the threat landscape radically. Industrial control systems may still run on separate networks, but true physical isolation is becoming the exception rather than the norm. Even with no direct connection, some malware can bridge an air gap, for example by travelling on removable media or on an engineering laptop that is moved between the corporate and control networks.
Hedgehog Cyber can deliver in-depth SCADA penetration testing and security assessments for industrial control systems, including appropriately cautious testing of live production environments if required. Our approach will help you and your organisation investigate and answer the following crucial questions:
- Does your company use industrial control / SCADA systems?
- Are they connected to a network?
- Have you assessed the security of your control network?
- Could it be hijacked or used by malicious users?
- Have you looked for, and found, vulnerabilities that may be present?
- Have you assessed what the potential impact could be, in terms of lost production, damaged equipment, and perhaps even personal injury if the control network were attacked?
Benefits and Challenges
SCADA and industrial control systems are at risk in the modern threat environment if they are not adequately secured. Key business drivers for effectively managing this risk include:
- Protecting the large capital investment that they, and the equipment which they control, represent.
- Ensuring business continuity, to avoid the direct and indirect costs which would result from any loss of production.
SCADA Penetration Testing is an important component of this process:
- It can be used to direct resources towards aspects of the system where the risk is greatest.
- It can be used as a validation tool to check whether a system has been adequately secured.
Threats for 2020
Industrial control systems can be tested with many of the same techniques as other types of system, but there are important differences too:
- Tools that are used for testing Windows-based servers and workstations are often unsuitable for testing embedded control devices such as PLCs.
- Devices from different manufacturers – or even the same manufacturer – are often incompatible with each other. There are also a number of incompatible control network protocols in widespread use.
- If testing has side effects, these are potentially far more serious than on a typical corporate network, especially in a live production environment.
To accommodate these differences, ICS / SCADA penetration testing requires more planning and a more tailored approach than other types of penetration testing. Security companies without experience of ICS / SCADA penetration testing are unlikely to achieve worthwhile results, and could cause serious harm to your systems if they are unaware of the risks.
We would always recommend the safest possible method of testing. Ideally, this would be either the production system while it is down for maintenance, or a representative test system built to the same configuration. However, if there is a need to test live systems, Hedgehog Cyber has the capability to do that. In some cases it is possible for us to replicate the client's entire system within our lab facility in the Midlands. Our lab facility is run in collaboration with Siemens.
The key to devising a safe but effective test plan is first to perform a detailed risk assessment. This will identify any fragilities within the system under test, detail any possible mitigations, and allow you to make an informed trade-off between thoroughness and risk. Options for testing include:
- Normal penetration testing
- Active port scanning
- Active enumeration (ARP scanning)
- Active testing of network isolation
- Passive enumeration
- Physical inspection
- Design review (paper exercise only)
For example, port scanning is normally considered a low-risk method of testing, and network hosts should not crash when exposed to one; however, some programmable logic controllers have been known to do exactly that. If necessary, we can mitigate this risk by performing safety trials beforehand against the specific device models that are connected to the network under test.
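The passive enumeration option listed above is the one that carries no risk of the side effects just described, because it transmits nothing: the tester listens on a SPAN port or network tap and builds an inventory from what the control network already says about itself. The following is an added example (not Hedgehog Cyber's tooling) of how that works for two of the most common protocols on such a network, ARP and Modbus/TCP. It parses raw Ethernet frames, records which hosts answer for which addresses, which hosts act as Modbus servers (typically PLCs), which unit identifiers and function codes are in use, and, most usefully for planning a live test, which hosts are already issuing write function codes and which writes the device rejects. The frames at the bottom are constructed for this example; the MAC and IP addresses and unit ID are hypothetical.

```python
import struct
from collections import defaultdict

MODBUS_TCP_PORT = 502
# Modbus function codes that change PLC state; a live-system test plan must not send these.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_frame(frame):
    """Return one observation dict for an ARP or Modbus/TCP frame, or None if unrecognised."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == 0x0806 and len(payload) >= 28:            # ARP: sender hardware/protocol address
        oper = struct.unpack("!H", payload[6:8])[0]
        return {"kind": "arp", "mac": mac_str(payload[8:14]), "ip": ip_str(payload[14:18]),
                "op": "request" if oper == 1 else "reply"}
    if ethertype == 0x0800 and len(payload) >= 20:            # IPv4
        ihl = (payload[0] & 0x0F) * 4
        if payload[9] != 6 or len(payload) < ihl + 20:          # TCP only
            return None
        src_ip, dst_ip = ip_str(payload[12:16]), ip_str(payload[16:20])
        tcp = payload[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data = tcp[(tcp[12] >> 4) * 4:]
        if MODBUS_TCP_PORT not in (sport, dport) or len(data) < 8:
            return None
        _tid, pid, _length, unit, fc = struct.unpack("!HHHBB", data[:8])   # MBAP header + function code
        if pid != 0:                                           # Modbus/TCP protocol identifier is always 0
            return None
        return {"kind": "modbus", "src": src_ip, "dst": dst_ip, "unit": unit,
                "fc": fc & 0x7F, "exception": bool(fc & 0x80),  # high bit set = exception response
                "role": "request" if dport == MODBUS_TCP_PORT else "response"}
    return None


def build_inventory(frames):
    """Aggregate observations per IP address. Nothing is transmitted."""
    inv = defaultdict(lambda: {"macs": set(), "modbus_server": False, "units": set(),
                               "functions": set(), "writers": set(), "rejected": set()})
    for frame in frames:
        o = parse_frame(frame)
        if o is None:
            continue
        if o["kind"] == "arp":
            inv[o["ip"]]["macs"].add(o["mac"])
        elif o["role"] == "request":
            srv = inv[o["dst"]]
            srv["modbus_server"] = True
            srv["units"].add(o["unit"])
            srv["functions"].add(o["fc"])
            if o["fc"] in WRITE_FUNCTIONS:
                srv["writers"].add(o["src"])               # hosts with a write path to this device
        elif o["exception"]:
            inv[o["src"]]["rejected"].add(o["fc"])         # function codes the device refused
    return dict(inv)


# Frame builders, used only to construct the sample capture below.
def _eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + sender_mac + sender_ip + target_mac + target_ip
    return _eth(target_mac, sender_mac, 0x0806, body)


def modbus_tcp(src_mac, dst_mac, src_ip, dst_ip, sport, dport, unit, pdu):
    mbap = struct.pack("!HHHB", 1, 0, len(pdu) + 1, unit)
    seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + mbap + pdu
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0, 64, 6, 0, src_ip, dst_ip)
    return _eth(dst_mac, src_mac, 0x0800, ip_hdr + seg)


# Constructed capture (hypothetical addresses): a PLC, an HMI polling it, and an
# engineering workstation attempting a register write that the PLC rejects.
PLC_MAC, HMI_MAC, EWS_MAC = bytes.fromhex("001c06aabbcc"), bytes.fromhex("005056010203"), bytes.fromhex("005056040506")
PLC_IP, HMI_IP, EWS_IP = bytes([10, 0, 0, 10]), bytes([10, 0, 0, 20]), bytes([10, 0, 0, 30])
SAMPLE_FRAMES = [
    arp_reply(PLC_MAC, PLC_IP, HMI_MAC, HMI_IP),
    modbus_tcp(HMI_MAC, PLC_MAC, HMI_IP, PLC_IP, 49152, 502, 1, b"\x03\x00\x00\x00\x0a"),  # read 10 holding registers
    modbus_tcp(PLC_MAC, HMI_MAC, PLC_IP, HMI_IP, 502, 49152, 1, b"\x03\x14" + bytes(20)),  # normal response
    modbus_tcp(EWS_MAC, PLC_MAC, EWS_IP, PLC_IP, 49200, 502, 1, b"\x06\x00\x05\x00\x01"),  # write single register
    modbus_tcp(PLC_MAC, EWS_MAC, PLC_IP, EWS_IP, 502, 49200, 1, b"\x86\x02"),              # exception: illegal data address
]

if __name__ == "__main__":
    for ip, info in sorted(build_inventory(SAMPLE_FRAMES).items()):
        print(ip, info)
```

In a real engagement the frames would come from a capture file rather than the constructed list, and the inventory is what feeds the risk assessment: a device that already rejects writes from the engineering workstation, or one that only ever sees read function codes, tells you something about its configuration before any active test is considered, and the `writers` set identifies exactly which hosts a compromised workstation could imitate.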
Difficult decisions may be needed to achieve the best results, but doing nothing is not a safe option. You do not want the first test of your control systems to be by an attacker who intends them harm.
Our team consists of OSCP and CREST CRT certified experts. Our experienced consultants frequently publish research on all aspects of Penetration Testing.