The Industry 4.0, or in the other word, the IIoT, has mad a lot of changes in the operations and maintenance of industrial control system, especially if we see it from the cyber security perspective.
The seamless integration of the traditional IT into OT environment leads to the new era on how we deal with control system. Back to a decade in the past, we never hear about any kind of vulnerability assessment by using traditional IT security tools, such Nessus, OpenVAS, etc. But in current ICS revolution, the needs of having automated VA seems like it is new mainstream approach when we deal with SCADA security holes checking.
Despite of the pro and cons with their respective reasons against the automated VA in any ICS environment, we do believe that this method has bring deeper and more thorough assessment with detail exposure using activr approach to the system. The best practice is not to do the automated VA on thr online ICS environment, but we can find the window to perform this activities such as during the FAT, or using offline production system (mimic system), or we can collaborate with our ICS OEM vendor in order to perform the VA on their mimic system that reflect the installed system at site.
Some other consideration that needs to be noted if we will pursue with the VA by dealing with specific vendor to perform it under their mimic system is the system integration and its complex architecture that blend with the other ICS products that will bring more challenging approach on how to ensure all the installed ICS at site will be vulnerability assesed properly.