
Pertinent Issues Concerning Penetration Tests and Vulnerability Assessments in OT

Recently, my experiences in the ICS/OT cybersecurity space have compelled me to address a few pertinent issues concerning penetration tests and vulnerability assessments. Through this post, I hope to shed light on some common misconceptions and underscore the genuine value behind these activities.

The Frustrations of Premature Penetration Testing

It’s not uncommon for organizations to jump onto the penetration testing bandwagon without truly understanding its prerequisites. I have frequently found myself in situations where a client wasn’t prepared for a penetration test. This invariably leads to them missing out on the immense value these tests can bring. A car can’t be expected to run flawlessly without the necessary tune-ups. Similarly, an organization needs foundational cybersecurity hygiene in place (asset inventory, network segmentation, patch and access management) to extract the best from a penetration test.

Vulnerability Assessments ≠ Vulnerability Scans

The dilution of the term ‘Vulnerability Assessment’ is a growing concern. I’ve witnessed many companies merely running vulnerability scans and rebranding the output as a ‘Vulnerability Assessment’. The heart of a real vulnerability assessment is human analysis. It’s the effort to understand, contextualize, and prioritize vulnerabilities. Without this, you’re merely handing over a list, not a roadmap to enhance security. You’re also missing the misconfigurations and opportunities for improvement in things that cannot be scanned at all.

The Art and Science of Severity Assignment

Another grievance is how certain assessments arbitrarily assign severities to their findings. Let’s be clear: a finding’s severity should not hinge solely on the opinion of the person(s) writing the report. A more holistic approach is necessary, incorporating facets like potential impact, attack feasibility in the environment as deployed, and whether the vulnerability has been or is being exploited in the wild. The outcome of these assessments should be objective, understandable, and actionable.
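To make the last two points concrete, here is a small added illustration (not code from this post) of contextual severity rating: each finding carries an impact estimate, an environment-specific feasibility estimate, evidence of exploitation in the wild, and any compensating controls, and the rating is derived from those rather than from the scanner’s label or the assessor’s gut feeling. The rubric, weights and the three sample findings are constructed assumptions for the example; one of the findings is a manual-review result a scanner would never report.

```python
"""Contextual severity rating for OT assessment findings (added example)."""
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    scanner_severity: str       # what the scan tool reported ("n/a" if unscannable)
    impact: int                 # 1..5: worst plausible consequence (5 = safety / loss of control)
    feasibility: int            # 1..5: how reachable and exploitable it is in THIS environment
    exploited_in_wild: bool     # known active exploitation (e.g. a KEV-style listing)
    compensating_controls: int  # 0..2: isolation, monitoring, etc. that reduce feasibility


def contextual_score(f: Finding) -> int:
    """Assumed rubric: impact x effective feasibility (1..25), +5 if actively exploited."""
    effective_feasibility = max(1, f.feasibility - f.compensating_controls)
    score = f.impact * effective_feasibility
    if f.exploited_in_wild:
        score = min(25, score + 5)
    return score


def severity_label(score: int) -> str:
    """Map the numeric score onto report severities (thresholds are assumptions)."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def rate(findings: list[Finding]) -> list[tuple[str, str, str]]:
    """Return (name, scanner label, contextual label) so the two can be compared."""
    return [(f.name, f.scanner_severity, severity_label(contextual_score(f))) for f in findings]


# Constructed sample findings: the first two are the same flaw in two different locations.
SAMPLE_FINDINGS = [
    Finding("RCE flaw on engineering workstation reachable from corporate LAN", "High", 5, 4, True, 0),
    Finding("Same RCE flaw on HMI behind a one-way gateway with monitoring", "High", 4, 3, True, 2),
    Finding("Default vendor credentials on PLC (found by manual review)", "n/a", 5, 3, False, 0),
]

if __name__ == "__main__":
    for name, scanned, contextual in rate(SAMPLE_FINDINGS):
        print(f"{scanned:>5} -> {contextual:<8} {name}")
```

Two findings with an identical scanner label end up Critical and Medium once reachability and compensating controls are weighed, while the unscannable credential issue rates High; that spread is the “roadmap” a scan output alone cannot give.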

In conclusion, while the ICS/OT cybersecurity space is continually evolving, the onus is on us as professionals and practitioners to maintain the sanctity and efficacy of the tools and methods at our disposal.

Let’s strive for clarity, depth, and genuine value in everything we undertake.

Published in: Blog, Musings