Building a functional OT cybersecurity program is not a spring, but rather a marathon. It can be challenging, and admittedly daunting, especially when trying to determine the foundation for establishing a mature program. When it comes to OT penetration testing, the best time to conduct one is before a breach occurs.
Unfortunately, many organizations don’t receive the resources needed until after they’ve been successfully breached. By acting in this reactive manner, it ends up costing them a lot more time and money than if they would have gotten a penetration test conducted before their reputation, data, and intellectual property took a huge hit (not to mention their bank account).
When it comes to critical infrastructure, the devastation can be quite massive. Take into account the SCADA attack where an insider released 265,000 gallons of untreated sewage into local parks and rivers, causing serious damage to the local environment. Or, the time when a malicious actor took control of an industrial control system at a steel mill, causing massive physical damage. When it comes to the industrial world, it’s important to work with professionals who have experience in the critical infrastructure industry.
If you find yourself asking these types of questions, it’s time for an OT penetration test:
- What risk(s) does my IT environment have that poses a risk to my OT environment?
- Are there any parts of my OT environment that are exposed to malicious actors?
- How can I reduce the attack surface of my OT environment?
When Should A Penetration Test Be Performed?
Penetration tests should be performed on a regular basis, typically at least once a year, in order to reveal how newly discovered threats or emerging vulnerabilities might be exploited by malicious actors. A penetration test is not a one-time task. Networks and computer systems are dynamic and always changing as new software gets deployed and changes are made, which is why regular testing is so important.
In addition, OT penetration tests should also be conducted whenever the following occur:
- New network infrastructure, systems, or applications are added.
- Significant upgrades or modifications are applied to infrastructure or applications.
- New office or field locations are established.
- Major security policies are modified.
OT Penetration Testing & System Deployment
When it comes to network or system deployment, be careful not to start a penetration test too soon. Since changes are constantly occurring, a penetration test might not catch possible future security gaps. Instead, wait until the system is no longer in a state of constant change, typically, towards the later stages of development. By conducting a penetration test just before a system is put into production, you’ll get the most value out of the assessment. Sometimes, this can be easier said than done, especially if a project has already exceeded its deadline or budget. Keep this in mind when you’re building out timelines and budgets.
Penetration Testing in Cyber Security
Some companies need to comply with regulations by getting regular penetration tests in order to prove they’re secure. But true penetration testing is much more than just a check-the-box compliance requirement. It’s a way to discover vulnerabilities so you can get them taken care of proactively before a malicious actor gets in and creates havoc on your business. It shouldn’t be taken lightly, and it needs to be conducted by a 3rd party that truly specializes in OT penetration testing.
Penetration testing isn’t a one-size-fits-all type of assessment. Understanding the company’s specific industry and their particular line of business is essential to successful penetration testing.