Applied Risk: An established leader in Industrial Control Systems security

Applied Risk is focussed on critical infrastructure security and combating security breaches that pose a significant threat. Operating on a global scale, we work with a wealth of large organisations that rely on our expertise to safeguard their critical assets. Our proven experience of identifying vulnerabilities and security risks is based on methodologies honed over years of conducting assessments in industrial environments.

Our engineering experience and cyber security knowledge prove invaluable in securing the critical infrastructures and industrial assets of companies across the globe. We understand the need to maintain secure and reliable control environments. Working across a range of industries, we deliver solutions tailored to asset owners’ and manufacturers’ security requirements.

Industrial Control Systems (ICS) security is an engineering-based problem that requires an engineering-focused solution. Our offerings include a wealth of engineering and technical assurance services, combined with comprehensive security assessments that cover the full spectrum of our clients’ critical asset requirements while meeting industry standards.

Solutions

Guarding mission-critical industrial systems from the threat of cyber attacks requires a specific and focused security skill set that only comes with deep industry knowledge and associated experience.

Applied Risk helps clients to address and maintain defences against the ever-increasing threats targeting Industrial Automation and Control Systems environments. We enable asset owners, operators, government agencies and suppliers to stay up-to-date and identify appropriate mitigating controls for protecting Process Control and Industrial Automation systems against the latest threats.

Select a product or service below:

  • Products

    ICS Cyber Security Awareness Training
  • Services

    Industrial Automation and Control Systems (IACS) Security
  • ICS/SCADA Security Assessment & Penetration Testing
  • Risk and Vulnerability Assessment (RVA)
  • Embedded Security Assessment
  • Medical Devices Security Assessment
  • IoT Security Assurance Services

Industries

  • Power
  • Pharmaceutical
  • Oil & gas
  • Water
  • Manufacturing
  • Chemicals

Heightened levels of interconnectivity, driven by business requirements, are now leaving Industrial environments increasingly exposed to costly and dangerous cyber attacks, including Denial of Control (DoC); Loss of Control (LoC); Loss of View (LoV); and Manipulation of View (MoV).


Labs

Applied Risk maintains a significant leadership position in the IACS community through its interactions with end users and manufacturers as well as its advanced research initiatives. It is through this work that we can provide unmatched service delivery to our customers and partners.

This section outlines our dedicated research, with a focus on advisories and white papers for ICS/SCADA environments.

  • Advisories

    Our security advisories are the results of research activities conducted by our in-house research team. These focus exclusively on ICS/SCADA devices and technologies.


  • Vulnerability Disclosure Policy

    It is the policy of the company to exercise the responsible disclosure of security vulnerabilities in a manner that is of maximum value to all affected parties.


About us

  • Safety
  • Integrity
  • Customer focused
  • Innovation

Applied Risk was founded with one core mission: to secure critical assets in the industrial domain against emergent cyber threats. As a major cyber security player within the Industrial Automation and Process Control field, our primary objective is to offer the most advanced Industrial Control Systems (ICS) security technology solutions.


Careers

The Industrial Automation and Control Systems (IACS) security field is growing rapidly and Applied Risk continues to grow to meet current and future customers’ needs. As a global IACS leader, we maintain very high levels of cyber security skills, engineering experience, and business confidentiality. If you have a solid background in Control Systems security or industrial automation engineering and are looking for the next level of challenge and commitment, we would like to hear from you.


Advisory board


Auke Huistra
International Cyber Security Expert


Christian Martorella
CISSP, CISM, CISA, OPSA and OPST


Blog

Are Insecure Medical Devices Eroding Patient Safety and Security?

Illness, private health issues or even false alarms. The last thing medical patients need to worry about is the leakage of their health data or the safety of their treatment. In an age where connected medical devices are becoming prevalent, these devices pose an increasingly large risk of exposing safeguarded operations and health data. Given the rapid advancement in health technology, what risks does releasing insecure medical devices really pose?

Medical technology requires the same attention as industrial equipment to keep sensitive data and operations secure. Within industrial environments, machinery contains actuators, controllers and human interfaces to machine operators. In the medical realm, devices with similar components include drug administration devices, X-ray machines, MRI scanners and, on a consumer scale, implantable devices such as cardiac pacemakers. Many of these devices can also be made remotely accessible and, when not properly secured, are susceptible to loss of data, loss of control attacks and other forms of manipulation. As such, the cyber resilience of medical devices, which protects prospective patients, requires the same amount of attention as the protection of any other critical infrastructure. Whilst a focus on improving patient healthcare and service efficiency will yield beneficial results for hospitals, the potential for disaster looms around the corner of the not-so-distant future without a greater emphasis being placed on secured technology.

What kind of impact does healthcare technology feel today?

Last year’s paralysis of the UK National Health Service’s systems showed the potential for a very bad day for patients. Legacy systems at the state-run facility faced the wrath of the WannaCry malware, which shut down operations as it spread through unprotected systems. Evidence suggested that immobilizing the hospital was not the goal of the attack, although it fell victim due to sub-par security. Knowing that this shutdown of operations was collateral damage, what kind of chaotic damage could have taken place if the system had been specifically targeted?

The FDA recall of St Jude Medical’s implanted cardiac pacemakers highlighted security vulnerabilities within the devices, with possible exploitation enabling access to manipulate pacing patterns and modify programming commands for rapid battery depletion. It is critical to ensure extensive testing of implantable patient devices, both for the wellbeing of the patient and to maintain a healthy brand image for manufacturers. Healthcare providers are responsible for personal health data, the administration of treatments and the operation of heavy-duty machinery on patients. This spells the potential to damage personal lives or, even worse, for dosages administered to patients to be altered to possibly lethal levels and for machinery to be operated unsafely. Sadly, further disruptions to patient safety and security are likely before industry-wide action is taken to secure connected devices.

Steps to securing a healthy future of medical devices

For the betterment of patient safety, effort must be focused on improving the relationships between security providers and device manufacturers. The concept of “Secure by Design” is essential to combatting design flaws in device security, and an important step to securing the safety and private health data of patients. Systems should incorporate principles of the secure development lifecycle, ensuring that security requirements are identified early on, that systems can suitably withstand threats, and that security checkpoints are implemented correctly and verified before release. Beyond development, a response plan detailing retaliation against malicious attacks should be outlined to minimize the impact of a successful breach.

By addressing security issues at the early stage of device development, product reliability will increase through better compatibility with security programming, fewer unexpected issues will draw out timelines and financial budgets, and your company will likely avoid a negative image should a breach or testing conclude that an afterthought approach to security led to compromise. Let’s ensure Doctor-Patient Confidentiality stays confidential.

As specialists in Operational Technology Security, Applied Risk has both the means and the knowledge to seamlessly assist with enhancing security for your medical IoT devices and networks. See our Medical Devices Security Assessment page for how we can further assist with your progress.