excellence in Dependable Automation

ISA/IEC-62443/ISA-99 Based

ICS Cybersecurity Services

Control System Cybersecurity Vulnerability Assessment

The move by most, if not all, DCS vendors towards “open systems” and the resulting incorporation of off-the-
shelf technologies represented a significant shift in control system design. System integration became easier,
product development by manufacturers was accelerated, and training was simplified as it leveraged common
tools and concepts. While the benefits have been tremendous, at the same time, open technology has now
allowed control systems to be exposed by frequent and significant security vulnerabilities, putting production,
assets, and human safety at risk. Gone are the days of proprietary operating systems and communication
busses, isolated systems, and inherently secure processing environments.

Identifying and mitigating these threats requires organizations to develop a better understanding of their
overall process control system security, their vulnerabilities and risks, and how they are positioned to address
them.

A Control System Cybersecurity Vulnerability Assessment (CVA)

• Evaluates the current control system by examining such areas as; Documentation and architecture, 3rd party and
remote connections, ICS policies and procedures, evaluates Process Control Network (PCN) traffic, system and device
configurations, device susceptibility to threats, physical security, administrative security, and more
• Compares results to industry standards and best practices such as ANSI/ISA 99.02.01-2009, DHS CFATS RBPS-8, NERC CIP,
IEC/ISA-62443, etc.
• Provides the organization with a detailed confidential report of what they have done right, where they can improve, and
recommendations on how to achieve standards based “best practice” solutions .
• Provides documentation required by regulators, insurance companies and any other stakeholders

http://www.exida.com/ICS-Cybersecurity/ (Continued)
The Process
The process can be broken down into three phases:

PHASE 1 PHASE 2 PHASE 3

ON-SITE DATA ANALYSIS &

PRE-ASSESSMENT
COLLECTION REPORTING

In Phase 1, or the pre-assessment phase, existing information is collected from those responsible for
the system. Items such as network diagrams, lists of cyber assets, existing policies and procedures
etc. are reviewed in order to provide the assessment team with a basic understanding of the system
before they arrive on site.

Phase 2 is performed onsite and is primarily focused on data-gathering. Among other data gathering
steps, the assessment team will assess physical and administrative security, verify the network
architecture and traffic flows. They will examine networked devices to collect basic information
such as make, model and analyze the configuration and susceptibility to threats (access control
measures, open ports, applications and services, status of patches, anti-virus tools, etc.) of each
device. They will evaluate and assess remote and 3rd party connections to the Process Control
Network. The assessment team will also interview key staff to better understand actual procedures
that are being followed and their cybersecurity awareness. Before leaving your site the assessment
team will meet with management to provide a briefing on key and initial recommendations.

Phase 3 is for the assessment team to fully analyze the data and formally document the results
in an assessment report. Vulnerabilities identified in devices or applications will be documented,
architecture deficiencies, physical security lapses, identified gaps between current practices and
standards/best practices are documented and recommendations are identified and prioritized.

Benefits
• Provides management with solid understanding of current situation both successes and gaps
• Helps identify and prioritize security resources and investments
• Provides a foundation and direction towards developing a broader security program
• Short Duration – most systems can be assessed in less than a week - and minimally invasive to personnel, and non invasive to
the PCN itself

http://www.exida.com/ICS-Cybersecurity/