
Taking an offensive approach to pen testing

James Smith of Bridewell argues that overcoming anxiety about penetration testing is the first step CNI organisations must take to protect themselves against catastrophic cyber-incidents


Within critical national infrastructure (CNI) organisations, a single seemingly minor system disruption can wreak havoc on a grand scale. Last year, for example, an air traffic control glitch in the UK caused the cancellation of more than 1,500 flights in a single day. Such incidents highlight the potential devastation a cyber-attack could inflict under similar circumstances.


Among organisations with complex operational technology (OT) systems, incidents like this raise fears about penetration (pen) testing. They know they need to test rigorously to expose any weaknesses a cyber-attacker could exploit.


Yet many fear the very rigour of the testing will knock down systems and cause hugely damaging disruption. In a refinery, hospital complex or telecommunications network, organisations have made substantial investments to maximise safety, productivity and sustainability. The last thing they want is for a test to jeopardise human wellbeing or operational efficiency.


Some believe that the risks of pen testing outweigh the benefits. The cost of not conducting these tests, however, can be far more devastating. Understanding the importance of pen testing, addressing common fears, and exploring the benefits and process of an offensive approach can help safeguard CNI organisations against damaging cyber-incidents.


The necessity of pen testing

Pen testing is essential for identifying vulnerabilities and security weaknesses before attackers can exploit them. Unlike automated vulnerability scanning, which merely identifies potential issues, pen testing involves a combination of automated tools and manual techniques to find and verify vulnerabilities. This method helps organisations understand actual risks and the potential impacts on their systems.


Regular pen testing is crucial for maintaining a strong security posture. By proactively identifying and addressing vulnerabilities, organisations can significantly reduce the likelihood of a successful cyber-attack. Pen testing also helps build a culture of security awareness within the organisation, encouraging continuous improvement in security practices and resilience against evolving threats.


The cost of inaction

Despite its importance, some organisations avoid pen testing due to fears of operational disruptions. This reluctance overlooks the catastrophic consequences that could result from untested vulnerabilities. IBM/Ponemon’s research reveals that the average cost of a data breach in critical infrastructure was $5 million last year, rising to $11 million in healthcare. Proactive penetration testing or red teaming, however, reduced breach costs by an average of $4 million.


Avoiding pen testing due to fear of disruption is a short-sighted approach. The potential cost of inaction far exceeds the controlled risks associated with pen testing. A data breach can lead to financial losses, reputational damage, and significant operational downtime. The evolving nature of cyber-threats means that untested systems remain perpetually at risk.


Real-world human expertise

Addressing these fears requires understanding the benefits of real-world human expertise in pen testing. Pen testing brings the specialised experience of a security team to bear on the challenges. This expertise is crucial in grasping the context in which a company operates. A scanner will readily flag an unsupported operating system; understanding the context means recognising the compensating controls around it, such as network segmentation, strong firewalls or multi-factor authentication, that reduce the real risk.


Pen testing teams understand that OT systems need careful handling, given their criticality. A less full-on, slower and more targeted approach is required than for standard desktop machines and servers. Automated scanners are for this reason highly undesirable: aggressive probing and unexpected payloads can hang or crash fragile controllers, with serious physical consequences. Pen testing teams know not to take risks with OT.


Taking the offensive approach

To counter the rising tide of cyber-threats, organisations must adopt a more offensive approach to testing their defences. Offensive testing goes beyond identifying vulnerabilities and verifying their exploitability; it involves actively simulating real-world attack techniques to understand how an adversary could navigate and exploit a system.


This proactive stance is crucial because many OT and SCADA systems were not designed with security in mind and often lack basic controls such as firewalls, intrusion detection systems or encryption.


By adopting an offensive approach, organisations gain a deeper understanding of their security posture. Offensive testing teams bring the same real-world, specialised expertise and tailor their testing to the environment, treating OT systems with the care their criticality demands rather than with the more aggressive methods suited to standard desktop and server estates.


Scoping restricts potential for collateral damage

A comprehensive offensive testing programme includes detailed scoping before it starts. Testers should gain insight into the concerns of the company they are testing to concentrate effort and expenditure to deliver maximum benefit.


Effective scoping ensures that pen testers do not merely go for the obvious but adopt the mentality as well as the techniques of real attackers. With threats and vectors in constant evolution, pen testers use their insights to adopt the tactics malicious actors are most likely to use. Agreeing in advance what may be touched, how hard, and what must be left alone minimises collateral damage and maximises the effectiveness of the testing.
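The two points above, that OT needs a slower and more targeted approach than desktop and server estates, and that scoping is what keeps a test from causing collateral damage, can be turned into something mechanical. The following is an added example, not Bridewell's tooling or code from the article: it takes a written scope (assumed here to be a list of authorised networks, hosts that must never be touched, and the ports the client has agreed to probe) and produces a deliberately gentle nmap command line, refusing any target outside that scope. The VLAN, the carved-out safety system address and the rate limit are constructed for illustration.

```python
"""Scope gate and conservative scan planner for an OT engagement.

Added example: not Bridewell's tooling. The scope format, host addresses and
thresholds below are assumptions for illustration only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Scope:
    allowed: list        # CIDR strings the client has authorised
    excluded: list       # addresses or CIDRs that must never be probed
    ports: list          # only the ports the client agreed to
    max_rate: int = 5    # packets per second; OT devices choke on bursts

    def permits(self, host: str) -> bool:
        """True only if host is inside an allowed range and not excluded."""
        ip = ipaddress.ip_address(host)
        # strict=False lets a bare address such as 10.10.20.250 act as a /32
        if any(ip in ipaddress.ip_network(x, strict=False) for x in self.excluded):
            return False
        return any(ip in ipaddress.ip_network(n, strict=False) for n in self.allowed)


# Flags that send version probes, OS fingerprints, NSE scripts or fast timing:
# all of these are the kind of unexpected traffic that can hang a fragile PLC.
FORBIDDEN_FLAGS = {"-sV", "-O", "-A", "-T4", "-T5"}


def is_gentle(argv: list) -> bool:
    """Sanity-check a command line someone else wrote before it is run on OT."""
    return not any(a in FORBIDDEN_FLAGS or a.startswith("--script") for a in argv)


def plan_scan(scope: Scope, targets: list) -> list:
    """Return argv for a slow, connect-only, no-probe scan of the given targets.

    Raises ValueError rather than silently dropping out-of-scope hosts, so a
    typo in a target list stops the run instead of reaching a safety system.
    """
    bad = [t for t in targets if not scope.permits(t)]
    if bad:
        raise ValueError(f"refusing to scan out-of-scope hosts: {bad}")
    argv = [
        "nmap", "-n", "-Pn",            # no DNS lookups, no ping sweep
        "-sT",                          # full TCP connect, not half-open SYN probes
        "-p", ",".join(str(p) for p in scope.ports),
        "-T2",                          # polite timing template
        "--max-rate", str(scope.max_rate),
        "--max-retries", "1",           # do not hammer a host that fails to answer
    ]
    if scope.excluded:                  # belt and braces: nmap also refuses them
        argv += ["--exclude", ",".join(scope.excluded)]
    argv += targets
    assert is_gentle(argv)
    return argv


# Constructed scope: one engineering VLAN, with the safety instrumented
# system carved out. Ports are Modbus/TCP, S7comm and EtherNet/IP.
DEMO_SCOPE = Scope(
    allowed=["10.10.20.0/24"],
    excluded=["10.10.20.250"],
    ports=[502, 102, 44818],
    max_rate=5,
)

if __name__ == "__main__":
    print(" ".join(plan_scan(DEMO_SCOPE, ["10.10.20.11", "10.10.20.12"])))
    try:
        plan_scan(DEMO_SCOPE, ["10.10.20.250"])
    except ValueError as err:
        print(err)
```

The planner never runs nmap itself; it only builds the argument list, so the scope check can be reviewed and signed off with the client before anything is sent on the wire. `is_gentle` is there for the reverse case, where a tester arrives with a command line already written and it needs checking against the agreed rules before it touches OT.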


Testing the cloud and among staff

In addition to traditional IT environments, an important element in offensive testing is the inclusion of companies' cloud environments. This was previously a potential area of friction with cloud providers.

The major providers now publish penetration-testing policies, so agreement on what may be tested is reached before tests commence. Public-facing infrastructure such as VMs is relatively straightforward for pen testers, but for vendor-managed infrastructure and applications, where the provider owns the underlying platform, configuration reviews may have to be relied on instead.


Where the human factor needs examination, red teaming steps in. Even in harsh industrial settings, phishing and social engineering remain very high risks. Organisations with high levels of cyber-maturity may feel their employees are the weakest link, which is where this approach comes in, using simulated phishing emails, for example, to gauge how staff respond.


There is no cast-iron guarantee that penetration testing will avoid some disruption of systems, but it will give organisations a more realistic assessment of their security posture and help outline the steps to mitigate overall cyber-risk.


Failure to take testing seriously out of fear of disruption is not a sensible approach given what is at stake. Adopting an offensive approach, leveraging real-world expertise, and conducting thorough scoping are critical to safeguarding critical national infrastructure against cyber-threats.

James Smith is Head of Offensive Security at Bridewell


Main image courtesy of iStockPhoto.com and Artur