Building more resilient CNI: what industry pen testers told us
Pen testers suggest what organisations can do to make their job more difficult.
For those of us working in operational technology here at the NCSC, part of our job is to engage with penetration testers. Also known as ‘pen testers’, it’s their job to try to break into systems, poke holes in your infrastructure and find any weak spots. These can then be patched to improve the system’s resilience against attackers who have the same skills, but bad intentions.
In this blog, we’ll explain what pen testers told us when we asked: ‘What can organisations do to make your job harder?’
The pen testers all felt that when vulnerabilities are found (and they are rarely absent), it’s much easier to implement remediations if the system is ‘secure by design’, meaning it has been designed with security as one of the key requirements from the outset. Designing systems this way lays the groundwork for many of the technical controls that make attacks more difficult to carry out.
One of the clearest examples of ‘secure by design’ is the adoption of network segmentation, particularly where it has been considered as part of the system design rather than added later. Network segmentation involves splitting a network up into smaller segments, either through high-level network design, the use of VLANs or firewalls, or through the management of users or groups with separate accounts for different network areas.
OT systems should always be designed with clear separation between the OT control systems and the rest of your business infrastructure: the IT. From a security standpoint, segmentation helps to prevent hackers from moving laterally through your network, hampering pen testers who may have gained a foothold from making further progress. In the context of OT, this can mean avoiding impacts on your process and a potential loss of availability.
Segmentation is not just about separating IT from OT; it is about controlling what crosses that boundary. Cross domain thinking helps define zones of trust and tightly manage data flows between them. Secure OT connectivity should minimise exposed connections, standardise access routes, and harden boundaries, while privileged access workstations (PAWs) provide trusted devices for privileged administration, reducing shortcuts and making lateral movement harder.
Building on a securely designed and well-segmented environment, logging and monitoring become far more effective. One thing that certainly makes life harder for pen testers (but doesn’t necessarily hinder them) is when a system has:
With both of these in place, you can have fun telling your pen tester whenever you see them popping up and trying things in different parts of your system. A purple team approach (a purple team combines blue teaming and red teaming activities) can help ensure that any vulnerabilities uncovered are understood and remediated.
We can’t stress enough that even the best logging and monitoring capability is useless unless an organisation collects the right data, and responds to that data in the right way. Make sure that alerts are properly investigated, and that incident response plans are built, regularly communicated, and exercised with your teams.
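The segmentation and monitoring advice above comes together at the IT/OT boundary: a zone model, an allow-list of the data flows permitted to cross it, and boundary firewall logs that are actually checked against that list. The following is an added example, not code from the NCSC post or any NCSC tool; the zone address ranges, the permitted flows, the port numbers and the log lines are all constructed for illustration. It flags any cross-zone connection that is not on the allow-list (for example, engineering access to OT from an ordinary IT host rather than a PAW) and separately flags a single non-OT source reaching several distinct OT hosts, the "popping up in different parts of your system" pattern the post describes.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed zone model (hypothetical address ranges, not from the NCSC post).
ZONES = {
    "IT":  ip_network("10.10.0.0/16"),
    "PAW": ip_network("10.30.0.0/24"),      # privileged access workstations
    "DMZ": ip_network("10.20.0.0/24"),      # broker zone between IT and OT
    "OT":  ip_network("192.168.100.0/24"),  # control system network
}

# Allow-list of cross-zone flows: (source zone, destination zone, destination port).
# Any other connection that crosses a zone boundary is a policy violation.
ALLOWED_FLOWS = {
    ("PAW", "OT", 22),     # engineering/admin access to OT only from PAWs
    ("OT", "DMZ", 4840),   # OPC UA data pushed to a historian in the DMZ
    ("IT", "DMZ", 443),    # IT users read the historian over HTTPS
}

# Constructed boundary firewall log lines in a simple key=value format.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z ALLOW src=10.30.0.5 dst=192.168.100.10 proto=tcp dport=22
2024-05-01T09:00:07Z ALLOW src=192.168.100.10 dst=10.20.0.9 proto=tcp dport=4840
2024-05-01T09:01:15Z ALLOW src=10.10.5.23 dst=10.20.0.9 proto=tcp dport=443
2024-05-01T09:02:40Z ALLOW src=10.10.5.23 dst=192.168.100.10 proto=tcp dport=22
2024-05-01T09:02:41Z ALLOW src=10.10.5.23 dst=192.168.100.11 proto=tcp dport=502
2024-05-01T09:02:42Z ALLOW src=10.10.5.23 dst=192.168.100.12 proto=tcp dport=502
2024-05-01T09:05:00Z ALLOW src=192.168.100.11 dst=192.168.100.12 proto=tcp dport=502
"""


def zone_of(ip_str):
    """Map an address to its zone name, or 'UNKNOWN' if it lies outside every zone."""
    addr = ip_address(ip_str)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_line(line):
    """Parse one key=value firewall line into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    try:
        return {
            "ts": parts[0],
            "action": parts[1],
            "src": fields["src"],
            "dst": fields["dst"],
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError):
        return None


def find_violations(log_text):
    """Return events that cross a zone boundary without a matching allow-list entry."""
    violations = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src_zone, dst_zone = zone_of(ev["src"]), zone_of(ev["dst"])
        if src_zone == dst_zone:
            continue  # intra-zone traffic is outside the boundary policy
        if (src_zone, dst_zone, ev["dport"]) not in ALLOWED_FLOWS:
            violations.append({**ev, "src_zone": src_zone, "dst_zone": dst_zone})
    return violations


def hosts_touching_many_ot_targets(log_text, threshold=3):
    """Non-OT sources that reach at least `threshold` distinct OT hosts: a spread pattern
    worth an analyst's attention even when individual connections were allowed."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or zone_of(ev["dst"]) != "OT" or zone_of(ev["src"]) == "OT":
            continue
        targets[ev["src"]].add(ev["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v['ts']} {v['src_zone']}->{v['dst_zone']} "
              f"{v['src']} -> {v['dst']}:{v['dport']} not allow-listed")
    for src, n in hosts_touching_many_ot_targets(SAMPLE_LOG).items():
        print(f"{src} reached {n} distinct OT hosts")
```

Run stand-alone, the script reports the three IT-to-OT connections that bypass the PAW route and the one IT host that touched three OT targets. Note that the firewall logged all of these as ALLOW: the value of the allow-list check is that it compares what the boundary device permitted against what the design says should cross, which is exactly the gap a pen tester with an IT foothold would try to use.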
The NCSC has published extensive guidance on the topics above. If building a system from scratch, be sure to take into account our secure design principles. We also have pointers on how to implement effective logging and monitoring.
If you are looking to have a system pen tested, and we recommend that you do, please consider one of the organisations on the NCSC’s list of assured providers, part of our CHECK scheme. If you are looking to pen test a system that includes operational technology, ensure that the people you hire have relevant experience in this area. Without this, a pen tester could miss vulnerabilities that may exist in that particular environment or, worse, could have unintended effects on your system that have real-world consequences.
The points we cover here aren’t a complete checklist for defending a system against cyber threats, but they might just make pen testers work that bit harder to earn their fee.