Cyber Acceptance Testing: Complex, Multifaceted, and Absolutely Necessary

by John Cusimano

All businesses today face unprecedented levels of cybersecurity risk, with attacks against vital infrastructure estimated to have risen by 30% since 2022. Industrial organizations are uniquely vulnerable. Clients in the oil and gas, chemical, water, power, and pharmaceutical industries have complex needs and operations, and when a security breach occurs, their stakes are considerably higher than those of other organizations. With industrial clients routinely conducting upgrades and installing new systems, it’s imperative that they are not just vigilant, but proactive about lowering their cybersecurity risk. Today’s industrial organizations can lessen their exposure by adopting a 360-degree view of cybersecurity—and that means validating the security of systems well before they are up and running.

Cyber Acceptance Testing is a complex, pre-deployment quality assurance process designed to prove that an industrial control system is fully functional within the cybersecurity services and technologies enabled in the production environment. It offers industrial clients an unparalleled opportunity to validate the strength of their cybersecurity systems, with care given to every scenario and vulnerability. It is built upon the premise that the earlier in a product life cycle a risk can be identified (before a system or facility is in operation), the more effectively it can be mitigated and ultimately, the less chance there is of a catastrophic outage or failure. The main objectives of this type of testing are aggressive and widespread. They include everything from verification of cybersecurity requirements—like network devices and antivirus software—to vulnerability scanning, intrusion testing, and checking the resilience of systems to network attacks. The overarching goal of Cyber Acceptance Testing? To dramatically lower the potential attack surface.

How does it work?

Cyber Acceptance Testing, a core part of our business, is conducted in two distinct phases, both of which occur before a system is deployed in the live environment. Those phases are Cyber Factory Acceptance Testing (CFAT) and Cyber Site Acceptance Testing (CSAT). Here’s a quick breakdown of what they are and how they work:

Cyber Acceptance Testing is like inspecting a newly built home. 

I’m often asked what Cyber Acceptance Testing is and I find it’s best explained with a home-building analogy. When a home is built, you have architectural and engineering work that takes place. The builder bids for products and materials and everything is constructed. There is a rigorous level of inspection that needs to happen before a building can be occupied. Home inspectors, fire marshals, and other professionals visit to check the structural integrity, code compliance, and beyond. Heating and cooling, plumbing, electrical work, and structural aspects of the home all need to be verified to ensure standards have been fulfilled. Every detail must be examined to ensure the home has been built according to the original vision and is ready to be inhabited.

Cyber Acceptance Testing is the comprehensive building inspection, so to speak. Only, instead of dealing with a home, we’re testing complex industrial security systems, both before and after they are installed. In an industrial context, building a plant is a project sequence deliverable, which means that precise steps must be followed. CFAT and CSAT happen during the “Construct and Commission” phase in a site’s project lifecycle. This means they take place after the front-end engineering and design work are finished, after specification and procurement have happened, and before the systems are live.

Every plant is inherently unique, and that means the CFAT and CSAT sequences are uniquely written and designed in each instance. In some cases, we may be testing 60 control panels strung together in a factory (CFAT) in Belgium, which then need to be reconfigured and tested again on-site in Japan (CSAT). There are always an inordinate number of variables, meaning an infinite number of things that can go wrong, both in the physical and digital environments. However, the beauty of Cyber Acceptance Testing is that the testing criteria can be uniquely designed to meet any plant’s needs and circumstances. By gradually finding and eliminating errors across two different testing environments, we are ultimately able to reduce or eliminate the number of things that could go wrong in a live environment. While CFAT and CSAT can be standalone testing processes, the best-case scenario is one in which both testing types have been run.

Better to find a problem now than three years down the road. 

The value of Cyber Acceptance Testing becomes clear when you think of the cascade of consequences that can arise from not doing it. Imagine a client installing and configuring dozens of panels and getting an entire plant up and running. Everything appears to be working perfectly. Three years later, someone realizes the default password has been left open from the time the plant was built. It’s been three years, and no one has checked it. The switch has been replaced, but the same password was left in place. Who is responsible for a cybersecurity attack in this instance? If you’ve copied a mistake three times, then surely it’s your fault. Workers have come and gone. Thousands of devices have been involved, and the turnover of people and technology has been near-constant. This is a nightmare scenario, but it’s one that can be readily prevented with Cyber Acceptance Testing.

We trust the Cyber Acceptance Testing process because we know, as do many of our clients, that it only takes a single character being out of place for an intractable, long-term problem to arise. It takes a single human error, a single faulty keystroke. Cyber Acceptance Testing leaves no stone unturned, both in the factory and site environments. Early mitigation of risk is the desired outcome and the motivating factor for both stages of Cyber Acceptance Testing.

The biggest risk? Not doing it. 

Risks aside, it’s important to understand the inherent benefits of proactive testing. Organizations that conduct Cyber Acceptance Testing can rest assured that their cybersecurity presence has been properly implemented. Their operations engineering staff tend to be more aware and better trained prior to startup than those who haven’t gone through the process. Their staff are more technically equipped to manage, monitor, and respond to an array of security incidents. And, as many organizations have learned the hard way, “doing” cybersecurity up-front is vastly more effective and less costly than addressing it after issues arise.

To learn more about Armexa and Cyber Acceptance Testing, visit Cyber Factory Acceptance Testing | Armexa

Posted on October 31, 2024