Electrical Engineer, Cyber Security (purple hat), Drones & Robotics, Professor, And an entrepreneur

Industrial Automation Systems Cybersecurity Pentest & Audit

Tamimi August 07, 2015 [Professional] #Pentesting #Cybersecurity #IIoT #SCADA #PLC #red team #NERC CIP #NIST #ISO27001


After the project Industrial Automation SCADA System completion, the client wanted a full security audit on the installed system, and while the security by design concept was already considered when implementing the architecture, a dedicated assessment and audit was required. As a cybersecurity professional, I have worked on various projects and tasks related to the cybersecurity including the industrial control systems (ICS) or IoT. ICS are essential for the operation and management of critical infrastructure, such as power grids, water treatment plants, oil and gas pipelines, and manufacturing facilities. However, these systems also face increasing cybersecurity threats from various actors, such as nation-states, cybercriminals, hacktivists, and even insiders. These threats can compromise the availability, integrity, and confidentiality of ICS data and processes, leading to severe consequences for public safety, national security, and economic stability, since those threats can cause physical harm, unlike the usual cyberattacks, where in most cases it is a password reset or at worse, a financial loss.


Conducting Cybersecurity Assessments and Planning for ICS

One of the key steps for improving the cybersecurity posture of ICS is to conduct regular and comprehensive assessments and planning. These activities aim to identify and prioritize the cyber risks and vulnerabilities that affect ICS, and to establish and implement appropriate countermeasures and controls to reduce them.

Some of the main types of cybersecurity assessments and planning that I performed for the system are:

System and Industrial Networks compliance with standars

NERC CIP Cybersecurity Requirements

One of the crucial steps for securing the ICS is to ensure the cybersecurity of the industrial networks that connect the ICS components, such as SCADA, PLC, and related systems. These networks are often exposed to external and internal threats, such as unauthorized access, data tampering, denial of service, and malware infection. Therefore, it is essential to apply security standards and best practices to protect the industrial networks from cyberattacks, and to comply with the regulatory requirements that apply to the power industry. These are mandatory and enforceable regulations that apply to the North American power industry, and aim to ensure the reliability and security. They specify the minimum security requirements for the identification and protection of critical cyber assets, such as the ICS components that support the operation of the power grid. I used these requirements to comply with the NERC CIP standards and audits, and to report and respond to the cyber incidents that affect the ICS. Also to implement security measures and controls to prevent, detect, and mitigate the cyberattacks that could compromise or disrupt the reliable operation of SCADA system.

These are specific standards and technical reports that define the requirements for cybersecurity robustness and resilience at each stage of the ICS lifecycle. They apply to all types of industrial automation and control systems, including PLC, SCADA, DCS, and other control system configurations. These standards were used to design, implement, and operate secure industrial networks for the ICS, and to address and mitigate the current and future security vulnerabilities in the ICS components. And also to apply security policies, standards, and guidelines to govern the ICS environment, and to enforce access control and encryption mechanisms to protect the ICS data and processes.

NIST, ISO27001, and SANS standards

These are general frameworks and guidelines that provide a comprehensive and flexible approach to manage and improve the cybersecurity of information systems and organizations. They cover various aspects of cybersecurity, such as risk management, security controls, governance, awareness, and incident response. I used these standards to establish and maintain a cybersecurity program for the ICS environment, and to align the security objectives and strategies with the business goals and needs. I also used these standards to benchmark and measure the cybersecurity performance and maturity of the ICS, and to identify and address the gaps and weaknesses, although the system was not connected to external services, it was still beneficial to use these standards in the assessments.

The work was rewarding, after several years I heard some news from a previous colleague that the client internal organization network was breached and hit with a ransomware, thankfully, the system was fully protected and operational when the whole company network was down!

Note: The comment section is powered by Cactus/Matrix. If you use the official Matrix server, you are good to go. However, if you use your personal Matrix server, make sure to log in with the first button and use your own client. This is because my CSP only allows Cactus/Matrix domains to connect from this site, and most likely, your profile picture will be broken!

Back to top