Applied Risk: An established leader in Industrial Control Systems security

Applied Risk is focussed on critical infrastructure security and combating security breaches that pose a significant threat. Operating on a global scale, we work with a wealth of large organisations that rely on our expertise to safeguard their critical assets. Our proven experience of identifying vulnerabilities and security risks is based on methodologies honed over years of conducting assessments in industrial environments.

Our engineering experience and cyber security knowledge prove invaluable in securing the critical infrastructures and industrial assets of companies across the globe. We understand the need to maintain secure and reliable control environments. Working across a range of industries, we deliver solutions tailored to asset owners’ and manufacturers’ security requirements.

Industrial Control Systems (ICS) security is an engineering-based problem that requires an engineering-focused solution. Our offering includes a wealth of engineering and technical assurance services, combined with comprehensive security assessments that cover the full spectrum of our clients’ critical asset requirements while meeting industry standards.



Guarding mission-critical industrial systems from the threat of cyber attacks requires a specific and focused security skill set that only comes with deep industry knowledge and associated experience.

Applied Risk helps clients to address and maintain defences against the ever-increasing threats targeting Industrial Automation and Control Systems environments. We enable asset owners, operators, government agencies and suppliers to stay up-to-date and identify appropriate mitigating controls for protecting Process Control and Industrial Automation systems against the latest threats.

Select a product or service below:

  • Products

    ICS Cyber Security Awareness Training
  • Services

    Industrial Automation and Control Systems (IACS) Security
  • ICS/SCADA Security Assessment & Penetration Testing
  • Risk and Vulnerability Assessment (RVA)
  • Embedded Security Assessment
  • Medical Devices Security Assessment
  • IoT Security Assurance Services


  • Power
  • Pharmaceutical
  • Oil & gas
  • Water
  • Manufacturing
  • Chemicals

Heightened levels of interconnectivity, driven by business requirements, are now leaving Industrial environments increasingly exposed to costly and dangerous cyber attacks, including Denial of Control (DoC); Loss of Control (LoC); Loss of View (LoV); and Manipulation of View (MoV).



Applied Risk maintains significant leadership in the IACS community through its interactions with end users and manufacturers as well as its advanced research initiatives. It is through this work that we can provide unmatched service delivery to our customers and partners.

This section outlines our dedicated research, with a focus on advisories and white papers for ICS/SCADA environments.

  • Advisories

    Our security advisories are the results of research activities conducted by our in-house research team. These focus exclusively on ICS/SCADA devices and technologies.


  • Vulnerability Disclosure Policy

    It is the policy of the company to exercise the responsible disclosure of security vulnerabilities in a manner that is of maximum value to all affected parties.


About us

  • Safety
  • Integrity
  • Customer focused
  • Innovation

Applied Risk was founded with one core mission: to secure critical assets in the industrial domain against emergent cyber threats. As a major cyber security player within the Industrial Automation and Process Control field, our primary objective is to offer the most advanced Industrial Control Systems (ICS) security technology solutions.



The Industrial Automation and Control Systems (IACS) security field is growing rapidly and Applied Risk continues to grow to meet current and future customers’ needs. As a global IACS leader, we maintain very high levels of cyber security skills, engineering experience, and business confidentiality. If you have a solid background in Control Systems security or industrial automation engineering and are looking for the next level of challenge and commitment, we would like to hear from you.


Advisory board

Auke Huistra
International Cyber Security Expert

Christian Martorella



Open Source Intelligence (OSINT) for OT: What adversaries can learn about your organisation and what you can do

Although 2018 has already drawn to a close, offensive cyber security campaigns targeting critical infrastructure show no signs of slowing down. Most recently, threat researchers discovered a global campaign, dubbed ‘Operation Sharpshooter’, which attempts to infiltrate nuclear, defence, energy and financial companies. Similarly, Italian oil services firm Saipem recently fell victim to an attack which crippled hundreds of servers and personnel computers.

Threat intelligence shows that a significant percentage of attacks against organisations in the critical infrastructure sectors occur as a result of adversaries using phishing techniques to compromise IT enterprise networks. With access obtained to IT environments, the interconnectivity between IT and ICS environments could allow adversaries to traverse between these networks.

Considering the ‘ICS Cyber Kill Chain’ model which defines the first stage of a cyber intrusion as ‘reconnaissance’, it is important to understand what information attackers can obtain about your organisation by simply using open source intelligence (OSINT) to craft targeted attacks.


OSINT: What can attackers learn about your organisation?

One definition for OSINT is “intelligence derived from public information--tailored intelligence which is based on information which can be obtained legally and ethically from public sources.”

Such techniques allow attackers to passively take advantage of the information available on the Internet to develop information about their target and refine their attack methodology without being noticed. Whether an attacker uses dedicated tools, or simply Google, the type of information about an organisation that can be obtained may include:

  1. Technical details of ICS from job adverts;
  2. Sub-domains;
  3. Potential software vulnerabilities;
  4. Employee e-mail addresses (note: best practices advise against directly connecting OT systems to the internet/e-mail services);
  5. Employee information from social media platforms i.e. LinkedIn, Facebook, Twitter;
  6. Reused credentials from previous password breaches;
  7. Internal organisational information from document metadata;
  8. Case studies by system integrators or vendors which detail ICS;
  9. Direct discovery of ICS assets using ‘Shodan’ or ‘Censys’.

How can this information be used against you?

While some of the aforementioned bullet points may seem innocuous, let’s consider just some ways in which these details could be leveraged to perform a targeted attack against an organisation.

By obtaining a list of corporate e-mail addresses using tools such as ‘’ an attacker can:

  1. check obtained e-mail addresses against LinkedIn profiles to identify suitable targets for phishing or social engineering depending on their end goal i.e. Technical Leads, Engineers, Management, etc.;
  2. cross-reference obtained e-mail addresses against corporate e-mail address/password combinations exposed as a result of website breaches and create targeted phishing e-mails or hope for credential reuse.

Job adverts can provide:

  1. details of ICS assets within the organisation;
  2. terminology that can be used to enhance the realism of phishing e-mails;
  3. a method for an attacker to submit malicious applications/files to the organisation;

Extracted metadata from publicly available documents can reveal:

  1. operating systems used within the organisation;
  2. folder path structure;
  3. usernames and format;
  4. software and versions used within the organisation;
  5. network locations and paths;
  6. printers;
  7. e-mail addresses;
  8. technical data;

Performing subdomain enumeration can identify potential weak points in an organisation, including:

  1. management interfaces;
  2. remote access or web mail portals with LDAP integration (can sometimes be used to validate domain credentials);
  3. remote access portals;
  4. forgotten test applications running outdated software (which may contain critical vulnerabilities).

Querying Shodan or Censys can reveal additional potential entry points into an organisation, including:

  1. web interfaces to industrial control systems or subcomponents;
  2. network attached storage (NAS) drives with vulnerable firmware;
  3. remote desktop interfaces;
  4. management interfaces on routers (HTTP, Telnet, SSH);
  5. FTP servers.

Reducing your attack surface

While it’s true that once information is shared on the Internet it’s difficult to remove, there are steps your organisation can take to help reduce its digital footprint and, in turn, make reconnaissance more difficult for would-be attackers. These steps include, but are not limited to:

  1. Use tools like Shodan to monitor your own CIDR ranges (can be performed in real time via the command line interface);
  2. Block the IP addresses and ranges that Censys and Shodan scan from to help prevent your assets from potentially appearing in publicly available scan results;
  3. If you must upload documents, ensure that not only the content of the documents is void of sensitive information that may be beneficial to an attacker, but that the document or file itself is sanitised of metadata;
  4. For public facing interfaces or applications, disable that which is not required;
  5. Map all external interfaces and perform regular vulnerability scans of those interfaces to try and identify weaknesses in a timely manner;
  6. Implement blacklisting on all public facing assets to limit traffic originating from known ‘bad’ addresses;
  7. Carefully review ‘case studies’ that vendors have created based on your assets to ensure they don’t disclose sensitive information;
  8. Deliver ICS Cyber Security Awareness Training to personnel to help ensure they are aware of good password practices and the content they post online (i.e. LinkedIn, blogs, etc.).
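
A pre-publication check for step 3, as an added example that is not code from Applied Risk: it reports the document properties (author, last editor, application, version, company) stored in an OOXML file (.docx/.xlsx/.pptx) and writes a copy with those values blanked. The sample file, the names in it and its placeholder XML namespaces are constructed; comments, tracked changes and embedded images are not inspected, and blanking (rather than removing) the properties is an assumption made to keep the package structure intact.

```python
import io
import re
import zipfile

# OOXML parts (.docx/.xlsx/.pptx) that hold document properties.
PROPERTY_PARTS = {"docProps/core.xml", "docProps/app.xml"}
# Properties that expose usernames, software/versions and organisation names.
SENSITIVE = ("creator", "lastModifiedBy", "Application", "AppVersion",
             "Company", "Manager", "Template")
_PROP = re.compile(r"(<(?:\w+:)?(%s)(?:\s[^>]*)?>)([^<]*)(</(?:\w+:)?\2>)"
                   % "|".join(SENSITIVE))


def audit(data: bytes) -> dict:
    """Return {property: value} for every non-empty sensitive property."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        for part in sorted(PROPERTY_PARTS & set(src.namelist())):
            for m in _PROP.finditer(src.read(part).decode("utf-8")):
                if m.group(3).strip():
                    found[m.group(2)] = m.group(3)
    return found


def sanitise(data: bytes) -> bytes:
    """Copy the archive, blanking sensitive values; other parts are unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            body = src.read(info)
            if info.filename in PROPERTY_PARTS:
                body = _PROP.sub(r"\1\4", body.decode("utf-8")).encode("utf-8")
            dst.writestr(info.filename, body)
    return out.getvalue()


def build_sample() -> bytes:
    """Constructed sample: minimal archive with docx-style property parts."""
    core = ('<cp:coreProperties xmlns:cp="urn:example:cp" xmlns:dc="urn:example:dc">'
            "<dc:creator>j.doe</dc:creator>"
            "<cp:lastModifiedBy>j.doe</cp:lastModifiedBy></cp:coreProperties>")
    app = ('<Properties xmlns="urn:example:app"><Application>Microsoft Office Word'
           "</Application><AppVersion>16.0000</AppVersion>"
           "<Company>Example Utility BV</Company></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in (("docProps/core.xml", core), ("docProps/app.xml", app),
                           ("word/document.xml", "<w:document/>")):
            z.writestr(name, body)
    return buf.getvalue()
```

Run audit() on the sanitised copy and open it in your office suite before publishing; an empty result means none of the listed properties remain.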

To understand the attack surface of your organisation, contact us to learn more about Applied Risk’s ICS/SCADA Security Assessment & Penetration Testing services.