OT Penetration Testing: Uncovering Vulnerabilities Through Precision Tests
Oct 10, 2024
Industry Insight
A penetration test, also known as a pen test, simulates a real-world attack to identify and exploit vulnerabilities and prove or disprove security assumptions. Pen tests are suitable for more mature organizations with a strong grip on their security posture and understanding of their operational environment. They are undertaken to understand how hard it is to exploit an environment and how visible that activity will be.
Penetration tests involve the assessment team manually testing and exploiting the environment by leveraging techniques similar to those used by adversaries or threat groups. It is important to note that there are three different types of penetration tests:
White-Box Pen Test: This involves a high level of information sharing about the environment between the organization and the assessment team.
Grey-Box Pen Test: This involves a medium level of information sharing between the organization and the assessment team.
Black-Box Pen Test: This involves little to no information sharing between the organization and the assessment team.
In industrial environments, grey-box or white-box assessments are recommended. Due to the sensitivity of industrial control systems, performing a penetration test in an operational environment where assessment teams are unaware of the devices they may encounter can be dangerous. Simple testing activities such as port scanning can disrupt fragile or legacy systems critical to the industrial process. For this reason, the rules of engagement and possible impacts must be well understood by all parties before any activity is undertaken.
An organization's expected outcomes should drive the scope or target of a pen test. The following are common scopes.
External Pen Test: This evaluates external cyber threats and network vulnerabilities by attempting to enter the organization's network through discovered external services such as remote access or file transfer services. It is best targeted at remote industrial sites connected to public networks.
IT/OT Border Pen Test: This evaluates the interface between the corporate and industrial environments. Common targets are remote access, data sharing, and infrastructure. This is the most common type of OT pen test.
Industrial Control Systems (ICS) Pen Test: This type of engagement targets the software and systems that control industrial processes. The aim is to exploit vulnerabilities and native functionality to determine how an adversary can leverage a system. Given the possible impact on safety and reliability, this is only undertaken on nonproduction systems.
Device Pen Test: This evaluates the security and resilience of a specific device. The target device, be it a PLC, RTU, or cellular modem, is subjected to a wide range of attacks to discover vulnerabilities and failure points. This is exclusively performed within a nonproduction lab environment.
Tips for Getting the Most out of an OT Vulnerability Assessment
Involve operations and engineering early to gain buy-in and cooperation.
Clearly define goals, outcomes, and scope.
Define rules of engagement and safe work practices.
Map out the risk and possible impact of each activity before undertaking the work.
Ensure in-scope systems are available for testing. Test instances, ranges, and labs are preferred for red team exercises. Production systems or devices should not be tested unless they have been put in maintenance mode and made safe.
Define clear communication channels where all activities can be quickly approved before actions are undertaken.
Ensure that supporting teams, including operations, engineering, OT, IT, security, and leadership, are available during the engagement to share information.
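The tips above can be turned into a pre-flight gate that runs before each activity. This is an added illustration, not code from the original post; the inventory, scope, approval records, and addresses are constructed assumptions. The gate refuses anything outside the agreed scope, refuses intrusive activities (such as port scanning) against production assets that are not in maintenance mode, and requires an explicit approval record before touching a device flagged as fragile or legacy.

```python
from dataclasses import dataclass, field

# Activities the rules of engagement treat as able to disrupt a fragile or legacy device.
INTRUSIVE = {"port_scan", "service_fuzzing", "exploit", "firmware_interaction"}

@dataclass(frozen=True)
class Asset:
    host: str
    role: str               # e.g. "PLC", "RTU", "historian"
    production: bool        # live process system, as opposed to a test instance or lab unit
    maintenance_mode: bool = False
    fragile: bool = False   # legacy device known to fault under active probing

@dataclass
class RulesOfEngagement:
    in_scope: set
    approved: set = field(default_factory=set)  # (activity, host) pairs approved over the agreed channel

def preflight(activity, host, inventory, roe):
    """Gate one planned activity against one target; returns (allowed, reason)."""
    asset = inventory.get(host)
    if asset is None or host not in roe.in_scope:
        return False, f"{host}: not in the agreed scope"
    if activity in INTRUSIVE:
        if asset.production and not asset.maintenance_mode:
            return False, f"{host}: production {asset.role} not in maintenance mode"
        if asset.fragile and (activity, host) not in roe.approved:
            return False, f"{host}: fragile {asset.role}, {activity} needs explicit approval"
    return True, f"{host}: {activity} permitted"

def review_plan(plan, inventory, roe):
    """Run every (activity, host) pair through preflight; returns the blocked ones with reasons."""
    return [(a, h, reason) for a, h in plan
            for ok, reason in [preflight(a, h, inventory, roe)] if not ok]

# Constructed sample inventory and rules of engagement (hypothetical hosts, not a real site).
INVENTORY = {
    "10.1.1.5": Asset("10.1.1.5", "PLC", production=True, fragile=True),
    "10.1.1.20": Asset("10.1.1.20", "historian", production=True, maintenance_mode=True),
    "10.9.0.7": Asset("10.9.0.7", "PLC", production=False, fragile=True),
    "10.1.1.50": Asset("10.1.1.50", "RTU", production=True),
}
ROE = RulesOfEngagement(in_scope={"10.1.1.5", "10.1.1.20", "10.9.0.7"},
                        approved={("port_scan", "10.9.0.7")})
PLAN = [("port_scan", "10.1.1.5"), ("port_scan", "10.1.1.20"), ("port_scan", "10.9.0.7"),
        ("passive_capture", "10.1.1.5"), ("port_scan", "10.1.1.50")]

if __name__ == "__main__":
    for activity, host, reason in review_plan(PLAN, INVENTORY, ROE):
        print(f"BLOCKED {activity:16} {reason}")
```

Running the sample plan blocks the port scan of the live PLC (not in maintenance mode) and the scan of the out-of-scope RTU, while the lab PLC scan passes because it has an approval record.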
Deliverables
The deliverable for an OT pen test is twofold: the engagement activities are the primary deliverable and the report the secondary. During a pen test, the interactive sessions and emulated adversary activities allow the customer to determine how their team will detect and respond. The report captures some of this but focuses primarily on the vulnerabilities and recommendations. An OT pen test report details each exploited vulnerability and offers customized recommendations. Each Tactic, Technique, and Procedure (TTP) employed is mapped to the cyber kill chain using the MITRE ATT&CK for ICS and MITRE ATT&CK matrices. The recommendations focus on the preventative and detective controls that can be deployed to interrupt the identified attack paths.