<< Security of critical infrastructure has always been a chief concern of security agencies. One of the very important parts of security review is penetration testing. The article talks about how penetration testing can help to validate or identify gaps in security controls within the power sector >>
Making the grid smarter and more secure has been the goal of military and civilian industry for years. As an example, military is investing in microgrids that rely on smart grid technology. With increased feedback and control at all points between generation and consumption, military will gain significant efficiencies in the battlefield. Just as importantly, civilian grids have long been considered the most critical infrastructure and hence a primary target to defend. Making the grid smarter – including enhancing Industrial Control Systems’ (ICS) security through penetration testing – will help to address concerns around the need protect the current infrastructure for both the military and civilians.
However, the cultural and technological differences between control systems and traditional IT systems have caused confusion around how to perform a penetration test safely and effectively. Further, the challenges around upgrading components of the grid have historically been significant and have included the immaturity of the technology and the cost of upgrades. In fact, the biggest inhibitor to adopting new, more technically advanced systems in the grid has been a lack of confidence in the new technologies. Recognising the industry’s almost zero-fault service expectation, companies are even more apprehensive about adopting new technologies.
But through extensive testing, review, and careful grid construction, these technologies are now being rolled out to customer grids. Currently, ICS for electric utilities are focused on the integration of Advanced Metering Infrastructure (AMI) and a migration to internet protocol (IP)-based networks for control systems in order to keep up with emerging smart grid technology. Utility companies are focused on taking advantage of advances in electricity distribution and generation technology, and the industry is actively seeking to upgrade its infrastructure to support the new technologies.
The level of effort required to perform such an upgrade can be high; however, many companies recognise that the benefits associated with supporting smart grid technology overshadow the costs. Along with the many benefits promised after implementing the smart grid, additional security concerns will be introduced and current ICS environment vulnerabilities will also be uncovered. For utility companies to eventually get what smart grid promises, it is necessary to deploy this technology on a very strong foundation.
In the ICS environment, the prioritisation of security attributes is reversed in comparison to corporate IT environment. Availability is usually a key concern, while integrity and confidentiality are pushed aside in order to ensure easy and fast data flow between critical components operating in realtime. As a result, the approach to securing ICS environments differs dramatically from the one followed in corporate environments. Knowing that, penetration tests should be customised to meet the reality of the ICS environment so that conclusions and recommendations are valuable and realistic.
In most cases, penetration testing of ICS networks follows the same basic steps as tests performed on traditional IT networks. However, the manner in which the test is conducted must be tightly controlled, with special attention given to concerns specific to an ICS environment. The key to successful penetration testing within an ICS environment is through communication and understanding between the ICS support engineers and the penetration testers. ICS support engineers should be given the opportunity to ask any questions concerning the testing process, the methodology used, and the precautions taken by the tester to maintain the operational integrity of production systems. Penetration testers must have a clear understanding of the implications of testing within an ICS environment and any testing activities that could potentially disrupt critical servers must be excluded. It is important for any company doing penetration testing in the ICS environment to consult with experts to ensure proper methodology and rigor.
The benefits of increasing the efficiency of ICS and smart grid systems are significant, as are those derived from enhanced confidence around its security. Effectively done penetration testing allows companies to move ahead with confidence towards leveraging these efficiencies. Penetration testing should be done correctly and safety, targeting control gaps and assisting with quantifying risks to the ICS environment. Done right, penetration testing can help a company prioritise available security resources and improve the effectiveness of a well-rounded security programme, thereby improving the potential impact of smart grid ICS technologies and investments.
For many years, ICS were designed primarily to be reliant, but they were not necessarily designed with security in mind. In order for grids to be smarter, they have become dependent on computer system. And while there has been some progress in security with the smart grid technology, it is imperative that the military understands the vulnerabilities in the systems they use and defend so they can proactively engage vendors, understand how to respond, and be able to protect. As the battlefield continues to move to the cyber front, so must the training and simulations, that is, penetration testing.
PENETRATION TESTING PROCESS OVERVIEW
There are a number of fundamental steps towards robust penetration testing, as well as other smart grid/ ICS considerations that can enhance efficiency and build confidence.
1.The Rules of Engagement
Before a penetration test begins, the rules of engagement should be clearly defined and should include the expected outcome of testing. In addition, ICS support engineers should work with the testing team to understand the team’s approach and what tools will be used during the test. If automated or invasive tools are to be used, both teams should understand the impact of the tools on the environment and, if necessary, use special precautions to prevent adverse effects.
- The ICS team should identify the specific scope of the engagement in terms of network ranges, hosts or applications to be included in the test as well as those explicitly excluded from specific types of testing or from the assessment altogether.
- Communication protocols should be established – in advance of testing – that define the means of escalating vulnerabilities identified and any system availability issues observed by the testing team.
- All individuals performing the testing should provide contact information to ICS support engineers in case testing is be halted for any reason.
- ICS support engineers should provide regular briefings to system operators throughout all evolutions of testing; otherwise companies, as well as electricity consumers, may end up with very expensive metering infrastructure that will deliver inaccurate and unreliable data.
Once the rules of engagement of the penetration testing are identified, testing objectives should be discussed to determine the right use of testing resources. In some cases, a ‘blind’ approach is preferred to simulate an attacker that is unfamiliar with the environment. The use of ‘stealth’ techniques – while not always as thorough as others – may also be desirable in order to identify gaps in detective controls, such as intrusion detection systems or other monitoring activities. However, these specialised testing techniques also have drawbacks that should be considered in determining the scope of testing.
An important issue for penetration testing to deliver proper results is selecting a sample for testing. It is rarely possible or feasible to test all components of a particular system, so the results of testing performed on a selected sample are extrapolated to other similar components. However, such an approach includes the possibility of vulnerabilities being missed that only affect select systems of a particular kind, due to a false assumption that the configuration for all like components is exactly the same.
Once the administrative tasks are complete, the testing begins with the technical discovery of the environment. The objective in this phase is to identify key technologies and attempt to determine the network or web application architecture. Fingerprinting activities are conducted to identify characteristics of the network or web application being tested.
Network fingerprinting typically involves using port scanners to identify IP addresses being used by live systems as well as the services running on those systems. The use of active network fingerprinting techniques, such as port scanning, in production should only be conducted on non-critical systems running a robust network stack capable of handling all of the requests initiated by the scanner without noticeable degradation in service availability. Testers may also employ passive network fingerprinting techniques such as the use of network traffic analysers or ‘sniffers’ to examine network traffic. Network traffic analysers can be placed in key areas throughout the environment and can be used to fingerprint ICS-related networks without causing any additional network traffic or interference.
3. Vulnerability Identification
After the various technologies being used within the environment are identified, manual and automated tests are performed to identify potential vulnerabilities. These tests may include using general vulnerability scanners as well as service-specific scans or checks that attempt to identify services or operating systems with well-known vulnerabilities. This is typically accomplished by matching a response given by a host or service to a defined signature that reflects the characteristics of a specific vulnerability. Passive network sniffing can also be used to identify vulnerabilities on the network.
PENETRATION TESTING CONSIDERATIONS
Ideally, penetration tests should be conducted in an environment that exactly mimics the systems and web applications deployed in production; however, many organisations lack the resources to create and maintain a test environment identical to production.
When targeting critical ICS hosts or web applications in a production environment, it is imperative that both parties have a clear understanding of how those systems can be safely identified, and specifically define the testing activities deemed in scope in order to safely meet the testing objectives. If testing objectives cannot be completed in a way that can ensure the health of the system, the objective should be removed or redefined. In many cases, this will involve a ‘table top’ exercise where the penetration testers and ICS engineers discuss the capabilities of the target, the software in use, and configurations that may contain vulnerabilities.
Potential areas for vulnerabilities should be replicated in a test environment on non-critical systems if possible. The ability to replicate the configuration in a test environment that would include the potential vulnerability without replicating the entire system should be explored. This would allow the penetration tester to help validate the existence of the vulnerability without jeopardising the health of the system.
The accuracy of vulnerability identification techniques depends heavily on the specificity and accuracy of the signatures used to identify the vulnerabilities. Additionally, existing controls or other countermeasures might make an identified vulnerability impossible to exploit or not worth exploiting. Therefore, all potential vulnerabilities identified must be examined for validity, and the impact of their exploitation should be considered when determining the actual risk to the organisation.
Finally, exploitation activities that provide additional access within the environment are explored to determine how the additional access could be leveraged to escalate privileges within the environment, potentially leading to compromising defined targets or meeting other test objectives. In most cases, the initial system compromised will be the security environment’s weak link, the ‘low-hanging fruit,’ which provides the path of least resistance to gaining initial access into the ICS environment. A network designed using the principle of defence in depth is built to withstand this initial compromise and should exhibit the same or a similar amount of resistance to allowing additional access as before the initial access was obtained. During the design of ICS networks, functional requirements such as high availability and redundancy usually take priority over security requirements such as proper access control and least privilege.
Smart Meter Analysis
Attacks against a smart grid are not exclusive to network-based attack vectors. A natural target for attack within the advanced metering infrastructure (AMI) is the smart meter itself. Hardwarebased penetration testing requires a specialised skill set, which usually includes a strong electrical engineering background, specialised tools that may include a separate laboratory environment and a highly technical approach that may require significant resources. Performing this type of review involves a significant investment of time and expense; however, testing can be conducted on a single device or smart meter and the results applied to the thousands of identical devices already deployed. Penetration testing of smart meters may include the following categories:
- Tamper protection and detection
- Interface and configuration review
- Bus analysis
- Microcontroller dumping
- Erasable Programmable Read- Only Memory (EPROM) dumping
Tamper Protection and Detection
Tamper protection includes all physical security controls contained within the meter itself that prevent (tamper-resistant) or detect (tamper-indicating) physical tampering. These protections vary from simple controls such as tamper-evident labels and physically hardened casing to highly sophisticated controls such as self-destruction mechanisms and alerting sensors. Selection of appropriate tamper protection controls should balance the cost of the controls with the level of protection they provide. Controls should be proportional to the level of impact caused by compromising the device.
Attacking the smart grid can also involve non-technical methods, such as social engineering. Social engineering is the art of influencing people into divulging information, performing actions or unintentionally providing unauthorised access through the use of deception, coercion, fear or intimidation. The use of social engineering during a penetration test can help uncover gaps in security policies and procedures and identify weaknesses in personnel awareness training against such attacks. Social engineering also helps to enhance or complement technical activities during a penetration test and more closely resembles the array of activities and methods that would be used by an attacker.
Penetration testing should be used to identify control gaps and assist with quantifying risks to the ICS environment in order to prioritise available security resources and improve the effectiveness of a wellrounded security programme.