BruCON 0x0B

The aim of this presentation is to discuss the subject of how Operational Technology (OT) differs in relation to Information Technology (IT), how this should affect any approaches to testing the security of OT systems, and what the impact of applying a traditional penetration testing model to an OT system is likely to have.

For example, the security of an IT system centers on the protection of data from observation, alteration or deletion. However in OT the key security principals lean more towards ensuring the reliability and safety of the system. This shift in priorities needs to result in a completely different approach to security assessment, not simply because of the potential impact of downtime on a given system, but because the priorities of the test are completely different. A simple adaptation of a typical IT testing methodology isn’t enough; For this reason, security testing of OT systems provides a growth area for specialized companies as they are frequently the most able to make the shift away from a dedicated IT testing methodology.

In addition to the difference in the core concerns of stakeholders between OT and IT systems, the security community also needs to acknowledge that the threat actors in play, and their methods and resources, are going to differ vastly. This needs to be considered in conjunction with a realistic view on what security measures should and could be implemented on OT systems; in a system where downtime potentially costs millions of pounds per minute patching is never going to be considered a priority, and neither are time-consuming or complicated procedures which interfere with a user’s ability to monitor the system in a potentially time-sensitive environment (such as two-factor authentication for operator login).

Without taking the above factors into consideration mistakes will be made by security professionals conducting security testing of OT systems. These may take the form of inadvertent downtime, costing the client in terms of money or even lives (depending on the target system), or may result in the actual security profile of the system being overlooked due to the focus remaining data-centric, as is standard with IT systems. While this presentation does not claim to have all the answers, the intention is to create methodology as a basis for discussion to help move the industry forward, resulting in a higher standard of testing and increased confidence in the security status of OT systems.