
Robots welding in a car factory ©iStock/WangAnQi
  • Industry News

Special challenge for CRITIS and industry: "Pentesting is usually very individual"

The idea of commissioning a pentest is quickly born. But what does the company have to face? We spoke with a pentester who reports from practice and provides exciting insights.

Pentests can significantly increase IT security in companies, but the range of services is large and it is not easy to find the right provider. If you want to get the most out of a penetration test, it is not possible without preparation. The area of critical infrastructures (CRITIS) and industrial security have additional requirements.

Companies rarely know all the dangers to which their IT systems are exposed. Security service providers therefore offer to detect vulnerabilities. Various organisational and economic aspects play a role in finding the right decision criteria for selecting the appropriate offer.


Pentests are standard for detecting vulnerabilities

So-called penetration tests are a standard means of analysing vulnerabilities. Security specialists act as if they were attackers and attack a company with the tools and methods real attackers use. It is "a simulated attack on the client's IT components to check their security. This can be an app on a mobile phone or a web service, but also an entire company network or a data centre," explains pentest expert Timo Müller. He has been conducting penetration tests for TÜV Informationstechnik (TÜViT), a subsidiary of TÜV NORD Group, for many years. "We are a BSI-approved and certified IT security service provider," he adds. This is also a distinguishing feature among providers, "because by no means all providers have had themselves certified," Müller explains. Certification goes even further, because individual employees can also be certified. But experience and references should also be taken into account when choosing a provider, Müller recommends. "References provide information about the size of the companies belonging to the service provider's clientele and the sectors represented," he adds. Another factor is independence from product vendors: "many of them also sell software, so there may be a lack of neutrality," says Müller, adding: "In our case, data protection experts are usually also involved, and we can draw on sector and industry expertise from other areas of TÜV NORD."


KRITIS and Industrial Security with special requirements

Most pentesters are guided by international standards. These are particularly important for operational technology (OT) security, also commonly referred to as industrial security. Not all providers have mastered pentesting in this segment, production plants for example, but it is becoming increasingly important. "Industrial security brings its own challenges, and the KRITIS requirements also contribute to this," Müller confirms. As a result, many companies are forced to pay more attention to the IT security of their industrial plants. With the amendment of the IT Security Act, the KRITIS area was recently expanded. Müller reports: "This means that more industries are obliged to take additional security measures, and more pentests are being carried out." Affected companies often have to comply with standards such as IEC 62443, which deals with IT security in industrial communication networks. "This involves the certification of components used in the industrial environment; this is currently still voluntary, but an obligation is being discussed," Müller reports. Depending on the certification level, pentests are also required. He therefore recommends: "In general, penetration tests should always be an integral part of a product development process, a system acceptance or a secure operating process."


Pentests require time and money

The extensive tests are costly and take time. "While a conventional small business network can be tested in a week, testing a complete production line of, say, a chemical company takes at least two to three weeks," Müller explains. "But you can also set a certain focus for the test," he qualifies. The costs depend on the amount of work involved. Müller explains: "Web applications start in the upper four-digit range; typical company networks or production lines, on the other hand, are in the five-digit range."

In order for customers to get the maximum benefit from a pentest, certain preparations are necessary. "We need technical contacts, because access points may have to be set up on site or other measures taken," the expert explains. Furthermore, security service providers already contracted by the customer must be approachable. Technical documentation is also needed, but not all customers have it. "Then it becomes a black-box test, which requires detective work because, for example, the components in the network have to be determined first," he says. Some clients, however, explicitly ask for black-box testing and want the pentesters to see what can be found out without any prior information. "Pentesting is usually very individual," Müller sums up.

Information on the technology and methodology of pentesting can be found in another article.

Author: Uwe Sievers