Perform paper-based and scenario-based penetration tests to identify immediate gaps, vulnerabilities, and attack paths.
Operational Technology (OT) and Industrial Control Systems (ICS) are components that support industrial processes found in many critical infrastructures such as energy, oil and gas, chemical, and water.
State-sponsored attackers are increasingly interested in these targets because of the lack of security by design and the significant impact a successful breach can cause. Critical infrastructures always give the highest priority to high availability and are very reluctant to change and patch. Moreover, the inherently vulnerable ICS devices and protocols cannot withstand even a simple attack that would otherwise be blocked or prevented in the IT environment. All these factors make critical infrastructures very attractive targets for adversaries.
Based on its extensive experience in offensive security assessment and consultation for process networks, ECQ designs its own framework, AIDICS, which helps customers in the OT/ICS sector achieve better security to withstand external, internal, and accidental attacks.
Identify critical assets, risks, and missing controls based on ISO 27001, NIST CSF, and NIST SP-800-82-R2.
Provide a risk treatment and design improvement plan together with technical configuration guidelines.
Inspect and validate the newly implemented controls through security review and assume-breach assessment.
Provide security awareness training and technical security training to ensure all people in the plant can follow and maintain the security posture.
Build a simulated process network to allow OT/ICS customers to safely use the XACT attack simulation engine to continuously simulate attacks.