Industrial VAPT

Within industrial environments, cybersecurity testing requires a specialized approach. We know. This is mainly due to the different risks and threat models within Operational Technology (OT).

Discover more about VAPT in the Industrial Sector:

1. What is Vulnerability Assessment / Penetration Testing (VAPT)?
2. The value and results of VAPT in OT
3. VAPT in the Industrial Sector
4. Different techniques for OT systems
5. Secura's approach in VAPT for OT

What is Vulnerability Assessment & Penetration Testing?

Many types of testing are collectively known as ‘Vulnerability Assessments and Penetration Testing’ (VAPT). Classical ‘Penetration Testing’ means that tests are performed from an attacker’s perspective, and vulnerabilities are exploited to see ‘how far can an attacker get’. However, this is not always the most effective way of testing because it often makes more sense to perform a Vulnerability Assessment. A Vulnerability Assessment implies testing in such a way as to find as many vulnerabilities as possible without wasting time exploiting those vulnerabilities to see how far you can get. Finding more vulnerabilities is often more valuable because it reduces risks more effectively: exploring wide, instead of (only) deep.

The value of VAPT in OT

VAPT in the Industrial Sector

Within industrial environments, many critical business processes depend on OT. Networks with Industrial Controls Systems (ICS) such as DCS, PLC’s and SCADA systems manage and automate critical processes. Still, the enterprise’s IT services are just as important for daily operations. Moreover, due to the convergence of IT and OT and Industry 4.0-initiatives, the dependency between these two environments is also increasing. A successful business depends on reliable systems in both IT and OT; therefore, VAPT testing is important for all these systems. Different technologies are used across these environments, and it is collectively known that OT systems might not be resilient against VAPT scans. It is obvious that each area requires a different approach.

Information Technology (IT)

Industrial security is not the same as OT security. All industrial companies have a regular IT network that is just as critical to their business as the OT network.

Besides all the regular components found in any modern IT network (and their related vulnerabilities), industrial organizations might face additional challenges. Services that depend on data received from the OT layer or vice versa. A good example is connecting the IT ERP system and OT applications, often using unencrypted SQL or HTTP connections. Even OT-cloud services or OT-remote access might be routed through the IT domain. This connectivity and dependency increase the risk that cyber incidents traverse between these domains. Incidents within the IT environment could affect the OT environment, but the opposite is also true.

Of course, you can have a standard VAPT performed within your IT domain. Still, it is also possible to extend this with the question if whether vulnerabilities in the IT domain could be abused to reach or affect the OT systems. In this case, we try to exploit the discovered vulnerabilities to gain access to servers in the IT/OT-DMZ or potentially directly in the OT network.

IT/OT-DMZ

This network zone separates the enterprise IT network and the OT network. Often, this level consists of generic IT components, but it could also contain specific OT-related applications, including specific OT communication protocols, like Modbus, OPC, or OPC-UA. Some examples are remote access servers, patch update distribution servers, and data historian servers. It is often a crucial layer as this is one of the first layers of defense of the underlying OT systems.

Operational Technology (OT)

Within the OT environment, there are many more components like DCS controllers, PLC’s, RTU’s, SCADA systems, and possible other legacy systems that can’t handle the disruptive scans or actions used during a conventional penetration test. Even a simple network scan could already be sufficient to disrupt the working of a PLC. This is one of the reasons why it’s commonly said that it is not a good idea to perform VAPT assignments in live production networks.

Meanwhile, hackers might not know or care about this, and we know that many vulnerabilities exist in OT networks. So, how can you manage this? Instead of just following the consensus, you need to focus on tests that are possible in OT environments. This depends on the specific infrastructure in scope, but we generally prefer a “crystal box” approach. In this case, the information about the internal network is provided, maybe with some credentials and access to configuration examples. This information is needed so the approach for each device can be tailored based on where it “lives” in relation to the Purdue model.

VAPT techniques for OT systems

Passive scanning

One of the techniques that can be used in OT environments is passive vulnerability scanning. Contrary to normal (active) vulnerability scanning, there is no (intrusive) traffic injected into the network to ensure even the most fragile systems are not affected. Passive scanning is a “read-only” technique that uses a copy of already existing network traffic. This traffic is analyzed and could expose vulnerabilities like weak protocols, poor configuration, or outdated firmware.

The downside of this method is it is less accurate and will not provide full coverage (only devices in use at the time of testing will generate traffic to be analyzed). It will therefore require a bit more manual investigation to confirm the findings.

Selective scanning

On top of passive scanning, it is possible to use specific and less intrusive active scanning techniques in collaboration with the customer. These queries will be tailored to a single host or a selected part of the network, and parameters will be configured in such a way as to prevent any overwhelming amount of traffic. This technique is more accurate than passive scanning, but it’s time-consuming. Still, some devices like legacy PLCs should never be scanned when they are in production. However, it might still be possible to perform these scans during a maintenance period or manual supervision, or if available, in a separate test environment containing the same types of devices.

Secura’s approach in VAPT for OT

Our specific VAPT approach in the OT environment depends on which levels are in scope from the Purdue levels.

Purdue Level 2 & 3

Generally, systems that reside in Purdue levels 2 and 3 (Area Supervisory and Site Operations, respectively) are based on generic IT components. Depending on the criticality of each system, we can use more or less intrusive methods. The question is often to test how resilient the systems and network are against targeted attacks. In these levels, systems may also use OT-specific protocols, like Modbus, DNP3, IEC-101/104, CIP Ethernet/IP, etc., to communicate to each other and to systems in the lower Purdue models. It is also not uncommon within OT environments that custom applications or solutions are installed on this level that might add an attack surface. The ultimate question is whether a hacker can move laterally over the network and to the deeper levels of the system.

In the penetration test stage, we try to exploit vulnerabilities in the system configurations, installed (custom) applications, weak IT protocols like FTP, Telnet, HTTP, and SNMP, and insecure industrial protocols. The goal is to gain access to engineering workstations, SCADA databases, or human-machine interfaces to investigate if we could influence the process.

Purdue Level 0 & 1

In level 1 (Basic control) and level 0 (Process), we will not use any intrusive methods unless it is specifically requested, for example, when the system could also be operated manually or is not in active use due to a scheduled maintenance period. Often, the question is whether an attacker can manipulate signals or measurements or carry out a cyber-physical attack, especially when this level might also contain safety systems (SIS). It is also possible to research if these lower levels (that might be installed in unmanned remote locations) can provide access to higher levels of the OT network and maybe even the IT environment.

In these levels, most of the communication is performed via OT-specific protocols, of which many are insecure. Some examples are, Modbus-TCP, Fieldbus, Profibus, HART, and many more, including vendor-proprietary protocols.

On request, we could, as part of the penetration test, investigate the possible vulnerabilities in these levels as well. We will try to exploit vulnerabilities in the used communication protocols, potential vulnerabilities in the controller’s or device firmware, or abuse weaknesses in the device configuration.

Connectivity

Finally, all these components are connected via network devices such as switches, routers, firewalls, and even wireless access points. On top of that, it is also common that a lot of protocol and media converters are used in OT environments, like RS-232/RS-485 to Ethernet or Copper to Optical Fiber converters. All these intelligent devices generate additional attack surfaces. Therefore, network configuration and segmentation are crucial and a good focus area for our VAPT service. These devices are resilient for these types of scans and will be included in the scope of regular vulnerability scans and tests.

During the penetration test, we try to abuse weaknesses in the configuration of these devices or exploit potential vulnerabilities in the firmware to gain access to the infrastructure layer. If succeeded, it becomes easier to attack other network parts, manipulate network traffic to influence the process, or eavesdrop on unencrypted communication.

The Purdue Model

According to the Purdue model, a typical OT network consists of different levels:

Interested in VAPT at your company?

For more information, please contact us. We are happy to discuss how we can help you the best. You can contact us via the contact form, by telephone at +31 (0) 88 888 31 00, or by email at info@secura.com.