Your Guide to ICS/OT Cybersecurity Assessments

Overview

According to research projections by the global economic impact of cybercrime is anticipated to continue to escalate at an alarming rate, from $8.44 trillion in 2022 to a staggering $23.84 trillion by 2027. In addition to this staggering projected financial loss, cybercrime's impact on critical infrastructure and industrial systems also pose a risk to human life and safety.

Threat actors target industrial organizations for several reasons including stealing mission-critical information, locking sensitive files and demanding a ransom payment. Furthermore, even a single breach can weigh heavily on a company's bottom line by causing system downtime, threatening brand reputation, negatively impacting business relationships, and even resulting in significant fines and class action lawsuits. In the past few years, many severe vulnerabilities have impacted industrial control systems warranting multiple critical advisories from the US Cybersecurity and Infrastructure Security Agency (CISA) [1][2][3].   

The purpose of this post is to provide a comprehensive guide specific to Industrial Control Systems (ICS) and Operational Technology (OT) Cyber Security Assessments, describe their relation to other types of security assessments including penetration testing, and provide answers to some commonly asked questions that surround ICS/OT security. The takeaway should be a solid understanding of the range of activities, methodologies, and benefits of the Packetlabs ICS/OT Cybersecurity Assessment service offering, what you should expect from an ICS/OT assessment, and other related information to increase your awareness about the ICS/OT assessment process. 

This Guide Includes

• A comprehensive guide to ICS/OT Security Assessments

• An explanation of why ICS/OT security is important

• A description of the activities involved in an ICS/OT Security Assessment

• A comparison of ICS/OT Security Assessments to other types of security assessments

• An explanation of how ICS/OT assessment supports IT security compliance efforts

• What you can expect from an ICS/OT Security Assessment

• A description of the Packetlabs PTaaS Platform

• The next steps for organizations seeking to conduct an ICS/OT Security Assessment

Who Will Benefit From This Guide?

This guide will benefit an organization’s leaders such as CEOs, CTOs, and CISOs, as well as other senior team leaders including security engineers, network engineers, and administrators. This guide can also help to inform other IT professionals such as MSPs, IaaS, PaaS, and SaaS providers.

• C-level executives that deal with IT security (CISOs/CSOs/VP of security)

• Other high-level management (CEO/Business Owner/ Business Executive)

• Managed Service Providers (MSP)

• Cybersecurity Architects, Network Architects, and Network Administrators

What Is An ICS/OT Cyber Security Assessment?

An ICS/OT Cybersecurity Assessment is a process of evaluating an organization's Industrial Control Systems (ICS) and/or Operational Technology (OT) to ensure that the security controls in place can effectively protect against cyber-attacks and support operational resilience.

The assessment involves identifying and mitigating vulnerabilities across an organization's entire ICS/OT environment, compiling and delivering a detailed report of the findings along with recommendations for improving the organization's cybersecurity posture.

ICS/OT Security Assessment

The primary objective of an ICS/OT Security Assessment is to identify potential vulnerabilities and threats that could compromise the security and integrity of critical infrastructure and industrial processes. To gain a complete understanding of an organization's ICS/OT security posture, the assessment will critically examine the people, processes, and technology that support ICS/OT processes. This approach goes beyond merely detecting known software vulnerabilities and configuration errors.  By necessity, a comprehensive ICS/OT assessment must delve into all possible avenues that adversaries could exploit to infiltrate or disrupt essential systems and operations and support a "defence in depth" approach to ICS/OT security and resilience.

Each assessment is customized to the unique environment of an organization's ICS/OT processes, and the scope of the assessment is based on an organization's key business objectives, ICS/OT network topology, and risk tolerance. The assessment will include identifying potential threat actors, identifying and evaluating the technical, administrative, and physical security controls in place, and testing the effectiveness of those controls.

Comprehensive ICS/OT Security Assessment typically starts by evaluating external attack surfaces and ensuring that ICS/OT infrastructure is effectively protected from unauthorized access and segmented from other critical networks. External attack surfaces may include company websites and public-facing web applications, APIs and cloud-based applications, remote access services such as remote desktop (RDP) and VPN entry points, wireless access points, physical premises, and the human factor - testing the resilience of an organization's personnel to social engineering techniques.

To support a "defence in depth" approach, ICS/OT assessment goals also include testing internal security posture to satisfy "what if" security questions such as:

• What if an attacker gained access to a particular system?

• What could an attacker do with stolen credentials?

• What if an insider launched a cyber-attack against the organization?

• What if a zero-day vulnerability was used to compromise a particular system?

• What if an attacker successfully executed a session hijacking attack on a website user?

• What if an attacker plugged a malicious device into an exposed ethernet port?

Answering these questions reveals what level of access a compromised credential, application, endpoint, planted rouge device, or socially engineered staff member could give an attacker and can uncover previously unknown attack techniques that could circumvent an organization's security controls.

• See more about our ICS/OT cybersecurity methodology.

ICS/OT Security Assessments include a comprehensive Infrastructure Pentest, including an Active Directory (AD) assessment to identify weaknesses in passwords and configurations, and a ransomware assessment to gauge the potential impacts of a ransomware attack and determine an organization's "ransomware readiness"; their ability to detect and respond to a ransomware attack. 

Organizations may also want to test their ability to detect and respond to cyber-attacks in what is known as a "red team" exercise. Objective-based testing combines a red team engagement with a thorough pentest, providing deeper insight into a defensive IT security team's performance and incident response capability. This combined thorough pentest + red team test is a unique offering to Packetlabs and adds the most value to our clients.

What Is Included In An ICS/OT Security Assessment?

Packetlabs'  ICS/OT Security Assessments utilize various testing methods and are conducted by certified professionals to ensure production-safe testing while preventing any negative impact on the target OT environment and processes. Here are some key aspects that are included in an ICS/OT Security Assessment:

• Certified Tester: Testing is conducted by a Global Industrial Cyber Security Professional (GICSP) certified tester. This ensures that the assessment is performed by a qualified professional who has the knowledge, skills, and experience to test ICS and OT environments safely.

• 100% Manual Testing: Packetlabs' approach to ICS/OS assessment employs 100% manual testing methods to ensure that there is no negative impact on the OT environment. This also ensures that the testing is tailored to the specific needs of the organization and is not limited to automated scans.

• Assessment of MITRE ATT&CK ICS TTP: Each assessment includes ICS/OT-specific tactics, techniques, and procedures (TTP) as defined by the MITRE ATT&CK framework's ICS Matrix. This helps identify potential vulnerabilities and threats specific to the organization's OT environment.

• Network Segmentation: An assessment of the target network's segmentation between IT and OT is conducted. This helps to identify any gaps in security and ensures that IT and OT networks are separated appropriately to prevent unauthorized access.

• White-Box Audit: A white-box audit of the OT environment is conducted to maximize the discovery of vulnerabilities and misconfigurations while minimizing the impact. This includes a detailed analysis of the target environment's technical components and configuration, as well as an evaluation of each system's host attack surface including installed applications, and may include source code analysis to identify potential vulnerabilities.

By employing certified testers and manual testing methods, an organization's stakeholders can rest assured their ICS/OT environment has been thoroughly reviewed by the most qualified and experienced IT security experts. This approach provides the highest degree of assurance that an ICS/OT environment and its processes are resilient against cyber-attack and that operations can be maintained indefinitely.

Why is ICS/OT Security Assessment Important For Securing Your Facility?

As cyber threats continue to evolve and become more sophisticated, the importance of safeguarding critical infrastructure and industrial processes has never been more important. Vulnerabilities in ICS/OT environments can lead to catastrophic consequences, including operational disruptions that can result in significant financial losses, data theft of proprietary trade secrets, and safety hazards leading to injury or even death. Conducting an ICS/OT Security Assessment is a crucial component of a comprehensive risk management strategy, ensuring that facilities maintain secure and reliable operations. By focusing on operational resilience and using production-safe testing methodologies, ICT/OT assessments support a strategic approach to reduce an organization's overall risk by providing a tailored, comprehensive evaluation of their ICS/OT security posture.

Regular ICS/OT Security Assessment also fosters a heightened security awareness among staff members, creates deeper visibility into an organization's risk landscape, and offers valuable insights into the mindset of potential attackers. By identifying and addressing vulnerabilities proactively, organizations can significantly reduce the likelihood of successful cyber attacks and enhance the overall operational resilience of their facilities.

The benefits of an ICS/OT Security Assessment include:

• Protecting critical assets from cyber attack

• Reducing the risk of downtime by proactively removing vulnerabilities 

• Verifying the effectiveness of incident response plans (IRP)

• Identifying networking security gaps that offer attackers access to ICS/OT systems

• Gaining better insight into ICS/OT-specific compensating controls

• Ensuring that industrial networks, devices, and production lines employe security best practices

• Increasing security-focused awareness for ICS/OT technologies

• Verifying the security of third-party industrial control systems (ICS) and software

• Supporting compliance with IT security standards

• Gaining the highest degree of assurance for operational resilience

How is ICS/OT Security Assessment Different From Other Types Of Security Testing?

While ICS/OT Security Assessments share some similarities with other types of security testing, such as vulnerability assessments and penetration testing, there are distinct differences due to the unique challenges, risks, and requirements of industrial control systems and operational technology environments.

Here are some key differences that set ICS/OT Security Assessments apart:

• Specialized ICS/OT Knowledge and Expertise: GICSP-certified testers have a deep understanding of the unique systems, protocols, and devices used in industrial control systems and can effectively evaluate an ICS/OT environment's security posture while avoiding any negative impact on production operations.

• Focus on Industrial Resilience: Unlike other types of security assessments that concentrate on securing data and information systems, ICS/OT Security Assessments prioritize the protection of critical infrastructure, industrial processes, and operational resilience to focus on the potential impact of a cyber attack on the availability, integrity, and reliability of an organization's industrial operations.

• Unique Threat Landscape: ICS/OT environments face unique threats and vulnerabilities that differ from traditional IT environments. As such, ICS/OT Security Assessments are tailored to address these specific risks, employing tactics, techniques, and procedures (TTPs) as defined by the MITRE ATT&CK framework's ICS Matrix and threat intelligence that applies specifically to ICS/OT technologies.

• Production-Safe Testing: Unlike other types of security testing that may be performed in test environments or with more aggressive techniques, ICS/OT Security Assessments are conducted using production-safe methods to prevent any negative impact on the OT environment.

• Emphasis on Network Segmentation: ICS/OT Security Assessments place a stronger emphasis on evaluating the network segmentation between IT and OT environments. This is crucial for verifying the security controls protecting against unauthorized access and ensuring the security of OT networks.

• Distinct Compliance Requirements: ICS/OT environments are typically subject to industry-specific regulations and standards that may not apply to traditional IT environments to support compliance efforts by ensuring that an organization's security posture adheres to these unique requirements.

How Do ICS/OT Security Assessments Support Regulatory Compliance?

ICS/OT Security Assessments play a critical role in helping organizations meet the stringent regulatory compliance requirements that govern critical infrastructure and industrial operations. Compliance frameworks, such as NERC CIP, IEC 62443, and NIST SP 800-82, mandate that organizations implement robust security measures to protect their ICS/OT environments against cyber threats and vulnerabilities.

Regular ICS/OT Security Assessments uncover potential security gaps and allow organizations to remediate their ICS/OT environment, aligning their security posture with regulatory standards. 

ICS/OT Security Assessments provide valuable insights from highly specialized and experienced IT security professionals pertaining to an organization's specific ICS/OT environment.  An ICS/OT Security Assessment consultation and report ensure that an organization is equipped to proactively prevent cyber-attacks, minimize the potential impact of a cyber-attack, and also ensure that an organization is positioned to quickly and completely recover if a cyber-attack does cause damage. 

Furthermore, ICS/OT Security Assessments foster a culture of continuous improvement, driving the adoption of best practices and enhancing overall security resilience. By meeting regulatory compliance requirements, organizations can avoid costly penalties and reputational damage while ensuring the safety, reliability, and integrity of their critical infrastructure and industrial processes.

Who Conducts the Tests?

Packetlabs is a passionate team of highly trained ethical hackers with the industry’s most advanced certifications. All PacketLabs pentesters are required to have a minimum of OSCP. The Offensive Security Certified Professional (OSCP) is a globally recognized and industry-leading ethical hacking certification offered by Offensive Security. Offensive Security offers several certifications with the OSCP being the broadest and most well-known. While OSCP is the PacketLabs minimum requirement, many team members go above and beyond to gain additional certified expertise including:

• Offensive Security Experienced Penetration Tester (OSEP) (OSEP)

• Offensive Security Wireless Attacks (OSWP)

• Offensive Security Exploit Developer (OSED)

• Offensive Security Web Expert (OSWE)

• Certified Information Systems Security Professional (CISSP)

• Certified Information Systems Auditor (CISA)

• GIAC Web Application Penetration Tester (GWAPT)

• GIAC Mobile Device Security Analyst (GMOB)

• GIAC Systems and Network Auditor (GSNA)

• GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)

• GIAC Certified Incident Handler (GCIH)

• Burp Suite Certified Practitioner

Packetlabs' dedication to professional development means our team of OSCP penetration testing professionals demonstrate industry-leading comprehensive hands-on mastery of penetration testing.

Why Choose Packetlabs For Your Next ICS/OT Security Assessment?

Whether you are looking to complete Penetration Testing to manage risk, protect your data, comply with regulatory compliance standards, or as a requirement for cyber insurance, selecting the right company is crucial. When choosing a security consultant to partner with, many things should be considered such as reputation, trust, size of the entity, degree of experience and professionalism (including certification requirements and statuses), and specialized skills that apply specifically to the target organization's environment.

All Packetlabs testers are certified with a minimum Offensive Security Certified Professional (OSCP) certification and many of our testers hold several additional highly regarded IT security industry certifications. In fact, Packetlabs' advanced capabilities go far beyond industry standards. 

Packetlabs conducts 100% of our testing activities in-house and does not outsource to external third parties, and we have been rated an average 9.5/10 NPS score by our customers upon project completion.  We’re committed to the highest standards for communication - and that includes a strict dedication to your right to security and privacy. 

Our exceptionally trained team and a robust testing methodology, go beyond merely ticking checkboxes to really understand your unique penetration testing needs. With our consultative approach, we ensure that our clients understand our reports and assessments and go the extra mile to provide support when helping our clients plan the next steps in their journey toward a stronger security posture and a bulletproof cybersecurity strategy. 

What Is Included In A Report?

An ICS/OT Security Assessment report is the comprehensive documentation delivered by the assessment consultant upon the completion of the evaluation process. This report encompasses the findings from various aspects of the ICS/OT environment, including infrastructure, applications, configurations, and potential vulnerabilities. Reports are structured such that identified vulnerabilities are prioritized according to the severity and include evidence of successful exploits such as exfiltrated data, cracked passwords, or screenshots of systems that were accessed without authorization. Additionally, the report provides insights into the technical and non-technical aspects of the organization's security preparedness. 

By leveraging the information provided in the ICS/OT Security Assessment report, organizations can strengthen their cyber defenses by addressing identified vulnerabilities and weaknesses. Furthermore, the report creates a deeper understanding of the context surrounding these vulnerabilities, thereby enhancing security awareness within the organization and promoting a more proactive approach to safeguarding critical infrastructure and industrial processes.

After receiving an ICS/OT Security Assessment report, an organization is offered the opportunity to ask questions to clarify the results. Upon reading the report, an organization may want to immediately request further testing, or begin the remediation process.

• Learn more via our Buyer's Guide.

Packetlabs PTaaS Platform

Packetlabs' Penetration Testing as a Service (PTaaS) platform is a cloud-based reporting and workflow management platform that provides real-time insights into an ICS/OT Security Assessment.  Our solution decreases the delivery time of vulnerability information and improves collaboration between teams and stakeholders.  PTaaS allows managers and stakeholders to directly monitor the findings of an ICS/OT testing engagement, quickly view findings, organize and prioritize remediation efforts, and communicate with PacketLabs directly to request retests after remediation is complete.

Packetlabs' PTaaS Cloud Platform benefits include:

• Providing secure access to current ongoing and past reports

• Making real-time insights and progress monitoring available on-demand 

• Providing convenient and direct communication for scheduling re-testing

• Increasing the collaboration between testing teams

• Providing convenient access for all stakeholders to monitor engagement progress

• Integration with JIRA and Service Now project management platforms

Next Steps

For organizations with operations that include ICS/OT infrastructure, the next step is to talk to a member of Packetlabs' team today.  Our specialized experts can help you understand your organization's current risk profile, answer any further questions you have, and start the process toward proactive security assessment of your mission-critical ICS/OT assets.