
A Security Assessment Methodology for Critical Infrastructures

  • Conference paper
Critical Information Infrastructures Security (CRITIS 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8985)

Abstract

Interest in security assessment and penetration testing techniques has steadily increased. Likewise, the security of industrial control systems (ICS) has become more and more important. Very few methodologies directly target ICS, and none of them generalizes the concept of “critical infrastructures pentesting”. Existing methodologies and tools cannot be applied directly to critical infrastructures (CIs) due to safety and availability requirements. Moreover, there is no clear understanding of the specific output that CI operators need from such an assessment. We propose a new methodology tailored to support security testing in ICS/CI environments. By analyzing security assessment and penetration testing methodologies proposed for other domains, interviewing stakeholders to identify existing best practices adopted in industry, deriving related issues, and collecting proposals for possible solutions, we propose a new security assessment and penetration testing methodology for critical infrastructure.

This work has been partially supported by the European Commission through project FP7-SEC-285477-CRISALIS funded by the 7th Framework Program.




Corresponding author

Correspondence to Marco Caselli.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Caselli, M., Kargl, F. (2016). A Security Assessment Methodology for Critical Infrastructures. In: Panayiotou, C., Ellinas, G., Kyriakides, E., Polycarpou, M. (eds) Critical Information Infrastructures Security. CRITIS 2014. Lecture Notes in Computer Science, vol 8985. Springer, Cham. https://doi.org/10.1007/978-3-319-31664-2_34


  • DOI: https://doi.org/10.1007/978-3-319-31664-2_34

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-31663-5

  • Online ISBN: 978-3-319-31664-2

  • eBook Packages: Computer Science (R0)
