Applied Risk: An established leader in Industrial Control Systems security

Applied Risk is focussed on critical infrastructure security and combating security breaches that pose a significant threat. Operating on a global scale, we work with a wealth of large organisations that rely on our expertise to safeguard their critical assets. Our proven experience of identifying vulnerabilities and security risks is based on methodologies honed over years of conducting assessments in industrial environments.

Our engineering experience and cyber security knowledge proves invaluable in securing the critical infrastructures and industrial assets of companies across the globe. We understand the need to maintain secure and reliable control environments, working across a range of industries we deliver solutions tailored to asset owners’ and manufacturers’ security requirements.

Industrial Control Systems (ICS) security is an engineering-based problem that requires an engineering-focused solution. Our offerings includes a wealth of engineering and technical assurance services, combined with comprehensive security assessments that cover the full spectrum of our client’s critical asset requirements while meeting industry standards.

SignupBannerGeneral.png

Solutions

Guarding mission-critical industrial systems from the threat of cyber attacks requires a specific and focused security skill set that only comes with deep industry knowledge and associated experience.

Applied Risk helps clients to address and maintain defences against the ever-increasing threats targeting Industrial Automation and Control Systems environments. We enable asset owners, operators, government agencies and suppliers to stay up-to-date and identify appropriate mitigating controls for protecting Process Control and Industrial Automation systems against the latest threats.

Select a product or service below:

  • Products

    ICS Cyber Security Awareness Training
  • Services

    Industrial Automation and Control Systems (IACS) Security
  • ICS/SCADA Security Assessment & Penetration Testing
  • Risk and Vulnerability Assessment (RVA)
  • Embedded Security Assessment
  • Medical Devices Security Assessment
  • IoT Security Assurance Services

Industries

  • Power
  • Pharmaceutical
  • Oil & gas
  • Water
  • Manufacturing
  • Chemicals

Heightened levels of interconnectivity, driven by business requirements, are now leaving Industrial environments increasingly exposed to costly and dangerous cyber attacks, including Denial of Control (DoC); Loss of Control (LoC); Loss of View (LoV); and Manipulation of View (MoV).

> Read more

Labs

Applied Risk maintains a significant leadership in the IACS community through its interactions with end users and manufacturers as well as its advanced research initiatives. It is through this work that we can provide unmatched service delivery to its customers and partners.

This section outlines our dedicated research, with a focus on advisories and white papers for ICS/SCADA environments.

  • Advisories

    Our security advisories are the results of research activities conducted by our in-house research team. These focus exclusively on ICS/SCADA devices and technologies.

    Read more

  • Vulnerability Disclosure Policy

    It is the policy of the company to exercise the responsible disclosure of security vulnerabilities in a manner that is of maximum value to all affected parties.

    Read more

About us

  • Safety
  • Integrity
  • Customer focused
  • Innovation

Applied Risk was founded with one core mission: to secure critical assets in the industrial domain against emergent cyber threats. As a major cyber security player within the Industrial Automation and Process Control field, our primary objective is to offer the most advanced Industrial Control Systems (ICS) security technology solutions.

> Read more

Careers

The Industrial Automation and Control Systems (IACS) security field is growing rapidly and Applied Risk continues to grow to meet current and future customers’ needs. As a global IACS leader, we maintain very high levels of cyber security skills, engineering experience, and business confidentiality. If you have a solid background in Control Systems security or industrial automation engineering and are looking for the next level of challenge and commitment, we would like to hear from you.

> Read more

Advisory board

Auke Huistra

Auke Huistra
International Cyber Security Expert

> Read more

Auke Huistra

Christian Martorella
CISSP, CISM, CISA, OPSA and OPST

> Read more

Blog

Why IT Security Alone Is Not Enough For Building Management Systems

When facility managers consider cyber security for Building Management and Automation Services (BMS for short), they tend to follow corporate IT security policies and procedures. This is primarily because these systems are interconnected through the corporate network. Besides, the designers of the BMS - facility management engineers or the vendor - are primarily focusing on delivering a safe and secure physical environment. Cyber security is considered to be in the caring hands of the IT-professionals. As these may be seasoned in securing the IT world, BMS does not perfectly fit the IT controls. BMS systems control and monitor physical circumstances such as doors, lights and climate, and as such these systems should be considered as Operational Technology (OT), with OT cyber security practices in mind.

To better understand cyber security for BMS - facility management and IT should take time with the information security department to mutually understand what BMS is about, get acquainted on risks and controls and make sure to prepare for these from the design phase. If BMS is already implemented, it is still important to cooperatively assess the cyber security posture to see if extra measures are needed.

BMS Cyber Security Controls

One of the most effective cyber security controls for OT environments is network segregation. This is a very important control to keep in mind, as the protocols on the network were designed with 'security by isolation'. When automation and digitalisation in OT appeared late 20th century, it was first used in plants, where physical access was very restricted and no connectivity to the corporate network existed. There was no need for this connectivity, since all operators and engineers would be onsite. It was also believed that the proprietary nature of the protocols would make them very hard to attack (and hence they were 'secure by obscurity'). These insecure protocols are still in business, even in modern BMS systems.

When applying cyber security to this model, conduits are recognised as controlled channels for data-flow between levels. Along with segregation, it is important to get monitoring in place on the conduits to enable alerting on deviations from baseline traffic. Deviations from baseline traffic are potential indicators of an adversary getting to know your environment or even started trying to exploit vulnerabilities.

iStock-171573656.jpg

Segregating Your Network

Network segregation in OT environments can be achieved by following the Purdue reference model that describes functional layers and controlled data-flow in between these layers over conduits.

The Purdue Model contains five levels, labelled zero through four:

Level 0 – The physical process – Defines the actual physical processes.

Level 1 – Intelligent devices – Sensing and manipulating the physical processes. Process sensors, analysers, actuators and related instrumentation.

Level 2 – Control systems – Supervising, monitoring and controlling the physical processes. Real-time controls and software; DCS, human-machine interface (HMI); supervisory and data acquisition (SCADA) software.

Level 3 – Manufacturing operations systems – Managing production work flow to produce the desired products. Batch management; manufacturing execution/operations management systems (MES/MOMS); laboratory, maintenance and plant performance management systems; data historians and related middleware. Time frame: shifts, hours, minutes, seconds.

Level 4 – Business logistics systems – Managing the business-related activities of the manufacturing operation. ERP is the primary system; establishes the basic plant production schedule, material use, shipping and inventory levels.

Some may say Purdue is not applicable anymore for modern BMS, I argue that for - at least the main 'physical influencing components of' BMS, that Purdue still does apply.

Monitoring Your Network

Monitoring of anomalies, being deviations in the data-flows between the defined Purdue zones, can be achieved by introducing specialised - industry specific probes - specialised in anomaly detection and supporting whitelisting based alerting. These systems will "passively" inspect the network traffic on the conduits in between the zones. Passively in this context means that a network device is configured to mirror all network packets to a so-called mirror-port. The probes are connected to the mirror port and cannot intervene with the data-flows, it can only analyse the data. Analysing the data-flows requires in depth knowledge about the protocols that are transporting the data, and that is what creates the need for industry (OT) specific IDS-systems. Common IDS devices that are set up in IT-environments are great at analysing corporate network traffic (like file- and print services, webservices, DNS traffic etc.). These devices lack in depth analysis for protocols that are used in Operational Technology (ModBus, BACNET, ZigBee, DALI etc.).

Challenges Ahead

The main challenge in designing and implementing a secure BMS is getting the involved facility management and IT responsible on the same page. Facility management is not used to take cyber security into account and trust on the IT-expertise. The IT-controls do not fully cover the OT cyber security segregation model and required monitoring intelligence. This is not directly noticed, since BMS will work well when connected to the IT network, although by not explicitly taking OT specific cyber security measures into account, the BMS might be more vulnerable to cyber-attacks.

The main differences in understanding become apparent when the question arises of how the BMS should be connected to the network. Often, for the sake of 'security', a separate VLAN is provisioned and all BMS devices should be connected there. A VLAN is a way to separate network segments, to force the traffic in and out of the VLAN through a router or firewall. However, by default IT delivers large VLANs that can host up to 1024 hosts. A typical zone in the Purdue based design of a Building Management System would need no more than 10 hosts. By effectively mixing multiple Purdue zones in one big VLAN, it diminishes the value of a possible monitoring tool or firewall.

Taking The Next Steps

A common understanding of what Cyber security for your BMS means is important. Facility management and IT should spend time together with the information security department to assess the security posture of the BMS that is being designed or already in use. During these sessions, specific OT cyber security controls should be considered and compared with the in-force IT controls. This will bring gaps to the table that can be assessed for risk. Based on the risk assessment additional controls can be decided upon and planned for implementation. Implementation of a well segregated and monitored BMS, processes to follow up on alerts and policies for connecting new devices are necessary to be discussed.

Applied Risk has extensive experience in securing operations technology and our experts can assess your Building Management Systems - providing tailored security recommendations based on industry best practices and international standards. Check for more information on our approach to conducting Risk & Vulnerability Assessments or contact us directly to learn how we can reinforce the security of your Building Management Systems.