March 22 2021
When it comes to testing Industrial Control Systems there are two general types of test: the active penetration test, where you go in and test the actual system itself, and the passive test, where you explore known vulnerabilities theoretically, without touching the live system.
Active testing is by far the most effective method. It gives you a true picture of system vulnerabilities and removes any ambiguity about your security posture. However, for many organisations aggressive testing can be a scary prospect. Downtime is usually the biggest concern, and companies often fear that an active test could cause unwanted downtime. Testing can be done in a number of ways so as not to cause any downtime, but it is this fear that often stops those in charge from even entertaining the idea.
When this is the case, passive testing could be the answer.
So, what is passive testing and how can it help?
The network map is the first stage of conducting a passive test. It allows you to discover how your ICS is connected, which devices have access and how data flows to and from the system. An accurate network map is essential: any inaccuracy or omission in the map means that security red flags may be overlooked in the resulting test.
Once a network map is ready you, or an external cybersecurity firm, can use this information to investigate the known vulnerabilities in connections and devices, reporting back known security concerns and identifying the most critical threats your organisation needs to start addressing.
There’s no touching of the actual system itself and no fear of downtime.
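The core of the passive step described above is correlating the devices on the network map with a list of known advisories. The following is an added example, not code from the original post or from any vendor; the device names, firmware versions, severity scores and advisory ids (ADV-xxxx) are all constructed placeholders. It shows why firmware versions must be compared numerically rather than as strings, since "2.9.4" sorts after "2.10.0" as text and would wrongly appear patched.

```python
# Added example: correlate a network-map asset inventory with known advisories,
# the matching step of a passive ICS test. All assets, versions and advisory
# ids below are constructed placeholders, not real devices or real CVEs.
from dataclasses import dataclass

def parse_version(v):
    """Split '2.10.3' into (2, 10, 3) so that 2.10 correctly sorts after 2.9."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Asset:
    name: str
    vendor: str
    product: str
    firmware: str
    zone: str          # network zone from the map, e.g. "control" or "dmz"

@dataclass
class Advisory:
    adv_id: str        # constructed placeholder id, not a real CVE
    vendor: str
    product: str
    min_affected: str  # inclusive lower bound of affected firmware
    fixed_in: str      # exclusive: versions >= fixed_in are not affected
    severity: int      # 1 (low) .. 10 (critical)

def is_affected(asset, adv):
    """True if the asset's product and firmware fall inside the advisory's range."""
    if (asset.vendor, asset.product) != (adv.vendor, adv.product):
        return False
    fw = parse_version(asset.firmware)
    return parse_version(adv.min_affected) <= fw < parse_version(adv.fixed_in)

def prioritise(assets, advisories):
    """Return (asset, advisory) pairs, highest severity first; control-zone assets rank above others."""
    findings = [(a, adv) for a in assets for adv in advisories if is_affected(a, adv)]
    findings.sort(key=lambda f: (f[1].severity, f[0].zone == "control"), reverse=True)
    return findings

# Constructed inventory (from the network map) and constructed advisory list
ASSETS = [
    Asset("plc-01", "ExampleCo", "PLC-X", "2.10.0", "control"),  # already on the fixed release
    Asset("plc-02", "ExampleCo", "PLC-X", "2.9.4", "control"),   # affected; string compare would miss it
    Asset("hmi-01", "ExampleCo", "HMI-Y", "1.4.0", "dmz"),
]
ADVISORIES = [
    Advisory("ADV-0001", "ExampleCo", "PLC-X", "2.0.0", "2.10.0", 9),
    Advisory("ADV-0002", "ExampleCo", "HMI-Y", "1.0.0", "1.5.0", 6),
]

if __name__ == "__main__":
    for asset, adv in prioritise(ASSETS, ADVISORIES):
        print(f"{adv.adv_id} sev={adv.severity} {asset.name} fw {asset.firmware} ({asset.zone})")
```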
Passive testing is only the starting point
As we mentioned, passive testing can only highlight known vulnerabilities in connections and devices. This means it cannot give you a truly accurate picture of your own system, only an overall view of potential security concerns. To delve into your own system's vulnerabilities you need to undertake an active test, whether that is on live systems, during scheduled downtime or on a mirrored system.
Passive testing also only looks at issues that are already known and reported. Therefore, it cannot tell you about defence weaknesses that a future attack may exploit, only which currently known vulnerabilities may exist.
As you can see, there are limitations to this type of test, but one of its key benefits is that it can act as a first step towards more active testing options.
Working towards active penetration testing
Testing your ICS is no longer optional. The consequences of a potential breach far outweigh the cost of security action, and those in charge need to understand that the threat is real and growing.
As we have seen, passive testing is a good starting point. As well as highlighting security priorities, it gives you a useful introduction to how security consultants work and what you get from a cybersecurity service.
This can act as a springboard to more active testing methods. No matter what test you choose, a good cybersecurity firm should work with you and support you throughout the process, from initial scoping and understanding your needs to interpretation of results and follow-up support.
Improving ICS security
The fear of downtime is just one of the issues preventing many companies from testing their ICS security; many simply don't know what options are available or which steps to take to improve their security situation.
That's why we've created our ICS Security Guide: to help organisations overcome the obstacles, to give you a rundown of testing options and to give you practical advice on what you can do to start improving your system's security posture.