Conducting a cyber-security assessment is an important step in an industrial IT lifecycle because it can pro-actively address any shortcomings and vulnerabilities. The intent and purpose is to identify security weaknesses and to follow up with actionable recommendations that will promptly plug the gaps before any security breach can occur. One of the techniques involved, known as system vulnerability assessment, is to find out if the systems contain any vulnerabilities that are susceptible to viruses or Trojan horses, or in a worst case scenario - a malicious cyber hack.

The question is whether a cyber security assessment for industrial automation should include penetration testing as an extension of the system vulnerability assessment.

Before we go further, it is important to make a clear distinction between system vulnerability assessment and penetration testing.

What is System Vulnerability Assessment?

In a vulnerability assessment, data is collected from the system and compared with documented issues to deduce if the system is vulnerable to any known exploits. When we say “documented issues”, we are referring to vulnerabilities or systems weaknesses that have been discovered and therefore known, hence, they have been documented and most probably made available to the public for awareness. Most of the time, the publishing of vulnerabilities would also have included remedial measures to address the weakness.

In an attempt to categorize and to rank the severity of vulnerabilities in information systems, a few computer security communities have developed standards for this. Among the well known standards are the Common Vulnerabilities and Exposures (CVE) dictionary and the Common Vulnerability Scoring System (CVSS). The CVE system provides a reference-method for publicly known information-security vulnerabilities and exposures, and is maintained by MITRE Corporation with funding from the National Cyber Security Division of the United States Department of Homeland Security. The CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities, and is under the custodianship of the Forum of Incident Response and Security Teams (FIRST). There are a few others as well such as the Common Vulnerability Reporting Framework (CVRF) by the Industry Consortium for Advancement of Security on the Internet (ICASI) and the OWASP Vulnerability Classification Mappings by the Open Web Application Security Project (OWASP) which focus more on web systems’ vulnerabilities.

CVE and CVSS are among the most widely used standards including by the US National Vulnerability Database. Many vulnerability scanning tools like the Tenable Network Security utilizes the CVE or CVSS program to reference each of the vulnerabilities detected by its Nessus scanner.

This is where in a vulnerability assessment, the system’s configuration and settings data are collected by the scanner and compared with the scanner’s dictionary-list of CVE or CVSS-referenced vulnerability information to deduce if the system is susceptible to any known weakness. In the event of a match, the finding is reported as vulnerability discovered. The testing stops here and does not go further, like for example, seeking ‘to prove’ if the found vulnerability is indeed exploitable.

What is Penetration Testing?

Penetration testing, however, takes a further step into simulating the exploitation on the found system vulnerability to confirm if a security breach or a catastrophic damage can really be inflicted on the system, if it would have been a real cyber attack. Exploitation may involve automated techniques using software programs or scripts that were developed, possibly available on the Internet openly and ready for running on the vulnerable system to effect an outcome, and this is often malicious in nature. Other exploitation may involve keying in invalid inputs into the requesting field of a flawed application that has been discovered with security weakness that leads on to the application’s breakdown (an example of such vulnerabilities is the widely known SQL-injection weakness). Yet other exploitative venture may involve devising own scripting and techniques to make use of the vulnerability to break into the system further.

Such techniques are often invasive and potentially result changes to the system’s settings which in a real malicious attempt may have an end-goal of rendering the system’s functionality unable to perform to its original intend or reducing its capability or even in some cases totally disabling it, like in a total system-shutdown. Other more sophisticated exploitative technique may be to extract critical data such as confidential information but leaving the system intact and still operating as if nothing untoward has happened.

Why some prefer penetration testing?

As we can see now, penetration testing has a conclusiveness to the investigation. Hence, it holds strong appeal to many security practitioners. They see it as an added benefit to exhaustively find out the reality of cyber security threat to their systems.

Risk Factor = Change or Rule Severity x System Business Value

Many, however, may not be aware that a penetration test can have the potential of destabilizing the system. In certain instances, the impact on the system is irreversible such that it can no longer be restored back to its original state. In some other situation, the impact of the destabilizing can even propagate the effect upstream, or downstream affecting other inter-connected systems. In industrial control systems – such impact has a very high risk of destabilizing the manufacturing processes and potentially resulting a volatile chemical reaction that poses danger to human safety and also to the environment.

So we ask: Is penetration testing recommended for a cyber security assessment on industrial control systems? If it is for the purpose of confirming a found vulnerability – which if, for example already has a CVE registered to it, and hence, the fixes and patch are likely also available – is there a need to prove its exploitability anymore?

What should we do?

In today’s ICS landscape, many plants have yet to be assessed to ascertain the security health of their systems, processes and operations since their DCS migration to open-systems architecture. For them, the urgency may be to conduct an immediate security assessment that is broad-based because the results of first-time assessments are usually both sporadic and wide-ranging. Often too, security gaps tend to be inter-related in a way that a primary system vulnerability can derive many secondary weaknesses. Hence, a collective few inherent weaknesses may actually be dealt with when a single system patch is applied. This is how single service packs work in comparison to individual hotfixes.

Hence, it is usually more practical to start with a broad-based assessment. The real value of pin-point testing such as the surgical penetration test may find its merits when a more exacting security assessment is necessary later. This is because most common issues would have been cleared after the initial assessment.

You can read our other articles on Security here.

Apr 18, 2024

Oil & Gas Operations and Decision-Making in the Cloud Era

Recently, KBC launched the Acuity Industrial Cloud Suite, consolidating its simulation software solutions. It aligns with KBC's portfolio to address challenges in energy transition, process optimization, value chain optimization, and asset management. For insights, we interviewed Rolando Gabarron, a senior consultant in product management.

Apr 2, 2024

Behind the scenes of Pioneers: Pursuing objectives while also focusing on personal growth with Esmeralda Roxas

In the dynamic landscape of professional careers, the journey of growth and adaptation of Esmeralda Roxas at Yokogawa stands out. From her humble beginnings in system sales engineering for upstream oil and gas to her current role in network security, her trajectory is a testament to resilience, proactivity, and a thirst for knowledge.

Dec 21, 2023

The Necessity of Converged IT/OT SOC in Strengthening Cybersecurity for Today's Industrial Landscape

In the rapidly advancing technological landscape, industrial organizations face escalating cyber threats. To fortify cybersecurity, embracing a Converged IT/OT SOC is imperative. Yokogawa's cloud-based IT/OT SOC service provides a holistic defense, offering integrated visibility, proactive measures, and real-time monitoring. As cyber threats evolve, businesses can stay ahead with Yokogawa, safeguarding operations effectively in the cybersecurity race.

Dec 19, 2023

Yokogawa Recognised as a ‘Leader’ in Verdantix Green Quadrant for Process Safety Software 2023

Yokogawa has been acknowledged as a key software platform provider in the Green Quadrant report published by Verdantix and achieved the title of a 'Leader' in Process Safety Management. This recognition stands as a great achievement for Yokogawa, showcasing excellent performance in areas such as Control of Work, Mobile, Platform Interoperability, Integration, and Sustainability, including ESG considerations, among other notable areas.

Dec 18, 2023

Behind the scenes of Pioneers: Mahalakshmi R, Deputy Head, Yokogawa India Service: A Trailblazer in Leadership and Career Success at Yokogawa

In a recent interview, Mahalakshmi, Deputy Head at Yokogawa India Service, revealed her remarkable 28-year journey with the company. A leader in training and customer service, she has driven innovative projects and fostered a culture of success. Let's explore the key elements that have defined her leadership and career at Yokogawa.

Nov 30, 2023

Optimizing Energy Efficiency for Industrial Enterprise Buildings & Offices

Explore Yokogawa's EEMS revolutionizing energy efficiency in industrial buildings, recognizing their substantial impact on global energy consumption and CO2 emissions. This blog delves into EEMS's digital prowess for optimizing energy dynamics through real-time monitoring and a centralized platform. Uncover insights into smart meters, sensors, and communication protocol challenges and solutions.

Oct 2, 2023

Enhancing Energy Security Unveils the Power of Convergence and Yokogawa's Cybersecurity Program

In an age of looming cyber threats, the energy sector's vulnerability is glaring. Embracing IT-OT convergence is vital to combat these risks. Explore the benefits, challenges, and the pivotal role of Yokogawa's cybersecurity program in safeguarding energy systems against cyber threats. Discover more in our enlightening infographic, here: Access the infographic. Convergence merges security aspects for a unified defense, yet poses new risks. The Colonial Pipeline incident highlighted the cascading impact of IT breaches on OT systems. Yokogawa's comprehensive cybersecurity program addresses these challenges, offering tailored solutions, risk assessment, layered defense, monitoring, and employee education. Join us in fortifying cybersecurity posture.

Digital Solutions Blog

Is Penetration Testing recommended for Industrial Control Systems?

What is System Vulnerability Assessment?

What is Penetration Testing?

Why some prefer penetration testing?

What should we do?

Looking for more information？

Yokogawa Digital Solutions

Contact us