Applied Risk: An established leader in Industrial Control Systems security

Applied Risk is focussed on critical infrastructure security and combating security breaches that pose a significant threat. Operating on a global scale, we work with a wealth of large organisations that rely on our expertise to safeguard their critical assets. Our proven experience of identifying vulnerabilities and security risks is based on methodologies honed over years of conducting assessments in industrial environments.

Our engineering experience and cyber security knowledge proves invaluable in securing the critical infrastructures and industrial assets of companies across the globe. We understand the need to maintain secure and reliable control environments, working across a range of industries we deliver solutions tailored to asset owners’ and manufacturers’ security requirements.

Industrial Control Systems (ICS) security is an engineering-based problem that requires an engineering-focused solution. Our offerings includes a wealth of engineering and technical assurance services, combined with comprehensive security assessments that cover the full spectrum of our client’s critical asset requirements while meeting industry standards.

Solutions

Guarding mission-critical industrial systems from the threat of cyber attacks requires a specific and focused security skill set that only comes with deep industry knowledge and associated experience.

Applied Risk helps clients to address and maintain defences against the ever-increasing threats targeting Industrial Automation and Control Systems environments. We enable asset owners, operators, government agencies and suppliers to stay up-to-date and identify appropriate mitigating controls for protecting Process Control and Industrial Automation systems against the latest threats.

Select a product or service below:

  • Products

    ICS Cyber Security Awareness Training
  • Services

    Industrial Automation and Control Systems (IACS) Security
  • ICS/SCADA Security Assessment & Penetration Testing
  • Risk and Vulnerability Assessment (RVA)
  • Embedded Security Assessment
  • Medical Devices Security Assessment
  • IoT Security Assurance Services

Industries

  • Power
  • Pharmaceutical
  • Oil & gas
  • Water
  • Manufacturing
  • Chemicals

Heightened levels of interconnectivity, driven by business requirements, are now leaving Industrial environments increasingly exposed to costly and dangerous cyber attacks, including Denial of Control (DoC); Loss of Control (LoC); Loss of View (LoV); and Manipulation of View (MoV).

> Read more

Labs

Applied Risk maintains a significant leadership in the IACS community through its interactions with end users and manufacturers as well as its advanced research initiatives. It is through this work that we can provide unmatched service delivery to its customers and partners.

This section outlines our dedicated research, with a focus on advisories and white papers for ICS/SCADA environments.

  • Advisories

    Our security advisories are the results of research activities conducted by our in-house research team. These focus exclusively on ICS/SCADA devices and technologies.

    Read more

  • Vulnerability Disclosure Policy

    It is the policy of the company to exercise the responsible disclosure of security vulnerabilities in a manner that is of maximum value to all affected parties.

    Read more

About us

  • Safety
  • Integrity
  • Customer focused
  • Innovation

Applied Risk was founded with one core mission: to secure critical assets in the industrial domain against emergent cyber threats. As a major cyber security player within the Industrial Automation and Process Control field, our primary objective is to offer the most advanced Industrial Control Systems (ICS) security technology solutions.

> Read more

Careers

The Industrial Automation and Control Systems (IACS) security field is growing rapidly and Applied Risk continues to grow to meet current and future customers’ needs. As a global IACS leader, we maintain very high levels of cyber security skills, engineering experience, and business confidentiality. If you have a solid background in Control Systems security or industrial automation engineering and are looking for the next level of challenge and commitment, we would like to hear from you.

> Read more

Advisory board

Auke Huistra

Auke Huistra
International Cyber Security Expert

> Read more

Auke Huistra

Christian Martorella
CISSP, CISM, CISA, OPSA and OPST

> Read more

Blog

Ensuring Secure Deployment of Industrial Wireless Systems

Deploying wireless communications into an industrial environment can be a daunting task if not approached in a careful, methodical manner. While there are benefits of applying wireless technology in an industrial environment, there are many considerations to take into account including reliability, frequency management, safety, and security. The National Institute of Standards and Technology (NIST) recently released their Guide to Industrial Wireless Systems Deployments in order to help industrial organizations "design, assess, select, and deploy secure wireless systems that can perform dependably" in industrial environments.They act as best practice guidelines which are technology and vendor agnostic and provide a succinct guide which can be referenced throughout the entire wireless deployment lifecycle.

Security in Industrial Wireless Systems

An important topic of discussion presented by the NIST guidelines is the role of security in wireless industrial control systems. In these systems the emphasis of security is commonly to ensure system availability first and foremost, with integrity being the secondary focus. A loss of system availability due to a malicious signal jamming, for example, can impact plant operations and result in work stoppages or other unacceptable downtime. Similarly, if an attacker can manipulate values being communicated by a sensor, then the integrity of the data is compromised and could result in out-of-tolerance production flows. Confidentiality is still important, but the impact of an attacker intercepting industrial systems communications is typically not as severe as it would be in a traditional Information Technology (IT) environment.

Security From The Start

When deploying wireless industrial control systems, it is important that organizations define security as a key wireless system requirement and take the Availability, Integrity, and Confidentiality of the proposed system into consideration during the candidate selection process. For example, Applied Risk has performed intensive analysis and testing of the ISA100 and WirelessHART wireless ICS protocols, among others, which were designed from the ground up to provide secure communications. These protocols have several risk-mitigating controls built-in, including:

  • Availability: ISA100 and WirelessHART devices can be configured as mesh networks to provide alternate path routing in the event a primary path goes down; additionally, they can dynamically react to frequency interference to avoid using those channels until the interference has cleared up.
  • Integrity: Both protocols implement message sequencing and secure message integrity check algorithms to validate that a received packet has not been seen before and has not been tampered with.
  • Confidentiality: ISA100 and WirelessHART utilize strong encryption to protect the contents of communications.

However, even with these features, not every solution is the right solution for every organization. Rather, the right solution should be determined by partnering with a trusted technical advisor and adopting a thorough candidate evaluation and selection process as recommended by NIST.

CardVascularIllustration-01.png

Additional Security Considerations

Wireless security management extends beyond the initial candidate selection process, and accordingly NIST makes several other recommendations to take into consideration when deploying and maintaining wireless industrial control systems, including:

  • Network Segregation: Splitting industrial networks into zones and conduits and separating the industrial network from the enterprise office network as specified by the standard for ICS Security, IEC 62443. For example, appropriate network segregation can limit the amount of damage caused by a security incident by preventing the spread of malware to other zones.
  • Physical Security: Physical security should be implemented to protect wireless access points, gateways, and devices. Unsecured devices in insecure locations can be tampered with, impacting the availability and integrity of wireless resources.
  • Default Passwords and Keys: Default passwords and keys should not be used once the system is installed. It should always be assumed that a malicious actor will gain access to even properly segregated networks, and a wireless controller using a default login password will be an easy target. Similarly, network encryption keys and secrets should be changed to prevent an attacker from eavesdropping on wireless communications.
  • Network and Spectrum Monitoring: Wherever possible, logging and monitoring of wireless communications should be performed to detect anomalous activity patterns. For example, deploying a wireless spectrum analyser can provide alerting when there is excessive interference on the in-use channels which could indicate malicious signal jamming or other destructive interference. Additionally, configuring logging on wireless gateways can provide valuable information in the event of a security incident or other wireless service disruption.

In addition to the NIST recommendations, Applied Risk also recommends the following measures to improve security:

  • Limit Implementation to Non-Safety Devices: While industrial wireless protocols can provide reliable communications, they can still be susceptible to interference and as such Applied Risk recommends using only wired technology for safety systems. While extremely rare, even a minute risk of radio interference impacting a safety system is unacceptable to most organizations.
  • Device Testing: Prior to deploying a wireless solution, the devices to be installed should undergo Security Factory Acceptance Testing. This process provides an in-depth assessment of the device hardware and configurations to validate that security requirements have been met prior to deployment.

Wireless technology is a complex subject requiring extensive knowledge to fully understanding the technical challenges involved with system selection, deployment, and security. With the increased adoption of new wireless protocols such as LoRaWAN, Zigbee, ISA100, and WirelessHART, in-depth investigation is needed to understand the advantages and disadvantages of available solutions. The NIST Guide to Industrial Wireless Systems Deployments provides best practice guidelines that organisations can use when working with their technology suppliers to make confident decisions in selecting and deploying the right wireless technologies.

Applied Risk provides organisations with expert industrial wireless security consulting and assessments, including network architecture consulting, physical security assessments, and industrial wireless penetration testing to ensure secure operation of industrial wireless systems. Click here to learn more.