Vulnerability Assessment

Insight into Vulnerability Assessment

A vulnerability assessment is the process of identifying, quantifying, and prioritizing the vulnerabilities in a system. It is performed on at least two main kinds of system, information technology systems and industrial control systems, but is not limited to them. Vulnerability assessments are performed in a wide range of organizations, from small businesses up to big organizations.

Vulnerabilities Identification

Identifying the vulnerabilities is the first of the three main steps of vulnerability assessment, and the critical one: it explores all the possible weaknesses that reside in the assessed system. It exposes a range of results, which then need to be quantified and ranked in order to propose the proper follow-up action (such as patch installation, system re-engineering, configuration changes, etc.).

The Quantification

The second step of the assessment is quantification, which is based on an agreed baseline such as CVSS (Common Vulnerability Scoring System). CVSS was developed by a group of corporations, such as CERT/CC, Cisco, DHS/MITRE, eBay, IBM, and Microsoft, to create a standardized, open vulnerability scoring framework. Quantification is important because it maps the identified list of vulnerabilities onto a classification baseline, framing them properly before they are ranked, so that the countermeasure action items are efficient and effective.

Prioritization (Rank the Vulnerabilities)

The last step of vulnerability assessment is prioritization: a proper ranking scheme for all the identified and quantified vulnerabilities, putting them into a format that reflects their degree of criticality and urgency. The ranking determines the next countermeasure to fix the holes and bring the system to a secure state, or it may call for a further activity, penetration testing, to validate some vulnerabilities (critical or high) and confirm the recommended gap closure.

Small to Giant - Coverage for All

Vulnerability assessment needs to be performed in organizations of all sizes, from small businesses to giant corporations, covering all types of industry, especially critical industries such as energy, banking, telecommunications and public infrastructure, to ensure the information technology system and/or industrial control system is securely organized in all phases of the business life cycle (design -> commissioning -> operations -> dismantle/recycle).

Vulnerability Assessment in IT and ICS Environment

VA and Its Execution

Vulnerability Assessment (VA) is one of the methods for exploring possible vulnerabilities in an audited system, commonly using automated tools such as Nessus, OpenVAS, Nexpose, etc.

We offer VA to assess system vulnerabilities in both Information Technology (IT) and Industrial Control System (ICS) environments. Specific precautions for performing VA in an ICS environment are decided case by case, based on an initial assessment of system architecture, complexity, criticality, safety exposure, emergency preparedness, system capability and other considerations, before the VA is executed in the live ICS environment.

Partial assessment with some contingency planning may be required if the VA is planned to be performed in a live ICS environment; otherwise a mimic system that reflects the actual ICS environment can be used as one of the preferred alternatives (safety concerns, technical considerations, operational limitations).

Safety - Technical - Assurance

Performing vulnerability assessment in an Industrial Control System (ICS) environment should ensure safety assurance and comply with a technical framework as the baseline, so that cyber security assurance is pursued as a life cycle concept.

Safety is the ultimate perimeter. In the preliminary activities we therefore need to settle the strategy for performing the VA against the ICS environment (in live system mode). If our preliminary assessment finds a safety issue that would be triggered during the VA, it is our right to decide that a VA against the online system is not acceptable, and another option will be proposed as the alternative to an online VA against the ICS environment.

Safety first is the ultimate goal of all the activities that we offer to the client.

Explore the Vulnerabilities - Get Secure Now!

Contact us at fedco[at]fedco.co.id for any further inquiry regarding the Vulnerability Assessment (VA) in IT and ICS environment – Be Our Next Client