Uncovering potential vulnerabilities

Sectra pentesting

In the constantly changing threat environment facing critical infrastructure operations, it is not always easy to predict how well an organization’s systems would stand up to a real attack, and what the consequences could be. One way to highlight this is through pentesting (short for “penetration testing”), where an external party evaluates the organization’s security by simply attempting to break it.

Two different pentesting methods

Uncovering potential vulnerabilities in an organization requires several years of experience and a broad knowledge base. Sectra’s employees draw on many years of experience in a variety of aspects within security when carrying out pentests. Sectra uses two different methods of pentesting: Full-spectrum pentesting or simple pentesting.

Full-spectrum pentesting

Sectra’s preferred method, a full-spectrum pentest, targets the organization as a whole, with as wide scope as possible. In these tests, Sectra uses a “red team,” a team of Sectra employees that have several years of experience and extensive expertise within security. The team starts out by performing a risk assessment and threat modelling, in order to simulate a real attacker and perform realistic attacks against critical infrastructure. The test focuses on both technical aspects, such as network infrastructure or physical security, and potential weak points related to processes, procedures and employees. An organization’s protective ability as well as its ability to detect various types of security risks are included in the test. The scope of these tests makes them more complex and thorough than other traditional testing methods. They are also more exhaustive and provide more value, as their stated goal is equivalent to likely targets for attackers and thus simulates the risk scenario that is relevant for operations.

Simple pentesting

A simple pentest means that the test focuses on individual applications or limited systems that have a specific function within an operation. For example, this kind of test can exploit user rights, where the goal is to demonstrate internal vulnerabilities and how an insider could potentially damage internal networks. A similar test is also possible through comprehensive rights, where the goal is to identify even greater vulnerabilities by testing a wide range of attack vectors.

What happens after pentesting?

A normal pentesting assignment takes from four to twelve weeks, depending on the scope of the test. When the test is complete, Sectra’s employees present the customer with a thorough report on the results. They also receive recommendations from Sectra about how they can address any vulnerabilities that the test revealed and reduce the risk of a malicious actor gaining access to their network.

Since threat scenarios are constantly changing, it is important to continue to work actively on security in critical networks, even after the pentest is complete. This can be done by installing Sectra Network Alert in the network, which constantly looks for vulnerabilities in isolated network environments. This can also be done by implementing a monitoring service to detect undesirable activity in a network.

Meet us next at