In response to the enquiries that followed the publication of our first post on pentesting, we saw the need to go into this topic in more depth. Since we have already described in an earlier post what physical penetration tests are in general, the natural next step is to present the test itself in the form of a case study. This article describes a successful penetration test. We must warn, however, that our client contracts and the testing itself are covered by secrecy, so the example below has been crafted in such a way that it cannot be linked to any of the tests performed, yet retains one hundred per cent of the characteristics of a real case. All similarities to the tests performed are coincidental and unintentional.
Description of the situation
The client is a large car parts company that built a production facility several years ago on a plot of land of approximately 14 ha. The client has recently signed a contract with a new company providing security services for the site and wants to check how effective that security is; if there are any irregularities, it wants them exposed and identified.
Preparing for pentesting
After signing the contract and agreeing that the test formula is Black Box, i.e. we receive no information from the client about the facility, we proceeded.
The first step is OSINT, i.e. establishing what can be found about the facility on the internet in publicly available resources. In this case, we were able to find satellite images of the facility on Google Maps, several articles on local news portals and information from the client’s official Facebook profile. On LinkedIn, 156 names of people professionally related to the facility under test were found, which could have been useful during the development of the action scenarios. From the material available online, the testers familiarised themselves with the location of the facility, its topography and the immediate surroundings. They located the entrance gates, security booths, car parks and the nearest bus stops at which the facility’s employees could alight. The testers also checked what other businesses were present in the area – this information could be used to build a legend or plan a test scenario. Once the information from the ‘cyber reconnaissance’ was complete, it was possible to proceed with physical reconnaissance on site.
Reconnaissance prior to the physical penetration test
Technicians observed the facility throughout the day, seeking to ascertain as many details as possible of the facility’s routine operations. Among other things, they were able to establish that: workers arrive before 6am, 2pm and 10pm, and work in the facility is done in 3 shifts; office workers arrive by car, bus and bicycle at around 7:30am and leave at 3:30pm; repair workers from the car park arrived at 7:30am and worked until 6pm; security guards leave the security booths for various errands; routine security rounds are carried out every 45 minutes; security guards give the impression of being uninterested in what is going on near the protected area; employees use access control (SKD) cards when passing through and entering the site; some people are let through after producing a pass; suppliers are served in front of the reception after passing the gate and parking in front of the reception; the second barrier next to the reception, leading to the VIP indoor parking area, is open all the time; the site can be easily observed from 2 sides. Additionally, during the reconnaissance the testers noticed damaged fence panels to the north and west at the junction of the panel fence with the old concrete fence. The information gathered during the on-site reconnaissance allowed several potentially effective scenarios to be developed.
Physical penetration test
Technicians arrived on site at 5:30am to observe the movement of employees coming into work for the first shift and those leaving work after the third shift. Increased traffic often presents an opportunity for at least one of the agreed penetration test scenarios. The first opportunity did not arise until around 7:15am. The tester, on the south side from the bus stop, joined a larger group of employees and attempted to enter using the so-called ‘tailgating’ method. All employees entering on foot used SKD cards at the outer gate and at reception. At the reception desk, passing through the turnstiles was done with the assistance of a security guard, but at the outer gate of the plant the security guards were not interested in who was entering the premises or how.
The tester walked through the outer gate of the plant behind an employee who held the gate open with his hand. This was not met with any reaction from security or the staff present. At the reception desk, the tester turned right without going inside, heading towards the open barrier. The tester then walked under the raised barrier, counting on the security guard being busy with a group of people entering. Once inside the plant, the tester walked along the VIP car park and headed past the construction crew working straight ahead to the building marked No. 3. The tester noticed that the building with the reception desk was marked No. 1, and the buildings to the right were, in sequence, No. 2 and No. 5. The last large hall in the north-western part of the plant was marked No. 4. The tester walked unperturbed along the designated paths past all the buildings, pretending to make a phone call.
The first opportunity to enter the interior of one of the buildings came at the door to Building 3 – outgoing staff members, at the tester’s gesture, held the door and let him through. The tester found himself in the lobby, from which there were 3 passageways covered by an electronic SKD system. Starting from the left there was a door with a short corridor behind it turning to the right. Ahead was a large glass double door to the production hall, and to the right a door to the stairwell and lift. The tester, pretending to be preoccupied with his phone, waited in the lobby for someone to pass through the door to the stairwell, followed them and proceeded to the 1st floor. On the 1st floor there was a door covered by the SKD to the office area, a door from the lift and a staircase to the 2nd floor. Unfortunately, the office zones on the 1st and 2nd floors did not show much staff activity, so the tester left the stairwell and returned to the lobby at the entrance to the building. The entrance to the production area was signposted as requiring protective clothing, goggles, footwear and a helmet, so the tester, having no way of obtaining these props, did not attempt to enter the production area. Due to the lack of activity in the lobby, the tester left the building, seeing no opportunity to continue the attempt.
After leaving Building 3, the tester went to the entrance of Building 5. Pretending to talk on the phone, the tester waited about 5 minutes for a person to come out of Building 5. Seizing the opportunity, the tester walked through the open door behind the exiting person. This time the tester did not even make eye contact with the exiting person; he simply passed the person and entered. In Building 5 there was a short corridor with 3 doors on the right (the first 2 closed, the last open) and 1 door opposite, also closed. In the room with the open door, the tester found a cloakroom, where he took the glasses, earmuffs and helmet that were lying around. The tester left Building 5 with the props and returned again to Building 3. After a short while, people entering let the tester through the door into the building. The staff entering the building used their SKD cards and entered the stairwell on the right. Once alone in the lobby, the tester put on his props and waited quietly for someone entering or leaving the production floor. After waiting for about 2 minutes, the tester walked through the door to the production hall, asking the person he met to lend him his SKD card, as he had supposedly left his own in the car. The person agreed. For about 20 minutes the tester walked around and photographed various places in the production area, where he had unrestricted access to various types of machines, robots, control panels and bins of parts.
The further course of the test was similar. Both testers gained access to all buildings, and within them to the staff rooms, separate offices, meeting rooms, toilets, lifts, staircases, work areas with computer workstations, and production areas with direct access to assembly lines, robots and control rooms. No one asked the purpose of the visit, no one identified the testers, no one notified security. The testers acted under the constant surveillance of CCTV cameras but with no response from security. The two testers left the facility undetected: one through the main reception, explaining that he had left his SKD card in his car and asking for the gate to be opened, and the other through the damaged fence at the junction of the panels and the old concrete fence.
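Every weakness exploited above leaves a gap in the access control (SKD) reader logs: a person reaches an inner door without the same card ever having badged in at the perimeter (tailgating at the outer gate, the open barrier, the damaged fence), or one card is presented twice at the same inner door with no exit in between (the lent card at the production hall). The following script is an added example written for this article, not code from the original post or from the client’s security provider; the reader names, card IDs and log lines are constructed, and the CSV layout “timestamp,card,reader,direction” is an assumption about what an SKD export looks like. It reconciles a day’s events and reports both kinds of anomaly so that security can follow them up on CCTV.

```python
"""Reconcile access-control (SKD) reader logs to flag tailgating and card sharing.

Added example for this article; not part of the original post or any real system.
Reader names, card ids and the log lines below are constructed.
"""
from datetime import datetime, timedelta

# Readers on the site perimeter (assumed names); every other reader is an inner zone.
PERIMETER_READERS = {"GATE-S", "GATE-N"}

# Constructed sample export, one event per line: "timestamp,card,reader,direction".
SAMPLE_LOG = """\
2024-05-14 07:12:03,C1001,GATE-S,in
2024-05-14 07:12:04,C1002,GATE-S,in
2024-05-14 07:20:40,C1001,B3-STAIR,in
2024-05-14 07:25:11,C1002,B3-PROD,in
2024-05-14 07:31:00,C2077,B3-PROD,in
2024-05-14 07:33:09,C1002,B3-PROD,in
2024-05-14 15:30:02,C1001,GATE-S,out
"""


def parse_log(text):
    """Parse the CSV export into a list of event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, card, reader, direction = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "card": card,
            "reader": reader,
            "direction": direction,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def unbadged_inner_entries(events):
    """Inner-zone entries by a card that is not currently 'on site' according to
    the perimeter readers. The card holder got past the fence line without badging:
    tailgating at the gate, an open barrier, or a hole in the fence."""
    on_site = set()
    findings = []
    for e in events:
        if e["reader"] in PERIMETER_READERS:
            if e["direction"] == "in":
                on_site.add(e["card"])
            else:
                on_site.discard(e["card"])
        elif e["direction"] == "in" and e["card"] not in on_site:
            findings.append((e["ts"], e["card"], e["reader"]))
    return findings


def passback_violations(events, max_gap=timedelta(minutes=15)):
    """The same card presented for entry twice at one inner reader within max_gap
    with no exit recorded in between: the classic sign of a lent or cloned card."""
    last_in = {}
    findings = []
    for e in events:
        if e["reader"] in PERIMETER_READERS:
            continue
        key = (e["card"], e["reader"])
        if e["direction"] == "out":
            last_in.pop(key, None)
            continue
        prev = last_in.get(key)
        if prev is not None and e["ts"] - prev <= max_gap:
            findings.append((e["ts"], e["card"], e["reader"]))
        last_in[key] = e["ts"]
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ts, card, reader in unbadged_inner_entries(evs):
        print(f"{ts} card {card} entered {reader} with no perimeter badge-in")
    for ts, card, reader in passback_violations(evs):
        print(f"{ts} card {card} re-entered {reader} without an exit in between")
```

On the constructed log this reports card C2077 at B3-PROD (never seen at a gate) and the second use of C1002 at B3-PROD eight minutes after the first. Both checks only work if the perimeter readers log exits as well as entries; where a turnstile or gate records entry only, the first check has to be bounded to a shift window instead of tracking who is on site.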
What happens next after a completed pentest?
A thorough report is drawn up from the physical penetration test, covering all stages of the job. The testers make brief notes on an ongoing basis, including times, events and locations, so that the report reflects reality as closely as possible. Depending on the scope of activities, the final vulnerability assessment report may include photos, maps, transcribed conversations, screenshots of the computer programmes used, log tables and video recordings. The key element is the weaknesses identified and the recommendations made regarding them.
The example given uses the simplest techniques, basic social engineering and tailgating, but depending on the site, the item being tested, the procedures or the entire security system, at either the physical or the IT layer, testers use a variety of props, dummies and costumes, specialised tools, computers, etc. that fit the situation and the scenario being tested.
Summary
In conclusion, the case described illustrates perfectly how crucial the right approach to physical security in organisations is. Appropriate technical measures alone are not enough; staff training and regular audits are equally important to minimise risks and effectively manage possible threats. The test carried out not only demonstrates the importance of preventive strategies, but also highlights the need for continuous adaptation to dynamically changing conditions and threats. Ultimately, the case study shows that it is the human factor that determines how well a physical security system works for us and whether it is a stable foundation on which to build a business.
Author: Michał Nosowski
*Client data has been anonymised prior to publication.