28 September 2021 Mie

Penetration testing in critical environments

Søren Egede Knudsen is a CEO and IT/OT security expert. He is also one of the keynote speakers at the international Industrial Security Conference on 15-16-17 November in Copenhagen, where he will talk about why we should use penetration testing in our critical environments and how it can be done. You can also hear how to use the information from penetration tests, illustrated with technical examples from the real world.

In this article, you can read an interview with Søren Egede Knudsen.

How did you get into working with security and how did it develop throughout your career?

Since I was young, I have been interested in electronics and computers. In the mid-90s I was working with servers, and at that time I got introduced to firewalls. I believe it was BorderManager, but at that time it was not a full-time job. Later, I worked as a Cisco specialist with networking and security. Since my first introduction to security, it has had my special interest and it has been a core part of my career as a subject matter expert, as CTO, and as CEO. Since 2009 I have specialized in industrial networks and penetration tests.

What are the biggest challenges within cybersecurity in your eyes?

I believe the biggest challenge is the shortage of knowledgeable resources in the industry. In the IT sector there is a lack of cybersecurity resources, but when we talk about the industrial area, the problem is at least ten times as severe. Recruiting people who are knowledgeable not only in IT, but also in industrial networks, is critical for the industrial companies but it is very difficult to find people with this profile.

How do we get ahead of ‘the bad guys’?

I think it can be a difficult path, but I still believe it is possible if two actors improve their act: the company boards and the vendors. The board in most companies now talks about cybersecurity, but they also need to understand the processes, techniques and tactics of the offensive part of cybersecurity. Most companies look mostly into protection (blue team). To understand the attackers better they need to understand the offensive part (red team). Without understanding both sides, they will not have sufficient information to set up adequate protection mechanisms. This also holds true for vendors that supply devices and software to industrial networks. They have to improve the quality of their code in order to limit the vulnerabilities that give the attacker a possibility to develop a potentially successful attack.

When looking forward just 5-10 years, what do you think will be different?

In 5-10 years, companies will be able to better integrate the blue team and red team information into their risk management process. In addition, I believe that there will be higher pressure on vendors to make software with fewer vulnerabilities. So, in short, changes will come in management, the technical personnel and the vendors.

Besides more funds for security, what do you think would make a difference in the industry?

Better understanding and communication between people: At board level, between the board and leadership, and between the leaders and the technical personnel. To be able to protect your systems, you need all information, not just parts of it. This is not different from other areas of a business.

What will your keynote be about?

My keynote is about how you do penetration testing in industrial networks. I hope that participants will learn not only how this can be done, but also why a penetration test in an industrial network is very different from one in an IT network. I also hope that the participants will understand the importance of having someone on the staff who can think like a hacker, i.e., who masters offensive thinking.

What are your own expectations for the conference?

There are many great speakers at the conference and I am pleased to see that the conference is international, which, I believe, increases the value of the conference. I am especially looking forward to attending this new, international part.

Do you want to hear more about security and penetration testing?

Join the international Industrial Security Conference.