Analysing Security without Risk: Testbeds

The increased level of security in control systems requires not only the inclusion of defensive measures, such as security tools in the form of firewalls, IDS/IPS, etc., but they must also be complemented by other offensive actions, such as penetration tests and vulnerability analysis. Carrying out these actions on production environments can greatly disturb the process of the control system and therefore a testbed or test laboratory might provide a solution.

Moreover, the constraints placed on control systems continue to see cybersecurity left at the bottom of the list of priorities, with safety measures for the protection of human life and devices and factors relating to the environment considered more important. The use of testbed and test laboratories that help integrate cybersecurity by design of control systems is increasingly essential.

What is a testbed and what is it used for?

A testbed is no more than a controlled environment in which to carry out all kinds of actions in a secure and isolated manner without prejudicing the process being controlled. In these environments, the typical actions of control processes are carried out, such as process monitoring, data collection, specific process real devices (PLC, engines, sensors, actuators, etc.), HMI and supervisory equipment; and they emulate sector technology. With all this material, the aim is to collect the maximum possible information in relation to exposure to different types of attacks and the impact that they might have through the necessary monitoring tools.

-Example of testbed architecture-

A testbed has two operating modes. On the one hand is to serve as a cybersecurity test environment to establish the impact of potential attacks on real infrastructures, and on the other it serves as an environment for research into, and raising awareness of, cybersecurity for control systems. As a test environment the mission is clear: to establish the scope of an attack or the level of security of an entire infrastructure. As a research environment, the mission consists of testing the efficiency of different intrusion detection methods or mitigation measures, along with forensic analysis.

Collection of Information

Process information obtained through simulation or testing using a testbed comes in two forms:

• Static data: encompasses all those aspects that define the control process. This includes documentation like manufacturer datasheets, electronics diagrams, network diagrams, functional specification, programming, etc. All of this information is very valuable for making an initial selection of the tests to be carried out or of the information that is hoped to be obtained through the process. It also allows for the identification of standards and best practice to apply, along with the identification of possible vulnerabilities

• Dynamic data: those gathered during normal operation of the process or under the conditions the testbed is subject to. Among dynamic information, we can highlight the different logs available on equipment, the network messages exchanged or the changes that may have been introduced during operator job.

The information collected, whether static or dynamic, requires advance analysis in order to obtain the data that allows for the improvement of both the operation of the industrial process and the application of different security measures that elevate the level of security.

Tests and Scenarios

The tests to be carried out on a specific testbed will differ based on the results sought. If you want to test cyber resilience the actions performed will be very different from a penetration test.

Basically, the tests and scenarios can be classified as follows:

• Attacks and network monitoring: Network attacks include man-in-the-middle (MitM) type attacks as well as ARP, DNS, etc. spoofing. These attacks attempt to demonstrate the level of security that the incorporation of new equipment and attack techniques and the strength of the configuration applied in the increasingly extended Ethernet protocol in the plant networks.
• Network congestion and delay tests: These tests are confined to checking the behaviour of the system in the face of DoS or DDoS type attacks in such a way so as to identify the most fragile equipment and correct the architecture to better protect them.
• Attacks on controllers, sensors and other control devices: Network control equipment constitutes a greater risk for the industrial process. If control of a device is lost in this network, the process can be modified which can lead to losses in the millions for the company as a result of damage occurred. This group includes attacks arising from modifications to firmware in the devices and software injection attacks with the intention of executing malicious code.
• Attacks on devices based on commercial operating systems, (HMI, engineering station, etc.): Some parts of control system devices use commercial operating systems (Windows, Linux, etc.) but are not equipped with antivirus/antimalware protection. Attacks targeting these items of equipment are related to malware and can arise from both removable devices (CDs, USBs, etc.) or from the network (possible accesses from corporate network, etc.).

Public and Private Testbeds: RNLI and Testbeds in Spain

Testbeds have been traditionally linked to universities, where research was primarily carried out. Today there are numerous companies who have their own laboratories which they use to train employees, test new security tools and investigate new attack vectors that might affect control systems.

From the public sector, there have been attempts to foster different initiatives to make these available to companies that need these types of tests.

At European level, ENISA Agency recommends that members states create these types of environments (see report Protecting Industrial Control Systems). In fact, the ERNCIP INVENTORY initiative provides a tool with which we can identify the existing testbeds at European level.

In the United States, there is an entity called the National SCADA Test Bed, housed within the United States Department of Energy, which combines the capacities of a national network of laboratories with the experience of researchers, developers and analysts to discover and treat vulnerabilities and threats that affect industrial components.

On the domestic front, the RNLI (Spain's National Grid of Industrial Laboratories) is a success. It seeks to balance security supply and demand in industrial environments at national level, promote laboratory capacities, foster collaboration and cooperation between the stakeholders involved, create new services and elevate the security level of infrastructures supported by Industrial Control Systems.

Within one year of being set up, the RNLI already has 21 national laboratories belonging to 17 different organisations. On the other hand, 5 projects have arisen on a collaborative basis from this entity.

Don't you think it's about time you carried out an analysis of your control system?