Penetration tests (pentests) have gained recognition as a legitimate approach to identifying and then, in theory, mitigating discovered weaknesses. The pentest industry even has a magazine (PenTest Magazine), and there are some tools out there that you, as an industrial control systems (ICS) cyber security professional, ought to have in your tool set, like the PWN Phone or the Metasploit modules from Digital Bond. With the various tools of the trade you will undoubtedly discover at least one vulnerability in your network, and with that information in hand you may then get the resources to fix that problem.

Is this method of pentesting sufficient for high-value cyber-physical installations? The average pentest shows whether an attacker with limited system knowledge and limited resources can discover a way to break into the target in a limited amount of time. For high-value targets, however, the important question is: does any attack path exist that, if exploited, can lead to disaster? Accepting pentests as a sufficient means to demonstrate cyber security posture is in a way similar to security by obscurity: let’s bet on the idea that the attacker doesn’t find any existing vulnerabilities because he doesn’t know the system (…and, oops, the asset owner and his integrator don’t know the system either).

Like every defensive approach, pentesting includes an implicit threat model. In the case of pentesting the threat model is usually a skilled hacker who is proficient in identifying IT vulnerabilities. For defensive action, this in turn results in an approach that fixes IT vulnerabilities – by applying security patches, deploying firewalls, installing antivirus, etc. However, a sophisticated threat agent intending to take down critical infrastructure has a different profile. He would study and exploit cyber-physical vulnerabilities. Defending against such an attacker calls for very different defensive measures.

We need to look at pentesting from the inside out, such that the asset owner can discover and then mitigate not just the one or two pathways discovered by the pentester, but also the 37 other pathways to disaster that a typical pentester did not discover. We need an approach designed not just to find “a” way through the network’s defenses, but to discover all possible vectors that can lead to physical destruction or even loss of life. We have dubbed this approach Critical Penetration Analysis, or CPA. It is based on the principle of identifying every single promising attack path in a whitebox setting that involves the analog part of a cyber-physical installation (process and equipment).

While this approach would be daunting or perhaps even impossible on the typical corporate IT network, for a process network it is within the realm of the realistic because of the low entropy in the analog part of the target. The following five items are required to conduct CPA:

  1. Complete and accurate system inventory (not just a spreadsheet)
  2. Complete and accurate network architecture diagrams
  3. Complete and accurate data flow diagrams
  4. Rigorous engineering analysis based on deep plant systems and process knowledge, involving an understanding of process and equipment vulnerabilities and how to exploit them
  5. Mitigation development and implementation, cutting off attack pathways.
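The whitebox character of these five steps is easiest to see in code. The following Python example is added here and is not part of the original post or of any CPA tooling; the asset names, data flows, entry points and physical-impact mapping are constructed for a hypothetical boiler control network. It treats the inventory and data-flow diagrams (items 1 and 3) as a directed graph, uses the engineering analysis (item 4) to mark which asset manipulations have physical consequences, exhaustively enumerates every path from an entry point to such an asset instead of stopping at the first one, and then shows item 5: which flows, if cut, remove the most paths, and how many paths survive each candidate mitigation.

```python
"""Exhaustive attack-path enumeration over a whitebox model of a process network.

Added illustration, not code from the original post. All asset names, flows and
impact labels below are constructed (hypothetical); no real site is described.
"""
from collections import Counter

# Item 3: constructed data flows as (source, destination, protocol).
# Directed: the source initiates the connection, so an attacker who controls
# the source can send traffic to the destination over that protocol.
FLOWS = [
    ("internet", "vpn_gateway", "ipsec"),
    ("vpn_gateway", "engineering_ws", "rdp"),
    ("corp_lan", "historian", "sql"),
    ("historian", "scada_server", "opc"),
    ("engineering_ws", "plc_boiler", "s7comm"),
    ("scada_server", "plc_boiler", "modbus"),
    ("scada_server", "hmi", "vnc"),
    ("hmi", "plc_boiler", "modbus"),
    ("plc_boiler", "safety_plc", "modbus"),          # control PLC can reach the safety PLC
    ("plc_boiler", "burner_management", "hardwired"),
    ("safety_plc", "burner_management", "hardwired"),
]

# Where an adversary is assumed to start (constructed).
ENTRY_POINTS = ("internet", "corp_lan")

# Item 4: engineering analysis decides which assets, if manipulated, cause
# physical harm. Hardwired I/O cannot be "patched" away, so these are targets.
PHYSICAL_IMPACT = {"burner_management": "burner runaway / unsafe firing"}


def build_graph(flows):
    """Adjacency list: source -> [(destination, protocol), ...]."""
    graph = {}
    for src, dst, proto in flows:
        graph.setdefault(src, []).append((dst, proto))
    return graph


def enumerate_paths(flows, entry_points=ENTRY_POINTS, targets=PHYSICAL_IMPACT):
    """Return every simple path (as a tuple of edges) from any entry point to
    any physical-impact asset. Exhaustive DFS: the point of CPA is that we do
    not stop at the first path found, unlike a typical pentest."""
    graph = build_graph(flows)
    paths = []

    def dfs(node, visited, edges):
        if node in targets:
            paths.append(tuple(edges))
            return
        for nxt, proto in graph.get(node, []):
            if nxt in visited:          # simple paths only, no cycles
                continue
            dfs(nxt, visited | {nxt}, edges + [(node, nxt, proto)])

    for entry in entry_points:
        dfs(entry, {entry}, [])
    return paths


def rank_cuttable_flows(paths):
    """Item 5 input: count how many attack paths each network flow carries.
    Hardwired links are excluded because they are not a network control."""
    counts = Counter(edge for path in paths for edge in path if edge[2] != "hardwired")
    return counts.most_common()


def paths_after_mitigation(flows, removed):
    """Recompute the path set once the given flows have been cut
    (firewall rule, data diode, removed route, etc.)."""
    remaining = [f for f in flows if f not in set(removed)]
    return enumerate_paths(remaining)


def render(path):
    return " -> ".join(f"{src} ({proto})" for src, _, proto in path) + f" -> {path[-1][1]}"


if __name__ == "__main__":
    found = enumerate_paths(FLOWS)
    print(f"{len(found)} attack paths to physical impact:")
    for p in found:
        print("  " + render(p))
    print("\nFlows ranked by number of paths they carry:")
    for (src, dst, proto), n in rank_cuttable_flows(found):
        print(f"  {n}  {src} -> {dst} [{proto}]")
    # Candidate mitigations, applied cumulatively, and the paths that survive each.
    plan = [("plc_boiler", "safety_plc", "modbus"),
            ("historian", "scada_server", "opc"),
            ("vpn_gateway", "engineering_ws", "rdp")]
    for i in range(1, len(plan) + 1):
        left = paths_after_mitigation(FLOWS, plan[:i])
        print(f"\nAfter cutting {i} flow(s): {len(left)} path(s) remain")
        for p in left:
            print("  " + render(p))
```

Running it on the constructed model shows six distinct paths to the burner management system; a pentester who stops after the first VPN-to-engineering-workstation finding would report one. Cutting the control-PLC-to-safety-PLC flow alone still leaves three paths, and only after the historian-to-SCADA and VPN-to-engineering flows are also cut does the count reach zero, which is the "cutting off attack pathways" criterion of item 5. On a real site the flows would come from the verified inventory and data-flow diagrams, not from a hand-written list.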

Information is indeed power. The goal inherent in these five steps is for the asset owners to arm themselves with more complete information and thus the skills, knowledge, and abilities to set the stage for a successful defense of critical infrastructure systems.

Effective Critical Penetration Analysis requires an investment in “preparing the battlefield,” as would be expected for any battle. Make no mistake, this is a battle you are engaged in already, whether you accept that fact or not. The battlefield is your local process network, although your adversaries may reside anywhere. Loss of intellectual property and other sensitive data is a concern to all of us, but physical damage and loss of life is an altogether different level of concern and mandates a different approach.

Perry Pederson