Home > Research > Publications & Outputs > An Analysis of Adversary-Centric Security Testi...

Electronic data

  • IT_vs_OT_DTRAP

    Rights statement: © ACM, 2022. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Digital threats: Research and practice, 4, 1 (2023) https://dl.acm.org/doi/10.1145/3569958

    Accepted author manuscript, 718 KB, PDF document

    Available under license: CC BY-NC: Creative Commons Attribution-NonCommercial 4.0 International License

Links

Text available via DOI:

View graph of relations

An Analysis of Adversary-Centric Security Testing within Information and Operational Technology Environments

Research output: Contribution to Journal/MagazineJournal articlepeer-review

Published

Standard

An Analysis of Adversary-Centric Security Testing within Information and Operational Technology Environments. / Staves, Alex; Gouglidis, Antonios; Hutchison, David.
In: Digital Threats: Research and Practice, Vol. 4, No. 1, 14, 31.03.2023, p. 1-29.

Research output: Contribution to Journal/MagazineJournal articlepeer-review

Harvard

APA

Vancouver

Staves A, Gouglidis A, Hutchison D. An Analysis of Adversary-Centric Security Testing within Information and Operational Technology Environments. Digital Threats: Research and Practice. 2023 Mar 31;4(1):1-29. 14. Epub 2023 Feb 9. doi: 10.1145/3569958

Author

Bibtex

@article{68485d1ce8f147aab97aeb1dbf8838fd,
title = "An Analysis of Adversary-Centric Security Testing within Information and Operational Technology Environments",
abstract = "Assurance techniques such as adversary-centric security testing are an essential part of the risk assessment process for improving risk mitigation and response capabilities against cyber attacks. While the use of these techniques, including vulnerability assessments, penetration tests, and red team engagements, is well established within Information Technology (IT) environments, there are challenges to conducting these within Operational Technology (OT) environments, often due to the critical nature of the OT system. In this paper, we provide an analysis of the technical differences between IT and OT from an asset management perspective. This analysis provides a base for identifying how these differences affect the phases of adversary-centric security tests within industrial environments. We then evaluate these findings by using adversary-centric security testing techniques on an industrial control system testbed. Results from this work demonstrate that while legacy OT is highly susceptible to disruption during adversary-centric security testing, modern OT that uses better hardware and more optimised software is significantly more resilient to tools and techniques used for security testing. Clear requirements can, therefore, be identified for ensuring appropriate adversary-centric security testing within OT environments by quantifying the risks that the tools and techniques used during such engagements present to the operational process.",
keywords = "Industrial Control Systems, Operational Technology, Information Technology, Security Testing, Risk",
author = "Alex Staves and Antonios Gouglidis and David Hutchison",
note = "{\textcopyright} ACM, 2022. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Digital threats: Research and practice, 4, 1 (2023) https://dl.acm.org/doi/10.1145/3569958",
year = "2023",
month = mar,
day = "31",
doi = "10.1145/3569958",
language = "English",
volume = "4",
pages = "1--29",
journal = "Digital Threats: Research and Practice",
publisher = "ACM",
number = "1",

}

RIS

TY - JOUR

T1 - An Analysis of Adversary-Centric Security Testing within Information and Operational Technology Environments

AU - Staves, Alex

AU - Gouglidis, Antonios

AU - Hutchison, David

N1 - © ACM, 2022. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Digital threats: Research and practice, 4, 1 (2023) https://dl.acm.org/doi/10.1145/3569958

PY - 2023/3/31

Y1 - 2023/3/31

N2 - Assurance techniques such as adversary-centric security testing are an essential part of the risk assessment process for improving risk mitigation and response capabilities against cyber attacks. While the use of these techniques, including vulnerability assessments, penetration tests, and red team engagements, is well established within Information Technology (IT) environments, there are challenges to conducting these within Operational Technology (OT) environments, often due to the critical nature of the OT system. In this paper, we provide an analysis of the technical differences between IT and OT from an asset management perspective. This analysis provides a base for identifying how these differences affect the phases of adversary-centric security tests within industrial environments. We then evaluate these findings by using adversary-centric security testing techniques on an industrial control system testbed. Results from this work demonstrate that while legacy OT is highly susceptible to disruption during adversary-centric security testing, modern OT that uses better hardware and more optimised software is significantly more resilient to tools and techniques used for security testing. Clear requirements can, therefore, be identified for ensuring appropriate adversary-centric security testing within OT environments by quantifying the risks that the tools and techniques used during such engagements present to the operational process.

AB - Assurance techniques such as adversary-centric security testing are an essential part of the risk assessment process for improving risk mitigation and response capabilities against cyber attacks. While the use of these techniques, including vulnerability assessments, penetration tests, and red team engagements, is well established within Information Technology (IT) environments, there are challenges to conducting these within Operational Technology (OT) environments, often due to the critical nature of the OT system. In this paper, we provide an analysis of the technical differences between IT and OT from an asset management perspective. This analysis provides a base for identifying how these differences affect the phases of adversary-centric security tests within industrial environments. We then evaluate these findings by using adversary-centric security testing techniques on an industrial control system testbed. Results from this work demonstrate that while legacy OT is highly susceptible to disruption during adversary-centric security testing, modern OT that uses better hardware and more optimised software is significantly more resilient to tools and techniques used for security testing. Clear requirements can, therefore, be identified for ensuring appropriate adversary-centric security testing within OT environments by quantifying the risks that the tools and techniques used during such engagements present to the operational process.

KW - Industrial Control Systems

KW - Operational Technology

KW - Information Technology

KW - Security Testing

KW - Risk

U2 - 10.1145/3569958

DO - 10.1145/3569958

M3 - Journal article

VL - 4

SP - 1

EP - 29

JO - Digital Threats: Research and Practice

JF - Digital Threats: Research and Practice

IS - 1

M1 - 14

ER -