PCI-DSS Penetration Testing
Industrial control systems often have an installed lifespan of several decades. Older ones were frequently designed on the assumption that they would communicate via small, dedicated networks: isolated from the public Internet, and protected by the same physical security as the plant itself. Even newly-built systems may incorporate software that was originally written when these assumptions were valid.
Ubiquitous Internet connectivity, and a large rise in malicious activity, has changed the threat landscape radically. Industrial control systems may still run on separate networks, but true physical isolation is becoming the exception rather than the norm. Even with no direct connection, some malware can bridge airgaps.
Industrial control systems are at risk in the modern threat environment if they are not adequately secured. Key business drivers for effectively managing this risk include:
- Protecting the large capital investment that they, and the equipment which they control, represents.
- Ensuring business continuity, to avoid the direct and indirect costs which would result from any loss of production.
Security testing is an important component of this process:
- It can be used to direct resources towards aspects of the system where the risk is greatest.
- It can be used as a validation tool to check whether a system has been adequately secured.
Get a Quote
Use our online quote generation service to design and build your perfect penetration test and receive a formal quote within hours, not days.
Security has often struggled to keep up with these new threats, and for industrial control systems the impact could be very serious. Attackers are not limited to disclosure or destruction of data: with control of your plant it would be possible to disrupt production, and in many installations cause physical damage to the equipment too. Depending on the nature and design of the system there may also be health and safety risks to consider.
Critical national infrastructure is at particular risk. The Stuxnet worm, and more recent attacks against electrical power services in Ukraine have demonstrated the willingness of nation states to engage in cyber warfare as an alternative or adjunct to conventional military action.
Hedgehog Cyber can deliver in-depth penetration testing and security assessments for industrial control systems, including appropriately cautious testing of live production environments if required. Our approach will help you and your organisation investigate and answer the following crucial questions:
- Does your company use industrial control / SCADA systems?
- Are they connected to a network?
- Have you assessed the security of your control network?
- Could it be hijacked or used by malicious users?
- Have you looked for, and found, vulnerabilities that may be present?
- Have you assessed what the potential impact could be, in terms of lost production, damaged equipment, and perhaps even personal injury if the control network were attacked?
Threats for 2020
Testing & Configuration Reviews
Industrial control systems can be tested with many of the same techniques as other types of system, but there are important differences too:
- Tools that are used for testing Windows-based servers and workstations are often unsuitable for testing embedded control devices such as PLCs.
- Devices from different manufacturers – or even the same manufacturer – are often incompatible with each other. There are also a number of incompatible control network protocols in widespread use.
- If testing has side effects then these are potentially much more serious than on a typical corporate network, especially in the case of a live production environment.
To accommodate these differences, ICS /SCADA tests require more planning and a more tailored approach than other types of security testing. Security companies without the experience of ICS / SCADA testing are unlikely to achieve worthwhile results, and could potentially cause serious harm to your systems if they are unaware of the risks.
CAN WE TEST ON LIVE SYSTEMS?
We would always recommend the use of the safest possible method of testing. Ideally, this would be either the production system when it is down for maintenance, or a representative test system built to the same configuration. However, if there is a need to perform testing of live systems then Hedgehog Cyber has the capability to do that. In some cases it is possible for us to replicate the clients entire system within our Lab facility in the midlands. Our lab facility is run in collaboration with Siemens.
The key to devising a safe but effective test plan is first to perform a detailed risk assessment. This will identify any fragilities within the system under test, detail any possible mitigations, and allow you to make an informed trade-off between thoroughness and risk. Options for testing include:
- Normal penetration testing
- Active port scanning
- Active enumeration (ARP scanning)
- Active testing of network isolation
- Passive enumeration
- Physical inspection
- Design review (paper exercise only)
For example, port scanning is normally considered a low-risk method of testing, and network hosts should not crash when exposed to one, however some types of the programmable logic controller have been known to do exactly that. If necessary, Nettitude can mitigate the risk of this type by performing safety trials beforehand against the specific device models that are connected to the network under test.
Difficult decisions may be needed to achieve the best results, but doing nothing is not a safe option. You do not want the first test of your control systems to be by an attacker who intends them harm.
Hedgehog Cyber have performed testing of Industrial Control Systems (ISC) / SCADA systems across multiple industry sectors:
- Utilities (electricity, gas, water)
- Manufacturing and waste disposal
This has included systems in a variety of different state of operation, ranging from live systems where great care has been needed, through to those where thorough penetration testing has been permissible.
In addition to this, Hedgehog has recently commenced a programme of vulnerability research against ICS devices such as Programmable Logic Controls (PLCs).
Hedgehog Cyber conducts over many hundreds of penetration tests and security assessments each year against software applications, products and environments. These include web apps, mobile apps and hardware devices, software applications, social engineering engagements, wireless and many other areas.