Penetration testing is a security practice that proactively discovers and assesses the potential exploitation of system vulnerabilities by simulating real-world attacks. Penetration testing of industrial control systems is a complex, time-consuming and demanding process requiring expertise in information technology and operational technology systems. Effective penetration test planning is crucial to prioritizing activities and optimizing time and resources. This chapter describes a seven-stage methodology for penetration testing newly-deployed industrial control systems and demonstrates its practical application using a real-world case study of a newly-designed microgrid system. The methodology leverages threat modeling outcomes from the design phase to define the penetration testing scope and guide test choices, leading to an efficient testing process. Furthermore, it engages a novel MITRE ATT&CK to STRIDE mapping, which bridges the design phase that focuses on high-level threats and the planning phase that employs medium-level granularity. The methodology benefits security practitioners by enhancing planning efficiency and streamlining collaboration with third-party penetration testers. The methodology in conjunction with the MITRE ATT&CK to STRIDE mapping can be used to develop detailed, effective and efficient industrial control system penetration testing efforts.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Penetration Testing of Newly-Deployed Industrial Control Systems

  • Shaymaa Mamdouh Khalil,
  • Hayretdin Bahsi,
  • Tarmo Korotko

摘要

Penetration testing is a security practice that proactively discovers and assesses the potential exploitation of system vulnerabilities by simulating real-world attacks. Penetration testing of industrial control systems is a complex, time-consuming and demanding process requiring expertise in information technology and operational technology systems. Effective penetration test planning is crucial to prioritizing activities and optimizing time and resources. This chapter describes a seven-stage methodology for penetration testing newly-deployed industrial control systems and demonstrates its practical application using a real-world case study of a newly-designed microgrid system. The methodology leverages threat modeling outcomes from the design phase to define the penetration testing scope and guide test choices, leading to an efficient testing process. Furthermore, it engages a novel MITRE ATT&CK to STRIDE mapping, which bridges the design phase that focuses on high-level threats and the planning phase that employs medium-level granularity. The methodology benefits security practitioners by enhancing planning efficiency and streamlining collaboration with third-party penetration testers. The methodology in conjunction with the MITRE ATT&CK to STRIDE mapping can be used to develop detailed, effective and efficient industrial control system penetration testing efforts.