Applied Risk: An established leader in Industrial Control Systems security

Applied Risk is focussed on critical infrastructure security and combating security breaches that pose a significant threat. Operating on a global scale, we work with a wealth of large organisations that rely on our expertise to safeguard their critical assets. Our proven experience of identifying vulnerabilities and security risks is based on methodologies honed over years of conducting assessments in industrial environments.

Our engineering experience and cyber security knowledge prove invaluable in securing the critical infrastructures and industrial assets of companies across the globe. We understand the need to maintain secure and reliable control environments. Working across a range of industries, we deliver solutions tailored to asset owners’ and manufacturers’ security requirements.

Industrial Control Systems (ICS) security is an engineering-based problem that requires an engineering-focused solution. Our offerings include a wealth of engineering and technical assurance services, combined with comprehensive security assessments that cover the full spectrum of our clients’ critical asset requirements while meeting industry standards.

Solutions

Guarding mission-critical industrial systems from the threat of cyber attacks requires a specific and focused security skill set that only comes with deep industry knowledge and associated experience.

Applied Risk helps clients to address and maintain defences against the ever-increasing threats targeting Industrial Automation and Control Systems environments. We enable asset owners, operators, government agencies and suppliers to stay up-to-date and identify appropriate mitigating controls for protecting Process Control and Industrial Automation systems against the latest threats.

Select a product or service below:

  • Products

    ICS Cyber Security Awareness Training
  • Services

    Industrial Automation and Control Systems (IACS) Security
  • ICS/SCADA Security Assessment & Penetration Testing
  • Risk and Vulnerability Assessment (RVA)
  • Embedded Security Assessment
  • Medical Devices Security Assessment
  • IoT Security Assurance Services

Industries

  • Power
  • Pharmaceutical
  • Oil & gas
  • Water
  • Manufacturing
  • Chemicals

Heightened levels of interconnectivity, driven by business requirements, are now leaving Industrial environments increasingly exposed to costly and dangerous cyber attacks, including Denial of Control (DoC); Loss of Control (LoC); Loss of View (LoV); and Manipulation of View (MoV).

Labs

Applied Risk maintains significant leadership in the IACS community through its interactions with end users and manufacturers as well as its advanced research initiatives. It is through this work that we can provide unmatched service delivery to our customers and partners.

This section outlines our dedicated research, with a focus on advisories and white papers for ICS/SCADA environments.

  • Advisories

    Our security advisories are the results of research activities conducted by our in-house research team. These focus exclusively on ICS/SCADA devices and technologies.

  • Vulnerability Disclosure Policy

    It is the policy of the company to exercise the responsible disclosure of security vulnerabilities in a manner that is of maximum value to all affected parties.

About us

  • Safety
  • Integrity
  • Customer focused
  • Innovation

Applied Risk was founded with one core mission: to secure critical assets in the industrial domain against emergent cyber threats. As a major cyber security player within the Industrial Automation and Process Control field, our primary objective is to offer the most advanced Industrial Control Systems (ICS) security technology solutions.

Careers

The Industrial Automation and Control Systems (IACS) security field is growing rapidly and Applied Risk continues to grow to meet current and future customers’ needs. As a global IACS leader, we maintain very high levels of cyber security skills, engineering experience, and business confidentiality. If you have a solid background in Control Systems security or industrial automation engineering and are looking for the next level of challenge and commitment, we would like to hear from you.

Advisory board

Auke Huistra
International Cyber Security Expert

Christian Martorella
CISSP, CISM, CISA, OPSA and OPST

Blog

A Secure Workforce Means a Strong Security Asset

Everybody has a different mindset. No matter how extreme your level of vigilance is, an industrial facility cannot be a one-man band. People with different backgrounds, levels of education and awareness of industrial cyber security are operating your critical infrastructures on a day-to-day basis. Operations Technology (OT) personnel are often unaware of potential dangers, as the heightened relevance of cyber security in industrial environments is a recent shift that has taken place over the last decade.

As dedicated as your team may be – by not understanding basic cyber security practices, employees could be welcoming security threats with open arms unbeknownst to themselves and your company. Whilst your workforce is often targeted as the weakest link within security – by introducing the correct practices, it has the potential to become one of the strongest.

Open Eyes to Security

Management needs to understand that security for Industrial Control Systems cannot be fixed with a one-size-fits-all technology solution. In the Cisco 2018 Annual Cybersecurity Report, only 26% of security issues could be addressed by technology alone, leaving 74% requiring people or policies to form a solution to these issues. There is no single best way to enhance security; the best approach is a combination of technology, policies and training. Without employee education, an organisation is leaving itself open to a range of security issues.

In traditional IT environments, emphasis is usually placed on confidentiality as a priority, whereas availability of systems takes precedence in an OT environment. This means it is particularly important to pay attention to events with the potential to disrupt any production processes. Corporate networks have the privilege of being more accessible to system patching for up-to-date protection, whilst availability issues in updating industrial devices cause patching to occur far too infrequently. Internal patching is also discouraged by many device vendors, who refuse to provide ongoing support if the initiative to update systems is taken internally.

People operating systems in an industrial environment need to be regularly made aware of the elements of an attack and to report suspicious behavior through the correct channels. Basic security practices such as understanding the importance of password policies, not leaving sensitive documents lying around, following processes for connecting external devices and scanning removable media need to be explained to employees in a loud and clear format and reinforced with periodic awareness programs.

Seemingly Harmless, Potentially Harmful

Employees may not be able to understand how sharing information online could be assisting potential attackers. Disclosing experiences with systems online in the form of LinkedIn profiles or job listings on public websites could allow external parties to gain an understanding about frameworks, protocols and devices used inside facilities. By educating staff to understand the potential consequences of disclosing seemingly harmless information online, an organisation can become one step closer towards cyber secure operations.

More sophisticated social engineering approaches can be utilised against staff to access facilities. Spear phishing takes the form of a heavily targeted communication scam designed to steal company information. Campaigns are carefully researched and individually tailored to lead recipients to believe they are receiving communications via a trustworthy source. Tailgating (often referred to as piggybacking) revolves around gaining access to the premises via trailing behind employees through security checkpoints – something not even a retina scanner may prevent. Bringing awareness to these methods will empower your workforce to speak up when suspicions arise and reduce the chances of an incident slipping through the cracks.

For employees interacting with critical OT systems, security training should be mandatory to ensure a competent front-line defense against cyber threats. In industries such as nuclear power, qualified personnel are necessary to operate and maintain nuclear facilities in all modes of operation, which requires regular training and certification of personnel. This sets a precedent for safety standards, and a similar approach can be taken to ensure your personnel are qualified to identify and handle potential security risks, keeping staff prepared and effectively lowering risks to your operations.

A Secure Company Culture

There are no effective bandage solutions for security. Security awareness needs to be a rolling snowball from the top management levels all the way to the people on the ground level operating facilities. A top-down approach is critical, and a proactive Chief Information Security Officer (CISO) who takes responsibility for security is crucial to it. Unless security becomes part of everyone’s job, its principles are easily sidelined until a security incident serves as a reminder.

The rise of safety culture has protected the wellbeing of employees and guarded against events that could potentially jeopardise organisations, such as fatal occupational accidents. The mindset that safety is a priority is often seen embedded within company values, although the security of operations technology is yet to see the same level of treatment. A major security incident can put the continuity of a business at risk, and this should be reflected in the mentality of management and workers alike.

If cyber security is recognised as a company value with everyone held accountable, your team is more likely to spot the risks and take the correct course of action. Physical security is often taken very seriously, although less emphasis is placed on its equally important cyber counterpart. Employees should be encouraged to intervene in actions that have the potential to jeopardise industrial operations and to report near misses to prevent similar actions from taking place in the future.

The First Steps To Awareness

Introducing safe computing discipline for system operators should be a priority. Limiting the information shared in publicly available locations and educating employees about techniques which may be utilised against them in the future is essential. Without the correct training, it is unreasonable to expect suspicious or accidentally harmful activity to be detected, which gives malicious threat actors greater opportunities to impact your systems. As availability of systems becomes a priority in an ICS landscape, allowing security incidents to go unnoticed could lead to financial, reputational and safety damages upon exploitation, which are of utmost importance to prevent.

Applied Risk is a provider of on-site and online ICS Security Awareness programs and can help your staff handle sensitive data and interact with your industrial control systems on a secure basis. Find out more about our Online ICS Security Awareness Training and see how we can help implement programs to enable your workforce to become a strong security asset.