On the Resilience of Operational Technology Devices in Penetration Tests
Authors: Florian Kessels, Niklas Reitz, Marko Schuba
Abstract:
Operational technology (OT) controls physical processes in critical infrastructures and economically important industries. With the convergence of OT with classical information technology (IT), rising cybercrime worldwide and the increasingly difficult geopolitical situation, the risks of OT infrastructures being attacked are growing. Classical penetration testing, in which testers take on the role of an attacker, has so far found little acceptance in the OT sector - the risk that a penetration test could do more harm than good seems too great. This paper examines the resilience of various OT systems using typical penetration test tools. It is shown that such a test certainly involves risks, but is also feasible in OT if a cautious approach is taken. Therefore, OT penetration testing should be considered as a tool to improve the cyber security of critical infrastructures.
Keywords: Penetration testing, operational technology, industrial control systems, operational technology security.