Risk-Based Safety Scoping of Adversary-Centric Security Testing on Operational Technology

Staves, Alexander and Gouglidis, Antonios and Maesschalck, Sam and Hutchison, David (2024) Risk-Based Safety Scoping of Adversary-Centric Security Testing on Operational Technology. Safety Science, 174: 106481. ISSN 0925-7535

Text (Risk_Based_Scoping_of_Adversary_Centric_Security_Testing-accepted) - Accepted Version
Restricted to Repository staff only until 1 January 2040.
Available under License Creative Commons Attribution.
Download (0B)

Text (Risk_Based_Scoping_of_Adversary_Centric_Security_Testing-accepted)
Risk_Based_Scoping_of_Adversary_Centric_Security_Testing-accepted.pdf - Accepted Version
Available under License Creative Commons Attribution.
Download (859kB)

Abstract

Due to the recent increase in cyber attacks targeting Critical National Infrastructure, governments and organisations alike have invested considerably into improving the security of their underlying infrastructure, commonly known as Operational Technology (OT). The use of adversary-centric security tests such as vulnerability assessments, penetration tests and red team engagements has gained significant traction due to these engagements' goal to emulate threat actors in preparation for genuine cyber attacks. Challenges arise, however, when performing security tests on these as the nature of OT results in additional safety and operational risk needing to be considered. This paper proposes a framework for incorporating the assessment of safety and operational risks within an overall scoping methodology for adversary-centric security testing in OT environments. Within this framework, we also propose a hybrid testing model derived from the Purdue Enterprise Reference Architecture and the Defense in Depth model to identify and quantify safety and operational risk at a per-layer level, separating high and low-risk layers and being subsequently used for defining rules of engagement. As a result, this framework can aid vendors and clients in appropriately scoping adversary-centric security tests so that depth-of-testing is maximised while minimising the risk to safety and to the operational process. The framework is then evaluated through a qualitative study involving industry experts, confirming the framework's validity for implementation in practice.