Industrial control systems (ICS) often have an installed lifespan of several decades. Older ones were frequently designed on the assumption that they would communicate via small, dedicated networks: isolated from the public Internet, and protected by the same physical security as the plant itself. Even newly-built systems may incorporate software that was originally written when these assumptions were valid.
Ubiquitous Internet connectivity, and a large rise in malicious activity, has changed the threat landscape radically. Industrial control systems may still run on separate networks, but true physical isolation is becoming the exception rather than the norm. Even with no direct connection, some malware can bridge airgaps.
Security has often struggled to keep up with these new threats, and for industrial control systems the impact could be very serious. Attackers are not limited to disclosure or destruction of data: with control of your plant it would be possible to disrupt production, and in many installations cause physical damage to the equipment too. Depending on the nature and design of the system there may also be health and safety risks to consider.
Critical national infrastructure is at particular risk. The Stuxnet worm, and more recent attacks against electrical power services in the Ukraine, have demonstrated the willingness of nation states to engage in cyber warfare as an alternative or adjunct to conventional military action.
How can we help you?
Secur can deliver in-depth penetration testing and security assessments for industrial control systems, including appropriately cautious testing of live production environments if required. Our approach will help you and your organization investigate and answer the following crucial questions:
Does your company use industrial control / SCADA systems?
Are they connected to a network?
Have you assessed the security of your control network?
Could it be hijacked or used by malicious users?
Have you looked for, and found, vulnerabilities that may be present?
Have you assessed what the potential impact could be, in terms of lost production, damaged equipment, and perhaps even personal injury if the control network were attacked?
It you need to provide a level of assurance to your board, customers, industry or regulators that your systems have been tested for cyber security weaknesses, then some form of assurance exercise is an essential element of your risk governance process.
What does ICS & SCADA security testing involve?
Industrial control systems can be tested with many of the same techniques as other types of system, but there are important differences too:
Tools that are used for testing Windows-based servers and workstations are often unsuitable for testing embedded control devices such as PLCs.
Devices from different manufacturers – or even the same manufacturer – are often incompatible with each other. There are also a number of incompatible control network protocols in widespread use.
If testing has side effects then these are potentially much more serious than on a typical corporate network, especially in the case of a live production environment.
To accommodate these differences, ICS /SCADA tests require more planning and a more tailored approach than other types of security testing. Security companies without experience of ICS / SCADA testing are unlikely to achieve worthwhile results, and could potentially cause serious harm to your systems if they are unaware of the risks.
Why is ICS/SCADA security testing needed?
Industrial control systems are at risk in the modern threat environment if they are not adequately secured. Key business drivers for effectively managing this risk include:
Protecting the large capital investment that they, and the equipment which they control, represents.
Ensuring business continuity, to avoid the direct and indirect costs which would result from any loss of production.
ICS/SCADA Security testing is an important component of this process:
It can be used to direct resources towards aspects of the system where the risk is greatest.
It can be used as a validation tool to check whether a system has been adequately secured.
Can you test live systems?
Secur will always recommend use of the safest possible method of testing. Ideally this would be either the production system when it is down for maintenance, or a representative test system built to the same configuration. However, if there is a need to perform testing of live systems then Secur has the capability to do that.
The key to devising a safe but effective test plan is to first perform a detailed risk assessment. This will identify any fragilities within the system under test, detail any possible mitigations, and allow you to make an informed trade-off between thoroughness and risk. Options for ICS/SCADA testing include:
- Normal penetration testing
- Active port scanning
- Active enumeration (ARP scanning)
- Active testing of network isolation
- Passive enumeration
- Physical inspection
- Design review (paper exercise only)
For example, port scanning is normally considered a low-risk method of testing, and network hosts should not crash when exposed to one, however some types of programmable logic controller have been known to do exactly that. If necessary, Secur can mitigate risk of this type by performing safety trials beforehand against the specific device models that are connected to the network under test.
Difficult decisions may be needed to achieve the best results, but doing nothing is not a safe option. You do not want the first test of your control systems to be by an attacker who intends them harm.
Secur have performed testing of Industrial Control Systems (ISC) / SCADA systems across multiple industry sectors:
- Utilities (electricity, gas, water)
- Manufacturing and waste disposal
This has included systems in a variety of different state of operation, ranging from live systems where great care has been needed, through to those where thorough penetration testing has been permissible.
In addition to this, Secur has recently commenced a programme of vulnerability research against ICS devices such as PLCs, and is undertaking a joint research project with Lancaster University concerning how connectivity up and down the supply chain affects ICS security.
More generally, Secur conducts over a thousand penetration tests and security assessments each year against software applications, products and environments. These include web apps, mobile apps and hardware devices, software applications, social engineering engagements, wireless and many other areas.
In addition we conduct hundreds of security assessments and audits of systems and environments against a range of industry standards including NCSC, PCI (DSS and PA-DSS), ISO27001, Finance/Banking (UK and US), SANS Critical Controls, NIST and US Healthcare standards.
Secur have performed research and in-depth testing of consumer tablets and phones released on the high street (both at hardware and OS/Application level), banking systems such as ATMs and payment card devices, hardware security modules (HMSs), payment applications and many other types of mobile and end user systems where sensitive data has been used.
Secur are certified by the Payment Card Industry Security Standards Council (PCI SSC) to perform Payment Application Data Security Standard (PA DSS) assessments on authorised payment applications and conduct regular assessments throughout each year.
Secur is an award-winning global leader in the delivery of cyber security assurance testing, risk management, consultancy, incident response and threat intelligence services. We provide our clients with infrastructure, application, mobile and social engineering penetration testing services.