Dec 16 2024 59 mins
In our latest OT Security Connect session, we explored OT penetration testing with our excellent panel providing insights into the unique challenges, the absence of standardisation, and the strategies to enhance security within OT environments.
We also witnessed the birth of a new phrase "Living off the Plant" - credit to Ric Derbyshire on this 😁
Panel
Ric Derbyshire - Principal Security Researcher at Orange Cyberdefense
Gavin Dilworth - Principal Consultant at Assessment Plus
Martin Slack - Head of ICS at Pen Test Partners
Asif Hameed Khan - Cybersecurity Professional
🌐 Key Themes and Insights
The Case for Standardisation
The team debated the feasibility of a unified standard for OT penetration testing. While a universal approach seems impractical due to the diversity of OT environments and the lack of an arbitrator, the group agreed that more flexible, descriptive frameworks could provide valuable guidance.
For instance, a baseline guide to help asset owners could lean more into the IEC 62443 model, using security levels to align tests with sector-specific risks, criticality, and risk appetite, to help determine appropriate testing approaches.
Challenges of OT Penetration Testing
A significant challenge in OT penetration testing lies in the diverse approaches taken by testers, particularly those transitioning from IT-focused backgrounds. They can struggle to adapt, as their methods tend to prioritise vulnerabilities over the operational processes central to OT environments.
In contrast, successful testers focus on identifying how attackers could disrupt key processes and systems, as this aligns more closely with asset owners' priorities.
Organisations with well-established test beds often achieve better outcomes in penetration testing, as these environments allow for controlled experimentation and more realistic simulations. However, the lack of test beds in many organisations remains a barrier to effective testing.
Clear communication of testing objectives and outcomes is another critical success factor. Testers must articulate the scope and purpose of their assessments in terms that resonate with OT asset owners, ensuring alignment between testing practices and operational realities.
🚀 Key Takeaways for OT Security Professionals
- Pen-testing Certifications: Professional development recommendations from the panel for industry professionals interested in penetration testing in OT. OSCP and SANS were highly rated by Gavin and Martin 📚
- Pen-testing to Address Hybrid IT-OT Environments: Most pen-testing uses IT TTPs and is focussed on the more general-purpose operating systems within OT environments. As a result, there should be minimal safety and reliability issues.
- Pen-Testing Outcomes Impacting Security Posture: The whole point of a pen-test is to help end users improve their security posture: to reduce risk and enable the organisation to review gaps and plan its security programme going forward.