This assessment seeks to identify the maturity of any technical risk management processes applied to ICS or OT infrastructure, through a combination of policy and procedure review, interviews with appropriate personnel, targeted inspection of equipment, and both passive and active analysis of network connections.
The specific activities performed will vary depending on the environment and the risk profile; however, they typically involve assessment of the following:
- Access control and privilege management.
- Backup and redundancy provision.
- Business continuity and disaster recovery planning.
- Change control and configuration management.
- Credential management.
- Lifecycle support and technical debt.
- Malware protection.
- Network segregation and firewalls.
- Remote access and system management processes.
- Removable media control.
- Safety considerations.
- System hardening and secure baseline configuration.
- Updates and patch management.
Because ICS/OT infrastructure is often associated with potentially dangerous or operationally critical activities, testing is only ever undertaken by suitably experienced and qualified team members and requires careful scoping.
The actual assessment process will generally involve direct interaction with the teams responsible for managing and operating the equipment within scope, and will avoid activities likely to damage equipment or services unless specific provision is in place to repair or replace damaged systems.