Since SCADA systems are increasingly becoming a target for focused attackers – with some highly publicised successful intrusions resulting in malicious attackers obtaining administrative access to core systems.
To ensure your SCADA based systems are secured from external threats, self-assessment and external independent testing should be performed bi-annually.
ATRC has done research into securing SCADA systems and networks. This research includes learning the best practices used for securing SCADA and also designing application level gateways and Air Gap systems to ensure complete security.
Why perform SCADA testing?
SCADA systems are often outdated legacy systems and full of holes.
Companies today are connecting SCADA network segments to the Internet.
There is a tendency not to activate the password capability on SCADA systems
There is a tendency not to patch SCADA systems for fear of breaking something. This can leave gaps in your digital defence which attackers can easily exploit.
What you gain from this testing
A comprehensive understanding of the risks of your SCADA systems.
Assurance that your SCADA systems can hold up against a motivated attacker.
A comprehensive report outlining the security issues of your SCADA systems, including high impact recommendations and root causes.
Peace of mind that the SCADA systems are secure.
How we do security tests
We customise our testing to your environment and requirements. We have developed a proven methodology to test SCADA systems which can include:
Foot printing systems and enumerating SCADA software in use.
Port Scanning
Identifying weak access controls.
Network Equipment Security Controls Testing
Administrator Privileges Escalation Testing
Password Strength Testing
Network segregation.
Exploitation research.
Brute Force attacks.
Denial of service checks.
Misconfiguration attacks.
Manual Vulnerability Testing and Verification
Manual Configuration Weakness Testing and Verification
We have assisted and enhancing the security and in some cases actively managed the security of many organisations. Particularly in mission critical processes.
How Can We Help You?
Does your company use industrial control / SCADA systems?
Are they connected to a network?
Have you assessed the security of your control network?
Could it be hijacked or used by malicious actors?
Have you looked for, and found, vulnerabilities that may be present?
Have you assessed what the potential impact could be, in terms of lost production, damaged equipment, and perhaps even personal injury if the control network were attacked?
If you need to provide a level of assurance to your board, customers, industry or regulators that your systems have been tested for cybersecurity weaknesses, then some form of assurance exercise is an essential element of your risk governance process.
What Does SCADA & ICS Security Testing Involve?
Industrial control systems can be tested with many of the same techniques as other types of system, but there are important differences too:
Tools that are used for testing Windows-based servers and workstations are often unsuitable for testing embedded control devices such as PLCs.
Devices from different manufacturers – or even the same manufacturer – are often incompatible with each other. There are also a number of incompatible control network protocols in widespread use.
If testing has side effects then these are potentially much more serious than on a typical corporate network, especially in the case of a live production environment.
To accommodate these differences, ICS/SCADA tests require more planning and a more tailored approach than other types of security testing. Security companies without the experience of ICS/SCADA testing are unlikely to achieve worthwhile results, and could potentially cause serious harm to your systems if they are unaware of the risks.
Why Is Security Testing Needed?
Industrial control systems are at risk in the modern threat environment if they are not adequately secured. Key business drivers for effectively managing this risk include:
Protecting the large capital investment that they, and the equipment which they control, represents.
Ensuring business continuity, to avoid the direct and indirect costs which would result from any loss of production.
Security testing is an important component of this process:
It can be used to direct resources towards aspects of the system where the risk is greatest. It can be used as a validation tool to check whether a system has been adequately secured.
We can test live Systems?
We will always recommend the use of the safest possible method of testing. Ideally, this would be either the production system when it is down for maintenance, or a representative test system built to the same configuration. However, if there is a need to perform testing of live systems then we have the capability to do that. It may not be as detailed as the offline test, but we shall do the best without interrupting the ongoing operations.
The key to devising a safe but effective test plan is first to perform a detailed risk assessment. This will identify any fragilities within the system under test, detail any possible mitigations, and allow you to make an informed trade-off between thoroughness and risk. Options for testing include:
Normal penetration testing
Active port scanning
Active enumeration (ARP scanning)
Active testing of network isolation
Passive enumeration
Physical inspection
Design review (paper exercise only)
For example, port scanning is normally considered a low-risk method of testing, and network hosts should not crash when exposed to one, however some types of programmable logic controller have been known to do exactly that. If necessary, we can mitigate the risk of this type by performing safety trials beforehand against the specific device models that are connected to the network under test.
Difficult decisions may be needed to achieve the best results, but doing nothing is not a safe option. You do not want the first test of your control systems to be by an attacker who intends them harm.
Why us?
We have experience in designing, running and securing systems which are to be in operation 24/7. This has allowed us to develop a different way of implementing security. We find and replace ALL weaknesses in a system which can cause reliable operations. Security becomes a subset to reliability. This method in our experience has the best performance to price ratio for the cost of ownership for the systems.
Because there is no utility in a system which is not operational.
There is no utility in a system which is operational but blocked behind a firewall for security reasons.
There is no security in security by obscurity. So network management services like ping, SNMP, BGP, OSPF and many more should be secured instead of deactivated.
This method of focusing on reliability allows the maximum utility of the systems and best ROI for the projects which the systems support.
The standards which we consider include (but are not limited to ) : NCSC, PCI (DSS and PA-DSS), ISO27001, Finance/Banking (UK, US, Malaysia, Singapore, Pakistan), SANS Critical Controls, NIST and US Healthcare standards HIPAA.
We have done work on integrating consumer tablets, phones (both at hardware and OS/Application level), banking systems such as ATMs, Cash accepting Kiosks and payment card devices, hardware security modules (HMSs), payment applications and many other types of mobile and end user systems where sensitive data has been used. RFID, SecureID and keycard access to desktops. Also high speed connection of GPS and Canbus data over wifi while a truck moves through a gate.
Our security related research, consulting and development projects include market manipulation of the stock market, ATM machines which have hardware to skim off data, and recently the Follina flaw.