Exploitation and impact demonstration¶

The Patrician of Ankh Morpork, seated at a grand wooden desk cluttered with brass gears, cog-driven calculators, and arcane mechanical devices.

The Patrician has a particular skill for making people understand consequences without actually having to demonstrate them. A meaningful glance at the window, a thoughtful comment about the drop, and perhaps a casual mention of terminal velocity is usually sufficient. The art lies in making the consequence feel real without making it actually real, which is considerably harder than it sounds but infinitely preferable to the alternative.

This is essentially what exploitation and impact demonstration in OT penetration testing requires. We must prove that terrible things are possible without actually doing terrible things. We need to demonstrate sufficient technical evidence that stakeholders believe us, take action, and allocate budget for remediation.

The challenge is finding that precise balance between “this is theoretically possible but I can not prove it” (which nobody takes seriously) and “I have just caused a safety incident and there are people wearing fluorescent vests running in multiple directions” (which everyone takes seriously but also gets us arrested).

Demonstrating: