Anatomy of a Red Team Attack
It’s 2 a.m. at a major industrial facility, and about 20 yards from the rear perimeter, two figures dressed in full camouflage gear are slinking along the tree line just outside the plant fence. They’re wearing backpacks and carrying various paraphernalia, pausing occasionally to peer through night vision monoculars to scan the plant perimeter.
Suddenly, a plant guard patrol vehicle rounds the corner of a building, its headlights shining in the direction of the pair. Both quickly drop, falling on their bellies in the mud and standing water from the previous night’s rain. The guard vehicle passes, and the pair remain undetected.
Minutes later, the two figures reach a spot where trees and tall grass provide some cover; they pull out a laptop computer and attach an antenna, which they aim toward the plant campus. They remain in the area for an additional two hours, deploying their gear to scan for radio frequencies emanating from the plant, while observing guard patrol schedules and looking for holes in the fence or other perimeter breach points. At around 4 a.m., the pair end their surveillance and sneak away undetected.
Only a few days later, the intelligence gathered during the nighttime surveillance by these two individuals—members of a four-man covert team—will be put to use, together with information from other daytime and nighttime reconnaissance visits. In broad daylight, the team will use what they’ve learned to send one of their members through a weak point in the perimeter fence and into the plant campus.
Once inside, this individual, disguised as a contractor, will brazenly walk directly into the plant’s control room, where he will plug his laptop computer into the plant’s control network. Meanwhile, another of the team members will be simultaneously attempting to talk his way past the guard at the plant’s front gate. At the same time, the team’s other two members will be infiltrating a nearby plant office building. None of these covert activities will be discovered by plant security, though the second imposter will be held up by a suspicious front-gate guard.
Covert operations
These men could have been bad guys, intent on doing harm. Thankfully, however, they were only posing as bad guys—members of an industrial “Red Team” hired by the plant’s owner. The team’s mission: to covertly gain access to the plant’s critical control systems, using whatever means necessary, short of doing any harm.
“A Red Team test is basically an all-out attempt to gain access to the client’s systems, whether it be completely through the network from a remote location, or by gaining physical access at one of their sites that is networked together,” explains Jonathan Pollet, one of the four Red Team members, and founder of PlantData Technologies Inc., a Houston-based industrial security consulting company that was acquired last year by Verano Inc., Mansfield, Mass. Verano recently changed its corporate name, and is now known as Industrial Defender Inc.
The company specializes in cyber security for real-time control and SCADA environments (for supervisory control and data acquisition) in critical infrastructure industries. Clients include oil and gas, chemical, power, water and transportation companies. Pollet serves as vice president of professional services for Industrial Defender, and continues to head up the former PlantData consulting operation, now known as Industrial Defender Consulting Services. Over the past six years, this organization has conducted more than 60 control system cyber security assessments for clients. These range from standard cyber vulnerability assessments to more extensive cyber penetration tests and all-out Red Team attacks.
In most cases, only top personnel at a plant know when a Red Team test has been commissioned. Information technology (IT) and security staffs are not tipped off. “We carry letters from the top people in the [client] company with 24/7 phone numbers, so that if we do get caught, we don’t go to jail that night,” says Clint Bodungen, a security consultant who is a member of the Industrial Defender Red Team.
A Red Team test can sometimes be mostly cyber-based. “If we can penetrate through the Internet, get through the corporate network and find the specific plant network that we’re looking for, then almost all of it is cyber,” says Ty Bodell, another of the Red Team members. But that scenario is rare, he adds; in most cases, a covert physical entry into the plant is required.
A major objective of the physical entry is to attach a wireless access device to the plant network. Once this is accomplished, the team can access the ...