In most of today's ICS networks, security testing is already being performed to identify all weaknesses and issues. At least I hope that is the fact... These tests are run either by the ICS owners themselves or by a trusted external party. However, on a lot of occasions security testing is performed within too limited a scope, so security issues get overlooked, or the scenarios drafted to abuse the weaknesses that were found are incomplete and do not give a full picture. In addition, a lot of the discussion is still focussed on testing industrial devices such as PLCs and other network components. That is fine on its own, but again the bigger picture is not looked at. This presentation takes a broader view of how thorough security tests can be performed (without performing illegal actions) in an attempt to provide ICS owners with a complete view of what their risks are. It explains why you have to combine physical, logical and human elements within the different security tests you run, and why it is sometimes better to take a step back instead of just plunging in and performing logical security testing. The different viewpoints from which you can test to find your weakest elements are shown, along with the requirements for testing from each particular viewpoint. Combinations of discovered weaknesses are then put together into realistic scenarios. The advantages as well as the pitfalls of performing security testing this way are explained using examples from real-world experience.
Everything mentioned in this presentation can be done by ICS owners themselves or, should they decide to do so, by a third party. In the latter case the ICS owners will still be able to follow along and understand what is going on instead of being left in the FUD zone.