P E N E T R AT I O N T E S T I N G F O R

IN DUSTRIA L CO NTRO L SYSTEMS

Embrace the Exponential

P E N E T R AT I O N T E S T I N G F O R
INDUSTRIAL CONTROL SYSTEMS
INTRODUCTION
The Industrial Control Systems Cyber
Emergency Response Team (ICS-CERT)
reported 245 cybersecurity incidents
between September 2014 and February
2015, including at least 154 incidents
affecting critical manufacturing,
energy systems, and chemical and
nuclear facilities (see Exhibit 1).
These incidents are increasing in
frequency, complexity, and severity. Last
year, more than half of the incidents
involved advanced persistent threats.
But despite an increasing need for
improved security controls, monitoring,
and detection capabilities, the rise
of the Industrial Internetalong with
progressively sophisticated threat
actorshas considerably increased the
number of exploits available in the past
5 years. In this constantly evolving cyber
environment, knowing your risk surface
is critical. Penetration testing allows you
to validate your cyber processes and
investments to protect your operational
technology (OT) in the Industrial Internet.
WHAT IS PENETRATION TESTING?
A penetration test or pentest simulates
an actual cyber attack by employing
the same techniques and methods
used by hackers. Pentests can be very
invasive, because the objective is often
to gain unauthorized access to systems
by exploiting vulnerabilities. Special
precautions must be taken when testing
OT systems because traditional methods
could have serious adverse effects
on infrastructure and operations.
Penetration testing is often used to
validate the findings from a vulnerability
assessment, which is an exhaustive
search to identify as many vulnerabilities
as possible within an environment. Both of
these methods contribute to an overall risk
assessment, which measures and rates
the level of risk that potential scenarios
could present to a system or environment.
At Booz Allen Hamilton (Booz Allen), we
combine the results of all of these
Exhibit 1: Reported Cyber Incidents, Sept. 2014 to Feb. 2015
COMMUNICATIONS | 14, 6%
COMMERCIAL FACILITIES | 7, 3%
CHEMICAL | 4, 2%
UNKNOWN | 6, 2%
WATER | 14, 6%
TRANSPORTATION | 12, 5%
NUCLEAR | 6, 2%
INFORMATION TECHNOLOGY | 5, 2%
CRITICAL
HEALTHCARE | 15, 6% MANUFACTURING
65, 27%
GOVERNMENT FACILITIES | 13, 5%
FINANCE | 3, 1%
FOOD AND AGRICULTURE | 2, 1%
ENERGY
79, 32%
1
 components into a comprehensive Security
Analysis Framework for ICS Security
(SAF-ICS, pronounced Safe ICS), which we
apply to help our clients prioritize and
mitigate risks in the Industrial Internet.
WHEN AND WHY TO PERFORM A
PENETRATION TEST
Penetration testing in OT environments
is often met with skepticism, fear, and
even outright rejection. Without the
necessary precautions, penetration
testing can pose significant risks to
production systems. However, the only
way to accurately assess the resilience
of your cyber defense strategy is to
test it against a strong offense.
If you use American football as an example,
a coach would never send their defense
into a game without first holding a
scrimmage. The team could have the most
athletic players in the most strategic
formations, but defensive strategies
depend on the ability of the players to
react as the offensive plays develop.
Likewise, you can blanket your OT
environment with best practices and
multiple layers of in depth defense, but
2
you cannot assess the efficacy of these
approaches, nor test your mitigation
strategies, without penetration testing. The
bottom line is that you must understand
the techniques and methods attackers use
to exploit your vulnerabilities, how malware
infects your systems, and whether or
not your countermeasures are effective.
Penetration testing provides you with that
intelligence.
Penetration testing should be conducted
throughout your risk assessment lifecycle,
including:
+ Validating vulnerability assessment
findings to weed out false positives
+ Evaluating existing cybersecurity controls
at the beginning of the project
+ Assessing controls and responses after
remediation and mitigations have been
deployed
Ultimately, penetration testing should be
part of a complete risk management
lifecycle, which also includes creating
attack scenarios and providing critical
risk rating data to create more efficient
and cost-effective risk mitigation/
remediation plans.
INCORPORATING INDUSTRIAL
SECURIT Y STANDARDS
Asset owners and operators often want
the confidence provided by using method-
ologies and processes backed by industry
standards. While common industrial
security standards (e.g., NERC CIP, NIST
SP800-82, ISA-99/IEC 62443) have
matured to provide excellent guidance on
OT cybersecurity best practices, there is
still limited guidance for OT penetration
testing. NIST SP800-115 provides signif-
icant guidance on vulnerability assess-
ment and penetration testing, but it is not
specific to OT systems. As a result, OT
penetration testers must formulate their
strategies by combining their traditional
penetration testing skills, actual indus-
trial experience, and implied guidance
from industrial security standards (ideas
interpreted from general OT cybersecurity
guidance). The lack of industry standards
should not be an impediment to deploying
penetration testing as a part of your
overall risk assessment lifecycle, but
you should ensure that your penetration
testers possess the right mix of expertise
and experience with OT systems to prevent
inadvertent effects on your infrastructure.
IDENTIFYING ZERO-DAY
VULNERABILITIES
One of the most specialized and technical
aspects of penetration testing is 0day,
or zero-day, vulnerability research and
discovery. A task suited for only the most
highly skilled penetration testers, zero-
day vulnerability research is the process
of finding vulnerabilities that have not
yet been reported or even discovered,
much less patched. The vendor has
had zero days to fix the vulnerability.
Vendors and advisors, such as ICS-CERT,
help facilitate vulnerability discovery,
patching, and reporting processes for
enterprise IT, but when it comes to OT
vulnerabilities, the industrial community
lags behind for several reasons:
+ OT devices and protocols were not
originally developed with security in mind
and therefore have several decades of
catch up, patching, and redesign to
complete.
+ Many vendors are reluctant to patch
these vulnerabilities or redesign their
products with more security in mind
because of lack of resources or disrup-
tion to operations.
3
 Attackers think differently.
When you lock all your
doors, they will get the spare
key from your unlocked
neighbors house. When you
change the locks, theyll come
in through a window. When
you lock all the windows, they
will clone your garage door
opener. Once theyre in your
garage, they will have access
to all your power tools, as well
as your hidden spare key.
The only way to validate your
security is to have it checked
by a trained penetration
tester.
MICHAEL WATERS,
Manager of Enterprise Information
Security, Booz Allen Hamilton
4
+ Most of the vulnerabilities that are
discovered are not necessarily being
reported to the information sharing
and advisory services, such as ICS-
CERT and the Information Sharing
and Analysis Centers (ISAC).
When it comes to OT vulnerabilities, you
should not rely solely on ICS-CERT and
the ISACs (by no fault of their own) to get
the most up-to-date vulnerability adviso-
ries and information. Perform zero-day
vulnerability research on the devices
and systems that are specific to your
organizations operations, in conjunction
with monitoring ICS-CERT and the ISACs,
for the most accurate and relevant
vulnerability situational awareness.
RULES OF ENGAGEMENT
The rules of engagement are one of the
first considerationsand one of the most
important aspectsof any penetration
testing project. This statement could not
be any more accurate when considering
OT systems. The rules of engagement
describe what methods and techniques
are allowed and what is prohibited to keep
from disrupting business and operations.
These rules are the cornerstone of OT
penetration testing projects when it comes
to maintaining safety and production.
Rules of engagement are unique to
each project and are determined based
on the needs and requirements of the
project, systems, and organization.
STRATEGIES
In addition to the rules of engagement, the
specific testing strategies are a critical
consideration that set an OT penetration
testing project apart from a traditional
enterprise IT penetration test. These
strategies are relevant to the specific
design and functionality of OT systems,
applications, protocols, and devices,
and attempt to take advantage of flaws,
weaknesses, and vulnerabilities in that
design and functionality. As part of the
SAF-ICS process, it is important to ensure
that all of the penetration testing findings
constitute a valid and realistic risk to OT
systems. For example, gaining access to
a particular asset with limited impact on
critical systems, or no communication
path to these systems, provides little
overall value to the risk assessment
resultsaside from establishing that
particular asset and/or communication
path as a low risk. Strategies and findings
that have value will demonstrate a
realistic potential for a successful attack
to negatively or even critically affect
safety, production, or brand reputation.
FOOTPRINTING
Finding useful information about the
target on the Internet, also known as
footprinting (aka recon, open source
intelligence, or OSINT), is not specific to
just OT systems; however, it is typically the
first step and a critical part of the overall
process that provides data to be used
in subsequent strategies. The methods
 Exhibit 2: Recreation of the Purdue Model, as illustrated in ISA-99/IEC 62443

Level
5 Enterprise Network Enterprise
Zone
Level Enterprise Servers
4
Web Historian Terminal Application Security
Services (Mirror) Services Server Server
DMZ

used in footprinting are no different

from any other penetration test, such as Production Optimizing Engineering
Control Control Historian Workstation
researching company information on the Level
Internet and discovering IP address blocks 3
and URLs associated with the target. Operations and Control
EXTERNAL TESTING Supervisory Supervisory
Control HMI HMI Control Control
Level Zone
External penetration testing refers to 2
testing Internet-facing environments Supervisory
Control
from the Internet. This can include tradi-
tional enterprise IT systems, as well as Level

OT systems. However, we want to avoid
actively pentesting production OT systems
and devices, even if they are directly
accessible from the Internet. Instead,
we use Internet-facing adjacent networks,
such as the enterprise network, as a
pathway to the OT networks. The idea is
that, in the absence of Internet-facing
OT systems and devices, attackers can
attempt to gain access to these other
enterprise networks and work their way into
the OT networks through connected paths.
Pivoting is a term that refers to using
a compromised system as a relay
for further attacking the network.
What makes pivoting so effective and
useful is that it keeps the attacker from
having to download additional tools
onto a compromised system. Using
a compromised system directly often
has complications, such as additional
network traffic that could be detected
by an intrusion detection system (IDS)
or antivirus. The host-based IDS could
detect and/or prevent the activity,
C02.036.16_003
1 Batch Discrete Continuous Hybrid
Control Control Control Control Control
Level Process
0
and other limitations imposed by the
compromised system could also prevent
certain tools from being installed. However,
pivoting allows the attacker to use the
compromised system as a relay, or
essentially a router, to continue attacks
within the inside network while using
the entire arsenal of their original attack
platform. The goal is to gain access
to the OT networks. According to most
industrial security standards, especially
the Purdue Model (Exhibit 2) found in
ISA-99/IEC 62443, not only should the
network architecture separate the OT
networks from the other networks, but
data should typically not flow from higher
zones (levels 4 and 5) to lower zones
without a properly established trust
conduit. Systems should communicate

5

Everything is about
attempting to take control
of or affect OT processes in
a way that could pose a
meaningful risk to safety
and production.
6
using a push model from the OT network
(levels 0 to 3) to higher zones.
There are still a few limitations to network
segmentation strategies that make adja-
cent networks a viable attack vector to the
OT networks. OT network architects do not
always adhere to this network segmenta-
tion and data communication standard.
Engineers often bypass these restrictions
by creating a dual-home workstation,
which is a workstation with two network
interface cards, one connecting to the OT
network and one connecting to an adja-
cent network. This effectively negates any
firewalls. Due to the nature of transmission
control protocol communication, sessions
can potentially be hijacked, allowing an
attacker to gain access to the communi-
cating system in the OT network. Internet
control message protocol (ICMP) commu-
nication is often allowed through to the OT
network, which creates an opportunity for
an attacker to launch ICMP-related attacks
or use the ICMP protocol as a data tunnel.
A LT E R N AT I V E AT TA C K V E C T O R S
When formulating attack strategies or
considering defensive countermeasures,
it is important to look beyond the obvious
attack vectors, such as the Internet and
adjacent connected networks. Other attack
vectors, such as physical weaknesses
and social engineering, can provide
additional alternative attack vectors for
your OT systems. Comprehensive red
team testing, which includes physical
attack vectors, simulates threats that will
seek to gain access to your OT systems.
Social engineering takes advantage of
one of the weakest links in any security
program: the human factor. Technical
social engineering methodssuch as
spear phishing, social media vectors,
and planting infected social media
combined with specialized tools, allow
penetration testing teams to test some of
the most effective attack vectors used by
modern threats today. The use of social
engineering, insiders, and planted devices
renders perimeter-focused layered
defense relatively useless. Layered
defense needs to be comprehensive and
also include elements such as network/
intrusion monitoring, end-point protection,
and awareness training designed to
counter social engineering threats.
TESTING THE ACTUAL OT NETWORK
At this point, we are staging the test
as if the attacker is on the OT network.
Everything is about attempting to take
control of or affect OT processes in a
way that could pose a meaningful risk to
safety and production. If exposures were
found in adjacent networks, we do not
recommend continuing to pivot onto the
production OT systems. Most, if not all, of
the strategies and techniques at this stage
should be performed in a lab or a test and
development network that most accurately
represents the actual production systems.
It does not have to be to scale. As long
as a sampling of each type of device,
server, workstation, configuration, and
version is tested, you should end up
with a reasonable representation of the
exploitable risks that exist within your OT
systems. One of the best ways to achieve
thisbesides physically including each
device type, model, and versionis to
virtualize the servers and workstations.
Many asset owners use virtualized images
for their backups, so creating a virtual
replica of the systems and network should
be straightforward. For environments
that do not produce virtualized backups,
it is best to start with a test and
development network and go from there.
TESTING OT DEVICES
OT device control or disruption is the
end goal of a threat determined to cause
maximum impact. Unfortunately for asset
owners, causing these devices to behave
in a way that is outside of their designated
function is not that difficult, since security
was probably not an inherent design
consideration. For example, a network
stack is often unable to handle traffic
that it is not intended to receive. Other
hardware components of the device
also have limited thresholds that can be
exploited, for example, by creating a load
that causes a spike in processor utilization.
Scenarios such as this have been known to
cause devices to malfunction, reset, and
fault. To further complicate things from a
security perspective, most of the IP-based
industrial protocols these devices use are
equally weak. Due to the lack of encryption
and authentication mechanisms in many
of these protocols, they are susceptible
to being altered, hijacked, or even crafted
from scratch to potentially manipulate,
disrupt, or even control OT devices.
TESTING OT SERVERS AND
W O R K S TAT I O N S
The vast majority of OT servers and
workstations are now Microsoft Windows-
based, while a scattered few still remain
UNIX- or Linux-based. Regardless of the
operating system used, there is nothing
unique about exploiting an OT computer
versus those in the traditional enterprise
IT world. The use of Windows actually
presents an even larger security issue
when considering the limited patching
availability and extended lifecycles of
legacy systems. Outdated and unpatched
versions of Windows are known for
7

For More Information
BRAD MEDAIRY
Senior Vice President
medairy_brad@bah.com
+1-703-902-5948
SCOT T STABLES
Chief Technologist
stables_scott@bah.com
+1-630-776-7701
CLINT BODUNGEN
Lead Associate
bodungen_clint@bah.com
+1-281-832-3129
www.boozallen.com/data-science
being quite insecure, and we continue
to see even Windows XP workstations
still in production to this day. While
this provides a ripe penetration testing
environment, it also means an ample
target-rich environment for real-world
threats and big problems for asset owners.
SUMMARY
While the keystroke-by-keystroke details
of an entire penetration testing project
would be too extensive for a single
article, this discussion should help asset
owners conceptualize OT specific threats,
attacks, and risks when considering
defensive strategies and mitigations.
Here are a few key takeaways you should
consider when building, managing, or
hiring a penetration testing team:
+ Ensure penetration testers have the
necessary pertinent skills commensu-
rate with traditional penetration testing
techniques and strategies.
+ For OT penetration testing, ensure the
testers have a thorough understanding
of OT systems, devices, and applications.
+ Establish clear rules of engagement and
avoid performing active, potentially
harmful, penetration testing techniques
on production systems.
+ If possible, employ an OT engineer as a
subject matter expert.
+ Know, study, and understand existing OT
vulnerabilities, and stay up to date on
the trends and techniques of OT-focused
malware campaigns.
+ Perform zero-day vulnerability research
on your organizations specific systems
(do not rely on advisories and ISACs to
be a definitive source of information).
+ Ensure that attack scenarios and
findings represent meaningful, realistic,
and actual risk to OT systems (e.g., risks
to safety, production, and company
reputation).
The need for special precautions when
conducting penetration testing for OT
systems cannot be overemphasized.
At Booz Allen, our OT security experts
apply their cybersecurity and industrial
systems expertise through our proven
models to help our clients identify
and mitigate potential risks before
they expose critical assets to threat
sources. As part of that overall strategy,
our SAF-ICS incorporates penetrations
testing to optimize OT security through
a complete risk assessment lifecycle.

8
 About Booz Allen

Booz Allen Hamilton has been

at the forefront of strategy and
technology for more than 100
years. Today, the firm provides
management and technology
consulting and engineering
services to leading Fortune 500
corporations, governments, and
not-for-profits across the globe.
Booz Allen partners with public and
private sector clients to solve their
most difficult challenges through
a combination of consulting,
analytics, mission operations,
technology, systems delivery,
cybersecurity, engineering, and
innovation expertise.

With international headquarters in

McLean, Virginia, the firm employs
more than 22,500 people globally,
and had revenue of $5.27 billion
for the 12 months ended March
31, 2015. To learn more, visit
www.boozallen.com. (NYSE: BAH)

2016 Booz Allen Hamilton Inc.

C.02.036.16
03/09/16

www.boozallen.com/cyber