Risk Assessment Surveys for Control Infrastructures (SCADA / ICS)
Personal Interviews with key personnel to gather information on the various networks, including diagrams, schematics, previous mapping documents, IP addresses, and VLAN division.
On-site Visits to gain firsthand knowledge of the network and its existing components.
Data Collection on control components in the engineering network:
Including components such as Engineering Workstations, PLCs, RTUs, HMIs, and other control elements.
The mapping is conducted using various methodologies as needed, including:
Active scanning of components with well-known tools and proprietary tools we developed.
Passive traffic sniffing to listen to components and perform advanced communication analysis.
Image capturing from servers and control stations (e.g., HMIs and Engineering Workstations).
Sampling switches and communication devices within the engineering network.
In-depth Analysis of the collected data to map the engineering network components:
Identifying equipment manufacturers and firmware versions of control devices.
Recognizing control network protocols in use.
Identifying connection and authentication methods for control components.
Assessing security hardening on control devices, servers, and stations in the engineering network.
Reviewing existing security systems and organizational controls for information security.
Investigating internal and external interfaces of the engineering network with adjacent networks (e.g., IT network).
Examining data transfer processes in and out of the engineering network.
Identifying physical security gaps in the control infrastructure.
During data analysis, supplementary interviews with relevant team members are conducted as needed, so that the analysis is as accurate as possible and potential security gaps are not missed.
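As an added illustration of the passive traffic analysis and protocol recognition described above (example code, not part of this service description), the routine below builds a Modbus/TCP asset inventory from captured frames: which clients talk to which controller unit, which function codes they use, and which stations issue state-changing writes. Modbus/TCP as the protocol, the addresses and the frame contents are assumptions constructed for the example.

```python
import struct
from collections import defaultdict

# Modbus/TCP function codes that change process state (Modbus application protocol spec)
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_mbap(payload: bytes):
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.
    Returns None when the frame is malformed (wrong protocol id or length)."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    # protocol id is always 0; length counts the unit id plus the PDU
    if pid != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    return {"tid": tid, "unit": unit, "function": fc & 0x7F,
            "exception": bool(fc & 0x80), "data": payload[8:]}

def build_inventory(frames):
    """frames: iterable of (src_ip, dst_ip, dst_port, tcp_payload) from a passive capture.
    Only requests to TCP/502 are inventoried, keyed by (server ip, unit id)."""
    inv = defaultdict(lambda: {"clients": set(), "functions": set(), "writes": 0})
    for src, dst, dport, payload in frames:
        if dport != 502:
            continue
        adu = parse_mbap(payload)
        if adu is None or adu["exception"]:
            continue
        entry = inv[(dst, adu["unit"])]
        entry["clients"].add(src)
        entry["functions"].add(adu["function"])
        if adu["function"] in WRITE_FUNCTIONS:
            entry["writes"] += 1
    return dict(inv)

# Constructed sample traffic (not from a real site): an HMI, an engineering
# workstation and one unexpected host talking to two PLCs; last frame is malformed.
SAMPLE_FRAMES = [
    ("10.10.1.5", "10.10.2.20", 502, bytes.fromhex("000100000006" "0103" "0000000a")),
    ("10.10.1.7", "10.10.2.20", 502, bytes.fromhex("000200000006" "0106" "00100001")),
    ("10.10.1.99", "10.10.2.21", 502, bytes.fromhex("000300000008" "020f" "0000000801ff")),
    ("10.10.1.5", "10.10.2.20", 502, bytes.fromhex("000400010006" "0103" "0000000a")),
]

if __name__ == "__main__":
    for (server, unit), e in sorted(build_inventory(SAMPLE_FRAMES).items()):
        print(server, unit, sorted(e["clients"]), sorted(e["functions"]), e["writes"])
```

A station that appears with writes but is not a known HMI or engineering workstation (here 10.10.1.99) is exactly the kind of finding the analysis phase is meant to surface.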
Reviewing Vulnerabilities and Security Flaws:
Examining conclusions from the data analysis phase to identify the presence of security flaws and vulnerabilities in the engineering network.
Running vulnerability scanning tools and other specialized tools to detect vulnerabilities in critical components within the engineering network. These tools will be configured with a profile tailored for safe scanning of engineering networks.
Conducting practical segmentation testing to assess the isolation of the engineering network from other organizational networks.
Detailed Risk Survey Report: This report will include all findings and threats identified in the previous stages, along with detailed mitigation recommendations for each finding.
Penetration Testing for Control Infrastructures (SCADA / ICS)
Determining the Attack Entry Point: Defining the attacker’s (tester’s) initial position, with common options including:
Physical access to the tested site – meant to assess an attacker’s ability to connect to one of the organization’s networks on their own and without authorization, and then proceed with the penetration test (examining protections such as NAC or Wi-Fi network security).
Position within the administrative network – meant to assess the practical access path from the administrative network to the engineering network.
Position within the engineering network – meant to evaluate lateral movement within the engineering network by connecting to the Wi-Fi or LAN of the engineering network itself (the most common entry point).
Passive and Active Data Collection from the defined entry point without assistance from the tested organization.
In-depth Analysis of Collected Data to map engineering network components:
Similar to the risk assessment survey, but based on less information, since it is collected from the attacker’s position without the organization’s cooperation.
Reviewing Vulnerabilities and Security Flaws:
Similar to the risk assessment survey.
Exploitation, Lateral Movement, Persistence, and Achieving Attack Objectives:
This phase is central in penetration tests and is not included in risk assessments.
Actual exploitation of identified vulnerabilities in the tested assets, for example:
A known vulnerability in a controller running outdated firmware, leading to unauthorized code or command execution on the controller without prior authentication.
A web service vulnerability in an HMI, allowing command injection into the HMI’s operating system.
Privilege Escalation to establish control over an initially accessed asset, for example, elevating from a standard user to a local admin on an HMI server to ensure persistence.
Lateral Movement: From a fully accessed asset, attempting to access additional or more sensitive assets in the tested network, such as moving from the initial HMI server to a neighboring HMI server managing critical controllers, directly impacting the engineering process at the site.
Accessing Sensitive Information or Control of Critical Assets: In the final stage, attempting to reach the attack objectives, such as revealing sensitive and confidential information within the network, or gaining control over engineering assets. If the network is managed by Active Directory, the ability to compromise the DC server and achieve Domain Admin status will also be examined.
Detailed Penetration Test Report: This report will detail all findings from the previous stages, including comprehensive mitigation recommendations for each finding.