Industrial Control Systems Testing

The Rapid Rise of OT/ICS Cybersecurity Risk

The past decade has seen a dramatic increase in cyberattacks targeting systems beyond traditional desktop computers. The security industry refers to this sector as Operational Technology (OT), Internet of Things (IoT), or Industrial Internet of Things (IIoT). It includes systems such as HVAC, pumps, turbines, pressure regulating valves, tanks, and a wide variety of other devices typically controlled by programmable logic controllers (PLCs) or other equipment that falls outside the traditional scope of an IT department.

In 2010 the world was put on notice about the power of cyber over industrial systems by Stuxnet, a piece of malware that attacked Iranian nuclear enrichment facilities. The code was then modified by hackers to attack industrial systems around the world from 2011 to 2018, taking on various names such as Duqu (2011), Flame (2012), Industroyer (2016), and Triton (2017), and plaguing power facilities, petrochemical plants, and many other OT-based systems.[i] The National Vulnerability Database (NVD), a repository of security-related information maintained by the National Institute of Standards and Technology (NIST), has a separate category for Industrial Control System (ICS) vulnerabilities, and that category has exploded in the last year. Between Q1 2019 and Q1 2020 the water and wastewater industry saw a 122% increase in common vulnerabilities and exposures (CVEs), critical manufacturing was up 87.3%, and energy was up 58.9%. While cyberattacks on OT systems are still flying below the radar of more common IT hacks, the momentum in this space is building quickly.

It is a perfect storm: many OT system owners want to take advantage of new technologies for automation and monitoring that require internet connectivity, without recognizing the cyber risk that comes with that connection. Because the push for technology insertion and automation is relatively new to the ICS community at large, the security tools and experience required to secure these systems are only now starting to emerge, while threat actors have already caught on to the wealth of new targets that bringing these legacy systems online provides.

How We Can Help

The first step in being secure is understanding your risk. Our testing methodology walks through a logical process to help you understand your attack surface, the attacks and actors that may target you, and how to secure your systems against those attacks.

How We Became Experts

Vigilant Cyber Systems has developed a highly experienced and credentialed team of cybersecurity engineers who specialize in OT and ICS testing. Combining an in-depth understanding of cybersecurity best practices with a deep understanding of the non-traditional computers that run OT/ICS systems, such as programmable logic controllers (PLCs) that lack traditional network connections or traditional operating systems, is a very niche skill set. NIST's Cyberseek database, dedicated to tracking open cybersecurity jobs, has highlighted the large talent gap that exists in OT cybersecurity, with some estimates claiming there will be 3.5M unfilled cybersecurity jobs in 2021.

VCS has built a team that has been working together for over 5 years testing these systems. In the world of OT/ICS cybersecurity, this is a substantial amount of experience. Before focusing specifically on OT cybersecurity assessments, our engineers spent time both supporting industrial control system software development and performing traditional IT cybersecurity assessments. Our long history supporting the Department of Defense (DoD) put us in a position to start gaining experience with the OT/ICS cybersecurity push in 2016, at a time when the DoD was one of the only organizations paying for OT/ICS cybersecurity testing.

While the OT/ICS cybersecurity industry is relatively new, a few organizations are rapidly working to build a consensus on training and processes to support these systems. Our team is at the forefront of this work, holding all of the major certifications identified for this sector and staying familiar with the best practices currently being developed, spearheaded by NIST's SP 800-53 and MITRE's ATT&CK for ICS.

The certifications that our team holds are: Offensive Security Certified Professional (OSCP), GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), GIAC Penetration Tester (GPEN), Certified Information Systems Security Professional (CISSP), CompTIA Advanced Security Practitioner (CASP), CompTIA Security+, and Certified Ethical Hacker (CEH). While there is no substitute for the field experience our team brings, these certifications help educate them in industry best practices. We continuously update our list of required certifications and work with accreditation organizations such as SANS to refine their training to focus specifically on OT/ICS threats and methods.