Utilities often focus on offline or passive methods of assessing and protecting their systems. Being able to analyze configurations and evaluate access control lists is a worthwhile pursuit, and it does give utilities a sense of how secure individual systems are at a specific point in time.

In many cases, however, these types of vulnerability assessments fail to take a holistic view of how the entire system functions together, which can result in gaps in the assessment. You may be familiar with the defender’s dilemma, which states that a defender needs to protect everything, while an attacker only needs to find one vulnerability that allows them to accomplish an objective. One approach to gaining a better perspective on a system’s vulnerabilities is through penetration testing, often shortened to pen testing.

Pen testing is a unique type of active online assessment in which the pen tester attempts to find and exploit vulnerabilities in the system or network. This is more than an active vulnerability scan, in which an automated tool enumerates the vulnerabilities in a system. Instead, in a pen test, the tester is attempting to gain access, usually requiring a more hands-on approach than a vulnerability scan. Vulnerability scans and pen tests are often complementary processes, as the pen tester will need to have some idea of the vulnerabilities to exploit them. In some cases, the pen tester is given some level of background information about the systems in question and their known vulnerabilities, while in others the pen tester starts with little or no such information and must discover the cybersecurity vulnerabilities independently.

In general, most utilities do not keep experienced pen testers on staff, instead procuring this expertise from outside providers. A pen testing team often includes multiple individuals with unique and complementary skillsets. For example, one may be an expert at writing exploit code, while another might be proficient in intrusion detection evasion techniques.

The results of any pen test are unique to the specific testing conditions, including the scope of the test and the configuration baselines of the target systems. In other words, don’t expect the results of a pen test of a control system to be applicable to another vendor’s control system, or even another version of the same system. For this reason, it is important to perform pen tests against representative samples of the types of systems in place at the utility. The frequency of testing may vary depending on the criticality of the targeted systems.

Pen tests generally should be performed in a lab or staging environment that closely matches the production systems. Unless there is a high tolerance for downtime, pen testing should not be performed against production systems. The process of exploiting a system can have unforeseen consequences, including the need to rebuild a system from scratch, so avoid pen testing a system that can’t be spared for a few days. If no lab environment is available, it would be wise to reconsider pen testing until such an environment can be implemented.

By John Biasi

John Biasi is a solution architect in the Governance, Risk, Cybersecurity and Compliance Group at Burns & McDonnell. He is also an adjunct professor at the Oklahoma State University Institute of Technology. His primary focus is on protecting critical infrastructure by focusing on risk management in the context of cybersecurity and regulatory compliance. He has extensive experience directing a broad range of IT security initiatives in planning, analysis and implementation of solutions, and he has hands-on experience leading all aspects of network design on high-profile projects. He is an active participant in the NERC Security Integration and Technology Enablement Subcommittee (SITES), Smart Electric Power Alliance (SEPA) and the Utilities Technology Council (UTC), focusing on grid modernization cybersecurity and compliance. John has a bachelor's degree in information technology and a Master of Business Administration in cybersecurity management from Excelsior University.