A comprehensive Security Testing Framework for PLC-based Industrial Automation and Control Systems

Abstract

The thesis focuses on developing a comprehensive security testing framework for Industrial Automation and Control Systems (IACS) based on Programmable Logic Controllers (PLCs). This framework aims to evaluate the security posture of PLC-based IACS systems using methods, tools, and best practices in security testing tailored to the specific characteristics of PLC environments. It leverages existing security standards, such as the IEC 62443 standard. The methodology employed in this research is the Design Science methodology, serving as the systematic problem-solving strategy throughout the development of the framework. This methodology ensures the robustness and applicability of the framework within the domain of IACS. The framework encompasses various phases, including threat modeling, initial risk assessment, security testing tools and techniques, comprehensive risk evaluation, reporting mechanisms, and incident response planning. Throughout the development process, adherence to the IEC 62443 standard is maintained, ensuring alignment with established industrial best practices and regulatory requirements. This adherence aims to bolster the security of IACS infrastructure and facilitate compliance with European Union (EU) regulations. Validation of the framework is achieved through its illustration to an Information Technology (IT) and Operational Technology (OT) asset within an industrial context. This research significantly contributes to advancing cybersecurity practices for security testing within industrial settings. By providing a structured methodology, practitioners are empowered to systematically inspect and enhance the security of PLC-based IACS systems. The proposed framework's modular and independent nature makes it highly adaptable for deployment across various target systems. It conforms to recommended standards within the domain of IACS, aiming to establish secure and resilient industrial infrastructure capable of mitigating emerging cyber threats. Implementation of the framework's guidelines is anticipated to contribute to improved security and EU regulatory compliance within IACS environments.