OT Penetration Testing

Your partner for the preparation, planning and implementation of OT infrastructure penetration tests. With us, you are one step ahead of attackers.


Protecting Critical Infrastructures (KRITIS)

Operational Technology (OT) comprises technologies for monitoring and controlling industrial processes such as Industrial Control Systems (ICS) and associated software. ICS include Supervisory Control and Data Acquisition (SCADA) systems that enable remote monitoring and control, Programmable Logic Controllers (PLC) for controlling machines and Distributed Control Systems (DCS) for managing complex processes.

Cyber security is crucial in this context as OT systems are increasingly connected to IT networks and are therefore more susceptible to cyber attacks. A successful attack can cause production downtime, damage to critical infrastructure and risk to human lives. While IT environments are generally very fast-moving and adaptive in terms of security-related updates, OT infrastructures are usually operated for decades and must be permanently available.

With the publication of the NIS 2 directive, the European Union is increasingly focusing on the topic of cyber security. This directive tightens security requirements for critical infrastructures and expands the circle of affected companies and organizations.

Through security testing, organizations can verify the effectiveness of their security measures and ensure that they meet the requirements of the NIS 2 directive. These tests help to identify vulnerabilities in OT systems before they can be exploited by cyber criminals.

Implementing regular security tests is not only a question of complying with legal requirements, but also an important step towards protecting critical infrastructures and maintaining the trust of customers and partners.

Our Offer for You

With our expertise, we support you in comprehensively examining your OT systems and identifying potential security gaps. Due to our broad range of services, we can examine both externally and internally accessible systems and thus identify threats in a wide variety of areas:

External and Internal Infrastructures

Nowadays, OT systems are increasingly connected to a wide variety of external and internal IT systems (e.g., cloud or on-premises solutions) in order to implement various use cases like:

  • Transmitting sensor data and controlling actuators
  • Visualizing data in dashboards
  • Remote maintenance and management
  • Networking with internal systems (e.g. SAP)

For this, various network technologies such as Ethernet or LoRaWAN are used. The necessary interconnection of OT and IT systems results in a large number of attack vectors.

To counter this risk, we examine the interfaces and components of your OT solutions in a penetration test.

Production Plant

Targeted attacks on production systems such as Stuxnet or Industroyer have shown the potential impact of successful attacks on industrial systems and highlight the need to evaluate the security measures implemented in such systems.

Penetration tests of networked production plants or individual components (ICS/SCADA systems, PLC/SPS, sensors/actuators, network hardware or embedded devices) make it possible to identify weak points in these systems at an early stage and thus minimize vulnerabilities.

Local Security Measures

Freely accessible interfaces and devices in public areas, such as conference rooms and supplier entrances, can pose a significant security risk. They can be used by attackers to manipulate individual devices in your OT environments and, in the worst case, to compromise the entire network. We help you to uncover these entry points and protect your OT infrastructure.

System-Specific Configurations

OT systems often use resource-efficient hardware and sometimes outdated software components, which makes classic penetration tests more difficult as they can lead to undesirable behavior and crashes with serious consequences. Therefore, a manual configuration check is often better suited.

Such hardening checks can also be useful before new components are rolled out in the productive environment. We are happy to support you in determining and checking suitable hardening measures for your OT environments.

Our Methodology

The penetration testing process of BDO Cyber Security GmbH is based on the five-step approach defined in the study “A Penetration Testing Model”, published by the German Federal Office for Information Security (BSI), and has been adapted to the special features of tests in the OT environment:

Phase 1: Preparation

During the first phase of the penetration test, test objectives as well as organizational, technical, and legal aspects are coordinated with the client. As critical infrastructures must not be impaired by the test activities, particular care must be taken when planning a penetration test in an OT environment. Depending on the environment under test, the depth of the test and the resulting consequences must be weighed up.

The results of this phase are documented in a contract, which serves as the legal basis for commissioning the penetration test.

Phase 2: Information Gathering

In phase 2, the information and documents provided by the customer are examined, thereby gathering preliminary information about components and protocols of the OT environment to be tested.

In parallel, it is verified that all components in scope can actually be reached for testing.

Phase 3: Analyzing Information

Based on the information gathered during previous phases, the list of planned test cases - and therefore the time required - can be adjusted for selected components according to their relevance. This involves identifying, analyzing, and prioritizing potential threats and attack vectors (e.g., based on damage potential, likelihood of success, and possible impacts).

Phase 4: Active Intrusion Attempts

Following the initial analyses, active intrusion attempts are conducted. For this purpose, the selected test cases are executed for each component in scope.

In the OT environment, especially in production environments, testing is carried out with the utmost care to minimize disruption or damages. Due to the unique nature and complexity of the devices and protocols in OT infrastructures, the approach differs fundamentally from traditional IT penetration tests. Industrial control systems, for example, often use resource-efficient hardware and outdated software, which usually precludes automated scans and attacks on known vulnerabilities as these can lead to undesirable behavior and crashes with serious consequences.

If a test case reveals a (potential) vulnerability, its exploitability and impact are examined:

  • Exploitability refers to the conditions affecting the success of an intrusion attempt, such as the accessibility of the vulnerable component, the required permissions and expertise, and any safeguards and protection mechanisms in place.
  • Impact refers to the consequences that a successful attack would have, e.g., on the confidentiality, integrity and availability of systems, user accounts or data.

Furthermore, evidence is gathered for each vulnerability, such as screenshots or step-by-step instructions to reproduce the attack or provoke specific system behaviors.

Tests are carried out predominantly manually.

Phase 5: Final Analysis and Clean-Up

The penetration test is concluded with the Final Analysis and Clean-Up Phase. During the final analysis, all results from the previous phases are compiled into a detailed report, including:

  • A summary of the test approach and findings, including an overall assessment of the security level of the test subject
  • A detailed description of each discovered vulnerability, including proof-of-concept and screenshots
  • An evaluation of each vulnerability in terms of its severity
  • General recommendations for remediation or mitigation of the identified vulnerabilities

If necessary, remnants of the test activities are also removed in this phase.

Testing Based on Established Frameworks

In the context of the penetration test, test cases are selected and executed based on testing guidelines. While the BSI model for penetration tests categorizes test cases into modules for information gathering (I-Modules) and intrusion attempts (E-Modules), BDO Cyber Security GmbH employs its own framework. The primary reason for this is that the I- and E-Modules can only be applied to OT environments to a limited extent.

BDO Cyber Security GmbH's framework is based on recognized, current standards. In addition, BDO Cyber Security GmbH has developed its own catalog with detailed test cases for individual technologies and standards. This catalog is based on current recommendations and best practices for the respective technologies and is constantly being developed further, taking new security vulnerabilities into account.

Contact us!

Luca Pascal Rotsch

Senior Consultant | Offensive Security