Practical attack simulations in Critical National Infrastructure (CNI): Oh the perils, or oh the fun?

There are two commonly held perceptions when it comes to CNI security: that these environments are under constant threat, and that any form of practical security testing is a bad idea. So how can we provide demonstrable assurance that they are secure?

This talk intends to challenge the perception that practical security testing should be avoided, and will discuss successes, failures, and lessons learned when conducting goal-oriented CNI attack simulations.

The key topics of discussion will focus on:

  • Ignoring theory, what technologies are being used in real-world CNI environments? Where does IT end and Operational Technology (OT) begin when it comes to assets that a targeted attacker would realistically look to compromise, in particular for affecting the availability and integrity of data sources, or gaining the capability to control physical processes? (Hint: it is more IT than you would think.)

  • How can we apply red team methodologies in environments with high stability requirements, while minimising operational risk and testing time?

  • Want to know how to turn off the water, stop the gas, or simply control the control room? Commonly found ways of elevating privileges will be discussed, along with paths for moving towards key asset compromise.

About the Speaker