Common Pentest Scoping Mistakes for ICS-SCADA
Cyber criminals are more interested in critical infrastructure than ever before, so cyber threats against it are rising dramatically. Catastrophic attacks are just a matter of time, so we need realistic risk assessments and penetration tests.
My major concern is not only the how (methodologies) but also the what (scope) of ICS-SCADA penetration tests and audits. There are some common mistakes in scoping penetration tests:
1-Excluding ICS-SCADA components
Most penetration tests and audits leave out ICS-SCADA networks and components. This means most of the threats and risks related to ICS-SCADA are missed. I understand the logic behind this behavior: nobody wants their core operation shut down during an audit or pentest. But this risk is always on the table, and you cannot avoid it by just closing your eyes. Ignorance is not bliss for critical infrastructure. To be honest, real intruders will have no mercy.
2-Excluding supportive ICS-SCADA components
Another common scoping mistake is excluding supportive ICS-SCADA networks. What I mean is that it is not enough to include only the core operation ICS-SCADA networks; for example, power generation is much more than turbines. Remember, we are responsible for the whole operation. It should be up and running whenever we need it.
3-Missing Network and Connections
Penetration testers and auditors should not rely on topologies, network diagrams, and IP blocks. All possible connections and networks should be identified. This task requires configuration analysis, site visits, firewall analysis and more.
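As an illustration of the firewall analysis mentioned above (an added example, not part of the original post), the script below compares the IP blocks documented for an assessment with the networks that permit rules actually reference, and reports anything the documentation does not cover. The four-field rule format, the addresses and all names are constructed for this example.

```python
import ipaddress

# Constructed sample: IP blocks from the network diagram handed to the assessors.
DOCUMENTED_BLOCKS = ["10.10.0.0/16", "192.168.50.0/24"]

# Constructed sample: simplified rules as "action src dst port" (hypothetical format).
FIREWALL_RULES = """\
permit 10.10.1.0/24 10.10.20.5 502
permit 172.16.8.0/24 10.10.20.5 502
permit 192.168.50.10 10.10.30.0/24 44818
permit 10.10.20.5 203.0.113.40 443
deny any any any
"""

def to_net(value):
    """Parse an IPv4 address or CIDR; the keyword 'any' becomes None."""
    return None if value == "any" else ipaddress.ip_network(value, strict=False)

def label(net):
    return "any" if net is None else str(net)

def undocumented_networks(rules_text, documented):
    """Map each network used by a permit rule but absent from the
    documented blocks to the rules in which it appears."""
    scope = [ipaddress.ip_network(b) for b in documented]
    findings = {}
    for line in rules_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "permit":
            continue  # skip deny rules and malformed lines
        src, dst, port = to_net(fields[1]), to_net(fields[2]), fields[3]
        for net in (src, dst):
            # 'any' can never be covered by a documented block, so always report it.
            if net is None or not any(net.subnet_of(b) for b in scope):
                findings.setdefault(label(net), []).append(
                    f"{label(src)} -> {label(dst)} port {port}")
    return findings

if __name__ == "__main__":
    found = undocumented_networks(FIREWALL_RULES, DOCUMENTED_BLOCKS)
    for net, rules in found.items():
        print(f"not in documented scope: {net}")
        for rule in rules:
            print(f"    referenced by: {rule}")
```

Each reported network is a candidate for the scope discussion; confirming what it is still takes the configuration review and site visits described above.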
Conclusion
Penetration test/audit scope is highly critical to identify what to protect. All critical infrastructure networks and components should be in audit scope.
Other Posts: “19 Basic Steps for Critical Infrastructure/ICS-SCADA Security”
You can access the post on the 19 basic steps needed to secure critical infrastructure (ICS/SCADA) via this link.
Other Posts: “Critical Infrastructures and Security”
You can reach the first part of the critical infrastructure (ICS/SCADA) and security series via this link.