Automated penetration testing for industrial IOT systems: enhancing efficiency and reducing reliance on human expertise

Lists

Sbai, Fatim, Asif, Waqar ORCID: https://orcid.org/0000-0001-6774-3050, IvaylovMarkov, Lyubomir and Saeed, Nagham ORCID: https://orcid.org/0000-0002-5124-7973 (2025) Automated penetration testing for industrial IOT systems: enhancing efficiency and reducing reliance on human expertise. In: 2025 IEEE International Symposium on Circuits and Systems (ISCAS), 25-28 May 2025, London, England.

Preview

PDF (PDF/A)
Automated Penetration Testing for Industrial_SbaiF & SaeedN_accessible.pdf - Accepted Version
Available under License Creative Commons Attribution.
Download (627kB) | Preview

Official URL: https://ieeexplore.ieee.org/document/11044276

Abstract

Penetration testing is an important aspect when building or deploying Industrial Internet of Things (IIoT) systems. This involves using specialised hacking tools that would help identify exploitable vulnerabilities in an industrial systems, device, and/or network. Conventionally, security experts rely on penetration testing performed by expert individuals where these individuals are expected to have considerable experience and knowledge in the specified domain. This dependence on skill evaluation makes the process unreliable as failure in a penetration test does not guarantee system security. Therefore, this paper proposes the use of automated penetration testing using script files. Tools such as Nessus are employed for vulnerability scanning, PostgreSQL serves as the database management system to store test results and configurations, and Metasploit is utilised for automating the exploitation of identified vulnerabilities. The research shows a considerable improvement in task efficiency in terms of time consumed to find a suitable exploit and execute it in comparison to manual penetration testing.

Item Type:	Conference or Workshop Item (Paper)
ISSN:	2158-1525
ISBN:	9798350356830
Identifier:	10.1109/ISCAS56072.2025.11044276
Identifier:	10.1109/ISCAS56072.2025.11044276
Additional Information:	For the purpose of open access, the authors have applied a Creative Commons Attribution (CC BY) license to any Accepted Manuscript version arising.
Keywords:	Performance evaluation, Large language models, Manuals, Security, Object recognition, Integrated circuit reliability, Penetration testing, Industrial Internet of Things, Testing, Network systems, IIoT, Nessus, PostgreSQL, Metasploit
Subjects:	Computing > Information security
Related URLs:	Publisher Organisation
Depositing User:	Fatim Sbai
Date Deposited:	22 Jul 2025 13:18
Last Modified:	15 Aug 2025 09:00
URI:	https://repository.uwl.ac.uk/id/eprint/13903
Sustainable Development Goals:	Goal 9: Industry, Innovation, and Infrastructure

Downloads

Downloads per month over past year

Actions (login required)

View Item

References

Zscaler ThreatLabz. Zscaler threatlabz finds a 400% increase in iot
and ot malware attacks year-over-year, underscoring need for better zero
trust security to protect critical infrastructures. Zscaler, 2023. Accessed:
2024-10-11.
[2] GOV.UK, Department for Digital. Cyber security breaches survey 2022,
gov.uk, 2022.
[3] S. C. Vetrivel, R. Maheswari, and T. P. Saravanan. Security challenges
for industrial iot. Wireless networks and industrial IoT: Applications,
challenges and enablers, 2021.
[4] Dirk Johannes Beukes. The importance of vulnerability assessments
and penetration testing in cybersecurity. Journal of Cybersecurity and
Privacy, 2(4):123–138, 2019. Accessed: 2024-10-11.
[5] Farah Abu-Dabaseh and Esraa Alshammari. Automated penetration
testing: An overview. In The 4th International Conference on Natural
Language Computing, pages 121–129, Copenhagen, Denmark, 2018.
[6] Ralph Ankele, Stefan Marksteiner, Kai Nahrgang, and Heribert Vallant.
Requirements and recommendations for iot/iiot models to automate
security assurance through threat modelling, security analysis and penetration
testing. In Proceedings of the 14th International Conference
on Availability, Reliability and Security (ARES 2019), pages 1–8. ACM,
2019.
[7] L.P. Ledwaba and G.P. Hancke. Security challenges for industrial
iot. Wireless networks and industrial IoT: Applications, challenges and
enablers, pages 193–206, 2021.
[8] Pengfei Shi, Futong Qin, Ruosi Cheng, and Kunsong Zhu. The
penetration testing framework for large-scale network based on network
fingerprint. In 2019 International Conference on Communications,
Information System and Computer Engineering (CISCE), pages 378–
381. IEEE, 2019.
[9] Yaroslav Stefinko, Andrian Piskozub, and Roman Banakh. Manual
and automated penetration testing: Benefits and drawbacks. modern
tendency. In 2016 13th International Conference on Modern Problems
of Radio Engineering, Telecommunications and Computer Science (TCSET),
pages 488–491. IEEE, 2016.
[10] Sarah Tutton. The disadvantages of manual penetration testing. IT
Governance Blog, 2023.
[11] Zhenguo Hu, Razvan Beuran, and Yasuo Tan. Automated penetration
testing using deep reinforcement learning. In 2020 IEEE European
Symposium on Security and Privacy Workshops (EuroS&PW), pages 2–
10. IEEE, 2020.
[12] Fabio Massimo Zennaro and Laszlo Erdodi. Modeling penetration
testing with reinforcement learning using capture-the-flag challenges:
Trade-offs between model-free learning and a priori knowledge. arXiv
e-prints, pages arXiv–2005, 2021.
[13] Ferheen Ayaz, Zhengguo Sheng, Daxin Tian, Maziar Nekovee, and
Nagham Saeed. Blockchain-empowered ai for 6g-enabled internet of
vehicles. Electronics, 11(20):3339, 2022. Accessed: 2024-02-04.
[14] O Valea and C Opris¸a. Towards pentesting automation using the
metasploit framework. In 2020 IEEE 16th International Conference
on Intelligent Computer Communication and Processing (ICCP), pages
171–178. IEEE, 2020.
[15] Oracle Corporation. Virtualbox user manual. Oracle VirtualBox, 2024.
Accessed: 2024-02-02.
[16] Offensive Security. Kali linux documentation. Kali Linux, 2024.
Accessed: 2024-02-02.
[17] Rapid7. Metasploitable 2: Vulnerable machine for testing. Metasploit
Framework, 2024. Accessed: 2024-02-02.
[18] Tenable. Nessus essentials: The most comprehensive vulnerability
scanner, 2023. Accessed: 2024-10-11.
[19] Python Software Foundation. XML Processing Modules, 2024. Accessed:
2024-10-11.
[20] Rapid7. Metasploit RPC API Documentation, 2023. Accessed: 2024-
10-11.
[21] WhatIsMyIPAddress.com. Classless inter-domain routing (cidr) and
notation for beginners, 2022.
[22] PostgreSQL Global Development Group. PostgreSQL: The World’s Most
Advanced Open Source Relational Database, 2023. Accessed: 2024-10-
11.

Tools

CORE (COnnecting REpositories)

The University of West London

Automated penetration testing for industrial IOT systems: enhancing efficiency and reducing reliance on human expertise

Abstract

Downloads

Actions (login required)

Menu