An Analysis of Adversary-Centric Security Testing within Information and Operational Technology Environments

Staves, Alex and Gouglidis, Antonios and Hutchison, David (2023) An Analysis of Adversary-Centric Security Testing within Information and Operational Technology Environments. Digital Threats: Research and Practice, 4 (1): 14. pp. 1-29.

[thumbnail of IT_vs_OT_DTRAP]
Text (IT_vs_OT_DTRAP)
IT_vs_OT_DTRAP.pdf - Accepted Version
Available under License Creative Commons Attribution-NonCommercial.

Download (735kB)


Assurance techniques such as adversary-centric security testing are an essential part of the risk assessment process for improving risk mitigation and response capabilities against cyber attacks. While the use of these techniques, including vulnerability assessments, penetration tests, and red team engagements, is well established within Information Technology (IT) environments, there are challenges to conducting these within Operational Technology (OT) environments, often due to the critical nature of the OT system. In this paper, we provide an analysis of the technical differences between IT and OT from an asset management perspective. This analysis provides a base for identifying how these differences affect the phases of adversary-centric security tests within industrial environments. We then evaluate these findings by using adversary-centric security testing techniques on an industrial control system testbed. Results from this work demonstrate that while legacy OT is highly susceptible to disruption during adversary-centric security testing, modern OT that uses better hardware and more optimised software is significantly more resilient to tools and techniques used for security testing. Clear requirements can, therefore, be identified for ensuring appropriate adversary-centric security testing within OT environments by quantifying the risks that the tools and techniques used during such engagements present to the operational process.

Item Type:
Journal Article
Journal or Publication Title:
Digital Threats: Research and Practice
Additional Information:
© ACM, 2022. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Digital threats: Research and practice, 4, 1 (2023)
?? industrial control systemsoperational technologyinformation technologysecurity testingrisk ??
ID Code:
Deposited By:
Deposited On:
04 Nov 2022 16:25
Last Modified:
15 Jun 2024 00:27