Industrial Control Systems | ICS Security

Do you have any questions or comments? Contact us!

+49 201 8999-411 Mail Contact form

Our vulnerability analysis in the OT/ICS environment

The increasing digitalization and networking of industrial plants also increases the IT security risks against which machines and systems within industrial environments must be protected.

With the help of Industrial Security Assessments, you get ahead of cybercriminals by proactively identifying and closing potential security vulnerabilities.

Identification of security vulnerabilities in your ICS infrastructure

Explicit recommendations for remedial action

Checking for the Top 10 Threats to Industrial Control Systems

OT-Security: Sicherheitsrisiken in industriellen Umgebungen reduzieren

Our service modules in the OT/ICS security environment

We offer various modules as part of the assessment, whereby each test includes attack techniques that a real hacker would use.

TÜViT services in the OT/ICS security environment

In addition to the modules listed, we will of course address your specific needs and will be happy to provide you with a customized offer.

Your benefits at a glance

Determination of your security maturity level on the basis of recognized standards & best practices
Objective analysis & evaluation of the established technical & organizational security measures in the production area
Explicit recommendations for action to remedy discovered or potential vulnerabilities
Protection against industrial espionage & potential cyber attacks

Prevention of financial & reputational damage due to (avoidable) security incidents
Continuous improvement of the IT security of your solutions and Industrial Control Systems (ICS) implemented in the industrial sector
Benefit from TÜV NORD's & TÜViT's combined industry & IT experience in Industrial Security & Production Security

A security assessment has various main objectives. These include, but are not limited to:

The identification of vulnerabilities and their risk exposure
The assessment of which platforms and systems are used and how the networking and interaction of the systems for manufacturing and process automation work together - as well as with conventional (Office) IT infrastructure - from a security perspective
Assessment of the security measures in place in terms of security and safety
Assessment of the technical security level of remote maintenance access, established standard IT components and availability requirements of communication networks and their monitoring
Assessment of potential threats based on human errors and intentional attacks at device, network and application level. As part of this, our security experts look at, among other things, the degree of networking and the protection of production networks, as well as the misconfiguration and inadequate backup of components.
Passive and active attacks on established ICS components such as SCADA systems, PLC, HMI, BFS and MES at system and network level
The derivation and evaluation of organizational vulnerabilities, such as insufficient levels of documentation and regulations for IT security in the form of guidelines and processes

We will provide you with a detailed report that identifies specific comprehensible risks and vulnerabilities and proposes appropriate measures for their elimination.

All results of an analysis are made available to the client in the form of a detailed final report.

The final report is always created individually and in an easily understandable form by our experts (no automatic generation) and contains at least the following information:

Introduction: A brief description of the test object and the aim of the pentest.
Management/Executive summary: A summary of the results.
Risk assessment: Assignment of a degree of risk to each vulnerability (Informative, Low, Medium, High or Critical Risk), with which the criticality of the respective vulnerability is described.
Clear representation: Clear representation of all identified vulnerabilities in a table.
Detailed description of vulnerabilities & Proof-of-Concept: For each vulnerability there is an individual description that reflects precisely how the vulnerability was found and how it can be exploited by an attacker (proof-of-concept).
Evaluation of automated tests: The results of the automated tests are evaluated by the TÜViT experts, checked for false/positive results and then summarized in the report.
Recommend measures to remedy the vulnerability: For each vulnerability, there is a recommended measure to eliminate the vulnerability.
References: If available, we provide references to vulnerability databases (e.g., CVE).
Technical Appendices: If available, further information and files on the tests performed are provided as an Appendix, e.g. the raw results of the port and vulnerability scans.

OT Security: Procedure of the Industrial Security Assessment

The following steps are performed as part of an assessment:

Clarification of specific technical & organizational aspects, as well as the preconditions

OT-Security: Ablauf Industrial Security Assessment – Durchführung Assessment

Examination of the security measures implemented with respect to their effectiveness & completeness.

Compilation of the results in a final report. With a final presentation as an option.

OT-Security: Ablauf Industrial Security Assessment – Re-Test (optional)

Check of whether the implemented improvement & defensive measures are working (effectively).

Frequently asked questions (FAQ):

What vulnerabilities do hackers specifically target at industrial companies?

The top 10 threats to industrial control systems in 2019 included:

Infiltration of Malware via Removable Media and External Hardware
Malware Infection via Internet and Intranet
Human Error and Sabotage
Compromising of Extranet and Cloud Components
Social Engineering and Phishing
(D)Dos Attacks
Control Components Connected to the Internet
Intrusion via Remote Access
Technical Malfunctions and Force Majeure
Compromising of Smartphones in the Production Environment

(Source: German Federal Office for Information Security)

What methodology does TÜViT use?

In addition to the automated analysis and attack techniques, manually conducted investigations and verification are always performed. To achieve this, our IT security experts always use the latest attack techniques/tools from the hacker or security scene as well as tools and scripts they have developed themselves. In addition to technical (penetration) tests, interviews as well as inspections of the site, offices, IT rooms, etc. are also used.

What is the BSI ICS Security Compendium?

The Industrial Control Systems (ICS) Security Compendium, which TÜViT designed and wrote on behalf of the German Federal Office for Information Security (BSI), is a fundamental work for IT security in ICS. It covers the necessary basics of IT security, ICS operations, and relevant norms and standards, and highlights best practices related to ICS IT security and essential security measures.

The compendium is primarily aimed at operators of industrial control systems who can reduce risks in ICS by implementing appropriate IT security measures.

Expertise

With us you have one of the leading experts in the field of cyber security at your side, certified by the BSI as an IT security service provider for IS revision and penetration tests.

Industry experience

Due to many years of experience in different branches of industry we can serve companies from a wide range of industries.

Tailor-made for you

We focus on individual services - and solutions - that optimally fit your current company situation and your set goals.

International network of experts

Around the globe: We support you both nationally and internationally. Our global network of experts is ready to help you in word and deed in all IT security issues.

Independence

Our employees are not subject to any conflicts of interest, as they are not committed to any product suppliers, system integrators, stakeholders, interest groups or government agencies.

You have questions? We are pleased to help!

Contact Send mail

Gerald KrebsGlobal Account Manager

Tel.: +49 201 8999-411
Fax: +49 201 8999-666
g.krebs@tuvit.de

Contact Send mail

Alexander PadbergGlobal Account Manager Cyber Security

Tel.: +49 201 8999-614
Fax: +49 201 8999-666
a.padberg@tuvit.de

Information Security Management

TÜViT carries out audits of information security management systems (ISMS) according to international ISO standards as wells as on the basis of the German Federal Office for Information Security's (BSI) Basic IT Protection Standard, the so-called “IT-Grundschutz”. Furthermore, we provide you with advice and support for the development and implementation of your ISMS on the basis of a TÜViT-developed process model.

Data Centers / Colocation / Cloud Infrastructures Data Center Security

The impact of digitalization is unstoppable: Business-critical processes are operated digitally and conferences are held online. Industry 4.0 is also on the verge of a massive digital transformation. It quickly becomes clear: Data centers are more important than ever for companies and private individuals. They form the backbone of digitalization and are the exchange points of critical IT infrastructures.

Public Key Infrastructures for Industry and Energy Sector

A Public Key Infrastructure (PKI) is a secure solution for the generation and administration of the required certificates. TÜViT supports industrial and energy companies in the conceptual development and expansion of standard-compliant PKIs: from the planning and project implementation, through to testing and certification.

OT-Security: Reducing safety risks in industrial environments

Our vulnerability analysis in the OT/ICS environment

Our service modules in the OT/ICS security environment

Your benefits at a glance

OT Security: Procedure of the Industrial Security Assessment

Frequently asked questions (FAQ):

Why we are a strong partner for you

Further services