Testing the Un-Testable presented at NISC 2014

by Ross Paterson

Summary: SCADA (supervisory control and data acquisition) systems are used to control much of the country’s national infrastructure and are increasingly becoming a target for hackers. Despite being seen as a soft target for hackers, SCADA systems are still fragile and pose a number of unique difficulties from a penetration testing standpoint. SCADA systems are a convergence point of the virtual and physical, running in an ‘always on’ world where downtime is unacceptable. Penetration testing in this arena is high risk due to the potential to cause system failure, which in SCADA could cause physical damage, loss of critical services and even loss of life. This session will discuss some of the fundamental problems that make SCADA ‘un-testable’ and some of the techniques that can be used to mitigate the risks.