Applied Risk: An established leader in Industrial Control Systems security

Applied Risk is focussed on critical infrastructure security and combating security breaches that pose a significant threat. Operating on a global scale, we work with a wealth of large organisations that rely on our expertise to safeguard their critical assets. Our proven experience of identifying vulnerabilities and security risks is based on methodologies honed over years of conducting assessments in industrial environments.

Our engineering experience and cyber security knowledge prove invaluable in securing the critical infrastructures and industrial assets of companies across the globe. We understand the need to maintain secure and reliable control environments. Working across a range of industries, we deliver solutions tailored to asset owners’ and manufacturers’ security requirements.

Industrial Control Systems (ICS) security is an engineering-based problem that requires an engineering-focused solution. Our offering includes a wealth of engineering and technical assurance services, combined with comprehensive security assessments that cover the full spectrum of our clients’ critical asset requirements while meeting industry standards.


Guarding mission-critical industrial systems from the threat of cyber attacks requires a specific and focused security skill set that only comes with deep industry knowledge and associated experience.

Applied Risk helps clients to address and maintain defences against the ever-increasing threats targeting Industrial Automation and Control Systems environments. We enable asset owners, operators, government agencies and suppliers to stay up-to-date and identify appropriate mitigating controls for protecting Process Control and Industrial Automation systems against the latest threats.

  • Products
      • ICS Cyber Security Awareness Training
  • Services
      • Industrial Automation and Control Systems (IACS) Security
      • ICS/SCADA Security Assessment & Penetration Testing
      • Risk and Vulnerability Assessment (RVA)
      • Embedded Security Assessment
      • Medical Devices Security Assessment
      • IoT Security Assurance Services


  • Power
  • Pharmaceutical
  • Oil & gas
  • Water
  • Manufacturing
  • Chemicals

Heightened levels of interconnectivity, driven by business requirements, are now leaving industrial environments increasingly exposed to costly and dangerous cyber attacks, including Denial of Control (DoC), Loss of Control (LoC), Loss of View (LoV) and Manipulation of View (MoV).


Applied Risk maintains a significant leadership position in the IACS community through its interactions with end users and manufacturers as well as its advanced research initiatives. It is through this work that we can provide unmatched service delivery to our customers and partners.

This section outlines our dedicated research, with a focus on advisories and white papers for ICS/SCADA environments.

  • Advisories

    Our security advisories are the results of research activities conducted by our in-house research team. These focus exclusively on ICS/SCADA devices and technologies.


  • Vulnerability Disclosure Policy

    It is the policy of the company to exercise the responsible disclosure of security vulnerabilities in a manner that is of maximum value to all affected parties.


About us

  • Safety
  • Integrity
  • Customer focused
  • Innovation

Applied Risk was founded with one core mission: to secure critical assets in the industrial domain against emergent cyber threats. As a major cyber security player within the Industrial Automation and Process Control field, our primary objective is to offer the most advanced Industrial Control Systems (ICS) security technology solutions.



The Industrial Automation and Control Systems (IACS) security field is growing rapidly and Applied Risk continues to grow to meet current and future customers’ needs. As a global IACS leader, we maintain very high levels of cyber security skills, engineering experience, and business confidentiality. If you have a solid background in Control Systems security or industrial automation engineering and are looking for the next level of challenge and commitment, we would like to hear from you.


Advisory board

Auke Huistra
International Cyber Security Expert

Christian Martorella

Joe Weiss
PE, CISM, CRISC & ISA fellow



Securing Industrial Control Systems Through Design

Trends continue to indicate that cyber-attacks specifically targeting Industrial Control Systems (ICS) are increasing over time. Within the last 18 months, new malware strains have been identified that have had a direct and significant impact on ICS environments.

With user-friendly frameworks and tools readily available that automate the discovery and attack of systems, it has never been easier for threat actors to engage in cybercrime. Combining this fact with the growing trend to connect inadequately secured ICS to public networks and the global ICS cyber security skills shortage, it is unlikely that attacks targeted against ICS will decrease anytime soon.


The benefits of addressing cyber security early

Despite these trends, cyber security is often seen as a burden on a project, and a commonly displayed attitude is to ‘sweep the issue under the carpet’ or ‘deal with it at a later stage’.

A common argument for not properly addressing cyber security on a project is the ‘lack of budget or time’ available. In such instances, is it likely that the budget or time will be available to facilitate reworking the design to address cyber security requirements in the latter phases of the project life cycle?

When executing an ICS project, the importance of addressing the cyber security requirements of the project at the ‘Analysis & Planning’ phase cannot be stressed enough. This statement applies to all ICS projects, regardless of whether the project is a completely new, yet to be deployed ICS, or a service pack to augment the functionality of a legacy system, such as adding remote functionality.

Addressing cyber security requirements as early as possible brings several benefits, including:

Increased Reliability: Addressing cyber security requirements during the ‘Analysis & Planning’ phase means control systems are less likely to be afflicted with cyber security issues such as product compatibility or cyber-attack in later phases.

Positive Company Image: Delivering control systems that are secure shows responsibility and portrays the company in a positive manner. Many do not address cyber security correctly, so taking the time to deliver compliant and secure systems could potentially lead to repeat business.

Security Assurance: By developing and conducting tailored Security Factory Acceptance Test (SFAT) and Security Site Acceptance Test (SSAT) procedures, it is possible to provide the required security assurance level for asset owners, integrators and suppliers. This principle is no different from the FAT/SAT testing that would be conducted on any other project.

Time and Financial Savings: By properly planning for cyber security in the ‘Analysis & Planning’ phase, it is far less likely that there will be unexpected issues later in the project life cycle, which could in turn impact project budget and deadlines.

More support available than ever to address cyber security requirements

The good news is that despite trends indicating attacks against ICS are rising, the support available to help organisations properly address the cyber security requirements placed on projects is also increasing.

In response to the growing need to consistently and effectively address cyber security, the International Electrotechnical Commission (IEC) released their new IEC 62443 standard, ‘Security for industrial process measurement and control’, to help mitigate against cyber security vulnerabilities and attacks on asset owners. In collaboration with the International Society of Automation (ISA), IEC 62443 describes how security practitioners, integrators, and manufacturers should interact to ensure the security and safety of their facilities and components. Applied Risk has in-depth knowledge of reviewing and designing complex process control networks based on ISA99/IEC 62443, taking into consideration functional and security requirements. With this knowledge, Applied Risk can help asset owners, operators and suppliers to address the risks and challenges of process control security and design.

Contact us to learn more about Applied Risk’s Industrial Automation and Control Systems (IACS) Security services.