Insights into hacking Critical National Infrastructure, exploring OT security, real-world pen testing, and what’s at stake when cyber attacks turn physical.

Tales From the CyberLab: Episode 21

Hacking Critical National Infrastructure Explained

with Steve Clarke, Head of Penetration Testing at CyberLab

What happens when cyber attacks move beyond data loss and start disrupting the physical systems we rely on every day? ⚡

In this episode of Tales from the CyberLab, Adam Myers is joined by Steve Clarke, Head of Penetration Testing at CyberLab, to unpack the reality of hacking Critical National Infrastructure. From energy and transport to water and healthcare, they explore how Operational Technology systems work, why they are such attractive targets, and what makes securing them so different from traditional IT environments.

Across the conversation, they dive into real‑world OT pen testing, including lessons from testing major infrastructure projects like water facilities and train lines. The discussion highlights the human side of OT security, the risks of legacy systems, and what is truly at stake when cyber resilience fails. A must‑listen for security leaders, engineers, and anyone responsible for systems where downtime is not an option.


Meet Our Guest

Steve Clarke, Head of Penetration Testing at CyberLab

Steve Clarke is Head of Penetration Testing at CyberLab, leading the specialist testing function that underpins the organisation’s technical capability. A CHECK Team Leader and CREST Certified Infrastructure Tester (CCT INF), Steve brings seven years of hands‑on experience, including four years at Armadillo Sec before joining CyberLab. He oversees testing across infrastructure, web applications, Active Directory and Operational Technology environments, with a strong focus on clear, actionable insight. Through his commitment to quality and precision, Steve helps organisations across the UK understand risk, strengthen resilience and make confident security decisions.

Hacking Critical National Infrastructure Explained

Best Practices & Lessons Learned

This one‑pager distils the key lessons from Episode 21 of Tales from the CyberLab, exploring what happens when cyber attacks move beyond data loss and into real‑world disruption.

Focused on Critical National Infrastructure, it highlights the unique risks facing Operational Technology environments, from legacy systems and human factors to why traditional IT security approaches fall short. A concise resource for anyone responsible for systems where safety, uptime, and resilience are critical.

Episode Transcript

Adam Myers:

Hello and welcome to our podcast, Tales from the CyberLab. My name’s Adam Myers, I’m the Sales Director here at CyberLab, and I’ll be your host for today. Joining me is Steve Clarke, who heads up our Pen Testing division. Welcome, Steve.

Steve Clarke:

Hi. Yeah, my name is Steve, I manage the Pen Testing team here at CyberLab, and I’ve been working in the industry myself for 15 years. I now manage a very skilled and diverse team, many of whom have experience in OT testing, and we have a good understanding of the differences from traditional IT testing.

Adam Myers:

So I guess Steve, just to set the scene, what is Critical National Infrastructure? And I guess, why is it a target for hackers?

Steve Clarke:

Critical National Infrastructure is the backbone of all the systems that run society. They run our power, our transport, our health. So the impact of an attack against these systems is much higher than against traditional IT systems.

Adam Myers:

And I guess some of them have been in for years, so there’s a lot of legacy systems and obviously the backbone of the UK – I guess they are a target, but there’s also an element where it might be really legacy kit or a legacy operating system.

Steve Clarke:

Yeah. The shelf life for IT kit could be three to five years; with operational technology, these are industrial systems that could be running for 15 to 20 years. Quite often they’re running 24/7, so they’re not rebooted. And patching is an issue as well. So these systems are quite fragile, a very good target for attackers. But the main thing is that the impact of an attack against such infrastructure is much higher due to this.

Adam Myers:

Brilliant, Steve. So I guess our first question and topic is when people hear Pen Testing, they often refer to or think of websites and corporate networks. How does testing OT environments differ from traditional IT Pen Testing?

Steve Clarke:

So IT Pen Testing, you’re obviously on a typical network, you’re scanning or testing servers and systems that most people use on their day-to-day lives. Industrial processes/operational technology controls the processes of signals and then manipulates those systems and processes. So they’ll be heavily used in manufacturing lines, transport networks, energy: so gas, water, electric. And so these systems are reading real-world signals and making decisions based on those.

Adam Myers:

Brilliant. So I guess there’s an element of trust with the engineers on site, isn’t it? Because if these systems are legacy, they’ve been in, there’s probably an element of trust that you’re trying to build with the engineers on site, whereas I guess in an IT Pen Test or a traditional Pen Test we might be testing a system that’s relatively new. It’s building that trust with engineers, isn’t it? And I guess you’re also probably going to be in different locations, and you were talking earlier off-camera about a water tower once, and that’s not a usual environment to go and do a Pen Test, is it?

Steve Clarke:

Yeah, of course. So compared to a traditional Pen Test where you kind of scope it and everyone’s pretty much on board and knows what’s going to happen, an OT test needs to have a lot more preparation, risk assessment and discussions with the engineers on the floor who are working with this kit. As you mentioned, a lot of it is legacy kit and we can’t just go in there and fire our tools at it because yeah, we’re going to take something down.

Adam Myers:

Is that the impact it could have? So for example, the tools that you use in your Pen Test teams, obviously they’re not widely available, they’re very sensitive. You work to CREST and CHECK standards and all those good things. The impact could be that that could take down, I don’t know, the water network, for example. So we have to be really sensitive of how we do that.

Steve Clarke:

Yeah. Water contamination, power outages, the impact is quite high. So obviously people are reluctant for us to go onto their networks and test them as we would in a normal penetration test. So it’s very much around building the relationship, the trust and speaking with the engineers, doing an adequate risk assessment, and obviously these are legacy systems. These might be 10, 15 years old. So if we go in there and use our modern tools against them, we don’t know what’s going to happen with this. Whereas in IT, a Windows server we know can handle it, but these PLCs, RTUs and whatever kit they’ve got in there could be very volatile.

Adam Myers:

And I guess for you as well, you’ve got to get to know what you’re testing and learn a bit about this sort of system that you’re actually going to do. So for you, there’s an element of trying to build a bit of how you actually operate and work that technology as well.

Steve Clarke:

Exactly. Yeah. So it’s very much working with the customer, working out the best way to test the components or the environment. Quite often with some parts of it, they have a test bed, kind of a test environment, which is a replica of live hopefully. So we can sometimes go in there and test things a bit more thoroughly without some risk. But at the end of the day, it needs to be realistic to the production environment because that’s what the attackers are targeting.

Adam Myers:

Thank you, Steve. So what are some of the biggest vulnerabilities you see in OT environments today and why are they more vulnerable than other environments?

Steve Clarke:

Okay. So first of all, as mentioned, they are usually legacy systems, old, unsupported operating systems. They probably haven’t been updated for a while. The updating probably needs to happen in a maintenance window. Most of these systems need to have 100% uptime. So it’s very tricky for the engineers to regularly patch them.

Adam Myers:

And also finding that maintenance window, you often find there’ll be change freezes or there’ll be something that impacts that system. So I guess you don’t always get those maintenance windows, do you, which then causes a potential risk and vulnerability which we just don’t have time to fix or which doesn’t impact the network.

Steve Clarke:

Absolutely.

Adam Myers:

So we talked about outdated unpatched systems. I guess there’s also things like misconfiguration of firewalls, which maybe you can allude to.

Steve Clarke:

Yeah, absolutely. So firewalls are a key defence in these environments, obviously industrial firewalls and switches. Most of these environments are air gapped, so they aren’t connected to the internet. And some of the testing we do is to obviously verify that that is the case. Firewalls often have temporary rules in them that become permanent or forgotten about, or there are weaknesses in the firewall that just have been there and haven’t been identified. Sometimes it’s due to the reluctance to having the environment tested because obviously they don’t know about these risks, so they’re unknown. Similarly, assets as well, there’s not the asset discovery or register. So a lot of these devices are unknown. So just going in there to identify the devices is the first step.

Adam Myers:

And we see that a lot in even just general IT, like you don’t know what’s on the network. Somebody probably has a spreadsheet somewhere that they’re doing. So I guess it’s hopefully a little bit more sophisticated, but there’s always an issue with visibility of assets and that happens in most businesses. And I guess at that level it’s critical.

Steve Clarke:

And also communications, we’re all used to in IT, pretty much everything being encrypted these days. You go to a website, it’s encrypted, you have a chat, it’s encrypted. A lot of the OT protocols are usually unencrypted, clear over the wire. So if someone can get on the network and listen to the traffic, it’s pretty much going to be in the clear. And that’s where the issues can spawn from as well, because you can manipulate those values on the wire and cause systems to, for example, temperature monitoring.

Adam Myers:

So you could manipulate that or you could do something to cause an impact?

Steve Clarke:

Just keep saying it’s 20 degrees, 20 degrees, but actually it’s 60 degrees and going up.

Adam Myers:

There’s a risk of fire and stuff like that.

Steve Clarke:

Yeah.

Adam Myers:

Yeah. Amazing. You mentioned air gapping. Just for our listeners at home, sounds great. Can you just explain what air gapping is and why it’s important?

Steve Clarke:

So it’s all about network segmentation. So the OT devices, they shouldn’t be accessible from the internet and they shouldn’t be able to get out to the internet really. They should be completely air-gapped and separate and away from the networks.

So there’s no way for an attacker to get in via the networks. Obviously the advent of the industrial internet of things is changing those things. We’re finding there is a crossover now to the IT side of things.

Adam Myers:

Because I guess IoT has gone through the roof, hasn’t it really, in terms of what we see. We work very closely with the partner Forescout, great at sort of segmentation and looking at networks and whatnot, but it also discovers a lot of IoT devices that a lot of people don’t even know they have. And it’s kind of smart fridges. I think my washing machine at home is always trying to connect to the internet now, which I don’t need it to do, but that has really risen in the last, say, five years. And I guess that is a big risk as well at the same time.

Steve Clarke:

Yeah, absolutely. And yeah, the industrial internet of things is the industrial standard for what we have at home.

Adam Myers:

I think that was very interesting, Steve. So do you have any examples of maybe where a system’s been compromised that you can maybe share with our business?

Steve Clarke:

So the big one that everyone knows about is the Stuxnet worm that happened quite a few years back now. And this was the first real-world example of an attack against an OT system that had a physical consequence, and this obviously made big news and it’s what kind of started people being interested in testing their OT environments and realising that the air gap isn’t necessarily a prevention. I think Stuxnet’s entry point was through USB devices that obviously an engineer at some point had plugged into the network, so they bypassed the air gap in that way. So yeah, it’s obviously important that we have the physical controls, but the people matter as well, the engineers. Obviously the same with IT, the human is a risk, because you pick up a USB stick and-

Adam Myers:

-you do a lot of damage. And I guess hackers are always trying to manipulate that sort of social engineering, and I guess that’s what you do with a lot of your testing. Often you’re trying to manipulate or get the human to do something that potentially will open doors. And is that what you’re sometimes trying to do in those environments, stress test the interaction the human might have with the network, for example?

Steve Clarke:

Yeah, of course we can do kind of social engineering phases if needed. We can do an assessment of the physical controls of the environment. These are all important factors as well as testing the systems themselves.

Adam Myers:

Before we jump back in, just a quick word on something that I think can make a real difference to your cyber resilience. At CyberLab, we’ve launched HackRisk, your early warning system against cyber threats, and it’s designed to help you manage vulnerabilities before attackers do with continuous monitoring across your external attack surface. It’ll look to monitor the dark web and even third party suppliers and benchmark them against industry standards. So whether you’re a small business without a cyber team, or you just want to stay protected between Pen Tests, HackRisk is your clear actionable reports that you can review weekly with your teams. You need to get a free HackRisk report in under 24 hours and just head over to hackrisk.ai to claim yours and see how exposed your business really is. And that’s HackRisk: because when it comes to cyber threats, what you don’t know can really hurt you.

Adam Myers:

So I guess topic number four, some real-world stories. Our listeners like to understand, there’s a bit of mystery around what you do, so I guess we’re getting some insight into some real-world examples. You’ve worked on some fascinating projects, including certain lines, train lines and whatnot, that you’ve done, I can’t disclose too much. Could you just walk us through what that kind of looked like and what that project’s like?

Steve Clarke:

Yeah, of course. So obviously this was testing for a new train line. We were lucky enough, as mentioned earlier, to have a test bed environment for most of it. So we had a train station set up with the signals, the cameras, the visual signs, everything. So we were quite lucky. I could pretty much go in there and test everything thoroughly without impacting any transport or train lines.

Adam Myers:

So again, that goes back to that unique example of like the water tower, for example. You’re in very different scenarios there, aren’t you? Which is kind of new to you and I guess probably part of the job, but it’s different, isn’t it?

Steve Clarke:

It’s very different. The water tower example, we had to walk through some marshes to get there. Once in the bottom of the water tower, obviously the kit was there going up to the top of the tower, it was telemetry for the communications from there to-

Adam Myers:

Good with heights?

Steve Clarke:

Luckily, I didn’t have to go up. It was all at the ground floor, but obviously getting there, it’s all about safety and risk management again for people and for the systems. But yes, you’re not normally sitting in an office or a data centre when you’re testing OT, you’re out in the industrial environments.

Adam Myers:

So I guess that train line that you tested, what did that entail?

Steve Clarke:

So that pretty much covered all the kinds of testing we do. So from build reviews of the servers, configuration reviews of the PLCs and RTUs, firewalls, switch config reviews, they had some software as well, which we reviewed. And then the other things I mentioned, segregation testing, we did some network sniffing to see what was going over the network, clear-text protocols, etc. And again, we were working very closely with the vendor of the kit as well as the customer to ensure that everything was tested thoroughly and without any impact to them. Even though it was a test bed, it’s still their working environment; they were working on that actively.

Adam Myers:

Yeah, I guess there’s a lot of apprehension for them bringing you on site and doing that, so they kind of want it to go smoothly, but also they need to test the network, don’t they? Otherwise there’s risk, so they need that sort of sign-off that the project’s been delivered. And I guess for our listeners, if anyone is dealing with Critical National Infrastructure, reach out to us. We are skilled in what we do and we have all the sort of accreditations to be able to deliver those projects. So Steve, let’s talk about the consequences and what can go wrong if OT systems are compromised, and I guess how real is that risk?

Steve Clarke:

Yeah. Compromised OT systems can lead to a physical impact and could cause water contamination, blackouts, transport issues, and could even lead to loss of life. So the impact is a lot higher than your traditional data in an IT environment.

Adam Myers:

Because it is the sensitive nature of what that system is sort of maintaining and what the UK infrastructure looks like. It’s a big impact. Let’s talk transport, for example. You probably see the news quite a bit, don’t you, where somebody’s been hit with ransomware or something that’s happened or a vulnerable system, and the big impact that has on everyone’s day-to-day lives; that’s often a hack that has managed to manipulate something there and maybe find a weakness.

Steve Clarke:

Yeah. So that’s why OT networks and environments are active targets for nation state attackers. They can really cause some issues.

Adam Myers:

And also they know that the people, or maybe the engineers, are trying to maintain them, but like you said, the legacy systems are sensitive. They’re also a big target probably because they are legacy systems and because of what they sort of maintain. For nation state attacks, that’s a big area, isn’t it?

Steve Clarke:

They’re, in theory, easy pickings. You can disrupt a lot of the UK, for example, by targeting one of these systems, and the impact and the follow-on effects from that could be huge.

Adam Myers:

So I guess Steve, if you give one piece of advice to organisations who are responsible for Critical National Infrastructure, what would that be?

Steve Clarke:

So it would be, if you haven’t already set up a testing strategy for your OT environment, it’s important that you get it tested and you understand the risks within the environment. As I said, we can do a full risk assessment, build a relationship with the engineers and work through this together so we can be sure there will be no impact to your environment. This way you know the risks and you can keep a proactive monitor on those risks.

Adam Myers:

Amazing. Thank you so much. Really enjoyed this episode, Steve. It’s really good just to sort of understand your day-to-day and what you do here at CyberLab. And that concludes this episode of Tales from the CyberLab. Join us next time for a brand new episode. Until then, stay secure.