ICS Cyber Security Vulnerability Assessment

Insight of Vulnerability Assessment

A vulnerability assessment is the process of identifying, quantifying, and prioritizing the vulnerabilities in a system. Vulnerability assessment is performed in at least two main systems, but are not limited to, information technology system and industrial control system. Vulnerability assessment is performed in wide range of different organizations, from small businesses up to big organizations

Vulnerabilities Identification

The first step of the three main steps of vulnerability assessment, identify the vulnerabilities, as the critical step to explore all system weaknesses possibilities that reside in the assessed system. The range of results will be exposed and furthermore, it needs to be quantified and ranked in order to propose the proper follow-up action (such as patch installation, system re-engineering, configuration changes, etc.)

The Quantification

The second step of the assessment, the quantification, which is based on some agreed baseline such as CVSS (Common Vulnerability Scoring System). It is developed by a group of corporations, such as CERT/CC, Cisco, DHS/MITRE, eBay, IBM, and Microsoft, to create a standardized, open vulnerability scoring framework. The quantification is important in order to map the identified list of vulnerabilities into some classification baseline to be able to frame it in proper shape prior to prioritizing the ranking, to make efficient and effective countermeasure action items

Prioritization (Rank the Vulnerabilities)

The last step of vulnerability assessment, the prioritization. It is the proper ranking scheme of the whole identified and quantified vulnerabilities, in order to put those vulnerabilities into some format that can reflect the degree of criticality and urgency. The vulnerabilities ranking will determine the next countermeasure to fix the holes into the secure state, or it may require further activity, the penetration testing, to validate some vulnerabilities (critical or high) and confirm the recommended gap closure

Small to Giant - Coverage for All

Vulnerability Assessment is required to be performed in various size of organization shape, from small businesses to giant corporations, covering all types of industry, especially the critical infrastructure industry such as oil and gas, petrochemical, nuclear, power generation and distribution, manufacturing,  and public infrastructure to ensure the IT and OT (ICS) are securely organized in all phases of the business life cycle (design -> commissioning -> operations -> dismantle/recycle)

Vulnerability Assessment in ICS Environment

VA and Its Execution

Vulnerability Assessment (VA), is one of the methods to explore the possibilities of certain vulnerabilities against the audited systems, commonly using automated tools such as Nessus, OpenVAS, Nexpose, etc.

We offer VA to assess the system vulnerabilities both in Industrial Control System (ICS) environment. Specific precautions for performing VA in ICS environment will be based on a case per case and initial assessment. The determination and approach recommendation of performing VA will consider some aspects such as system architecture, complexity, criticality, safety exposure, emergency preparedness, system capability, and some other consideration. Those considerations will drive how we execute VA in the ICS environment.

Partial assessment with some contingency planning may be required if VA planned to be performed under running ICS environment. Otherwise, the mimic system that reflects the actual ICS environment can be utilized as one of the preferred alternatives to incorporate the safety concern, technical consideration, and operational limitation.

Safety - Technical - Assurance

Performing vulnerability assessment in ICS environment should ensure safety assurance, complying with the technical framework as the baseline, to ensure “Nobody Gets Hurt” and no other risk exposure triggered during the execution.

Safety is the ultimate perimeter, therefore we need to ensure in preliminary activities the strategy to perform the VA against ICS environment (in life system mode). Later, if we found the safety issue will be triggered during VA (based on the preliminary assessment)  then it is our right to decide that VA against the online system is not acceptable – the other option will be proposed as the alternative of online VA against ICS environment.

Safety first, as the ultimate goal of all activities that we offer to the client

Explore the Vulnerabilities - Get Secure Now!

Contact us for any further inquiry regarding the Vulnerability Assessment (VA) in ICS environment