At SolutionsPT our Cyber Security Gap Assessment (CSGA) is an essential step to ensuring your company implements an effective CSMS. It identifies areas that result in increased risk exposure or non-compliance with regulatory and legislative requirements, so that these problem areas can be quickly addressed. We understand that no two businesses are the same, so we offer a highly customisable service. Our CSGA can be tailored to your exact needs by considering the legislative requirements and any other standards your business is required to comply with.
Once run, the results from the Cyber Security Gap Assessment (CSGA) and Risk Assessment Service will allow you to identify and record where your organisation's current critical business systems are, where their vulnerabilities lie, the level of cyber risk you face, and whether your staff's behaviours are contributing to the overall threat level.
• Define a means of measuring organisational Cyber Maturity which can be monitored year on year to measure Return on Investment (ROI)
• Improve the organisation's understanding of business-critical systems and associated vulnerabilities, both in the control systems and in the associated policies and procedures
• Provide a prioritised action plan allowing you to concentrate on what’s important
Once the organisational maturity has been defined, our consultants will work with you to develop a strategic approach aimed at improving your cyber resilience, driven by your current business needs. Once the Cyber Maturity and Risk Levels have been defined, our consultants will help you to define:
• Acceptable cyber resilience methodologies
• Define resilient and secure system architecture designs
• Identify security solutions that best help protect and monitor the organisation's critical systems
• Artificial Intelligence, machine learning and human experience
• Significantly improve your organisation's cyber investment decisions
• Strengthen customer trust through measurable maturity scoring
• Using the ROI metric can help achieve and maintain the desired cyber resilience level
Defining a cyber security scope and asset inventories helps define business-critical systems and quantify how individual scenarios are handled; often these are expected to be retrofitted onto existing control system networks. Knowing whether the existing system is free from malware or ransomware can be a daunting task; our experienced Cyber Security consultants can help with:
• Analysis of data provided from existing security deployments
• Implementing and monitoring threat detection solutions
• Network traffic analysis to detect existing malware patterns
• Endpoint anomaly detection
• Known good starting point with asset inventory and baseline
• Network malware and ransomware detection
• Network architecture walkthrough and validation
• Comprehensive list of missing patches and weak configurations
Being able to respond effectively to threats relies not only on the policies and procedures defined as part of the corporate OT policy, but also on being able to understand the information flowing in from a range of detection and protection appliances and endpoints.
• Logical and critical process protection/isolation
• Endpoint Detection and Response (EDR) along with device isolation
• SOC/SIEM message standardisation
• Business critical systems and processes can be isolated whilst threats are neutralised
• Interfacing with the wider enterprise security architecture
• Review of policies and procedures to ensure they reflect best practice and are appropriate
Testing the procedures and mitigations that are in place is key to validating the integrity of the running systems. Regular testing drives the review of the current cyber maturity stance, allowing an organisation to fix or fine-tune individual elements of the procedures should change be necessary. The same is also true of an organisation's backup schema; our Cyber Consultants can help you identify backup issues before they become recovery problems.
• Secure backup architecture design and scheduled automatic testing to ensure data can be recovered
• Scalable backup data replication that fits organisational needs
• Fast and efficient recovery
• Ensure backups are validated and restorable
• Ensure backup integrity and that backups are free from ransomware
• Critical assets and applications can be recovered in minutes in a Disaster Recovery scenario
One of the best ways to enhance knowledge and skills is through training. Getting employees exposed to relevant and consistent training can help companies improve performance and increase results in the workplace.
As industrial networks move from proprietary networks to IP-based networks, those responsible for developing and maintaining these networks are faced with the considerable challenge of managing the underlying complexity and scope of technologies that were developed for the IT world.
The training focuses on common OT security frameworks and unpacks how you apply security practically. By addressing foundational requirements, it is possible to deliver a robust deployment that will not only stand the test of time but deliver security that is embedded into the design.
You will understand security requirements and how to translate these into scalable reference designs. With a focus on technical applications of security, you will learn what it takes to implement a defence in depth approach.
It's time to think about security differently.
A full suite of training courses for everything you'll ever need to design, deliver and support the world of Aveva.
• Increased productivity and performance
• Prepares employees for higher responsibilities
• Reduce business risks by empowering employees to have the skills and knowledge they need to make informed decisions
The Network and Information Systems (NIS) directive is EU-wide legislation to raise the overall resilience of the EU to cyber security threats against critical infrastructure. The deadline for adoption was May 2018, so the NIS directive is now a legal requirement. The NIS directive applies to all network and information systems that are deemed to be Operators of Essential Services (OES), for example Utilities or Transportation.
Non-compliance with the NIS directive leads not only to unacceptable business and safety risks but could also lead to financial penalties, with a maximum fine of £17M. The applicability of the NIS directive is not limited to OES; this is a comprehensive framework that can scale to other non-regulated sectors.
IEC 62443 is a series of requirements and best practices related to the cyber security of Industrial Automation and Control Systems (IACS). IEC 62443 provides a comprehensive framework for all aspects of an Operational Technology network relating to an IACS. Multiple countries, such as the UK with OG86, have implemented legislation based upon IEC 62443. A gap assessment against IEC 62443 is therefore an excellent choice for companies who wish to assess their assets against an internationally recognised standard for cyber security.
The UK’s National Cyber Security Centre (NCSC) developed the Cyber Assessment Framework (CAF) as a tool for Competent Authorities (CA) to assess Operators of Essential Services against the requirements of the NIS directive. If you are an OES then compliance with the CAF is mandatory and non-compliance can result in a fine. A gap assessment against the CAF framework can also be beneficial for those who wish to adhere to the same strict standard to mitigate business and safety risks posed by a cyber incident.
If your site is exposed to major hazard risk, for example Control of Major Accident Hazards Regulations (COMAH) sites, you are required to demonstrate that you are effectively managing your cyber security risk. The HSE have published OG86 based upon industry standards such as ISO27001, IEC 62443 and the UK’s National Cyber Security Centre’s CAF to guide operators on how to implement a CSMS to manage risk.
For those operating a COMAH site, compliance with OG86 is a mandatory requirement and the HSE are routinely inspecting sites for compliance. SolutionsPT has significant experience and expertise in this field and offers a comprehensive gap analysis program to aid your company in becoming compliant with OG86.
The NIST framework sets out a series of standards, guidelines and best practices relating to cyber security. Like IEC 62443, this framework sets out industry best practices for the cyber security of industrial control systems. By having SolutionsPT carry out a gap assessment against this framework, an organisation will have excellent awareness of how its cyber security management compares to industry best practice. Recommendations will be drawn up that allow you to identify areas where you need to make improvements to reduce your cyber security risk to an acceptable level.
PAS 96 was sponsored by the Department for Environment, Food & Rural Affairs (Defra) and the Food Standards Agency (FSA). Its development was facilitated by BSI Standards and it came into effect on 16 November 2017.
The focus of PAS 96 is on protecting the integrity and wholesomeness of food and food supply. Any intending attacker, whether from within a food business or its supply chain or external to both, is likely to attempt to elude or avoid routine management processes. It should help food businesses mitigate each of these threats, but the approach may also be used for other business threats.
Most OT deployments require the skills of third parties and system integrators. Is your OT network as per the original design blueprint, or has it drifted over time, with maintenance controls not being fully removed or simply forgotten about? Perhaps you are new in post and just require an independent appraisal of what you've just inherited.
Understanding where your business and safety risks are allows for a focused approach to resource and effort.
Risk based mitigation that identifies priority of work to ensure that time is used effectively and not unnecessarily.
Avoid significant financial penalties. Don't just be compliant, also be secure.
When was the last time you reviewed your security suite? Times move on and, like insurance, you can probably get a better deal elsewhere with a better level of cover.
All our solutions are tried and tested in OT and work seamlessly with the Aveva products. Do any of your other suppliers offer this promise?