Protect your people, assets and information with comprehensive Operational Technology security testing including ICS and SCADA
What is Operational Technology?
Operational technology is software and hardware that monitors, detects and controls devices, processes, assets and infrastructure. Operational technology systems are located across multiple sectors within an organization from controlling automated robots and systems to monitoring critical infrastructure processes. A variety of industries benefit from operational technology including industrial equipment, logistics and manufacturing organizations, transportation and more.
Components of Operational Technology
Industrial Control Systems (ICS)
The integration of several types of hardware and software systems with network connectivity used to support industrial infrastructure and process control
Supervisory Control and Data Acquisition
SCADA is a system of hardware and software components that allow organizations to: control industrial processes while monitoring, gathering and processing data in real time
Why Operational Technology is Important
Industrial operations, from oil refineries and mines, to logistics and manufacturing organizations, are embracing the advantages that connectivity can bring. Integrating business and physical processes can significantly increase production efficiency, whilst improving the safety and effectiveness of predictive maintenance and monitoring.
But as manufacturers, powers stations and public transportation become more dependent on technology, with connected computers giving access to robotic productions lines and safety-critical sensors, the need to protect and secure this infrastructure has never been greater.
Operational systems often integrate formerly unconnected “air-gapped” ICS systems. These can be highly vulnerable as they were never designed to be internet connected, and their security configurations reflect computing power that existed when they designed, sometimes many decades ago. Software libraries may be many years beyond their support life, or indeed the software developer who created it may no longer be in business.
This creates a relatively accessible, and financial lucrative target for hackers, whether simply focused on criminal extortion, or ‘hacktivists’ looking to cripple an organization that does not fit their moral worldview. Ransomware attacks can cripple production, and the effects of a hack on safety critical systems in a process plant such as an oil refinery could be horrendous.
Operational testing is also typically required for organizations defined as Critical National Infrastructure under regulations such as the EU NIS Directive.
Operational Systems – robust, yet sensitive, testing for the entire ecosystem
Testing operational systems is vital, but has unique challenges. Connected operational systems often include legacy systems, frequently dating back into the 20th Century. These require specialist skills and experience. Newer system components (for example asset integrity monitoring IoT sensors) may be communicating to variety of vendor Clouds, whilst warehouse monitoring systems are often integrated into a number of suppliers’ own IT platforms. To truly give a robust level of security, it is important to test, in risk appropriate manager, all components and integrations.
Overlaying all of these challenges is the nature of test subject itself: poorly constructed or executed test plan could itself production disruption.
Intertek’s Operational Technology Advantage
- Threat Risk Assessment and Threat Intelligence: Key to designing an effective test plan is understanding the likely threats, and impact. Intertek brings OT clients the benefits of its long experience in Threat Risk Assessment, a specialist team constantly tracing threat actors globally, and also through its Industry Services division, practical understanding of the operations of industrial sites.
- Deep infrastructure pen test experience: Intertek has over 150 cybersecurity experts based in 6 offices across North America, Europe and Asia. Staff are qualified in CREST, including CCT, CRT and CPSA, and PCI ASV, as well other standards including OSCP, COMPTIA Security +, CISSP, GPEN and GWAPT.
- Extensive Web Application experience: Intertek tests 100s of web applications each year, from all client sectors, types (from websites and client portals, to internal control / monitoring apps, to supply chain integrations) and across very wide range of software. This experience means Intertek can provide a robust level of testing, in a cost and time efficient manner.
- Connected product/component understanding: Intertek has been a leading participant in certification groups for connected products since 1990’s, in particular Common Criteria and FIPS 140-2/3. Intertek is also deeply involved the key Industrial IoT standards IEC 62443 and UL 2900. Understanding the strengths, and limitations of components and systems certified to these standards means Intertek can focus on OT testing on areas of highest risk.
Bringing all this experience together, Intertek is uniquely well positioned to create a comprehensive, effective and cost efficient test program to give you assurance over the cybersecurity of your industrial assets.
Knowledge Center
- Cybersecurity Awareness Training Fact Sheet
- Common Criteria Certification Process Fact Sheet
- FIPS 140-3 Process and Service Offerings Fact Sheet
- 5G Technology Assurance Solution Fact Sheet
- Cyber Security Risk in a Mass Remote Working Environment Webinar
- Intertek Cyber Assured Fact Sheet
- Consumer Product Focused Cyber Security Test and Certification Program
- PCI PIN Transaction Security (PTS) Cyber Security Fact Sheet
- Cyber Security Assurance Overview
- ANSI/UL 2900 Cyber Security Assessments Fact Sheet
- Software Assurance Overview
- Network Certification Guides
- Guide to PTCRB Certification
- Guide to Verizon ODI Process