Anatomy of a Red Team Attack: Page 4 of 4
guard shack on several occasions. “I could have grabbed a handful of badges, because they were just hanging there, or I could have sneaked out the back and gone on into the plant,” says Bodungen. He does neither. But he is there long enough to observe the strict exit procedures practiced by the guard; Bodungen calls Pollet and advises him not to try leaving by the front gate—the original plan—but to instead exit the same way he entered, through the rear perimeter.
Meanwhile, Bodell and Turner are trying a different penetration approach. During surveillance, the team had identified an office building that is not within the plant fence boundaries, but has cables running from it into the plant environment.
They suspect the building may be on the plant network. Dressed in office casual clothing, they enter through the front door, walk past an unmanned security desk, ignoring the sign-in sheet, and proceed unchallenged into the building. “We have our laptops out, with antennas sticking out, looking around as though we’re doing a wireless signals survey,” says Bodell. “But
The pair locate a printer room, where they attach and conceal a wireless access point, then quickly leave the building. Back in their car in a nearby lot, they successfully connect to the access point, and find themselves on the plant network. They call Pollet, who is still in the plant control room, and tell him to retrieve his access point and get out. “Since we had an access point working outside, we didn’t need to risk having to do the more difficult penetration back into the plant later to retrieve an access point there,” Bodell explains.
Bodell and Turner drive to the plant front gate and pick up Bodungen, then pick up Pollet exiting the plant at the designated spot, and the team goes home for the day.
From here on, the physical work is done, and the rest of the Red Team attack is cyber penetration testing. With an access point in place, team members are free to come back, park on a nearby street or in a plant parking lot, and take their time probing the network. “We usually choose a time that’s late at night on the weekend, or maybe at 5 p.m. on a Friday so the cars are still there and we don’t look suspicious,” says Bodell.
“At this point, since we have access to a production plant network, our next steps have to be really careful ones, because we don’t want to shut the plant down,” Bodell observes. While probing the network, the team may grab screen shots or evidence data to prove that they were there. Depending on the client contract rules of engagement, the team may stop the test once network administrator access is obtained, for example, or when it achieves whatever is deemed to be “the keys to the city,” as Bodell puts it.
Wrap up
At the end of an engagement, Industrial Defender’s Red Team consultants provide a complete report with narrative, photos and screen shots detailing vulnerabilities uncovered and mitigation recommendations.
Commonly encountered cyber vulnerabilities include uninstalled control system software patches that are not yet on vendors’ approved patch lists, says Bodell, as well as weaknesses involving unsecured legacy network hardware. The team typically stresses the importance of “layered” security defenses. On the physical side, fixes often include obvious items such as repairing holes in perimeter fences and correctly positioning motion sensors. The team often also recommends stepped-up user awareness training and testing for plant guards, control staff and other employees.
In all, the Industrial Defender consultants have performed a total of five full-blown Red Team tests, in each case achieving their objective without being discovered. Based on what they’ve seen to date, the team believes that most industrial plants could benefit from better coordination between traditionally separate cyber security and physical security staffs.
“One thing that is important for companies to understand is that even if they have strong cyber controls, their physical security, or lack thereof, can also provide a huge attack vector into their process control networks,” Bodungen advises.
For more information, search keywords “cyber security” and “physical security” at www.automationworld.com.