Every assessment is different, and each one requires an approach tailored to the system's function and the industry in which it is deployed.

SCADA Penetration Testing

A Hybrid Approach


SCADA Penetration Testing with EHS is designed to assess the effectiveness of your security controls against NERC CIP, NIST SP 800-53 Rev. 4 or ISO 27001 through manual analysis of your SCADA systems and the application of best practices to the Information Technology (IT) and Operational Technology (OT) systems of critical infrastructure.

SCADA/ICS penetration tests are demanding because of the combination of customized technology, the criticality of the infrastructure, and the knowledge needed to test these systems without taking them offline.

To conduct SCADA/ICS penetration tests, EHS combines knowledge of the specific SCADA protocols and programming environments in use with industry-leading penetration testing expertise, so that the vulnerabilities identified and exploited do not jeopardize customer operations or infrastructure.

Compared to Commercial Penetration Testing

SCADA systems differ from most TCP/IP-based systems in that many ICS vendors use proprietary protocols to communicate within their systems, and field devices run firmware with little tolerance for unexpected input. Because of these differences, the vulnerability assessment and penetration testing tools and methods used in a standard commercial penetration test can have a serious impact on a SCADA/ICS network if improperly applied: an aggressive port scan, a malformed packet or a protocol fuzzer that a commercial server shrugs off can hang a PLC or RTU, and some devices recover only after a power cycle.

Here at EHS, our experts work with the customer's Assessment Team to understand the implications of testing on a production system and, where possible, to mitigate operational effects by testing offline or on a backup ICS.

To us, the best possible outcome is a properly executed SCADA/ICS test that provides adequate detail on each identified vulnerability, together with mitigation guidance that the SCADA/ICS administrator or security staff can act on.

Systematic Protection
Our Process

While numerous standards apply to SCADA penetration testing, EHS's process takes into consideration the care that must be taken to fully address a SCADA/ICS penetration test. While its personnel and tests conform to the NERC CIP and NIST SP 800-53 standards, the company's methodology follows the "Cyber Security Assessment of Industrial Control Systems" published by the Department of Homeland Security.

Assessment Team Selection

The SCADA/ICS customer should ensure that the assessment team has two components: qualified personnel from within its own organization (Security, IT and Management), and qualified assessors who are familiar with the standards that apply to the assessment as well as the proprietary protocols and methods specific to the customer's environment. It is not unusual for the customer to assign a penetration tester of its own to confirm that the vendor is appropriately certified and to vet its personnel. EHS additionally provides IT Assessment and ICS Assessment personnel who help identify vulnerabilities on the SCADA/ICS network for the penetration testers to exploit.

SCADA Test Plan Development

EHS works with the customer's assessment team to develop a SCADA/ICS test plan so that both parties know how the assessment will progress. As in the test plans EHS develops for its other assessments, the key areas covered are the rules of engagement, the attack vectors, the in-scope and out-of-scope areas of IT and OT, and points of contact for both. EHS works with the customer to select attack vectors that are part of its ongoing cyber assessment program or that it wants to concentrate on, such as the DMZ, pivoting between corporate and control servers, downstream devices, or remote access and administration.

Assessment Execution

EHS conducts the assessment according to the test plan and in alignment with the identified attack vectors, in three stages: reconnaissance, exploration and exploitation. Reconnaissance is usually conducted with passive detection scanners and monitoring/mapping software that identify key vulnerabilities from observed traffic and catalogue the networking equipment, authentication mechanisms and firewall rules in use, without injecting traffic into the control network. In the exploration phase, EHS penetration testers, with ICS and IT experts alongside them, probe the system to determine which vulnerabilities identified during reconnaissance are actually exploitable through methods such as buffer overflows, improper authentication and improper access controls. Based on those findings, the assessment team decides whether to develop an exploit and deploys it only within the bounds of the Rules of Engagement.
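As an added illustration of what the passive reconnaissance stage produces (example code written for this page, not EHS's tooling), the script below parses captured Modbus/TCP frames and builds a per-device inventory without sending a single packet to the control network. Modbus/TCP is assumed as the protocol because it is open and widely deployed; the page itself speaks of proprietary protocols in general. The hostnames, IP addresses and frames are constructed for the example. The point a practitioner should take from it is that an unauthenticated protocol reveals, from traffic alone, which clients are issuing writes to which controllers, and which requests the controllers are rejecting, before any active probing is considered.

```python
"""Passive inventory of Modbus/TCP traffic from captured frames (added example)."""
import struct
from collections import defaultdict

MODBUS_TCP_PORT = 502

# Function codes that change process state. Modbus carries no authentication,
# so knowing which hosts issue these is the first thing an assessor wants.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Read Device Identification",
}


class ModbusParseError(ValueError):
    pass


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU) from a TCP payload."""
    if len(payload) < 8:
        raise ModbusParseError("payload shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ModbusParseError(f"protocol id {proto} is not Modbus")
    # 'length' counts the unit id and the PDU; refuse frames that lie about their size
    if length < 2 or len(payload) < 6 + length:
        raise ModbusParseError("length field disagrees with payload size")
    pdu = payload[7:6 + length]
    fc = pdu[0]
    is_exception = bool(fc & 0x80)          # servers set the high bit on error replies
    return {
        "transaction_id": tid,
        "unit_id": unit,
        "function_code": fc & 0x7F,
        "is_exception": is_exception,
        "exception_code": pdu[1] if is_exception and len(pdu) > 1 else None,
        "data": pdu[1:],
    }


def build_inventory(frames):
    """frames: iterable of (src_ip, src_port, dst_ip, dst_port, payload).

    Returns (devices, errors). devices maps (server_ip, unit_id) to the function
    codes requested of it, the clients that issued writes, and exception replies.
    """
    devices = defaultdict(lambda: {"functions": set(), "writers": set(), "exceptions": 0})
    errors = []
    for src, sport, dst, dport, payload in frames:
        try:
            msg = parse_modbus_tcp(payload)
        except ModbusParseError as exc:
            errors.append((src, dst, str(exc)))
            continue
        if dport == MODBUS_TCP_PORT:        # request: client -> server
            rec = devices[(dst, msg["unit_id"])]
            rec["functions"].add(msg["function_code"])
            if msg["function_code"] in WRITE_FUNCTIONS:
                rec["writers"].add(src)
        elif sport == MODBUS_TCP_PORT:      # response: server -> client
            if msg["is_exception"]:
                devices[(src, msg["unit_id"])]["exceptions"] += 1
    return dict(devices), errors


def report(devices, errors) -> str:
    lines = []
    for (ip, unit), rec in sorted(devices.items()):
        names = ", ".join(f"{fc} {FUNCTION_NAMES.get(fc, 'unknown')}" for fc in sorted(rec["functions"]))
        lines.append(f"{ip} unit {unit}: requests [{names}]; writers {sorted(rec['writers']) or 'none'}; "
                     f"exception replies {rec['exceptions']}")
    lines.extend(f"skipped {src} -> {dst}: {why}" for src, dst, why in errors)
    return "\n".join(lines)


# Constructed sample capture (hypothetical addresses, not from any real network).
ENG_WS, HMI, PLC_A, PLC_B = "10.0.1.20", "10.0.1.30", "10.0.2.10", "10.0.2.11"
SAMPLE_FRAMES = [
    (HMI, 49152, PLC_A, 502, bytes.fromhex("00010000000601030000000a")),           # FC3 read 10 holding regs
    (PLC_A, 502, HMI, 49152, bytes.fromhex("000100000003018302")),                 # exception 0x02 to the read
    (HMI, 49152, PLC_A, 502, bytes.fromhex("00020000000601050010ff00")),           # FC5 write coil 0x10 ON
    (ENG_WS, 50000, PLC_B, 502, bytes.fromhex("00030000000b0210000000020400010002")),  # FC16 write 2 regs
    (ENG_WS, 50001, PLC_A, 502, bytes.fromhex("000400000005012b0e0100")),          # FC43 device identification
    (ENG_WS, 50002, PLC_A, 502, bytes.fromhex("000500010006010300000001")),        # protocol id 1: not Modbus
    (HMI, 49153, PLC_A, 502, bytes.fromhex("0006000000")),                         # truncated frame
]

if __name__ == "__main__":
    print(report(*build_inventory(SAMPLE_FRAMES)))
```

Run over a real capture, the same loop would be fed from a pcap reader; the parser is the part that matters, and it deliberately rejects frames whose length field disagrees with the payload rather than trusting it, since that is the class of input that upsets field devices.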

Assessment Reporting

At EHS, we consider the final phase of the SCADA/ICS penetration testing process, reporting, to be the most crucial step. Because the report may reach several audiences (management, security staff, customers and the public), EHS takes great care to communicate findings and mitigation strategies as clearly as possible and, when necessary, provides different levels of reporting for different audiences. EHS reports are regarded by our vendors as among the best in the industry and are written by the penetration tester or ICS/IT assessor who was on the team. As part of a comprehensive risk assessment, EHS can provide consultants to advise on integrating the findings into an Information Security Plan. Our main goal is that all information is clearly understood and that the roadmap toward remediation and mitigation is crystal clear.

Ready to start talking with a professional?