Home > Research > Publications & Outputs > Risk-Based Safety Scoping of Adversary-Centric ...

Electronic data


Text available via DOI:

View graph of relations

Risk-Based Safety Scoping of Adversary-Centric Security Testing on Operational Technology

Research output: Contribution to Journal/MagazineJournal articlepeer-review

E-pub ahead of print
Article number106481
<mark>Journal publication date</mark>30/06/2024
<mark>Journal</mark>Safety Science
Publication StatusE-pub ahead of print
Early online date29/02/24
<mark>Original language</mark>English


Due to the recent increase in cyber attacks targeting Critical National Infrastructure, governments and organisations alike have invested considerably into improving the security of their underlying infrastructure, commonly known as Operational Technology (OT). The use of adversary-centric security tests such as vulnerability assessments, penetration tests and red team engagements has gained significant traction due to these engagements' goal to emulate threat actors in preparation for genuine cyber attacks. Challenges arise, however, when performing security tests on these as the nature of OT results in additional safety and operational risk needing to be considered. This paper proposes a framework for incorporating the assessment of safety and operational risks within an overall scoping methodology for adversary-centric security testing in OT environments. Within this framework, we also propose a hybrid testing model derived from the Purdue Enterprise Reference Architecture and the Defense in Depth model to identify and quantify safety and operational risk at a per-layer level, separating high and low-risk layers and being subsequently used for defining rules of engagement. As a result, this framework can aid vendors and clients in appropriately scoping adversary-centric security tests so that depth-of-testing is maximised while minimising the risk to safety and to the operational process. The framework is then evaluated through a qualitative study involving industry experts, confirming the framework's validity for implementation in practice.