
Content Author


Jalal Bouhdada

Founder & CEO

Having led Applied Risk since he founded the company in 2012, Jalal is responsible for Applied Risk’s industrial security services and product development. Jalal has led many complex ICS cyber security projects for major global clients, including some of the world’s largest industrial companies and utilities. As a global thought-leader on industrial control systems security and critical infrastructure protection, Jalal is an active member of several professional security societies and has co-authored ICS security best practice guidelines for ENISA and the ISA 99. He also frequently lectures to private and public audiences around the world.


Applied Risk, CREST, and the Implications for OT Environments

Anyone with a computer and an Internet connection can nowadays set themselves up as a penetration testing or cyber incident response service provider. This could include organisations that do not have strong policies, processes and procedures in place to ensure quality of service and protection of client-based information. The individuals employed by these organisations may have no demonstrable skill, knowledge or competence, but hold an impressive CV.

Nevertheless, penetration testing is an important activity, from the perspective of your organization’s security as well as compliance with existing laws and regulations. To ensure that a penetration test simulates a real-life attack in IT/OT, many organizations prefer to use the services of an independent third-party service provider. Choosing a penetration testing service provider with a proven record in operational technology (OT) is indeed a difficult task once price, quality and scalability are taken into consideration.

After months of preparation and hard work, I am pleased to announce that Applied Risk has received CREST accreditation and membership in EMEA (Europe, the Middle East and Africa). This recognition not only ensures assurance of quality across all testing activities, but sets the standard to the highest level.

What is a CREST accreditation?

CREST is a not-for-profit organisation that represents the technical information security industry, particularly penetration testing, cyber security incident response and security architecture services. CREST offers public and private sector organisations a level of assurance that the technical security advisors they appoint are competent, qualified and professional with current knowledge. It also ensures that the companies they engage with have the appropriate processes and controls in place to protect sensitive client-based information. CREST provides internationally recognised accreditations for organisations and professional level certifications for individuals providing penetration testing, cyber incident response, threat intelligence and Security Operations Centre (SOC) services.

Applied Risk’s accreditation for its penetration testing services has incredible benefits for customers and significant implications for Applied Risk in the industrial cybersecurity services market at large.

What are the implications for Applied Risk’s customers and prospects?

  • Demonstrable level of assurance of the processes and procedures of the member organization
  • Validated knowledge, skill and competence of information security professionals
  • Promotion of the importance of technical security testing in OT environments for asset owners, vendors and practitioners

As OT environments are more sensitive than traditional IT environments, technical security testing that could potentially be damaging should be planned and undertaken with a high degree of caution. The ‘mission-critical’ nature of the devices in OT environments requires a different approach, but not one that is so impoverished that it provides little value or assurance about the strength of measures to mitigate potential attacks.

If you need assistance securing your OT infrastructure, speak to one of our industrial cyber security professionals or read more about our OT Penetration Testing services.

Or, to develop your own knowledge and skills in the latest OT penetration testing techniques, consider specialised educational courses, such as the Advanced ICS/SCADA Hacking Training presented by our offensive security team.
