Performing vulnerability assessment in ICS environment should ensure safety assurance, complying with the technical framework as the baseline, to ensure “Nobody Gets Hurt” and no other risk exposure triggered during the execution.
Safety is the ultimate perimeter, therefore we need to ensure in preliminary activities the strategy to perform the VA against ICS environment (in life system mode). Later, if we found the safety issue will be triggered during VA (based on the preliminary assessment) then it is our right to decide that VA against the online system is not acceptable – the other option will be proposed as the alternative of online VA against ICS environment.
Safety first, as the ultimate goal of all activities that we offer to the client