What pen tests and cyber risk assessments won’t tell you

Unfortunately, conventional cyber risk assessments and penetration tests don’t provide the answer. They focus on IT-style vulnerabilities in industrial control system (ICS) components and networks that would likely be exploited by a skilled hacker. While this approach may point out configurations and practices worth improving, it doesn’t answer the fundamental question about unacceptable risk.

- For ICS environments, we must focus on the physical process and equipment – beyond the capabilities of most IT pen testers and hackers.

- High-value targets need to be prepared for sophisticated, well-funded attack scenarios that may extend to coordinated cyber and physical attacks.

- If actions by authorized administrators can lead to unexpected trouble, malicious compromise certainly will.

- For high-value targets it is necessary to identify every potential route to disaster. False negatives are not an option.

Critical Penetration Analysis for high-value targets

For these reasons, The Langner Group has developed a more appropriate method to simulate cyber attacks for targets where more is at stake than just information. We refer to it as Critical Penetration Analysis because it addresses all the shortcomings of pen tests mentioned above and answers the most important question of risk management.

Critical Penetration Analysis starts out with identifying critical risks for the target. In general terms, critical risk is the potential to enter a state where the prevention of unacceptable consequence can no longer be guaranteed and the fate of the target is subject to factors beyond the asset owner’s control. Critical penetration is an attack path that gets the plant into such state.

Threat intelligence is of limited value for Critical Penetration Analysis because what really counts for the asset owner at the end of the day is not the intentions of attackers but the damage they can cause, including unintended consequences which may by far outweigh the attacker’s intended win. Assumed capabilities of identified threats are also of limited value as it may just be the attacker’s lucky day.

Based on the critical risks identified, our system and process experts identify attack vectors for the target. This occurs in close coordination with the client’s internal experts using a whitebox approach in order to not miss any single vector that could lead to disaster, no matter if intended by an attacker or as an unintended side effect. Critical Penetration Analysis involves the reliable identification of any cyber compromise pathways that could lead to unacceptable physical con-sequence. The process is similar to traversing a maze with cyber entries and physical exits.

We then conceive and document cyber-physical exploits that would implement the attack vectors, which act as factual guidelines for causal mitigation. At no time do we actively intrude the target because actually using the exploits we conceive will most likely result in mayhem. The final report that the client receives at the end of a Critical Penetration Analysis, which contains mitigation advice on how to break critical attack paths, is detailed in technical, operational and economic terms.

More Information for Asset Owners

For asset owners of high-value targets such as nuclear facilities, chemical plants, or refineries, we provide our in-depth knowledge of cyber-physical attack methodology to identify attack vectors and strategies that sophisticated, well-funded attackers would exploit. Our analysis is the closest thing to a real-world plot by a state-sponsored adversary with engineering resources and expert knowledge of physical process and equipment. Using this insight may save you and others from disaster waiting to happen. If you would like to know more, you can reach us through the web, twitter, LinkedIn, or directly to Perry Pederson in the U.S. at pp@langner.com.

Web: www.langner.com

Twitter: www.twitter.com/langnergroup