Exploitation and impact demonstration
The Patrician has a particular skill for making people understand consequences without actually having to demonstrate them. A meaningful glance at the window, a thoughtful comment about the drop, and perhaps a casual mention of terminal velocity is usually sufficient. The art lies in making the consequence feel real without making it actually real, which is considerably harder than it sounds but infinitely preferable to the alternative.
This is essentially what exploitation and impact demonstration in OT penetration testing requires. We must prove that terrible things are possible without actually doing terrible things. We need to demonstrate sufficient technical evidence that stakeholders believe us, take action, and allocate budget for remediation.
The challenge is finding that precise balance between “this is theoretically possible but I cannot prove it” (which nobody takes seriously) and “I have just caused a safety incident and there are people wearing fluorescent vests running in multiple directions” (which everyone takes seriously but also gets us arrested).
- Internet entry and the triple-homed pivot
- Enterprise zone: legacy, accumulated privilege, and dual-homed bridges
- Operational zone: the unintended filing cabinet
- Control zone: the crossing point and the equipment
- Exfiltration: the architectural fact that ties it together
- DMZ direct: parallel chains from the internet
- Runbooks