Applied Risk: An established leader in Industrial Control Systems security

Applied Risk is focussed on critical infrastructure security and combating security breaches that pose a significant threat. Operating on a global scale, we work with a wealth of large organisations that rely on our expertise to safeguard their critical assets. Our proven experience of identifying vulnerabilities and security risks is based on methodologies honed over years of conducting assessments in industrial environments.

Our engineering experience and cyber security knowledge proves invaluable in securing the critical infrastructures and industrial assets of companies across the globe. We understand the need to maintain secure and reliable control environments, working across a range of industries we deliver solutions tailored to asset owners’ and manufacturers’ security requirements.

Industrial Control Systems (ICS) security is an engineering-based problem that requires an engineering-focused solution. Our offerings includes a wealth of engineering and technical assurance services, combined with comprehensive security assessments that cover the full spectrum of our client’s critical asset requirements while meeting industry standards.

Solutions

Guarding mission-critical industrial systems from the threat of cyber attacks requires a specific and focused security skill set that only comes with deep industry knowledge and associated experience.

Applied Risk helps clients to address and maintain defences against the ever-increasing threats targeting Industrial Automation and Control Systems environments. We enable asset owners, operators, government agencies and suppliers to stay up-to-date and identify appropriate mitigating controls for protecting Process Control and Industrial Automation systems against the latest threats.

Select a product or service below:

  • Products

    ICS Cyber Security Awareness Training
  • Services

    Industrial Automation and Control Systems (IACS) Security
  • ICS/SCADA Security Assessment & Penetration Testing
  • Risk and Vulnerability Assessment (RVA)
  • Embedded Security Assessment
  • Medical Devices Security Assessment
  • IoT Security Assurance Services

Industries

  • Power
  • Pharmaceutical
  • Oil & gas
  • Water
  • Manufacturing
  • Chemicals

Heightened levels of interconnectivity, driven by business requirements, are now leaving Industrial environments increasingly exposed to costly and dangerous cyber attacks, including Denial of Control (DoC); Loss of Control (LoC); Loss of View (LoV); and Manipulation of View (MoV).

> Read more

Labs

Applied Risk maintains a significant leadership in the IACS community through its interactions with end users and manufacturers as well as its advanced research initiatives. It is through this work that we can provide unmatched service delivery to its customers and partners.

This section outlines our dedicated research, with a focus on advisories and white papers for ICS/SCADA environments.

  • Advisories

    Our security advisories are the results of research activities conducted by our in-house research team. These focus exclusively on ICS/SCADA devices and technologies.

    Read more

  • Vulnerability Disclosure Policy

    It is the policy of the company to exercise the responsible disclosure of security vulnerabilities in a manner that is of maximum value to all affected parties.

    Read more

About us

  • Safety
  • Integrity
  • Customer focused
  • Innovation

Applied Risk was founded with one core mission: to secure critical assets in the industrial domain against emergent cyber threats. As a major cyber security player within the Industrial Automation and Process Control field, our primary objective is to offer the most advanced Industrial Control Systems (ICS) security technology solutions.

> Read more

Careers

The Industrial Automation and Control Systems (IACS) security field is growing rapidly and Applied Risk continues to grow to meet current and future customers’ needs. As a global IACS leader, we maintain very high levels of cyber security skills, engineering experience, and business confidentiality. If you have a solid background in Control Systems security or industrial automation engineering and are looking for the next level of challenge and commitment, we would like to hear from you.

> Read more

Advisory board

Auke Huistra

Auke Huistra
International Cyber Security Expert

> Read more

Auke Huistra

Christian Martorella
CISSP, CISM, CISA, OPSA and OPST

> Read more

Blog

Understanding the Importance of Physical Security for Industrial Control Systems (ICS)

As we read or hear about industrial control system (ICS) security, the focus is often placed on ‘cyber’ protection measures.However, a true security program for ICS and supporting systems should be a holistic to ensure integration of both cyber security and physical security measures. Unfortunately, physical security tends to be ignored in too many instances.

Afbeelding1.png

ISA/IEC-62443-2-1

Cyber security standard; ISA/IEC-62443-2-1, Security for Industrial Automation and Control Systems, includes a section on Physical and Environmental Security.The two subsections are focused on Secure Areas (11.1) and Equipment (11.2).

The objective of Physical and Environmental Security is “To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.”Essentially a key aspect of this standard is to implement effective access control and protection of systems and equipment from damage.

Physical Security Perimeter (PSP)

One of the first actions an ICS security review should include is identification and verification of the physical security perimeter(s) surrounding the Industrial Control Systems.With this perimeter, physical access points (e.g. entry/exit points) should be identified.These perimeter barriers should be physically sound with no gaps or weak points where break ins could easily occur.Additionally, consideration should be given to the ‘6-sided-barrier’concept of ceiling, floor and four walls.

All external doors or gates to the perimeter should be protected against unauthorized access with control mechanisms such as locks, CCTV, alarms, etc.Doors and windows should be locked when unattended and ground-level windows need extra protection such as bars, metal mesh, for example.

As a reminder, the defence in depth concept also applies to the PSP.It is satisfactory and even necessary to have multiple layers of physical protection around systems – especially those which perform sensitive functions where intellectual property and proprietary operations are stored and occur respectively.

Access Controls

Although the PSP is in place to keep intruders and outsiders from accessing the ICS systems and information, access controls also need to be in place for approved personnel, vendors and escorted visitors.

The following access controls should be considered:

  1. A physical log book or electronic audit trail of all access, along with date and time of PSP entry/exit, should be securely maintained, stored and monitored;
  2. All visitors must be escorted and supervised when inside the PSP;
  3. Access to areas containing confidential/proprietary information should be restricted to authorised individuals and only via strong access controls such as an access card and PIN;
  4. All employees, contractors, third-party vendors, and/or visitors inside the PSP should wear some form of visible identification;,
  5. Access rights to secure areas should be regularly reviewed and updated (recommended monthly), and unnecessary access permissions should be revoked.

Equipment Siting and Protection

Industrial Control Systems and information should be protected from damage, loss, theft or compromise.Some key considerations in this domain include:

  1. Fire detection/protection systems should be installed and activate automatically in the event of a fire;
  2. Temperature and humidity should be maintained within acceptable levels – especially for servers and workstations;
  3. ICS should be protected from water damage due to broken plumbing lines, HVAC drains, etc.;
  4. Lightning protection and effective grounding should be applied to all buildings housing ICS;

Utilities

  1. Loss of key utility services can disable an operating environment very quickly.Such disruptions should be analysed and protected against by considering some of the following techniques:
  2. Power and telecommunications infrastructure should be protected from interception, interference or damage (e.g. backhoe cuts or sabotage);
  3. Electric service, telecommunications, internet, etc. should be provided by means of primary and secondary feeds for large or critical facilities.These feeds should be geographically separated and originate from separate sources if possible.Consider having the feeds at opposite ends of the facility.
  4. Provide short-term uninterruptible power supplies (UPS) to facilitate an orderly shutdown of the ICS in the event of a primary power source loss;
  5. Emergency lighting should be in place that activates in the event of a power outage and covers emergency exits and evacuation routes.

Secure Disposal or Reuse of Equipment

As part of systems lifecycle, servers, workstations or ICS components are marked for disposal or reuse.In these instances, it is critically important that all equipment containing storage media (e.g., hard drives) is sanitised to ensure any sensitive data and licensed software has been removed and securely overwritten (or physically destroyed) prior to disposal or reuse.

Staying on Top of Physical Security is a Full-Time Job

The list of physical security parameters above is not complete but will give you a sense of the scope and depth of what needs to be addressed.Treating physical security as a part-time job is simply not effective and will often result in more crises rather than improved security.

Find out more about Applied Risk's industrial cyber security services designed specifically to identify and mitigate cyber risks for end-users of critical infrastructure.