Is Penetration Testing recommended for Industrial Control Systems?

Conducting a cyber-security assessment is an important step in the industrial IT lifecycle because it proactively addresses shortcomings and vulnerabilities. Its purpose is to identify security weaknesses and to follow up with actionable recommendations that close the gaps before a breach occurs. One of the techniques involved, system vulnerability assessment, determines whether the systems contain known weaknesses that could be exploited by malware such as viruses or Trojan horses or, in the worst case, by a deliberate attacker.

The question is whether a cyber security assessment for industrial automation should include penetration testing as an extension of the system vulnerability assessment.

Before we go further, it is important to make a clear distinction between system vulnerability assessment and penetration testing.

What is System Vulnerability Assessment?

In a vulnerability assessment, data is collected from the system and compared with documented issues to deduce whether the system is exposed to any known exploits. By "documented issues" we mean vulnerabilities or system weaknesses that have already been discovered and therefore are known, documented and, in most cases, made public for awareness. The publication of a vulnerability usually includes remedial measures to address the weakness.

To catalogue vulnerabilities in information systems and to rank their severity, several computer-security communities have developed standards. Among the best known are the Common Vulnerabilities and Exposures (CVE) dictionary and the Common Vulnerability Scoring System (CVSS). The two are complementary: CVE provides a reference method for publicly known information-security vulnerabilities and exposures, assigning each one a unique identifier, and is maintained by the MITRE Corporation with funding from the National Cyber Security Division of the United States Department of Homeland Security. CVSS is a free and open industry standard for assessing the severity of a vulnerability, and is under the custodianship of the Forum of Incident Response and Security Teams (FIRST). There are others as well, such as the Common Vulnerability Reporting Framework (CVRF) by the Industry Consortium for Advancement of Security on the Internet (ICASI), and the OWASP Vulnerability Classification Mappings by the Open Web Application Security Project (OWASP), which focus on web application vulnerabilities.

CVE and CVSS are among the most widely used standards, and both are used by the US National Vulnerability Database. Many vulnerability scanning tools, such as Tenable Network Security's Nessus scanner, reference each vulnerability they detect by its CVE identifier and report its CVSS score.

This is how a vulnerability assessment works: the scanner collects the system's configuration, software versions and settings and compares them against its database of known weaknesses, each referenced by CVE identifier and scored with CVSS, to deduce whether the system is susceptible to any known weakness. On a match, the finding is reported as a discovered vulnerability. The testing stops there and goes no further; in particular, it does not seek to prove that the reported vulnerability is actually exploitable on that system. Because the match is usually made on version banners and configuration data rather than on observed behaviour, a reported finding can be a false positive, and a weakness not yet in the database will not be reported at all.
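The comparison step described above, as an added example that is not part of the original article: a small inventory of plant hosts is matched against a dictionary of known weaknesses by product and version range, and each match is reported, never exploited. The hosts, products, version ranges and identifiers (`VULN-0001`, `VULN-0002`) are constructed for illustration and are not real CVE entries; a real scanner would cite CVE identifiers and vendor advisories. The risk figure follows the risk formula quoted later in this article, with CVSS standing in for severity and a plant-assigned business value per asset.

```python
"""Added example (not from the original article): a minimal version-based
vulnerability matcher of the kind a scanner performs.  All hosts, products,
weakness entries and identifiers are constructed; the IDs are placeholders,
not real CVE numbers."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class KnownWeakness:
    ref: str           # hypothetical identifier (a real scanner would cite a CVE ID)
    product: str
    affected_min: str  # inclusive lower bound of affected versions
    fixed_in: str      # exclusive: versions >= this are patched
    cvss: float        # CVSS base score, 0.0 to 10.0
    remediation: str   # what the published advisory would tell you to do


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    business_value: int  # 1 (low) to 5 (critical), assigned by the plant


@dataclass(frozen=True)
class Finding:
    host: str
    ref: str
    cvss: float
    risk: float
    remediation: str
    status: str = "reported, not exploited"  # a VA never goes past this point


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.10.2' into (3, 10, 2) so that comparison is numeric, not
    lexical: as a string '3.10' would wrongly sort before '3.9'."""
    return tuple(int(part) for part in v.split("."))


def is_affected(asset: Asset, weakness: KnownWeakness) -> bool:
    """Version-banner matching, the same heuristic a scanner plugin uses."""
    if asset.product != weakness.product:
        return False
    v = parse_version(asset.version)
    return parse_version(weakness.affected_min) <= v < parse_version(weakness.fixed_in)


def assess(assets: List[Asset], dictionary: List[KnownWeakness]) -> List[Finding]:
    """Compare the inventory against the dictionary and rank the matches.
    Risk = severity x business value (the article's formula), highest first."""
    findings = []
    for asset in assets:
        for weakness in dictionary:
            if is_affected(asset, weakness):
                risk = round(weakness.cvss * asset.business_value, 1)
                findings.append(Finding(asset.host, weakness.ref, weakness.cvss,
                                        risk, weakness.remediation))
    return sorted(findings, key=lambda f: f.risk, reverse=True)


# Constructed sample data: a hypothetical vulnerability dictionary and a
# hypothetical plant inventory.
DICTIONARY = [
    KnownWeakness("VULN-0001", "hmi-server", "3.0", "3.10", 9.8, "upgrade to 3.10 or later"),
    KnownWeakness("VULN-0002", "historian", "2.1", "2.4.3", 5.3, "apply vendor hotfix 2.4.3"),
]
INVENTORY = [
    Asset("hmi-01", "hmi-server", "3.9", 5),      # affected: 3.9 < 3.10
    Asset("hmi-02", "hmi-server", "3.10", 5),     # already on the fixed version
    Asset("hist-01", "historian", "2.4.2", 3),    # one hotfix behind
    Asset("eng-ws-01", "engineering-ws", "7.2", 2),  # product not in dictionary
]

if __name__ == "__main__":
    for f in assess(INVENTORY, DICTIONARY):
        print(f"{f.host}: {f.ref} cvss={f.cvss} risk={f.risk} -> {f.remediation} [{f.status}]")
```

Running the block lists `hmi-01` first and `hist-01` second; `hmi-02` is silent because it is already on the fixed version, and `eng-ws-01` is silent only because nothing about its product is in the dictionary, which is the blind spot noted above.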

What is Penetration Testing?

Penetration testing, however, takes the further step of simulating exploitation of the vulnerability that was found, to confirm whether a security breach or serious damage could really be inflicted on the system if the attack were real. Exploitation may use automated techniques: software programs or scripts, often openly available on the Internet, that are ready to run against the vulnerable system to produce an outcome, and that outcome is frequently malicious. Other exploitation consists of supplying crafted or invalid input to the input fields of a flawed application so that the application misbehaves or breaks down (the widely known SQL-injection weakness is an example of such a vulnerability). Yet other exploitation involves devising one's own scripts and techniques to use the vulnerability as a foothold and break further into the system.

Such techniques are often invasive and may result in changes to the system's settings. In a real malicious attempt the end goal may be to render the system unable to perform as intended, to reduce its capability or, in some cases, to disable it entirely, as in a total system shutdown. A more sophisticated technique may instead extract critical data such as confidential information while leaving the system intact and operating as if nothing untoward had happened.

Why do some prefer penetration testing?

As we can now see, penetration testing brings the investigation to a conclusive result. Hence it holds strong appeal for many security practitioners, who see it as the added benefit of finding out exhaustively how real the cyber-security threat to their systems is.

Risk Factor = Change or Rule Severity x System Business Value

Many, however, may not be aware that a penetration test has the potential to destabilize the system. In certain instances the impact is irreversible, and the system can no longer be restored to its original state. In other situations the destabilizing effect can propagate upstream or downstream to other interconnected systems. In industrial control systems such an impact carries a very high risk of destabilizing the manufacturing process, potentially resulting in a volatile chemical reaction that endangers human safety and the environment. Even the non-exploitative network scanning used in a vulnerability assessment can hang fragile embedded controllers, so any active testing against live ICS equipment should be confined to a maintenance window or, better, run against a representative offline replica.

So we ask: is penetration testing recommended for a cyber-security assessment of industrial control systems? If its purpose is to confirm a vulnerability that was already found, one which, for example, already has a CVE registered to it, so that fixes and patches are likely also available, is there any need to prove its exploitability?
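The reasoning in the question above, written out as a triage rule, as an added example that is not part of the original article: for each finding, decide whether active exploitation adds information worth its risk. The rule, the four decision outcomes and the two flags on each target (`safety_critical`, `replica_available`) are constructed assumptions for illustration, not a standard or the author's method.

```python
"""Added example (not from the original article): a pre-test triage rule for
deciding whether a finding warrants active exploitation on an ICS.  The
decision outcomes and the asset attributes are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

# Possible outcomes, from least to most intrusive.
REPORT_ONLY = "report only: fix already published, apply the patch and rescan"
PASSIVE_ONLY = "report only: safety-critical asset with no replica, verify by configuration review"
EXPLOIT_ON_REPLICA = "exploit on the offline replica or test bench, never on the live system"
EXPLOIT_LIVE = "exploit live only in a scheduled window with a tested rollback plan"


@dataclass(frozen=True)
class Candidate:
    host: str
    ref: str            # public reference such as a CVE ID, or "" if none exists
    fix_available: bool


@dataclass(frozen=True)
class Target:
    host: str
    safety_critical: bool    # can a fault on this host reach the physical process?
    replica_available: bool  # is a representative offline copy available?


def exploitation_decision(c: Candidate, t: Target) -> str:
    """Decide whether proving exploitability is worth the risk."""
    # 1. A known weakness with a published fix needs patching, not proof:
    #    exploiting it adds risk to the plant but no information to the report.
    if c.ref and c.fix_available:
        return REPORT_ONLY
    # 2. An unfixed or unregistered weakness may justify proof, but never on
    #    a live system that can reach the process.
    if t.safety_critical:
        return EXPLOIT_ON_REPLICA if t.replica_available else PASSIVE_ONLY
    # 3. Elsewhere, prefer the replica; live exploitation is the last resort.
    return EXPLOIT_ON_REPLICA if t.replica_available else EXPLOIT_LIVE


def plan(pairs: List[Tuple[Candidate, Target]]) -> List[Tuple[str, str, str]]:
    """Build the test plan as (host, reference, decision) rows."""
    return [(c.host, c.ref or "(unregistered)", exploitation_decision(c, t)) for c, t in pairs]


# Constructed sample findings: hosts, references and flags are hypothetical.
SAMPLE = [
    # registered weakness, patch exists, on a safety-critical HMI: patch it, do not prove it
    (Candidate("hmi-01", "VULN-0001", True), Target("hmi-01", True, True)),
    # weakness with no fix on a safety-critical controller and no replica: passive checks only
    (Candidate("plc-07", "VULN-0003", False), Target("plc-07", True, False)),
    # unregistered weakness on a historian with a lab copy available: prove it on the replica
    (Candidate("hist-01", "", False), Target("hist-01", False, True)),
    # unfixed weakness on a non-critical workstation with no replica: live, but under controls
    (Candidate("eng-ws-01", "VULN-0004", False), Target("eng-ws-01", False, False)),
]

if __name__ == "__main__":
    for host, ref, decision in plan(SAMPLE):
        print(f"{host:<10} {ref:<14} {decision}")
```

The first rule is the article's own point: once a weakness has a public reference and a fix, the assessment has already done its job and the remaining effort belongs to patching and re-scanning. The remaining rules keep whatever exploitation is still justified away from equipment that can affect the process.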

What should we do?

In today's ICS landscape, many plants have yet to be assessed to ascertain the security health of their systems, processes and operations since their DCS migration to an open-systems architecture. For them, the priority is to conduct an immediate, broad-based security assessment, because the results of a first assessment are usually both sporadic and wide-ranging. Security gaps also tend to be interrelated: a primary system vulnerability can give rise to many secondary weaknesses, so several inherent weaknesses may be dealt with by applying a single system patch. This is how a single service pack works in comparison to individual hotfixes.

Hence it is usually more practical to start with a broad-based assessment. Pin-point testing such as a surgical penetration test finds its merit later, when a more exacting security assessment is necessary, because by then the most common issues will already have been cleared by the initial assessment.
