Applied Risk: An established leader in Industrial Control Systems security

Applied Risk is focussed on critical infrastructure security and combating security breaches that pose a significant threat. Operating on a global scale, we work with a wealth of large organisations that rely on our expertise to safeguard their critical assets. Our proven experience of identifying vulnerabilities and security risks is based on methodologies honed over years of conducting assessments in industrial environments.

Our engineering experience and cyber security knowledge prove invaluable in securing the critical infrastructures and industrial assets of companies across the globe. We understand the need to maintain secure and reliable control environments. Working across a range of industries, we deliver solutions tailored to asset owners’ and manufacturers’ security requirements.

Industrial Control Systems (ICS) security is an engineering-based problem that requires an engineering-focused solution. Our offerings include a wealth of engineering and technical assurance services, combined with comprehensive security assessments that cover the full spectrum of our clients’ critical asset requirements while meeting industry standards.


Solutions

Guarding mission-critical industrial systems from the threat of cyber attacks requires a specific and focused security skill set that only comes with deep industry knowledge and associated experience.

Applied Risk helps clients to address and maintain defences against the ever-increasing threats targeting Industrial Automation and Control Systems environments. We enable asset owners, operators, government agencies and suppliers to stay up-to-date and identify appropriate mitigating controls for protecting Process Control and Industrial Automation systems against the latest threats.

Select a product or service below:

  • Products
    • ICS Cyber Security Awareness Training
  • Services
    • Industrial Automation and Control Systems (IACS) Security
    • ICS/SCADA Security Assessment & Penetration Testing
    • Risk and Vulnerability Assessment (RVA)
    • Embedded Security Assessment
    • Medical Devices Security Assessment
    • IoT Security Assurance Services

Industries

  • Power
  • Pharmaceutical
  • Oil & gas
  • Water
  • Manufacturing
  • Chemicals

Heightened levels of interconnectivity, driven by business requirements, are now leaving Industrial environments increasingly exposed to costly and dangerous cyber attacks, including Denial of Control (DoC); Loss of Control (LoC); Loss of View (LoV); and Manipulation of View (MoV).


Labs

Applied Risk maintains significant leadership in the IACS community through its interactions with end users and manufacturers as well as its advanced research initiatives. It is through this work that we can provide unmatched service delivery to our customers and partners.

This section outlines our dedicated research, with a focus on advisories and white papers for ICS/SCADA environments.

  • Advisories

    Our security advisories are the results of research activities conducted by our in-house research team. These focus exclusively on ICS/SCADA devices and technologies.


  • Vulnerability Disclosure Policy

    It is the policy of the company to exercise the responsible disclosure of security vulnerabilities in a manner that is of maximum value to all affected parties.


About us

  • Safety
  • Integrity
  • Customer focused
  • Innovation

Applied Risk was founded with one core mission: to secure critical assets in the industrial domain against emergent cyber threats. As a major cyber security player within the Industrial Automation and Process Control field, our primary objective is to offer the most advanced Industrial Control Systems (ICS) security technology solutions.


Careers

The Industrial Automation and Control Systems (IACS) security field is growing rapidly and Applied Risk continues to grow to meet current and future customers’ needs. As a global IACS leader, we maintain very high levels of cyber security skills, engineering experience, and business confidentiality. If you have a solid background in Control Systems security or industrial automation engineering and are looking for the next level of challenge and commitment, we would like to hear from you.


Advisory board

Auke Huistra
International Cyber Security Expert


Christian Martorella
CISSP, CISM, CISA, OPSA and OPST


Blog

Don’t Let Poor Security Leave A Bad Taste: Securing Food & Beverage Manufacturing Facilities

Beyond identifying expiration dates, consumers are limited in their ability to assess the safety of readily packaged foods and beverages, placing a large amount of trust in brands and regulatory practices. They trust that packaged consumables are well preserved, that chemical ratios are at a safe and consumable level, and that quality assurance testing measures are in place to identify tainted outliers.

On a large scale, food and beverage manufacturers rely heavily on automated machinery to prepare, package and label goods before national or global dispatch. Much like equipment used on industrial scales for oil refineries or power grids, food and beverage facilities utilise Industrial Control Systems (ICS) as a means of automated operation and require essential cyber security practices to be put in place to avoid product tampering via malicious cyber manipulation. Ultimately, it is the responsibility of the manufacturer to ensure a quality and safely consumable product.


From Factory to Family: What are the Risks?

Most consumable products are required to meet standards of cleanliness or specific temperature conditions, so altering conditions at any of the multiple stages of the supply chain, from packaging to transportation of goods, can negatively impact the safety of food and beverage consumption. Manipulation of a critical ICS as the result of a security breach, especially one controlling production or storage variables, can be costly. For temperature-sensitive products such as milk, meats and other consumables that require refrigeration, slightly raising temperatures may cause growth of unwanted bacteria in fresh products before they hit the shelves, which is an unacceptable violation of health regulations. This has the potential to render entire batches of product unfit for consumption and is likely to account for large losses in revenue.

In the case of products less susceptible to these types of environmental changes, risks could include manipulation of recipes (automated batch processing), for example by increasing ratios of chemicals or leaving the product short of flavour additives or preservatives, affecting the shelf life or unique taste of a branded food or drink. In the event of a public recall of unsafe consumables, the associated reputational damage can hurt future sales. Identifying contaminated products before release is also a costly exercise. Shutting down production to inspect facilities and identify issues causes stoppages in operations and impacts revenue generated from the facility.

Food and beverage manufacturers utilise Hazard Analysis Critical Control Points (HACCP) to manage food safety and identify threats to production within the factory environment. Essentially, this process provides a level of protection across the entire process chain against potential physical, chemical and biological hazards, although it notably lacks any consideration of cyber security practices. To avoid potential incidents that can cause financial, reputational or safety damage, it is important to ensure sufficient levels of security in your operational technology.


Packing your products with a healthy level of security

In 2014, the US Food and Drug Administration (FDA) included the IEC 62443 Industrial Automation and Control Systems (IACS) standards on its recognized consensus standards list in an effort to guide manufacturers to meet enhanced security benchmarks. The IACS standards are designed to prevent and mitigate large-scale cyber damage to industrial systems, with regulations which can prove beneficial in the context of industrial food and beverage manufacturing environments. Assessing operations systems against these standards is an important baseline for introducing security measures that ensure future low-risk industrial operations. As part of what we call a risk-based approach, we recommend the following security measures to reduce the likelihood of a breach:

  1. Network Segregation – Reducing the number of connections from the ICS networks and ensuring the essential connections are strongly authenticated
  2. Access control – Ensuring only the required users have access to necessary devices and machinery to perform their job
  3. Patching – Implementing up-to-date software for your industrial equipment
  4. System Hardening – Reducing your vulnerability surface by minimising the functions and connections of a system to the essentials only
  5. Asset Management – Maintaining an up-to-date and detailed inventory of all assets and their connections

Whilst utilising a combination of these methods creates a more secure network, it is important to be prepared for a security breach by implementing effective control measures to reduce the impact should an incident occur. Recommended measures include:

  1. Incident management – Implementing policies and procedures to know which actions to take immediately to reduce the time threats are active
  2. Network segmentation – As explained above, it is useful for both reducing the chances of a breach and limiting the impact
  3. Logging and monitoring – Implement measures to rapidly identify, analyse and react to security events
  4. Back-up and restore – Ensuring industrial systems can be restored to previously operational states
  5. Endpoint protection – Making operating systems more resilient against cyber threats

An essential aspect of developing a secure ICS is ensuring that the systems are ‘secure by design.’ By implementing security measures in the design phase, operations can benefit from increased reliability, security assurance and time and financial savings compared to implementing these critical advancements later down the track.

As the responsibility for creating a safe and consumable product lies in the hands of food and beverage manufacturers, it is important for facilities to test their control systems to protect against emerging cyber threats. Applied Risk has extensive expertise in analysing ICS networks against the IEC 62443 regulations to ensure facilities are following cyber security best practices. Our experts can identify security risks in current operations and provide recommendations to ensure low-risk manufacturing processes.

For further information about initiating an Industrial Automation and Control System assessment, see https://applied-risk.com/solutions/services/industrial-automation-and-control-systems-iacs-security.