SCADA Testing

Assess the effectiveness of your security controls through the manual analysis of your SCADA systems.

Discover security gaps through safe, expertly simulated attacks against your SCADA or Industrial Control Systems (ICS).

SCADA Penetration Testing vs. Commercial Penetration Testing

SCADA systems differ from most TCP/IP-based systems in that many ICS vendors use proprietary protocols to communicate within their systems. At the same time, the move toward open industry standards such as DNP 3.0 and Modbus, combined with communication on ICS LANs that uses minimal authentication, puts ICS systems at risk of cyber attack. Because of the differences between commercial and proprietary SCADA/ICS systems, the vulnerability assessment or penetration testing tools and methods that may be used in a standard commercial penetration test can have a serious impact on a SCADA/ICS network if improperly applied. MainNerve’s experts work with the customer’s Assessment Team to understand the implications of testing on a production system and, when possible, to mitigate operational effects by testing offline or on a backup ICS. To MainNerve, the best possible outcome is the proper testing of a SCADA/ICS that provides adequate detail about identified vulnerabilities, along with mitigation information the SCADA/ICS Administrator or Security staff can use to address them.

SCADA Penetration Testing: A Hybrid Approach

SCADA Penetration Testing with MainNerve is designed to assess the effectiveness of your security controls as applied to NERC-CIP, NIST 800-53 v4 or ISO 27001 through the manual analysis of your SCADA systems and the application of best practices to the Information Technology and Operational Technology systems of Critical Infrastructure. SCADA/ICS penetration tests are highly sophisticated because of the combination of customized technology, the criticality of the infrastructure that depends on it, and the knowledge needed to test these systems without taking them offline. To conduct SCADA/ICS penetration tests, MainNerve combines knowledge of the specific SCADA protocol and vendor environment with industry-leading penetration testing expertise to ensure that the vulnerabilities it identifies and exploits do not jeopardize customer operations or infrastructure. Depending on the customer’s needs, MainNerve can provide White, Grey, or Black box testing and can escalate to Red Team operations if needed.

SCADA Penetration Testing Process:

THE MAINNERVE PROCESS

While there are numerous standards that apply to SCADA Penetration Testing, MainNerve’s process takes into consideration the care that must be taken to fully address a SCADA/ICS penetration test. While its personnel and tests conform to NERC-CIP and NIST 800-53 standards, the company’s methodology follows the “Cyber Security Assessment of Industrial Control Systems” published by the Department of Homeland Security.


ASSESSMENT TEAM SELECTION

The SCADA/ICS customer should ensure that the assessment team has two components: qualified personnel from within its own organization from Security, IT and Management, and qualified persons from the assessment vendor who are familiar with the standards that apply to the assessment as well as the proprietary protocols and methodologies specific to the customer. It is not unheard of to have a penetration tester assigned to the customer’s side to ensure that the vendor is appropriately certified and to “vet” its personnel. Additionally, MainNerve provides IT Assessment and ICS Assessment personnel who assist in identifying vulnerabilities on the SCADA/ICS network for the penetration testers to exploit.


SCADA/ICS TEST PLAN DEVELOPMENT

MainNerve works with the customer’s assessment team to develop a SCADA/ICS test plan so that both the customer and MainNerve know how the assessment will progress. As with the test plans MainNerve develops for its other assessments, key areas covered include rules of engagement, attack vectors, in-scope and out-of-scope areas of IT and OT, and points of contact for both. MainNerve works with the customer to identify attack vectors to focus on, whether they are part of an ongoing cyber assessment program or areas the customer wants to concentrate on, such as the DMZ, penetration between corporate and control servers, or downstream, remote access, or administration paths.


ASSESSMENT EXECUTION

MainNerve conducts the Assessment according to the test plan and in alignment with the identified attack vectors, in a process composed of three stages: reconnaissance, exploration and exploit. The reconnaissance phase is usually conducted with passive detection scanners and monitoring/mapping software that identify key vulnerabilities and assess the networking equipment in use, the authentication mechanisms and the firewall rules. The exploration phase then begins: MainNerve penetration testers, with ICS and IT experts alongside them, attack the system to determine which vulnerabilities identified during reconnaissance are actually exploitable through methods such as buffer overflows, improper authentication and improper access controls. Based on those findings, the assessment team then decides whether to develop an exploit and deploy it, within the limits set by the Rules of Engagement.
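The two technical points above, that Modbus carries minimal authentication and that reconnaissance on an ICS network is done passively, can both be illustrated with a small passive inspector. The following is an added example, not MainNerve’s tooling or any product mentioned on this page: it parses Modbus/TCP frames from a constructed capture (the sample bytes and IP addresses are invented), and flags write function codes, which the protocol itself never authenticates, from any host that is not on an assumed allowlist of known engineering workstations. Nothing is sent to a device; it only reads bytes already captured.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Modbus/TCP MBAP header: transaction id, protocol id (always 0), length, unit id.
# The frame has no authentication field at all: any host that can reach the
# device's TCP port can issue a write, which is the "minimal authentication" risk.
MBAP_FORMAT = ">HHHB"
MBAP_LEN = struct.calcsize(MBAP_FORMAT)  # 7 bytes

READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes  # PDU payload after the function code


def parse_frame(raw: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP request; raise ValueError on malformed input."""
    if len(raw) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(MBAP_FORMAT, raw[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The length field counts the unit id byte plus the whole PDU.
    if length != len(raw) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    return ModbusFrame(tid, unit, raw[MBAP_LEN], raw[MBAP_LEN + 1:])


def describe_write(frame: ModbusFrame) -> str:
    """Decode the starting address targeted by a write request."""
    if len(frame.data) < 2:
        return "address unknown"
    (address,) = struct.unpack(">H", frame.data[:2])
    return f"starting address {address}"


def inspect_capture(packets: Iterable[Tuple[str, bytes]],
                    allowed_writers: Set[str]) -> List[dict]:
    """Return findings for writes and malformed frames; reads are silent."""
    findings = []
    for src_ip, raw in packets:
        try:
            frame = parse_frame(raw)
        except ValueError as exc:
            findings.append({"src": src_ip, "severity": "warn",
                             "reason": f"malformed frame: {exc}"})
            continue
        if frame.function_code in WRITE_FUNCTIONS:
            name = WRITE_FUNCTIONS[frame.function_code]
            # A write from an unknown host is the finding a defender cares about.
            severity = "info" if src_ip in allowed_writers else "high"
            findings.append({"src": src_ip, "severity": severity,
                             "reason": f"{name} ({describe_write(frame)}) "
                                       f"to unit {frame.unit_id}"})
    return findings


# Constructed sample capture (not real traffic): (source IP, raw TCP payload).
SAMPLE_PACKETS = [
    ("10.0.0.5", bytes.fromhex("00010000000601030000000a")),   # read 10 holding regs
    ("10.0.0.5", bytes.fromhex("0002000000060106001000ff")),   # write register 16
    ("10.0.0.77", bytes.fromhex("00030000000601050001ff00")),  # write coil 1, unknown host
    ("10.0.0.77", bytes.fromhex("00040000000901030000000a")),  # bad length field
]
ALLOWED_WRITERS = {"10.0.0.5"}  # assumed engineering workstation


if __name__ == "__main__":
    for finding in inspect_capture(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(finding["severity"].upper(), finding["src"], finding["reason"])
```

The allowlist stands in for the authentication the protocol lacks: because a Modbus write cannot be tied to a user, the only passive control is to know which hosts are supposed to issue writes and to alert on everyone else. The malformed-length case is kept deliberately, since unexpected frame shapes on a control network are worth a look on their own.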


ASSESSMENT REPORTING

At MainNerve, we consider the final phase of the SCADA/ICS penetration testing process, reporting, to be the most crucial step. Because the report may reach varying audiences, i.e., Management, Security, Customers and the public, MainNerve takes great care to communicate findings and mitigation strategies as clearly as possible and, when necessary, can provide different levels of reporting for different audiences. MainNerve’s reports are considered some of the best in the industry by our vendors and are written by the penetration tester or ICS/IT Assessor who was actually on the team. As part of a comprehensive risk assessment, MainNerve can provide consultants to advise on integrating the findings into an information security plan. Our main goal is to ensure that all information is clearly understood and that the roadmap toward remediation and mitigation is crystal clear.


VALUE-ADDED SERVICES


Web App Penetration Testing

Web application penetration testing is designed to assess and test the state of your web-facing applications and to provide actionable remediation recommendations for improving your security. Ensure that your web applications are protected from malicious cyber threat actors. MainNerve web app pen tests are designed to review all types of web servers.


Compliance Solutions

MainNerve’s compliance solutions are designed to help with one of the biggest challenges for businesses: staying in alignment with the exhaustive list of Governance, Risk Management, and Compliance (GRC) requirements. From PCI DSS and HIPAA to CJIS and FINRA, MainNerve can help your business navigate the GRC landscape with specialized penetration tests.


Social Engineering

Social engineering, in the context of information security, is commonly defined as the use of persuasion and/or manipulation techniques to influence people into performing actions or divulging confidential information. Ensure that your business is secure by testing and evaluating your employees against general phishing and “spear-phishing” attacks.