Secura’s approach in VAPT for OT
Our specific VAPT approach in the OT environment depends on which Purdue levels are in scope.
Purdue Level 2 & 3
Generally, systems that reside in Purdue levels 2 and 3 (Area Supervisory and Site Operations, respectively) are based on generic IT components. Depending on the criticality of each system, we can use more or less intrusive methods. The question is often how resilient the systems and network are against targeted attacks. At these levels, systems may also use OT-specific protocols, like Modbus, DNP3, IEC-101/104, CIP Ethernet/IP, etc., to communicate with each other and with systems in the lower Purdue levels. It is also not uncommon within OT environments that custom applications or solutions are installed at this level, which might add attack surface. The ultimate question is whether an attacker can move laterally across the network and down into the deeper levels of the system.
In the penetration test stage, we try to exploit vulnerabilities in the system configurations, installed (custom) applications, weak IT protocols like FTP, Telnet, HTTP, and SNMP, and insecure industrial protocols. The goal is to gain access to engineering workstations, SCADA databases, or human-machine interfaces to investigate whether we could influence the process.
Purdue Level 0 & 1
At level 1 (Basic Control) and level 0 (Process), we will not use any intrusive methods unless this is specifically requested, for example when the system can also be operated manually or is not in active use due to a scheduled maintenance period. Often, the question is whether an attacker can manipulate signals or measurements or carry out a cyber-physical attack, especially when this level might also contain safety instrumented systems (SIS). It is also possible to research whether these lower levels (which might be installed in unmanned remote locations) can provide access to higher levels of the OT network and maybe even the IT environment.
At these levels, most of the communication is performed via OT-specific protocols, many of which are insecure. Some examples are Modbus-TCP, Fieldbus, Profibus, HART, and many more, including vendor-proprietary protocols.
On request, we can investigate possible vulnerabilities at these levels as well, as part of the penetration test. We will try to exploit vulnerabilities in the communication protocols in use, potential vulnerabilities in the controller or device firmware, or abuse weaknesses in the device configuration.
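As an added illustration (example code, not Secura's tooling or methodology) of why an unauthenticated protocol such as Modbus-TCP is a concern at these levels: the MBAP header carries no sender identity and no integrity check, so a defender can only distinguish a legitimate write from a rogue one by the source host. The Python below parses constructed Modbus/TCP frames and flags write function codes from hosts outside an assumed allow-list; the IP addresses, allow-list and sample frames are all constructed for the example.

```python
import struct

# Modbus function codes that change process state (coil/register writes).
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTION_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
                       3: "Read Holding Registers", 4: "Read Input Registers"}

def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header (transaction id, protocol id, length,
    unit id) plus the function code byte. Raises ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid} (Modbus uses 0)")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame length")
    return {"transaction_id": tid, "unit_id": unit,
            "function_code": frame[7], "data": frame[8:]}

def classify(frame: bytes, src_ip: str, allowed_writers: set) -> str:
    """Return 'read', 'write', 'write-from-unauthorised-host' or 'other'.
    Nothing in the frame itself proves who sent it; only the source host does."""
    fc = parse_mbap(frame)["function_code"]
    if fc in WRITE_FUNCTION_CODES:
        return "write" if src_ip in allowed_writers else "write-from-unauthorised-host"
    if fc in READ_FUNCTION_CODES:
        return "read"
    return "other"

def audit(captured, allowed_writers):
    """Summarise a list of (src_ip, frame) tuples; reads are dropped as benign."""
    findings = []
    for src_ip, frame in captured:
        verdict = classify(frame, src_ip, allowed_writers)
        if verdict != "read":
            findings.append((src_ip, verdict))
    return findings

# Constructed sample: an assumed HMI address and a host that should not write.
ALLOWED_WRITERS = {"10.0.2.10"}
SAMPLE_CAPTURE = [
    # FC 3, read 10 holding registers from address 0, unit 1
    ("10.0.2.10", bytes.fromhex("00010000000601030000000a")),
    # FC 6, write value 0x00ff to register 0x0010, unit 1, from an unexpected host
    ("10.0.2.99", bytes.fromhex("0002000000060106001000ff")),
]

if __name__ == "__main__":
    for src, verdict in audit(SAMPLE_CAPTURE, ALLOWED_WRITERS):
        print(f"{src}: {verdict}")
```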
Connectivity
Finally, all these components are connected via network devices such as switches, routers, firewalls, and even wireless access points. On top of that, it is also common for many protocol and media converters to be used in OT environments, like RS-232/RS-485 to Ethernet or copper to optical fiber converters. All these intelligent devices add attack surface. Therefore, network configuration and segmentation are crucial and a good focus area for our VAPT service. These devices are resilient to these types of scans and will be included in the scope of regular vulnerability scans and tests.
During the penetration test, we try to abuse weaknesses in the configuration of these devices or exploit potential vulnerabilities in their firmware to gain access to the infrastructure layer. If this succeeds, it becomes easier to attack other parts of the network, manipulate network traffic to influence the process, or eavesdrop on unencrypted communication.