Every year, numerous large and small security incidents in industrial environments, such as power plants, factories, or the food supply chain, find their way into the newspapers. All of the affected industries depend on highly branched, historically grown Operational Technology (OT) networks.
A large portion of these incidents would have been avoidable if network segmentation had been done correctly and patches for the affected devices (not always possible in OT) had been installed. Beyond such well-known problems, which also lead to the compromise of traditional IT networks, a number of unknown vulnerabilities are unfortunately present in OT infrastructure as well. OT in modern factories consists of networked (and increasingly smart) devices, especially at level 1 of the Purdue model, also called the control level. Devices such as PLCs, industrial routers and switches, data diodes, and others cannot easily be tested while they are in productive use by the factory.
Therefore, asset classification and network monitoring solutions from various vendors are used so as not to put the running infrastructure at risk. These non-intrusive ways of getting a picture of the running infrastructure give only a partial overview of the vulnerability landscape in the OT network, since they match observed assets against known issues and cannot detect unknown vulnerabilities. Taking such expensive devices out of operation for testing is usually not desired because of their price, and spare units would have to be available, which is a further reason why the devices in production cannot be touched. For this reason, digital twins, in the sense of virtualized copies of the devices in the factory, should be created for pentesting purposes.
These twins can be built with different tools (open source and closed source) and have been used to identify 0-days during an ongoing research project. After their creation, the virtual appliances were connected to form a full-fledged OT network that imitates a real industrial environment. Testing these virtual appliances does not harm the real infrastructure, yet it provides a great deal of valuable information about the systems in scope. This approach was used in practice during engagements and has been recreated and adapted for this talk, which also covers vulnerabilities that were discovered in such a test setup.