Automated Penetration Testing for Industrial IoT Systems: Enhancing Efficiency and Reducing Reliance on Human Expertise

Sbai, Fatim, Asif, Waqar ORCID: 0000-0001-6774-3050, IvaylovMarkov, Lyubomir and Saeed, Nagham (2025) Automated Penetration Testing for Industrial IoT Systems: Enhancing Efficiency and Reducing Reliance on Human Expertise. 2025 IEEE International Symposium on Circuits and Systems (ISCAS). pp. 1-5. ISSN 0271-4302

Full text not available from this repository.

Official URL: https://doi.org/10.1109/iscas56072.2025.11044276

Abstract

Penetration testing is an important aspect when building or deploying Industrial Internet of Things (IIoT) systems. This involves using specialised hacking tools that would help identify exploitable vulnerabilities in an industrial system, device, and/or network. Conventionally, security experts rely on penetration testing performed by expert individuals where these individuals are expected to have considerable experience and knowledge in the specified domain. This dependence on skill evaluation makes the process unreliable as failure in a penetration test does not guarantee system security. Therefore, this paper proposes the use of automated penetration testing using script files. Tools such as Nessus are employed for vulnerability scanning, PostgreSQL serves as the database management system to store test results and configurations, and Metasploit is utilised for automating the exploitation of identified vulnerabilities. The research shows a considerable improvement in task efficiency in terms of time consumed to find a suitable exploit and execute it in comparison to manual penetration testing.

