General aspects of Penetration Testing in ICS/SCADA

The process of conducting a cyber security assessment in ICS is most often initiated by a meeting between the technical team leader and key people within the ICS organization. There will be discussions about the high-level architecture, how the system is configured, which ICS servers and other key components are present, and where they sit in the network diagrams. After the presentation of the ICS structure, the discussions will focus on identifying the attack vectors to be included in the test plan.

In the pre-assessment stage, the rules of engagement for the evaluation are also established. These rules include statements about known issues and a list of processes and IPs that will be excluded from testing. Responsible contacts during testing, as well as a testing schedule, are also agreed.

Once the test starts, the system configuration will remain unchanged.

Levels of Information

Penetration tests simulate a hacker whose target is a company or a particular object of interest. Testers usually have little or no knowledge of the company’s network. Security assessment teams receive direct access to the target, with varying levels of information.

The amount of information disclosed to testers can range from no information to full disclosure of network diagrams, source code, IP addresses, and so on. These processes are known as black-box testing versus white-box testing. Everything that lies between the two thresholds is known as gray-box testing.


ICS beneficiaries may request black-box penetration tests in order to receive security certification or to meet regulatory self-assessment requirements. However, any real attack on a system will most likely require some level of knowledge of the system, and an insider would have as much information as the beneficiaries of the system. In most cases, it is preferable to assume the worst-case scenario and give the testers as much information as possible, on the assumption that a given attacker has already acquired it.

Gray-box testing is generally the optimal compromise, combining the benefits of black-box and white-box testing as the situation requires.


Defining the scope of penetration tests in ICS infrastructures

A typical cyber security penetration test focuses on the IT / corporate environment and on the weaknesses exposed to the outside world that could allow an unauthorized attacker access via the Internet. Such Internet-facing tests are less common in ICS assessments, where the SCADA components themselves are considered the prime targets for cyber attacks.

The protocols used in ICS differ from those in IT. Many ICS vendors use proprietary protocols for communication between processes. These protocols were developed when ICSs were isolated from the corporate environment and security was not taken into account. Moreover, the fact that the protocols were proprietary led some vendors to mistakenly believe that an attacker could not exploit them. Communications with portable devices often use standard public protocols, such as Distributed Network Protocol 3.0 (DNP3) and Modbus.

These protocols were originally developed to run over serial connections, but have been layered over TCP/IP for the convenience and efficiency of LAN / WAN communications. Many of these industrial protocols have no means of authentication or integrity verification, and for several of them the specifications are published and freely available on the Internet. With ICSs no longer isolated from the corporate / IT world, these insecure protocols endanger critical systems.
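To make the "no authentication, no integrity" point concrete, here is an added example (not code from the original post) that decodes a Modbus/TCP request and shows how a passive monitor can flag write commands arriving from hosts outside an assumed allow-list of authorised masters. The MBAP header layout follows the published Modbus/TCP specification; the allow-list and the sample frames are constructed for this example.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# A Modbus/TCP frame is a 7-byte MBAP header followed by the PDU
# (function code + data). Nothing in the frame identifies or authenticates
# the sender, so any host that can reach TCP/502 can issue a write.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Decode the MBAP header and PDU of one Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:  # protocol identifier 0 = Modbus
        raise ValueError(f"unexpected protocol identifier {proto}")
    # 'length' counts unit id + PDU, so it must equal the remaining bytes
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusFrame(tid, unit, frame[7], frame[8:])


# Assumed allow-list of authorised masters (constructed for this example)
AUTHORISED_MASTERS = [ip_network("10.10.1.0/24")]


def flag_unauthorised_write(src_ip: str, frame: bytes):
    """Return an alert string for a write from a non-authorised master, else None."""
    f = parse_modbus_tcp(frame)
    if f.function_code not in WRITE_FUNCTIONS:
        return None
    if any(ip_address(src_ip) in net for net in AUTHORISED_MASTERS):
        return None
    return (f"{src_ip} sent {WRITE_FUNCTIONS[f.function_code]} "
            f"(fc {f.function_code}) to unit {f.unit_id}")


# Constructed samples: a Write Single Register (unit 1, register 0x0010 = 0x1234)
# and a Read Holding Registers request (unit 1, 10 registers from 0).
SAMPLE_WRITE = bytes.fromhex("000100000006" "01" "06" "0010" "1234")
SAMPLE_READ = bytes.fromhex("000200000006" "01" "03" "0000" "000A")
```

Because the protocol carries no sender identity, the only evidence available to a monitor is the source address and the function code, which is exactly why network segmentation and allow-listing matter in ICS networks.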


Aspects regarding the impact of penetration tests

Typical penetration tests look for known IT vulnerabilities that can be exploited (often with published exploits) to gain unauthorized access to the network. Penetration testers usually try to actually exploit vulnerabilities to break into the system. The significance of unauthorized access is determined by its impact on the three defined security objectives for information and information systems: confidentiality, integrity and availability (CIA). According to a federal information processing standard, a loss of confidentiality means the unauthorized disclosure of information, a loss of integrity means an unauthorized change to or destruction of information, and a loss of availability means disruption of access to or use of that information or information system. For regular IT systems, the CIA security objectives are listed in order of importance, with confidentiality considered the most important. In general, the most significant difference between the ICS domain and the corporate IT domain is the high availability requirement for monitoring and control functionalities.

Cyber security is the protection of information transmitted and stored on a computer on the network. The objectives of cyber security are the following:

  • Protecting the confidentiality of private information;
  • Ensuring the availability of information for authorized users in a timely manner (authentication, non-repudiation);
  • Protecting the integrity of information (i.e. accuracy, reliability and validity).

Vulnerabilities are often exploited during an ICS cybersecurity assessment. However, any exploit development is done in an evaluation or development environment and never on an active system. For ICS, the CIA security objectives are in reverse order, with availability considered the most important. Industry personnel often use the term "security" to mean availability and reliability.

Systems that control critical infrastructure must operate continuously, and a malfunction can have catastrophic effects. Because public health and safety may be at risk, vulnerabilities found during the ICS cybersecurity assessment are never exploited unless the test can be performed on isolated or offline components. The team will collaborate with ICS engineers and other plant employees to determine the potential impact of the vulnerabilities identified in the ICS.

Nothing should be done in the active ICS network that interferes with or disrupts the timing of system operations. In the ICS environment, the security goals of the IT world are replaced by human health and safety, system availability, and the timeliness and integrity of data. This is the major difference between ICS assessments and IT security, and it applies to mitigation strategies as well: no cybersecurity solution can be implemented in the ICS network if it interferes with the system's responsiveness.