A missing component in current ICS acceptance testing practices, such as Factory Acceptance Testing (FAT) or Site Acceptance Testing (SAT), is cybersecurity. In fact, many organizations have reported that the cybersecurity of their ICS was actually compromised as a result of FAT or SAT. This is not surprising as the goal of FAT/SAT is to verify the functionality of the system – not the cybersecurity. As such, cybersecurity policies, procedures and controls are often bypassed in order to expedite completion of the testing.

aeSolutions believes that ICSs should undergo Cybersecurity Acceptance Testing (CAT) following FAT and/or SAT. CAT should include verification that the system complies with the ICS Cybersecurity Requirements Specification. For example, the required security settings were configured correctly and the necessary security components (e.g. firewalls) were installed and properly configured. Additionally, CAT should include cybersecurity robustness testing, sometimes referred to as penetration testing, which is testing designed to discover and identify the weaknesses or vulnerabilities in a system. This type of testing should not be performed on a production system, but it can be safely performed before the system is operational.

aeSolutions offers Cybersecurity Acceptance Testing procedure development and testing.