A recent, disturbing trend I’ve seen in industrial control system (ICS) security is that, in response to concerns about the security of their ICS & SCADA systems, companies are performing penetration (pen) testing on operational systems. Often times they request these services as one of the first steps in their plans to improve ICS security.
Pen testing, as the name implies, is intrusive testing whereby the tester behaves like an attacker and attempts to penetrate the system. This often means the tester will deliberately send probe packets or malformed packets on the network. Pen testing is common practice in IT security as a means to testing the effectiveness of the security controls (e.g. firewall, intrusion detection, etc.) that have been implemented. IT security consulting companies who aren’t familiar with industrial control systems often innocently but irresponsibly recommend this to their industrial clients.
The problem with pen testing on a live control system is that it can cause unexpected operation of automation equipment which, in turn, could cause unexpected operation of an industrial plant or machine. This can not only put production in jeopardy but could also impact health, safety, and the environment. Making matters worse is that ICS equipment in general has been shown to be very fragile against even minor network disturbances. The Repository of Industrial Security Incidents (RISI) database contains numerous examples of industrial safety and reliability incidents caused by ICS equipment failure due to network disturbances.
While penetration testing does have a place in the ICS security lifecycle (see Figure 1), it should only be performed in an offline test environment (e.g. Factory Acceptance Testing (FAT) or Site Acceptance Testing (SAT)) and after the system has been properly designed for security – and never on a live production system.
I liken pen testing of a live control system as the equivalent of hiring a SWAT team to attempt to break into your house – with your family inside!