Operational technology (OT) cybersecurity faces significant challenges in maturing its operations and processes against advanced adversary attacks, such as those from advanced threat persistent groups or cyber warfare armies targeting OT systems, due to their attractive value. This raises questions about why OT cybersecurity struggles to mature compared to information technology (IT) systems. The answer lies in the prevalence of legacy subsystems within OT systems, which pose safety concerns when implementing cybersecurity solutions. The slow pace of improvement is further exacerbated by the need to maintain availability, as patching or other security measures could disrupt operations. This article explores techniques for safely conducting penetration testing on OT systems to enhance effectiveness and reduce associated risks within a controlled framework.

How can the concept of conducting safe penetration testing for OT be defined?

What is Penetration Testing?

Penetration testing is a simulation process for adversary tactics, techniques and attacks on the partial system of an organization, and this simulation targets finding the critical vulnerabilities in the system before they are exploited by adversaries to make the organization close these vulnerabilities. In addition, when we say conducting safe penetration testing, we mean that penetration testing during the whole process was controlled and managed in a way that is not a risk for the operation of plant or facility OT systems.

Why is that? Because penetration testing is a simulation of a real attack, which may happen in the future, penetration testing will have the same effect as a real attack if it is not manageable and affects the plant operation. Based on that, system owners need to integrate penetration testing as the main part of the cybersecurity program and try to manage the testing process according to their cybersecurity operation.

What are the critical phases and tactics in penetration testing specifically tailored for OT environments?

The key concept for conducting safe penetration testing for the OT system is managing the risk of testing from the start to the end of the process as part of a cybersecurity management program, or CSMS. To do this, you need to understand penetration testing lifecycle phases and tactics to enhance management processes in general.

Penetration testing phases are the lifecycle for penetration testing that organizations can follow to conduct successful testing. Referred to as PTES, or penetration testing execution standards, these have seven phases, from intelligence gathering to the reporting phase. In penetration testing, the most important phases the organization's cyber security team needs to focus on are those with the highest risk to the OT system. These include scanning, exposure, and post-exploration due to the nature of these phases for direct interaction with the OT system via tools and processes to complete penetration testing.

Penetration testing tactics can reduce the risk of the penetration and increase the effectiveness of the process itself during the cybersecurity program lifecycle for an organization.

• Risk Management Control: Consider penetration testing as a risk vector that should be included in risk management for better control in production.
  • Implementation can be used by ISA/IEC 62443-3-2 for risk assessment or NIST SP 800-82 Rev 3 chapter 4 for risk management.
• Testing Environment Control: Set up a better-controlled penetration testing environment that can lower the process' risk, such as testing during shutdown time, minting time, isolating systems during testing, and so on.
  • Implementation can be done by understanding penetration testing lab configuration by Docker container or virtual machine.
• Testing Methodology: Manual scanning and explosion testing are highly recommended to ensure accurate testing output.
  • Manual testing can also be used with automation security testing tools like the Kali Linux set of tools.
• Attack Selection: If the environment is not initially isolated very well, malware attacks and post-exploitation activities need to be minimized or avoided to reduce the risk to the OT system.
  • Attack selection can be followed by the MITRE ATT&CK Framework for a deep understanding of adversaries' TTPs.
• Remote Testing Avoidance: Avoid any remote testing for the OT environment that is only allowed for internal testing.
  • Remote connections such as SSH, Telnet, and so on need to be avoided if they come from the internet not from inside the OT facility in general.
• Team Selection: An expert team that is highly familiar with the OT system will conduct testing to avoid or reduce crashing the system with a backup plan.

Conclusion

Conducting safe penetration testing for OT systems is crucial for organizations to enhance cybersecurity operations proactively rather than reactively after an incident. Cyberwarfare adversaries, such as APT groups, target OT systems for maximum impact, exploiting their vulnerabilities. Legacy systems and availability constraints pose challenges for OT cybersecurity defenses. Regular penetration testing is essential to strengthening cybersecurity programs. Implementing safer testing tactics can enhance effectiveness, provided organizations have the necessary expertise and tools.