Applied Risk: An established leader in Industrial Control Systems security

Applied Risk is focussed on critical infrastructure security and combating security breaches that pose a significant threat. Operating on a global scale, we work with a wealth of large organisations that rely on our expertise to safeguard their critical assets. Our proven experience of identifying vulnerabilities and security risks is based on methodologies honed over years of conducting assessments in industrial environments.

Our engineering experience and cyber security knowledge prove invaluable in securing the critical infrastructures and industrial assets of companies across the globe. We understand the need to maintain secure and reliable control environments. Working across a range of industries, we deliver solutions tailored to asset owners’ and manufacturers’ security requirements.

Industrial Control Systems (ICS) security is an engineering-based problem that requires an engineering-focused solution. Our offering includes a wealth of engineering and technical assurance services, combined with comprehensive security assessments that cover the full spectrum of our clients’ critical asset requirements while meeting industry standards.

Solutions

Guarding mission-critical industrial systems from the threat of cyber attacks requires a specific and focused security skill set that only comes with deep industry knowledge and associated experience.

Applied Risk helps clients to address and maintain defences against the ever-increasing threats targeting Industrial Automation and Control Systems environments. We enable asset owners, operators, government agencies and suppliers to stay up-to-date and identify appropriate mitigating controls for protecting Process Control and Industrial Automation systems against the latest threats.

Select a product or service below:

  • Products
    ICS Cyber Security Awareness Training
  • Services
    Industrial Automation and Control Systems (IACS) Security
  • ICS/SCADA Security Assessment & Penetration Testing
  • Risk and Vulnerability Assessment (RVA)
  • Embedded Security Assessment
  • Medical Devices Security Assessment
  • IoT Security Assurance Services

Industries

  • Power
  • Pharmaceutical
  • Oil & gas
  • Water
  • Manufacturing
  • Chemicals

Heightened levels of interconnectivity, driven by business requirements, are now leaving industrial environments increasingly exposed to costly and dangerous cyber attacks, including Denial of Control (DoC), Loss of Control (LoC), Loss of View (LoV) and Manipulation of View (MoV).

Labs

Applied Risk maintains a leading position in the IACS community through its interactions with end users and manufacturers as well as its advanced research initiatives. It is through this work that we can provide unmatched service delivery to our customers and partners.

This section outlines our dedicated research, with a focus on advisories and white papers for ICS/SCADA environments.

  • Advisories

    Our security advisories are the results of research activities conducted by our in-house research team. These focus exclusively on ICS/SCADA devices and technologies.

  • Vulnerability Disclosure Policy

    It is the policy of the company to exercise the responsible disclosure of security vulnerabilities in a manner that is of maximum value to all affected parties.


About us

  • Safety
  • Integrity
  • Customer focused
  • Innovation

Applied Risk was founded with one core mission: to secure critical assets in the industrial domain against emergent cyber threats. As a major cyber security player within the Industrial Automation and Process Control field, our primary objective is to offer the most advanced Industrial Control Systems (ICS) security technology solutions.

Careers

The Industrial Automation and Control Systems (IACS) security field is growing rapidly and Applied Risk continues to grow to meet current and future customers’ needs. As a global IACS leader, we maintain very high levels of cyber security skills, engineering experience, and business confidentiality. If you have a solid background in Control Systems security or industrial automation engineering and are looking for the next level of challenge and commitment, we would like to hear from you.

Advisory board

Auke Huistra
International Cyber Security Expert

Christian Martorella
CISSP, CISM, CISA, OPSA and OPST

Joe Weiss
PE, CISM, CRISC & ISA fellow

Blog

How will Meltdown and Spectre impact industrial environments?

Although we are only weeks into 2018, you have already read reports about two serious security flaws, Meltdown and Spectre, impacting computer systems worldwide. The flaws have been discovered in computer processors and could allow hackers to steal sensitive data without users’ knowledge.

The Meltdown security flaw has already been described as ‘one of the worst CPU bugs ever found’ by one of the researchers who found the vulnerability. It enables hackers to bypass the hardware barrier between applications run by users and the computer’s operating system. This means that they can steal the secrets of other programs and of the operating system.

Spectre is similar but different. The bug breaks the isolation between different applications, allowing attackers to trick error-free programs into leaking confidential data, despite best practices being followed. It has been suggested that Spectre is more difficult for hackers to take advantage of but is also harder to fix, meaning it could potentially be a greater threat in the long term. To put the scale of the issue into context, only 4% of business mobile devices have been patched against both chip vulnerabilities[1] thus far.

How could Meltdown and Spectre affect ICS/SCADA systems?

The problem these vulnerabilities have created, especially in the case of Spectre, is that almost every computing device is affected, including desktop PCs, laptops, tablets, smartphones and cloud computing systems. With Meltdown, virtually all Intel x86-64 processors built since 1995 are affected. Due to the nature and criticality of both vulnerabilities, vendors are working hard to develop and release patches quickly. That said, in the case of Spectre there are currently no patches available, and as it represents a whole new class of attacks, one patch alone will not fix all affected devices.

As for Meltdown, there are patches available from official vendors, but there are some caveats to consider before applying them, especially for those working within the ICS/SCADA or IIoT domain. While the patches already released are simple to deploy, they can cause a 5% to 30% drop in performance. A normal computer user may not even notice this difference, but in the industrial domain this reduction in performance could be extremely dangerous. Vendors have also reported other issues, such as instability and accessibility problems on certain systems[2].

Best practice security

To overcome the potential service reduction within ICS/SCADA and IIoT systems, Applied Risk advises organisations to follow security best practices: ensure that a Defense-in-Depth principle is in place in their environment, that critical systems are properly segregated, and that patches are tested before deployment.

Following the proliferation of IIoT technology use in industrial environments, there are now nearly 1 trillion devices attached to the Internet. This means vendors have a lot of work to do in 2018 to ensure Meltdown and Spectre don’t turn into industry-defining security issues. Simply upgrading the CPU on all devices is not feasible, due to the sheer scale of the problem. End users must be aware of the potential dangers the flaws pose and be cautious when implementing devices. A thorough risk assessment, with measures taken accordingly, is recommended.

Stay tuned for future updates, recommendations, and ICS/IIoT best practices related to Meltdown and Spectre, and for information about how Applied Risk can help. Contact us to learn more.



[1] http://www.itpro.co.uk/exploits/30299/just-4-of-bu...

[2] https://www.theregister.co.uk/2018/01/15/meltdown_ics/