Control System Security

Cyber Security incidents affecting business operations are a daily occurrence. A recent survey estimated that 81% of large corporations and 61% of small businesses have suffered a cyber breach. The Russian Ministry of Communications reported that 40% of stolen funds are invested into the improvement of malware technology. Furthermore, criminals are also investing the stolen funds into improving phishing techniques and fraudulent on-line schemes. With this in mind it is best to be prepared and have an effective incident management plan in case an incident does occur.

Our Control System Security Services

Security Assessments

Design of assessment process

Design review of system

A Cyber Security Audit of your Industrial Control Systems (ICS), conducted by one of our Cyber Security Consultants, will provide a clear picture of where any weaknesses may be within your ICS Cyber Security measures, together with recommendations and advice on how to rectify them. The audit may be conducted to comply with legislation such as from the HSE, NIS Directive or industry specific legislation, or as a best practice initiative.

Our approach to conducting a Cyber Security Audit is to initially identify the threats to the system(s), both of a physical and logical nature. We then conduct a vulnerability assessment using controls from industry recognised standards such as ISO27001:2013, ISA/IEC 62443 and HMG IA Standard Numbers 1 and 2 to assess the ICS Cyber Security in place. From this, the Cyber Security Consultant can produce a report defining the vulnerabilities, the impact if each vulnerability were exploited and the priority for remediation.

Our Cyber Security Consultants have conducted over 100 reviews of Industrial Control Systems across the UK, both at design phase and during operation, and hold many industry recognised qualifications. Having worked in highly regulated industries they are aware of the complexities of ensuring security of control systems whilst not preventing operations and can provide practical advice and guidance.

To get a free quote for implementing a Security Assessment please provide the following information:

  • Overview of business operations conducted
  • Area of focus for the Business Continuity Plan, e.g. whole business, one operations office
  • Details of offices/premises
  • Number of personnel

With changes in legislation and more inter-connectivity of control systems, assessing the risk of an ICS cyber security attack occurring and the impact of the attack is becoming increasingly important. Designing an effective Industrial Control System (ICS) cyber security risk assessment process will mean that a completed vulnerability assessment will define the level of risk present in relation to your company's risk appetite.

Our cyber security consultant will work with you to determine a risk appetite for your company. Following on from this we will use best practice standards such as IEC62443 and ISO27001 to build a risk assessment tool that will ensure you assess all areas of ICS cyber security as part of a vulnerability assessment and are able to rank the risks identified in order of the impact to your company in alignment with the risk appetite.

Our cyber security consultants have carried out over a hundred cyber security assessments of ICS cyber security and have enabled companies across multiple sectors to establish a Cyber Security assessment methodology. With recognised industry experience and years of practical experience in Cyber Security assessments, we would be able to help you establish an ICS cyber security assessment process.

To get a free quote for implementing a Design of Assessment Process please provide the following information:

  • Overview of business operations conducted
  • Area of focus for the Business Continuity Plan, e.g. whole business, one operations office
  • Details of offices/premises
  • Number of personnel

Performing a vulnerability assessment of a new control system implementation at the design phase can save time and money. If a vulnerability assessment is performed by one of our cyber security consultants at the design phase, the ICS cyber security vulnerabilities can be identified and resolved prior to system implementation, making changes to the system easier and more cost effective.

To undertake a vulnerability assessment of a system during the design phase, our cyber security consultants would want to understand the function of the control system along with the other systems it interacts with. We will then establish the threats that are present that may have an adverse effect on the system. Following on from this, we will identify an appropriate ICS cyber security control set using industry standards such as IEC62443 and ISO27001. Using the control set, we will perform a cyber security audit to identify where controls are not effective. The outcome of this work will be a report identifying the issues and providing recommendations as to how to deal with them.

Our cyber security consultants have performed vulnerability assessments of control systems at the design phase within the Nuclear and Electricity Generation industry since 2010 and, having performed over 100 assessments, have good knowledge and experience in solving issues identified. Our Cyber Security Consultants hold many industry recognised certifications. With quality delivery being one of our core values, we have adapted and work to ISO9001.

To get a free quote for Design Review of System please provide the following information:

  • Overview of business operations conducted
  • Area of focus for the Business Continuity Plan, e.g. whole business, one operations office
  • Details of offices/premises
  • Number of personnel

Secure operation procedures

Technical guidance notes

Technology studies

A Secure Operating Procedure is a specific set of instructions on how to interact with a system or on appropriate ways to work in a certain area. Implementing these kinds of procedures can help a company that wants a standard level of security across the organisation but needs an enhanced level of security for particular systems or areas.

Our Cyber Security Consultants will work with you to understand the standard security practices in place and the function of the area or system requiring the enhanced security. We will then suggest appropriate security controls to implement to achieve the required level of security. Once this is agreed we will then document the Security Operating Procedures for you.

Within our ICS Cyber Security work, we have been assessing and drafting Secure Operating Procedures for many years. We have undertaken many cyber security audits and understand the types of controls that can be implemented, and the practical constraints that require bespoke measures to be implemented to provide the required level of confidence in the security arrangements.

To get a free quote for implementing Secure Operation Procedures please provide the following information:

  • Overview of business operations conducted
  • Area of focus for the Business Continuity Plan, e.g. whole business, one operations office
  • Details of offices/premises
  • Number of personnel

Technical guidance notes provide information on best practice approaches to implementing procedures within a company. For example, if you have multiple operating departments or separate operating offices that all require a certain procedure to be practised, such as cyber security incident management, you may implement a technical guidance note defining the best practice for the process.

Our approach to writing a technical guidance note would be for our cyber security consultant to understand the current procedure that you have in place within your company along with the best practice procedures that exist. From this we will then be able to draft a procedure that fits with your company and aligns with best practice.

Our cyber security consultants come from a background of working in large corporate environments and hold multiple industry qualifications. Over the years we have drafted many technical guidance notes on behalf of clients for various procedures that required implementing within a company.

To get a free quote for implementing a Business Continuity Plan please provide the following information:

  • Overview of business operations conducted
  • Area of focus for the Business Continuity Plan, e.g. whole business, one operations office
  • Details of offices/premises
  • Number of personnel

If you are considering different technology options for your ICS cyber security implementation our cyber security consultants can help by undertaking a study to identify all the options available, and by reviewing the possible implementation, provide recommendations as to the most appropriate technology to use. These technology studies can help during new system implementation or as part of strategic technology direction decisions.

Our cyber security consultants' approach to conducting a technology study is to understand the technology function or specific technologies you are looking at and produce a report detailing how the technology can be used along with the costs associated with the technology. Most importantly, we will be able to recommend the most appropriate technology for the implementation you are considering.

Having produced technological studies in the past for use within critical national infrastructure and having a thorough understanding of ICS cyber security, our cyber security consultants are well placed to conduct technology studies on your behalf. Please find here a previous study undertaken comparing firewalls and data diodes.

To get a free quote for implementing a Business Continuity Plan please provide the following information:

  • Overview of business operations conducted
  • Area of focus for the Business Continuity Plan, e.g. whole business, one operations office
  • Details of offices/premises
  • Number of personnel

Architecture reviews

To ensure that there are no potential attack paths within a system architecture we can provide a vulnerability assessment of the system and network architecture to look for vulnerabilities. This can be done as part of an ICS cyber security best practice initiative or as part of a specific cyber security audit.

To perform an architecture review of a system or network, we will initially need to have a meeting to understand the system or network and the functionality provided. As part of this we will request documentation or, if the system is implemented, ask to see the system or key networking components. We will then assess the information provided, looking for attack paths and understanding the security barriers present to prevent attack. We will finalise our findings in a report which shows the risks associated along with the priority of the risks.

Our cyber security consultants come from a background of working in large corporate environments and hold multiple industry qualifications. They have come from a background in security audit and are well versed in performing architecture assessments. Our cyber security consultants have performed architecture assessments for the utilities, telecommunications, finance and insurance industries.

To get a free quote for implementing an Architecture Review please provide the following information:

  • Overview of business operations conducted
  • Area of focus for the Business Continuity Plan, e.g. whole business, one operations office
  • Details of offices/premises
  • Number of personnel