As business and production automation grows, so does the number of vulnerabilities. In some areas their presence is especially critical. For example, for ACS, a set of solutions for process control automation, it is important to identify the most dangerous attack vectors in a timely manner. An ACS pentest analyzes external and internal threats in order to identify and eliminate weaknesses.
Why it’s so important to ensure the cybersecurity of the ACS
ACS is a general term for all devices that help automate the control of a variety of processes.
The first automatic process control systems appeared in manufacturing. However, later they began to be used for transportation and engineering systems. For example, such devices are used in “smart home” systems. They include controllers and sensors, information processing devices, remote controls and networks that connect all components into a single whole.
The control system has three components: a dispatching system, a telemetry subsystem and a communication infrastructure. The dispatching system is a complex of hardware and software for monitoring and controlling technological processes. The dispatcher sees information about all equipment connected to this system on a single screen. The telemetry subsystem includes sensors, regulation devices and actuators that help to automate technological processes. The communication infrastructure is built on industrial data transfer protocols.
Maintaining a high level of security for automated process control systems is a separate area with its own peculiarities. Whereas in information systems it is important to ensure the confidentiality of information, the main goal in control systems is to automate the technological process and ensure its continuity and integrity. Accordingly, the risks of attacks on control systems include not only data leakage but also potential harm to health and damage to infrastructure and the environment. To identify vulnerabilities, a pentest (penetration test) is performed.
Identified vulnerabilities are divided into critical and non-critical, systematic and accidental. Critical systematic vulnerabilities are addressed first. Cybersecurity requirements for process control systems can be found in FSTEC Order No. 31 of March 14, 2014 and in the international standards IEC 62443.
How to protect data with ACS pentests
Cybercriminal attacks on automated process control systems are a regular occurrence around the world. Dealing with the consequences of these attacks can take a serious toll on an organization, so it is easier to prevent them. To do this, information security specialists find vulnerabilities in the infrastructure in advance and give recommendations on how to eliminate them; this is what a pentest, or penetration test, consists of. A penetration test is a simulation of cyberattacks that identifies vulnerabilities in the defenses and infrastructure components. Its purpose is to attempt to bypass the defense system in order to provide an independent assessment of ACS security and recommendations for remediating vulnerabilities. The actions of the testing specialists are fully coordinated with the customer.
A pentest helps to assess information and functional security. By detecting and eliminating vulnerabilities in time, serious problems, including risks to human life, can be prevented. Security can be ensured by both organizational and technical means:
- the organizational part of the ACS pentest checks the level of training and awareness of employees;
- the technical part includes measures to improve the security of control systems, such as placing equipment and software at different levels of information security, data redundancy, diagnostics, etc.
Penetration testing of control systems is carried out manually or using automated technologies. Specialists try to compromise servers, applications, network devices, etc., simulating the actions of intruders.
An ACS pentest can be external or internal:
- external testing checks wireless and corporate networks, external infrastructure and resources to which third-party users have access;
- internal testing assesses security from within the corporate network and may (but does not have to) use social engineering techniques and methods that rely on employee inattention.
There are three methods of penetration testing. The WhiteBox method assumes that the attacker knows all the information about the system and its defenses. BlackBox assumes that the cybercriminal is minimally aware. GreyBox is an intermediate variant between these two methods.
Once vulnerabilities are detected, they are given a criticality rating. Based on this, experts compile a report with recommendations on how to eliminate vulnerabilities and prioritize them.
Given the importance of ACS security testing, it is advisable to have it performed by third-party specialists who have not only knowledge but also extensive experience. The engineers at ITGLOBAL.COM Security conduct penetration testing using state-of-the-art tools that simulate various types of cyberattacks. Their reports help to improve security and achieve compliance with Russian and international standards.