Penetration testing is a vital part of a critical infrastructure assessment that allows all parties to assess risks and implement cybersecurity mitigations and standards. It’s the follow-on to a vulnerability assessment, in which you take a deeper, informed look at a network. You’re looking for a broad range of problems, such as software vulnerabilities, network issues and even things like phishing schemes and other human-based attacks. You assess and score these potential exploits; penetration testing then executes those exploits within the environment.
Penetration testing, as a market, continues to see robust growth, with data showing a value of $1.51 billion in 2021 and an expected growth to $4.1 billion by 2030, for a robust 12.1% CAGR during the eight-year span starting in 2022. The report points to many drivers for this growth, including smartphone-driven data consumption, new data center construction, connected devices through the Internet of Things and the rise of smart infrastructure.
On the critical infrastructure side, testing is important because the stakes are so high. Examples such as the February 2021 hacking of a municipal water supply in Oldsmar, Florida highlight the potential for hackers to commit great harm. Attackers tried to disrupt the city’s drinking water by increasing the levels of lye. Thankfully, workers stopped the act before implementation, but the intrusion underscores the threats such infrastructure providers face.
A Matter Of When
The increasing threat landscape and the growth and turmoil in cyber insurance are both driving the interest in penetration testing, risk and vulnerability assessments for critical infrastructure providers. Penetration testing is not a new practice, but it’s heightened now due to the increase in nation-state attacks and people seeing successful attacks like Colonial Pipeline.
Now, critical infrastructure providers are searching for someone they can trust to conduct penetration testing. It’s an important part of mitigation strategies to expose what they might have missed (for potentially years) and need to address before it’s too late.
As of mid-2022, it’s a question of “when” (not “if”) an attack happens to an organization. This realization drives CISOs to no longer think the odds are in their favor, so they push for a risk or vulnerability assessment and penetration testing to make their organization a less appealing target. After the testing and mitigations, there’s still vulnerability because determined actors can breach any system. The mitigation makes it less likely and improves overall resiliency.
In the OT world, more people see penetration testing as a necessity. It’s a marker of the cyber hygiene of an organization, under the overall vulnerability management umbrella. While penetration testing brings forth anxiety, it also prompts change. When an experienced firm conducts the testing, they’ll not only simulate attacks but also train the security team on best practices to react to and survive an attack.
Continual Targeted Testing
Avoiding testing heightens risks. The risks increase within critical infrastructure, where management cannot ask for penetration testing once and consider it a “checked box” to never revisit. Testing is an ongoing requirement, one that reflects the ever-changing threat landscape.
Penetration testing carries its own risks, so it’s vital to enlist an experienced provider who understands and manages them. With IT penetration testing, for example, the vendor sends some of the particulars of an organization’s environment over the internet through encrypted channels. That requires first assessing all the possible perimeter defenses in the network, because the test uses public links to carry ICS traffic and protocols. Done improperly, this increases the attack surface.
With OT, some systems have never had a myriad of threats performed against them. An infrastructure provider, for example, might have facilities designed 10 to 15 years ago that were the “latest and greatest” at the time, and the hardware supporting those designs is another five to 10 years older still.
The protocol implementations in these older OT network environments are not as robust as those in modern devices, so the tester needs to tread carefully. They might send a simple ping to a device with an improperly implemented TCP/IP stack, and a few days later that device fails because of its tiny 36 kilobits of memory.
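Because a fragile device may drop days after an otherwise harmless probe, a careful engagement keeps a probe log and watches device health for a window afterwards, attributing any outage back to the probes that preceded it. The following correlator is an added example, not code from the article or from any testing firm; the probe and outage logs are constructed sample data, and the 7-day attribution window is an assumption.

```python
"""Attribute post-test OT device outages to earlier test probes.

Added example (not from the article). Assumes a probe log of
(timestamp, host, probe_type) entries written during the engagement
and an outage log of (timestamp, host) entries from operations.
"""
from datetime import datetime, timedelta

# Legacy stacks can fail long after the probe, so the window is days,
# not minutes. Seven days is an assumption, not a figure from the article.
ATTRIBUTION_WINDOW = timedelta(days=7)

# Constructed sample logs (ISO 8601 timestamps, private IPs).
PROBE_LOG = [
    ("2022-06-01T09:00:00", "10.0.1.5", "icmp_echo"),
    ("2022-06-01T09:05:00", "10.0.1.7", "tcp_syn_502"),
    ("2022-06-01T09:10:00", "10.0.1.9", "icmp_echo"),
]
OUTAGE_LOG = [
    ("2022-06-04T02:13:00", "10.0.1.5"),  # 3 days after its probe
    ("2022-06-20T11:00:00", "10.0.1.7"),  # 19 days later: outside window
    ("2022-05-30T08:00:00", "10.0.1.9"),  # before any probe: not ours
]


def attribute_outages(probes, outages, window=ATTRIBUTION_WINDOW):
    """Map each outage to the probes sent to the same host within
    `window` before the outage. An empty list means no probe is a
    plausible cause."""
    result = {}
    for o_ts, host in outages:
        o_time = datetime.fromisoformat(o_ts)
        suspects = []
        for p_ts, p_host, p_type in probes:
            delta = o_time - datetime.fromisoformat(p_ts)
            if p_host == host and timedelta(0) <= delta <= window:
                suspects.append((p_ts, p_type))
        result[(o_ts, host)] = suspects
    return result


def fragile_hosts(attribution):
    """Hosts with at least one attributed outage: candidates for
    passive-only handling in the next round of testing."""
    return sorted({host for (_, host), hits in attribution.items() if hits})


if __name__ == "__main__":
    found = attribute_outages(PROBE_LOG, OUTAGE_LOG)
    for key, hits in found.items():
        print(key, "<-", hits or "no probe in window")
    print("fragile:", fragile_hosts(found))
```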
The Evolving CISO Role
While testing and assessments can uncover myriad threats and exposures, critical infrastructure managers, of course, work with limited budgets. They cannot fix everything, but they often just need to mitigate the highest and most impactful risks immediately and then add the others to an ongoing task list.
The CISO still faces difficulty relaying the risks and mitigations to the other senior leaders because they need to map it out in business or operational terms instead of through technical jargon. They also need to manage cultural barriers within OT organizations, for example, between control engineers and system administrators. A penetration testing company and the CISO need to translate the IT threat vectors to the operational engineers who’ve run the systems for 10 to 20 years without a problem. But now penetration testing exposes potential problems, and the CISO needs to navigate both sides while relaying the problem to the COO or CEO with urgency.
Penetration testing plays a key role in preemptive cybersecurity. Leadership at water districts, power plants and other critical infrastructure can no longer think “it will happen to others, but not us.” They’re seeing the impacts of successful attacks in the news and a correlated rise in their cyber insurance premiums.
Penetration testing will continue its growth because the people in charge are humbler about their current safeguards and the scope of attacks. They’ve accepted that if they do a good job at running a plant or other facility, then someone out there is interested in compromising their hard work, whether it’s for ransom, intelligence gathering or simply promoting chaos.