ICS/OT Penetration Testing Approach and Objectives
ICS/OT penetration testing methodology uncovers vulnerabilities
LOGIROBOTIX is aligned with the current CREST methodology. The methodology employed during an Internal OT Network Security Assessment involves the stages described below.
Logirobotix’s ICS/OT Penetration Testing goes beyond a typical OT pentest by combining IT and OT pentesting methodologies into a single offering that assesses all security aspects of your environment. You gain real-life, actionable results based on proven ICS (IT and OT) penetration testing methods and techniques. OT environments pose challenges that traditional IT penetration testing does not cover: production environments are finely tuned, and even small interruptions to their operation can have a profound impact on output. Attacks against a production environment can lead not only to business interruption but also to physical injury and harm.
Our ICS penetration testing experts will work with you to tailor a penetration testing engagement that will uncover crucial vulnerabilities without negatively impacting or disrupting your production capabilities.
ICS penetration testing methodology uncovers vulnerabilities and attack vectors such as:
- Public exposure of ICS assets or their sensitive data
- Weaknesses in the segmentation in place, and in the overall security of PLCs and SCADA systems
- Unauthorised access to production systems or data from insecure zones
- The potential effects on your production environment from a compromise on the Enterprise (IT) network
- Multiple facets of core OT cybersecurity (RF, IoT, architecture, vendor application robustness, legacy equipment, etc.)
This kind of assessment/audit is the best way to discover gaps in your defenses, including device misconfigurations, unencrypted traffic, improper network segmentation, a weak patching program, or exposed embedded devices that cannot be patched. Only by testing can you make sure your security controls work the way you intend them to, and whether your ICS are as isolated as you think they are.
Intelligence Gathering & Workflow Study
Conduct passive and active information gathering to determine the level of information that can be found about the assets in scope. These actions are conducted to understand what level of exposure the assets have, and how an attacker can use this information to conduct further attacks.
Vulnerability Assessment & Identification
Security Engineers investigate for vulnerabilities through manual searches complemented by automated tools. The objective is to discover as many vulnerabilities as possible on the target.
Phase 1 OT Testing – Information Gathering
Our objective is to understand the scope and particulars of the in-scope network. To achieve this, we systematically consolidate all available resources and information.
Mapping the Network Content:
Exploration of Visible Services: We delve into the identification and assessment of services that are readily observable within the network to understand their functionality and relevance.
Protocol Exploration: We identify the protocols in use on the network, their versions, and the security mechanisms they offer (authentication, integrity, encryption), noting that many legacy OT protocols offer none of these.
Discovery of Hidden Services: Recognizing that not all services broadcast their presence, we employ advanced tools and methodologies to unearth any concealed or latent services that might be operating under the radar. This aids in ensuring no unauthorized or potentially harmful services go undetected.
Mapping Existing PLCs and Additional Devices: Given the diverse nature of our infrastructure, special attention is paid to Programmable Logic Controllers (PLCs) and other pertinent devices. We aim to identify their presence, understand their configurations, and assess their interdependencies within the broader network ecosystem.
Observing Segmentation Traffic: Segmentation is essential to a secure and efficient network. We capture and analyse traffic crossing the different segments to confirm that the expected controls are in place and that actual data flows match the intended network design.
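The mapping and segmentation points above (protocol identification, PLC and unit inventory, traffic crossing segments) are usually worked first from a passive capture taken at a span port, so nothing is sent to the controllers. The following is an added example, not Logirobotix's own tooling, that parses Modbus/TCP request frames, builds a per-host unit-ID inventory and flags requests whose source zone is not permitted to talk to the destination zone. The zone ranges, the allowed-source policy and the five sample frames are constructed for the example; a real run would feed it frames pulled from a pcap.

```python
"""Passive Modbus/TCP triage over captured request frames.

Added example: parses Modbus/TCP ADUs taken from a capture, classifies the
function codes, builds a per-controller unit-ID inventory and flags requests
whose source zone is not allowed to talk to the destination zone. Zone
ranges, the allowed-source policy and the sample frames are constructed for
this example; wire them to your own capture and network design.
"""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Public Modbus function codes of interest; the PDU for each starts with a 16-bit address.
READ_FCS = {1: "Read Coils", 2: "Read Discrete Inputs",
            3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
             15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]     # starting address, when the function code carries one


def parse_request(src: str, dst: str, payload: bytes) -> Optional[ModbusRequest]:
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU); None if it is not well-formed."""
    if len(payload) < 8:
        return None
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    # Protocol identifier is always 0 for Modbus; the length field counts unit id + PDU.
    if proto_id != 0 or length != len(payload) - 6:
        return None
    fc, data = payload[7], payload[8:]
    address = None
    if (fc in READ_FCS or fc in WRITE_FCS) and len(data) >= 2:
        address = struct.unpack(">H", data[:2])[0]
    return ModbusRequest(src, dst, tid, unit_id, fc, address)


def zone_of(ip: str, zones: Dict[str, str]) -> str:
    """Map an address to a zone name using the CIDR table; 'unknown' if it matches none."""
    addr = ip_address(ip)
    for cidr, name in zones.items():
        if addr in ip_network(cidr):
            return name
    return "unknown"


def triage(frames: List[Tuple[str, str, bytes]], zones: Dict[str, str],
           allowed_sources: Dict[str, Set[str]]):
    """Return (inventory, findings).

    inventory: destination host -> set of unit ids seen (one IP often fronts several devices).
    findings: requests whose source zone is not in allowed_sources[destination zone];
              writes are rated High, reads Medium.
    """
    inventory: Dict[str, Set[int]] = {}
    findings: List[dict] = []
    for src, dst, payload in frames:
        req = parse_request(src, dst, payload)
        if req is None:
            continue                     # not Modbus, or truncated: not an inventory item
        inventory.setdefault(dst, set()).add(req.unit_id)
        src_zone, dst_zone = zone_of(src, zones), zone_of(dst, zones)
        if src_zone in allowed_sources.get(dst_zone, set()):
            continue
        is_write = req.function_code in WRITE_FCS
        findings.append({
            "severity": "High" if is_write else "Medium",
            "src": src, "src_zone": src_zone, "dst": dst, "dst_zone": dst_zone,
            "unit_id": req.unit_id,
            "function": WRITE_FCS.get(req.function_code)
                        or READ_FCS.get(req.function_code)
                        or f"FC {req.function_code}",
            "address": req.address,
        })
    return inventory, findings


# Constructed sample: zones, policy and five captured (src, dst, payload) frames.
ZONES = {"10.10.0.0/16": "enterprise", "10.20.0.0/24": "scada", "10.30.0.0/24": "plc"}
ALLOWED = {"plc": {"scada"}, "scada": {"scada", "plc"}}   # only the SCADA zone may poll PLCs
SAMPLE_FRAMES = [
    ("10.20.0.5",  "10.30.0.10", bytes.fromhex("00010000000601030000000a")),  # SCADA reads 10 holding regs
    ("10.10.5.22", "10.30.0.10", bytes.fromhex("000200000006010600100001")),  # enterprise host writes register 0x10
    ("10.20.0.5",  "10.30.0.10", bytes.fromhex("00030000000b0110002000020400010002")),  # SCADA writes 2 regs
    ("10.10.5.22", "10.30.0.10", bytes.fromhex("000400000006010300000002")),  # enterprise host reads 2 regs
    ("10.10.5.22", "10.30.0.10", bytes.fromhex("000500010006010600100001")),  # protocol id 1: not Modbus, dropped
]

if __name__ == "__main__":
    inventory, findings = triage(SAMPLE_FRAMES, ZONES, ALLOWED)
    for host, units in inventory.items():
        print(f"{host}: unit ids {sorted(units)}")
    for f in findings:
        print(f"[{f['severity']}] {f['src']} ({f['src_zone']}) -> {f['dst']} ({f['dst_zone']}) "
              f"unit {f['unit_id']}: {f['function']} @ {f['address']}")
```

On the sample, the SCADA-zone read and write pass, the enterprise host's write to register 0x10 is reported as High and its read as Medium, and the frame with a non-zero protocol identifier is dropped rather than counted as a device. The policy table is the interesting input: it is the written network design, so every finding is a concrete divergence between design and observed flows.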
Phase 2 Vulnerability Identification
In this phase, leveraging the insights and data obtained, our team is committed to thoroughly examining the identified elements within the agreed-upon scope. The aim is to detect, understand, and catalog any potential vulnerabilities that may pose a risk to our infrastructure and operations.
Authentication & Access Controls Assessment: Our priority is to assess the strength and reliability of authentication methods and access control mechanisms, ensuring that only authorized users can access relevant resources.
Session Management Evaluation: We’ll rigorously test session management across various services. This entails understanding how user sessions are initiated, maintained, and terminated, making sure there are no weak links that could be exploited.
Client-Side Controls Examination: Evaluating the security measures on the client side is crucial. We ensure that data processing and interactions occurring on the client’s end are protected from malicious intent.
Input Validation Testing: A cornerstone of security, we verify that all input fields within applications and services are resistant to irregular or malicious inputs, mitigating risks such as injection attacks.
Logic Flaws and Traffic Manipulation Analysis: By simulating different user behaviours and data flow patterns, we seek to identify any logical errors or flaws that could be leveraged by malicious actors to manipulate traffic or gain undue advantages.
Server/Master/Slave Flaws Evaluation: Ensuring the robustness of our central servers and their counterparts is essential. We investigate potential vulnerabilities in the master-slave dynamics, looking for weaknesses that could compromise data integrity or system operations.
Segmentation & Access Control Analysis: Beyond simple observation, we actively test the segmentation protocols and access control mechanisms, including potential bypass techniques, ensuring the distinct segments of our network are fortified against breaches.
Binary Analysis and Reverse Engineering: To ensure the integrity of our software components, we engage in thorough analysis of binaries. Through reverse engineering techniques, we aim to understand and protect against potential exploitation of our compiled software.
Phase 3 Exploitation
In this critical phase, upon obtaining the necessary approvals, our dedicated team moves from mere identification to active exploitation of detected vulnerabilities within the OT infrastructure. This allows us to not only validate the real-world implications of these vulnerabilities but also to understand the tangible business risks they pose.
During this phase, the tester attempts to exploit any vulnerabilities which are discovered to gain access to the target network or its resources. This may involve using known exploits or developing custom exploits to target specific vulnerabilities. The following activities will be performed:
Identify Business Risks: Before delving into active exploitation, we focus on aligning the identified vulnerabilities with potential business repercussions. This involves understanding how a successful exploit could disrupt OT operations, cause financial losses, or compromise safety and security protocols.
Bounding Test Risks: Keeping in mind the sensitive nature of OT systems, we design exploitation tests to balance risk and reward. We assess the potential operational impact of each test in advance, so that vulnerabilities are probed while the core functionality of the OT systems remains uninterrupted.
Exploitation and Verification:
Planning: Post vulnerability assessment, we strategize on the most effective methods to exploit the identified weak points. This plan considers the specificities of OT systems, such as PLCs, SCADA, or DCS, ensuring the approach is both efficient and minimally disruptive.
Preparation: Here, our experts equip themselves with the appropriate tools, scripts, and techniques tailored for OT systems. Whether it’s exploiting a misconfigured PLC or tapping into unencrypted communication in a SCADA system, our preparation is thorough and OT-centric.
Initial Access: Leveraging the vulnerabilities identified, our team attempts initial breaches. This could involve tapping into unsecured communication channels, exploiting device-specific vulnerabilities, or manipulating control commands.
Privilege Escalation: Once initial access is secured, the focus shifts to gaining higher-level access to systems and controls. In the context of OT, this could mean gaining unauthorized control over critical system functionalities or manipulating setpoints in control systems.
Lateral Movement: With the varied and interconnected nature of OT systems, our team explores lateral access opportunities – moving from one subsystem to another, trying to compromise system integrity across the board.
Data Exfiltration: In an OT setup, this could involve unauthorised extraction of system configurations, setpoint values, or operational data which, in the wrong hands, could lead to serious repercussions.
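The risk-bounding and preparation points above only hold if the tester's own tooling cannot do more than the agreed plan allows, even when a script misbehaves. The guard below is an added example, not Logirobotix's own harness: it validates every Modbus/TCP request against an approved test plan before building the frame. Reads pass with a cap on quantity, single coil/register writes pass only for (unit, address) pairs the asset owner signed off, multi-write and diagnostic codes are refused outright, and requests to one controller must be spaced out. The plan contents, host and addresses are constructed for the example; the clock is injectable so the spacing rule can be exercised offline.

```python
"""Write-guard for active Modbus/TCP test traffic.

Added example: every request the tester sends is first checked against an
approved test plan. Read function codes pass (with a cap on quantity), single
coil/register writes pass only for (unit_id, address) pairs the asset owner
signed off, everything else is refused, and requests to the same controller
are spaced out. Plan contents, hosts and addresses are constructed here.
"""
import socket
import struct
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

READ_FCS = {1, 2, 3, 4}        # coils, discrete inputs, holding registers, input registers
SINGLE_WRITE_FCS = {5, 6}      # write single coil, write single register


class PolicyViolation(Exception):
    """Raised instead of sending when a request falls outside the test plan."""


@dataclass
class TestPlan:
    approved_writes: Set[Tuple[int, int]]   # (unit_id, address) pairs signed off by the asset owner
    min_interval_s: float                   # minimum spacing between requests to one controller
    max_read_quantity: int = 16             # keep polling light on slow controllers


class ModbusTestGuard:
    def __init__(self, plan: TestPlan, clock: Callable[[], float] = time.monotonic):
        self.plan = plan
        self.clock = clock                  # injectable so the spacing rule can be tested offline
        self._last_sent: Dict[str, float] = {}
        self._tid = 0
        self.audit_log: List[Tuple[str, int, int, int, str]] = []   # what actually went out

    def build(self, host: str, unit_id: int, fc: int, address: int, qty_or_value: int) -> bytes:
        """Validate the request and return its Modbus/TCP ADU; raise PolicyViolation otherwise."""
        if fc in READ_FCS:
            if qty_or_value > self.plan.max_read_quantity:
                raise PolicyViolation(
                    f"read of {qty_or_value} items exceeds cap {self.plan.max_read_quantity}")
        elif fc in SINGLE_WRITE_FCS:
            if (unit_id, address) not in self.plan.approved_writes:
                raise PolicyViolation(
                    f"write to unit {unit_id} address {address:#06x} not in approved plan")
        else:
            # Multi-write, diagnostics and vendor-specific codes never leave this harness.
            raise PolicyViolation(f"function code {fc} is not permitted in this engagement")

        # Refuse rather than sleep: a runaway loop then fails loudly instead of hammering the PLC.
        now = self.clock()
        last = self._last_sent.get(host)
        if last is not None and now - last < self.plan.min_interval_s:
            raise PolicyViolation(f"request to {host} too soon after the previous one")
        self._last_sent[host] = now

        self._tid = (self._tid + 1) & 0xFFFF
        pdu = struct.pack(">BHH", fc, address, qty_or_value)
        # MBAP header: transaction id, protocol id 0, length (unit id + PDU), unit id.
        adu = struct.pack(">HHHB", self._tid, 0, len(pdu) + 1, unit_id) + pdu
        self.audit_log.append((host, unit_id, fc, address, adu.hex()))
        return adu

    def send(self, host: str, adu: bytes, port: int = 502, timeout: float = 2.0) -> bytes:
        """Send an already-validated ADU and return the raw response (not exercised offline)."""
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(adu)
            return s.recv(260)   # largest Modbus/TCP ADU is 260 bytes


if __name__ == "__main__":
    plan = TestPlan(approved_writes={(1, 0x0010)}, min_interval_s=0.5)
    guard = ModbusTestGuard(plan)
    print(guard.build("10.30.0.10", 1, 3, 0x0000, 10).hex())   # read 10 holding registers: allowed
    try:
        guard.build("10.30.0.10", 1, 6, 0x0011, 1)             # write outside the plan: refused
    except PolicyViolation as e:
        print("refused:", e)
```

Everything that leaves the harness is in `audit_log` in the exact bytes sent, which is what the plant's engineers will ask for if anything in the process behaves oddly during the window.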
Through Phase 3, our objective remains clear: understand the full spectrum of risks, validate vulnerabilities in real-world settings, and provide actionable insights for fortifying the OT infrastructure.
Phase 4 Reporting
The final report begins with an executive summary describing the findings at a high level; where appropriate, strategic recommendations are also given in non-technical terms. For the technical audience, the main body of the report describes each issue in depth. Each finding is rated for severity using a 5×5 (likelihood × impact) scoring matrix, which yields a prioritised list of findings; each risk receives a Critical, High, Medium, Low or Informational rating. For each finding, detailed remedial advice describes how to mitigate the risk, and instructions on how to replicate the finding are included so that developers and engineers can check and retest it themselves. This aids knowledge transfer, something which is often overlooked but brings long-term benefits.
To carry out the assessment, the following will be required from the client:
- Internal access within the OT network.
- Different user accounts (admin and user-level) on the jump-hosts.
- Diagrams/documentation of the in-scope network and the devices within it.
- Firmware of the PLCs in scope.