Independent Internal Risk Assessments (OT)

Overview

Asset RangeEst. DurationPrice
Less than 1005 days$12,000
101 – 5007 days$16,800
501 – 100011 days$26,400
More than 1000Ask for quote

Internal Risk Assessments for combined IT and OT environments are crucial for ensuring comprehensive security across interconnected systems. This specialized service is designed to address the unique vulnerabilities present in both Information Technology (IT) and Operational Technology (OT) components, essential for protecting the critical infrastructure that supports both daily operations and strategic objectives. Our service scales to accommodate everything from smaller setups to extensive networks, offering tailored solutions for environments with more than 1,000 assets.

Our approach includes a Comprehensive Vulnerability Assessment that combines both active and passive techniques. Passive assessments are particularly geared towards IT and OT assets, including assistance in setting up and capturing packets from SPAN/TAPs at up to four locations within the same geographic area. Active assessments focus on OT assets, conducting controlled polling of Industrial Control System (ICS) components such as PLCs, DCS, IEDs, RTUs, BMS controllers, robots, communication modules, I/O modules, CNCs, smart power supplies, and backplane modules.

A critical component of our service is determining the asset inventory, which is essential for a thorough risk assessment in OT environments. Understanding what assets exist and how they interact within your network allows for more precise vulnerability detection and mitigation. Safely assessing these risks without disrupting operational integrity is paramount, especially in environments where IT and OT converge. This convergence often increases the complexity and potential vulnerabilities due to the interdependencies of these systems in modern ICS environments.

We also perform credentialed vulnerability scanning using Windows Credentials, WMI, SSH, Sudo, and specific controller authentications to uncover vulnerabilities that could be exploited by cyber threats.

Each assessment culminates in a detailed report that converts complex data into actionable insights. This report is crafted to facilitate strategic decision-making by highlighting critical vulnerabilities and recommending the top ten mitigation strategies. By providing this clear, comprehensive, and actionable information, we empower organizations to enhance their security posture, protect critical operations, and comply with industry standards.

This service is indispensable for organizations that rely heavily on both IT and OT environments and are committed to maintaining robust security across all operational domains. Understanding and managing the risks associated with the convergence of IT and OT is vital for securing modern industrial control systems effectively.

Scope of Service

Asset Coverage

The assessment will cover up to the specified number of assets based on the chosen pricing tier:

  • Less than 100 assets
  • 101 – 500 assets
  • 501 – 1000 assets
  • More than 1000 assets (requires a custom quote)

Assessment Duration:

The duration of the assessment is determined based on the asset range:

  • 5 days for less than 100 assets
  • 7 days for 101 to 500 assets
  • 11 days for 501 to 1000 assets

Extensions or additional days are subject to separate negotiation and billing.

Services Included:

  • Comprehensive Vulnerability Assessment: Thorough evaluation of both IT and OT environments to identify security vulnerabilities.
  • Active and Passive Assessment:
  • Passive Assessment: Involves monitoring IT and OT assets without interaction, including setting up and capturing packets from SPAN/TAPs at up to four locations within the same geographic area.
  • Active Assessment: Specifically for OT assets, includes controlled polling of ICS components such as PLCs, DCS, IEDs, RTUs, BMS controllers, robots, communication modules, I/O modules, CNCs, smart power supplies, and backplane modules.
  • Credentialed Vulnerability Scanning: Uses methods like Windows Credentials, WMI, SSH, Sudo, and specific controller authentications to perform deep vulnerability scans.
  • Detailed Packet Capture and Analysis: Setup and assistance with packet capture to analyze network traffic and identify potential security issues.

Reporting

  • Detailed Vulnerability Report: A comprehensive report detailing all identified vulnerabilities along with their potential impacts and the context within the IT/OT environment.
  • Top Ten Suggested Mitigation Activities: Strategies prioritized to address the most critical vulnerabilities identified during the assessment.
  • Executive Summary: A high-level overview suitable for senior executives, summarizing key findings and urgent priorities.
  • Risk Scoring and Prioritization: Each vulnerability is scored based on severity, impact, and exploitation complexity to aid in prioritization.
  • Actionable Recommendations: Specific suggestions for immediate fixes and strategic enhancements to security policies and systems.
  • Graphical Representations and Analytics: Charts, graphs, and visual aids to depict the severity and distribution of vulnerabilities.
  • Raw Evidence and Methodology: Transparency in methodologies used and raw evidence provided to validate the assessment results.

This comprehensive description ensures that clients fully understand what the Internal Risk Assessment for combined IT/OT environments includes, detailing the scope, coverage, and actionable outcomes they can expect from the service.

Exclusions:

Does not include remediation of vulnerabilities.

Does not cover physical security assessments or social engineering attempts.

On-site visits beyond the scope provided are not included but can be arranged for an additional fee.

Additional Costs:

Work outside the predefined scope will be quoted and approved separately.

Travel and accommodation expenses for any required on-site work will be billed additionally, with prior approval from the client.