Applied Risk: An established leader in Industrial Control Systems security

Applied Risk is focussed on critical infrastructure security and combating security breaches that pose a significant threat. Operating on a global scale, we work with a wealth of large organisations that rely on our expertise to safeguard their critical assets. Our proven experience of identifying vulnerabilities and security risks is based on methodologies honed over years of conducting assessments in industrial environments.

Our engineering experience and cyber security knowledge proves invaluable in securing the critical infrastructures and industrial assets of companies across the globe. We understand the need to maintain secure and reliable control environments, working across a range of industries we deliver solutions tailored to asset owners’ and manufacturers’ security requirements.

Industrial Control Systems (ICS) security is an engineering-based problem that requires an engineering-focused solution. Our offerings includes a wealth of engineering and technical assurance services, combined with comprehensive security assessments that cover the full spectrum of our client’s critical asset requirements while meeting industry standards.


Guarding mission-critical industrial systems from the threat of cyber attacks requires a specific and focused security skill set that only comes with deep industry knowledge and associated experience.

Applied Risk helps clients to address and maintain defences against the ever-increasing threats targeting Industrial Automation and Control Systems environments. We enable asset owners, operators, government agencies and suppliers to stay up-to-date and identify appropriate mitigating controls for protecting Process Control and Industrial Automation systems against the latest threats.

Select a product or service below:

  • Products

    ICS Cyber Security Awareness Training
  • Services

    Industrial Automation and Control Systems (IACS) Security
  • ICS/SCADA Security Assessment & Penetration Testing
  • Risk and Vulnerability Assessment (RVA)
  • Embedded Security Assessment
  • Medical Devices Security Assessment
  • IoT Security Assurance Services


  • Power
  • Pharmaceutical
  • Oil & gas
  • Water
  • Manufacturing
  • Chemicals

Heightened levels of interconnectivity, driven by business requirements, are now leaving Industrial environments increasingly exposed to costly and dangerous cyber attacks, including Denial of Control (DoC); Loss of Control (LoC); Loss of View (LoV); and Manipulation of View (MoV).

> Read more


Applied Risk maintains a significant leadership in the IACS community through its interactions with end users and manufacturers as well as its advanced research initiatives. It is through this work that we can provide unmatched service delivery to its customers and partners.

This section outlines our dedicated research, with a focus on advisories and white papers for ICS/SCADA environments.

  • Advisories

    Our security advisories are the results of research activities conducted by our in-house research team. These focus exclusively on ICS/SCADA devices and technologies.

    Read more

  • Vulnerability Disclosure Policy

    It is the policy of the company to exercise the responsible disclosure of security vulnerabilities in a manner that is of maximum value to all affected parties.

    Read more

About us

  • Safety
  • Integrity
  • Customer focused
  • Innovation

Applied Risk was founded with one core mission: to secure critical assets in the industrial domain against emergent cyber threats. As a major cyber security player within the Industrial Automation and Process Control field, our primary objective is to offer the most advanced Industrial Control Systems (ICS) security technology solutions.

> Read more


The Industrial Automation and Control Systems (IACS) security field is growing rapidly and Applied Risk continues to grow to meet current and future customers’ needs. As a global IACS leader, we maintain very high levels of cyber security skills, engineering experience, and business confidentiality. If you have a solid background in Control Systems security or industrial automation engineering and are looking for the next level of challenge and commitment, we would like to hear from you.

> Read more

Advisory board

Auke Huistra

Auke Huistra
International Cyber Security Expert

> Read more

Auke Huistra

Christian Martorella

> Read more

Auke Huistra

Joe Weiss
PE, CISM, CRISC & ISA fellow

> Read more


A target in the crosshairs – how should the energy sector respond to Dragonfly?

Dragonfly is back. That was confirmed in September 2017 when Symantec published a report disclosing that, during a two year period, Dragonfly-affiliated hackers had been attempting to compromise energy industry infrastructure. The sticking point in this latest security revelation is what damage was caused by the breach; none. It seems the hackers were trying to discover how power supply systems work and what could be compromised and controlled as a result, rather than inflicting chaos on our critical infrastructures. But the signs are there… Those of us in the security industry know how important it is that we communicate openly, clearly and with transparency about the threats that we face in today’s networked world. However, all too often, this still doesn’t have the required effect of motivating those responsible for protecting critical systems into adopting good security practice. While in this instance we are fortunate our infrastructures continued to operate as normal, there are lessons to be learned.


What were the attack vectors?

The energy sector is caught in the cross hairs. Industrial Control Systems and critical national infrastructure have always been lucrative targets. Everyone from bedroom hackers to state sponsored spies have wanted to breach critical systems since the dawn of the networked era.

The important revelation in this latest research, that could help prevent a breach in the future, is the methods detected. Techniques such as email phishing, Trojan malware and watering hole websites were utilised, attack vectors which are all well understood and can be easily mitigated against. The lesson for those of us who protect industrial infrastructure, then, is not that our power stations are at risk. Rather, we must focus on improving our ability to detect a breach and ensure that if one occurs, we can get our clients back to productivity as soon as possible.

Mitigating the risk

The energy sector can’t afford to view security as a necessary evil. It’s every bit as vital as the power stations and supply lines themselves. At Applied Risk, we recommend that firms build multi-layered defences which combine strong access control (2 factor authentication), segmentation of critical systems and networks, logging and monitoring, user education and regular penetration testing.

We also encourage closer collaboration with partners and peers to ensure that the security we put into one part of a networked system isn’t undermined by a weakness elsewhere. That means better communications between energy companies, vendors and integrators.

Time is not on the industry’s side. Now we know these weaknesses exist, energy companies must get the implementation of new technologies right to strengthen their defences. Get it wrong, and those cross hairs could prove fatal.

Contact us to learn more about Applied Risk’s ICS/SCADA Security Assessment & Penetration Testing.