Exida CVA Service
ISA/IEC-62443/ISA-99 Based
Identifying and mitigating these threats requires organizations to develop a better understanding of their
overall process control system security, their vulnerabilities and risks, and how they are positioned to address
them.
http://www.exida.com/ICS-Cybersecurity/
The Process
The process can be broken down into three phases:
In Phase 1, the pre-assessment phase, existing information is collected from those responsible for
the system. Items such as network diagrams, lists of cyber assets, and existing policies and procedures
are reviewed to give the assessment team a basic understanding of the system
before they arrive on site.
Phase 2 is performed onsite and is primarily focused on data gathering. Among other data-gathering
steps, the assessment team will assess physical and administrative security and verify the network
architecture and traffic flows. They will examine networked devices to collect basic information
such as make and model, and analyze the configuration of each device and its susceptibility to threats
(access control measures, open ports, applications and services, status of patches, anti-virus tools, etc.).
They will evaluate and assess remote and third-party connections to the Process Control
Network (PCN). The assessment team will also interview key staff to better understand the procedures
that are actually being followed and the staff's cybersecurity awareness. Before leaving your site, the assessment
team will meet with management to provide a briefing on key and initial recommendations.
In Phase 3, the assessment team fully analyzes the data and formally documents the results
in an assessment report. Vulnerabilities identified in devices or applications,
architecture deficiencies, physical security lapses, and gaps between current practices and
standards/best practices are documented, and recommendations are identified and prioritized.
Benefits
• Provides management with a solid understanding of the current situation, both successes and gaps
• Helps identify and prioritize security resources and investments
• Provides a foundation and direction towards developing a broader security program
• Short duration (most systems can be assessed in less than a week), minimally invasive to personnel, and non-invasive to
the PCN itself