My compliments if you have decided to have a penetration test ('pen test') performed on your infrastructure, web applications, mobile apps or software code. This shows that you are cybersecurity aware and attach importance to the cyber resilience of your organization. Bravo!
While a pen test is a useful tool to test your cybersecurity, it does not by itself provide the cyber resilience that an organization needs in today's challenging world, where increasingly sophisticated attackers keep finding innovative ways to gain access to your organization's infrastructure.
Don't get me wrong. Pen testing is still a useful tool to test the exploitability of discovered vulnerabilities so that they can be managed and the situation improved. Pen testing is also recommended when it is clear in advance which device, system or element of the network infrastructure needs to be tested and why (because there has been a security incident, other tests have revealed vulnerabilities, the organization needs to comply with new regulations, or an insurer requires it).
The main problem with a pen test is that it is only a snapshot and does not cover the entire infrastructure. Once the pen test is finished and the project is closed, new vulnerabilities can be discovered the very next day. In addition, a pen test mainly focuses on the IT domain; the OT and IoT domains are barely tested, if at all.
As a result, certain 'blind spots' (potential vulnerabilities in the OT and IoT domains) go undetected and can then be abused by hackers to gain access to the organization's infrastructure. Strictly speaking, after every update on every relevant system the entire technical infrastructure would have to be retested and audited, which makes repeated pen tests necessary, but also extremely expensive. In other words, a pen test is an expensive snapshot of the current situation. Concretely, this means that the OT/IoT attack surface (attack surface: the sum of all possible access vectors available to hackers) of the tested organization is not optimally covered, so blind spots remain open to hackers. And a hacker only needs one blind spot to gain access.
To prevent these blind spots, organizations will have to opt for continuous security monitoring of the entire OT/IT/IoT infrastructure. Not only is the 'continuous' aspect important here; monitoring the OT and IoT elements for security is just as essential. Security monitoring must be continuous for the simple reason that an organization's infrastructure is constantly changing: new vulnerabilities are discovered regularly, systems break down and/or are replaced, and people make mistakes (read: incorrect configurations or incorrect implementations of systems). A further argument for this monitoring is that changes in the infrastructure are not limited to IT systems but also affect OT and IoT systems. An example: at some point a temperature sensor in a cold room or in a data center fails and needs to be replaced. If that replacement is not monitored for security, the new sensor may be left unsecured and/or connected directly to the internet, with all the consequences that entails. That may seem like a small blind spot, but it can have far-reaching consequences.
It is also good to realize that the number of cyber attacks on OT systems has increased significantly in recent years. This increase is a logical consequence of the fact that these systems are often connected to the internal network, and sometimes even directly to the internet. Because these OT systems were never 'secure by design' nor developed for connection to the internet, and therefore have little or no built-in security, they are inherently unsafe and vulnerable. This makes them very attractive targets for hackers.
To truly improve cyber resilience, which the NIS2 Directive also requires, organizations must have full visibility of their entire OT/IT/IoT infrastructure, simply because you cannot secure what you cannot see and do not know about. Once the entire infrastructure has been made transparent, it must also be monitored continuously for security. It is important that this security monitoring is performed from a Security Operations Center (SOC) whose analysts actually know the OT/IoT environment and can identify changes in the infrastructure. Unlike a pen test, continuous security monitoring is not a snapshot of the current situation. Another difference from a pen test is that this monitoring approach is not limited to attacks from outside: it also detects infrastructural changes, and therefore configuration changes to internal systems and networks.
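The change-detection idea in the paragraphs above (a replaced sensor that ends up unsecured or internet-facing, and a SOC that spots infrastructure and configuration changes against a known baseline) can be sketched as a small asset-inventory diff. The Python below is an added example written for this page, not the author's code or any product's: it assumes asset records keyed by IP address, uses constructed sample snapshots, and assumes that in practice an asset-discovery tool or passive network sensor would supply such snapshots on a schedule.

```python
"""Detect OT/IT/IoT infrastructure changes between two inventory snapshots.

Hypothetical example: the asset records and both snapshots are constructed
inline. In a real deployment they would come from continuous asset discovery,
and the findings would be routed to the SOC.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


@dataclass(frozen=True)
class Asset:
    ip: str                      # key used to match assets across snapshots
    name: str
    mac: str                     # a MAC change on the same IP suggests replaced hardware
    domain: str                  # "IT", "OT" or "IoT"
    firmware: str
    open_ports: FrozenSet[int]
    internet_exposed: bool       # reachable from outside the perimeter


@dataclass(frozen=True)
class Finding:
    ip: str
    kind: str                    # new_asset, removed_asset, hardware_replaced, ...
    severity: str                # high, medium, low, info
    detail: str


def diff_inventory(baseline: Dict[str, Asset], current: Dict[str, Asset]) -> List[Finding]:
    """Compare two snapshots and return findings, most severe first."""
    findings: List[Finding] = []
    for ip, cur in current.items():
        base = baseline.get(ip)
        if base is None:
            # Unknown device appeared; exposure decides how urgent that is.
            sev = "high" if cur.internet_exposed else "medium"
            findings.append(Finding(ip, "new_asset", sev,
                                    f"{cur.name} ({cur.domain}) appeared, ports {sorted(cur.open_ports)}"))
            continue
        if cur.mac != base.mac:
            findings.append(Finding(ip, "hardware_replaced", "medium", f"MAC {base.mac} -> {cur.mac}"))
        if cur.firmware != base.firmware:
            findings.append(Finding(ip, "firmware_changed", "low", f"{base.firmware} -> {cur.firmware}"))
        opened = cur.open_ports - base.open_ports
        if opened:
            findings.append(Finding(ip, "ports_opened", "medium", f"new listening ports {sorted(opened)}"))
        if cur.internet_exposed and not base.internet_exposed:
            findings.append(Finding(ip, "internet_exposed", "high",
                                    f"{cur.name} is now reachable from the internet"))
    for ip, base in baseline.items():
        if ip not in current:
            findings.append(Finding(ip, "removed_asset", "info", f"{base.name} no longer seen"))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.ip))
    return findings


def baseline_snapshot() -> Dict[str, Asset]:
    """Constructed baseline: a PLC, a cold-room temperature sensor and an HMI."""
    assets = [
        Asset("10.20.0.10", "plc-line-1", "AA:BB:CC:00:00:01", "OT", "2.1.0", frozenset({502}), False),
        Asset("10.20.0.15", "sensor-coldroom-01", "AA:BB:CC:00:00:02", "IoT", "1.4.2", frozenset({502}), False),
        Asset("10.20.0.20", "hmi-panel-1", "AA:BB:CC:00:00:03", "OT", "5.0.3", frozenset({80, 443}), False),
    ]
    return {a.ip: a for a in assets}


def current_snapshot() -> Dict[str, Asset]:
    """Constructed later snapshot: sensor replaced and left internet-facing,
    HMI gone, and an unplanned camera appeared."""
    assets = [
        Asset("10.20.0.10", "plc-line-1", "AA:BB:CC:00:00:01", "OT", "2.1.0", frozenset({502}), False),
        Asset("10.20.0.15", "sensor-coldroom-01", "AA:BB:CC:00:00:09", "IoT", "1.0.0", frozenset({80, 502}), True),
        Asset("10.20.0.31", "camera-dock-3", "AA:BB:CC:00:00:0A", "IoT", "3.2.1", frozenset({80, 554}), True),
    ]
    return {a.ip: a for a in assets}


def run_example() -> List[Finding]:
    return diff_inventory(baseline_snapshot(), current_snapshot())


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.severity.upper():6}] {f.ip:12} {f.kind:18} {f.detail}")
```

Run repeatedly against fresh snapshots, the diff surfaces exactly the blind spot the sensor example describes: the replaced device shows up as a hardware change, a firmware change, a newly opened port and a high-severity internet exposure, while the unchanged PLC produces no noise. Keying on IP address is a simplification; a production inventory would match on a stable device identity and treat IP changes as findings in their own right.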
In summary, a pen test can indeed contribute to improving an organization's cybersecurity, but only to a limited extent. If an organization really wants to improve its cyber resilience and also comply with international standards and guidelines such as NIS2, then continuous security monitoring of the entire IT/OT/IoT infrastructure should not and cannot be missed. A pen test is GOOD, but continuous security monitoring is THE BEST!