Lessons Learned for Practical penetration test against Industrial Control Systems

Lessons Learned for Practical penetration test against Industrial Control Systems

연구 분야: Strategies

학회: 2023 IEEE International Conference on Computing (ICOCO)

Cyber risk in Industrial Control Systems (ICS) has recently been increasing because ICS technologies are getting open. On the other hand, in ICS, cyber security awareness is still low, and generally, the budget for cyber security is limited. Moreover, desktop risk analysis on cyber attacks against ICS is challenging since it could bring physical impacts. Penetration tests against ICS devices or plants are effective in clarifying the actual risks of cyber attacks against ICS. IEC62443, an international standard of ICS cyber security, also requires penetration tests by third parties. However, penetration tests against ICS are challenging since they require IT and ICS skills, and specifications differ depending on the devices. Furthermore, pen testers should conduct tests manually since automated ICS test tools are unavailable. This research proposes practical lessons for ICS penetration tests obtained from several penetration test experiences against different types of ICS. We pick up and introduce the general essence for creating test scenarios, test methods, and how to organize the test results that are useful even if ICS types devices, and protocols differ. We also introduce some case studies of the penetration tests and free tools useful for ICS penetration tests.