20/11/2019

Lifecycle Requirements for Industrial Systems #Part 1 “Automated vulnerability testing”

In the area of ISO/IEC 62443-4-1 (Secure product development lifecycle requirements), so-called vulnerability tests are indispensable. In the 4-1 standard, this is defined under ‘Practice 5 – Security verification and validation testing’ in the requirement ‘SVV-3 Vulnerability testing’.

The process of “Vulnerability Testing” requires that at least the following areas are considered:

  • Unexpected malicious input: Tests should be performed to identify vulnerabilities generated by unexpected input. All external interfaces should be tested. Fuzzing tools are used for this purpose.
  • Attack surface analysis: The attack interface should be analysed regularly to identify all incoming and outgoing connections. In addition, it should be determined whether unplanned services are running or whether the active services have the correct rights.
  • Blackbox tests: So-called blackbox tests are designed to identify and remove known system vulnerabilities. Automated vulnerability scanners can be used for this purpose.
  • Compiled software tests: If compiled program parts are available, the executable data must be checked. At least known vulnerabilities, known vulnerable libraries and compiler settings must be checked.
  • Dynamic runtime tests: Dynamic tests are necessary to identify vulnerabilities that cannot be identified by static code analysis tests. Among other things, possible DoS attacks, memory leaks and similar vulnerabilities are to be identified. These tests are to be implemented, if it is possible with tools.

One tool is not sufficient to cover this extensive portfolio. Rather, a combination of different types of tools is required.

  • Fuzzing Tools: The use of a fuzzing software makes sense for testing the unexpected harmful input. Fuzzing software generates semi-random data that can be used as input parameters.
  • Service Scanner: To analyze the attack surface, it is recommended to use a service scanner that is able to identify services and confirm that they are up-to-date.
  • Vulnerabilities Scanner: For black box testing, it makes sense to use an automated testing tool to identify known vulnerabilities.

Limes Security recommends

Companies use different analysis tools to comply with the ISO/IEC 62443-4-1 standard in the SVV-3 requirement. Which ones exactly can be found in part #2 in one of the next blogposts.

 



Should you encounter any inconsistencies or requirements in your company that cannot be handled alone, the IT/OT specialist team at Limes Security is at your disposal – call us today!