Cybersecurity
Overview
Cybersecurity focuses on protecting systems, networks, and data from digital attacks, damage, or unauthorized access. In today’s interconnected world, with vast amounts of sensitive data transmitted online, the importance of cybersecurity has never been greater.
It safeguards critical infrastructure, corporate networks, and government systems from threats like malware, phishing, ransomware, and denial of service (DoS) attacks. As reliance on technology in business, healthcare, and communication grows, so do the risks.
Hackers exploit vulnerabilities to steal data, disrupt services, and cause financial and reputational damage. Cybersecurity professionals play a crucial role in preventing and responding to attacks through risk assessments, security protocols, and monitoring. The field requires continuous learning to protect the confidentiality, integrity, and availability of information, enabling individuals and organizations to operate securely in the digital age.
Security Awareness and Training
In spite of all the technical controls IT departments design to prevent security breaches, we all know that security incidents still do occur – and the root cause of many (if not most!) of these incidents is the actions of users. The “people factor,” not technology, is the weakest link in any attempt to secure information systems and networks. So if people are the weakest link, then a robust and effective End User Security Awareness and Training program is paramount to ensuring that people understand their Cyber Security responsibilities, organizational policies, and how to properly use and protect the resources entrusted to them. Changing user behavior represents the critical “last mile” of reducing risks on the prevention side of the security risk equation.
Our Security Education Platform is purpose-built to deliver comprehensive security awareness and training that can be effectively and easily managed by you and your administrators. This integrated platform gives you access to the key components of our Assess, Educate, Reinforce, Measure methodology. You can customize and send knowledge assessments and mock attacks, schedule interactive training assignments, run reports and measure results, communicate with your employees and much more.
This tight integration between knowledge assessments, mock attacks, training, and reporting puts you on the fast track to risk reduction. You could see significant results in just a few months, which you can continue to improve upon over the life of your security awareness and training program. Our customers have reduced successful phishing attacks and malware infections by up to 90% using our proven methodology.
We understand that not every organization’s requirements are the same. That’s why we allow you to choose the specific knowledge assessments, simulated attacks, interactive training modules, and Security Awareness Materials that will work for you. Implement all our products for a 360-degree approach to security awareness and training or choose just the items that suit your organization’s needs.
Each of our modules offers 10 to 15 minutes of interactive training about a specific security topic. Our development and design processes use key Learning Science Principles and employ methods that have been proven to be more effective than once-a-year training presentations and videos that do not allow for interaction.
Our modules engage users through hands-on decision-making, improving knowledge retention and facilitating longer-term behavior change. In addition to this purpose-written, research-based educational content, our Training Jackets allow you to add custom and personalized content to the beginning and end of each module. You can add notes about specific organization policies, attach a training completion certificate, include a policy acknowledgement screen, and more.
As your employees progress through our training, comprehensive reporting functions allow you to gather the intelligence you need to effectively manage and tailor your efforts. We provide a variety of reports that give you both high-level and granular looks at your employees’ results.
Our Security Education Platform is purpose-built for information security officers and enables seamless execution of your awareness and training initiatives. We listen to our customers, and our responsive platform design gives us the flexibility to add functionality and incorporate new features.
Our Continuous Training Methodology includes four key steps: Assess, Educate, Reinforce, and Measure. These components can be used independently, but they are most effective when they are combined, which delivers a 360-degree approach to security awareness and training. You can deliver these steps via our Security Education Platform, which is purpose-built for information security officers and enables seamless execution of your program.
Enterprise Mobile Security Strategy
Enterprise mobility is driving a new phase of business growth, flexibility and employee productivity. The low-hanging fruits of mobile technology can be realized in many areas of your business operations, from sales right through to the C-level. For example, field sales personnel can access product information and pricing data, obtain quote approvals, and advance a purchase process onsite with a customer from their mobile devices. In the insurance industry, claims adjustors can process a claim at an accident site simply by using a mobile device, improving client satisfaction; the list is endless.
Given the potential and benefits of mobile technology, employees are now demanding access to enterprise resources and collaboration tools on their chosen mobile devices. Their needs and demands go beyond just company email. They want access from their devices to documents stored on file servers behind the corporate firewall, intranet portals, corporate instant messaging services, and web applications. Managers are looking to transform their lines of business through the use of mobile technology, requiring that multiple applications share data to create processes that better serve their customers, partners and other employees. To meet these demands for convenient enterprise mobility, IT departments face ever-increasing and evolving requirements for mobility enablement. At the same time, they are confronted with the persistent challenge of securing company data.
As this demand explodes, organizations must address security issues to reap the benefits of mobilizing the enterprise. Constant security breaches put companies’ valuable assets and information at risk and companies cannot compromise their intellectual property, proprietary business processes, business intelligence, and customer data just for the sake of mobilizing their workforce. As a result, IT departments must implement stringent security standards to ensure that mobile users are allowed access to key enterprise data only as authorized and that such data is safeguarded both during transmission and while at rest on the respective employee mobile devices. They also need to ensure that the core IT infrastructure is not jeopardized.
Our Mobile Security Solution
Through our partnership with a leading enterprise mobility management provider, we offer our clients a comprehensive solution providing end-to-end, real-time mobile collaboration and enterprise application access, supported by comprehensive device management and security. Our enterprise solution provides mobile professionals with up-to-date information when and where they need it and gives the IT department the means to secure and manage a diverse fleet of smartphones and tablets. The data path through our solution is encrypted end-to-end, from behind-the-firewall enterprise servers all the way to the mobile devices.
Industrial Control Systems Security
Industrial Control Systems (ICS) generally encompass several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC) often found in the industrial sectors and critical infrastructures. ICS are typically used in industries such as electrical distribution, water treatment plants, oil and natural gas pipelines, chemical, transportation, pharmaceutical, food and beverage processing, and discrete manufacturing such as automotive, aerospace, and durable goods. These control systems are critical to the operation of any country’s critical infrastructures that are often highly interconnected and mutually dependent systems.
Supervisory Control And Data Acquisition
SCADA systems are highly distributed systems used to control geographically dispersed assets, often scattered over thousands of square kilometers, where centralized data acquisition and control are critical to system operation. They are used in distribution systems such as water distribution and wastewater collection systems, oil and natural gas pipelines, electrical power grids, and railway transportation systems. A SCADA control center performs centralized monitoring and control for field sites over long-distance communications networks, including monitoring alarms and processing status data. Based on information received from remote stations, automated or operator-driven supervisory commands can be pushed to remote station control devices, which are often referred to as field devices. Field devices control local operations such as opening and closing valves and breakers, collecting data from sensor systems, and monitoring the local environment for alarm conditions.
Distributed Control Systems
DCS are used to control industrial processes such as electric power generation, oil refineries, water and wastewater treatment, and chemical, food, and automotive production. DCS are integrated as a control architecture containing a supervisory level of control overseeing multiple, integrated sub-systems that are responsible for controlling the details of a localized process. Product and process control are usually achieved by deploying feedback or feedforward control loops whereby key product and/or process conditions are automatically maintained around a desired set point. To accomplish the desired product and/or process tolerance around a specified set point, specific PLCs are employed in the field, and the proportional, integral, and/or derivative settings on the PLC are tuned to provide the desired tolerance as well as the rate of self-correction during process upsets. DCS are used extensively in process-based industries.
Programmable Logic Controllers
PLCs are computer-based solid-state devices that control industrial equipment and processes. While PLCs are control system components used throughout SCADA and DCS systems, they are often the primary components in smaller control system configurations used to provide operational control of discrete processes such as automobile assembly lines and power plant soot blower controls. PLCs are used extensively in almost all industrial processes.
Why Cyber Security Assessments of ICS Are Important
Industrial Control Systems (ICS) were originally built as stand-alone systems that were not interconnected and had little in the way of security protections. With the advent of the internet, the design of many ICS has changed such that the control network is now often connected as an extension of the corporate IT network. This means that these ICSs are potentially reachable from the internet by malicious and skilled adversaries. In addition, new vulnerabilities are often discovered in the current operating systems and third-party software that make up today’s ICSs. The implications of these vulnerabilities for the ICS domain may not be obvious, but they can be exposed by a cyber security assessment.
Threats to control systems can come from numerous sources, including adversarial sources such as hostile governments, terrorist groups, industrial spies, disgruntled employees, and malicious intruders, and non-adversarial sources such as system complexity, human errors and accidents, equipment failures, and natural disasters.
OUR SERVICES
We provide ICS owners and operators with cyber security assessment services so they can find out whether their system is vulnerable to a cyber attack. The assessment identifies and seeks to mitigate vulnerabilities that would allow an attacker to disrupt or take control of the system.
Our assessment methodologies include:
End-to-end penetration assessments
An end-to-end penetration assessment is one in which the goal of the effort is to gain an understanding of how far an attacker could reach.
Component testing
Component testing is testing pieces of an ICS separately from the rest of the system. These tests usually work with the target component isolated (disconnected) from the rest of the ICS. Examples of components tested this way are a PLC, RTU, HMI application or database that plays a significant role in the ICS.
Technical documentation review
A technical documentation review examines an ICS by looking over documents such as system inventory, architecture diagrams, process diagrams, procedures and process documents. A technical document review can be an effective tool if the goals for the task are to prepare for a cyber security assessment or to improve the process.
Functionality and configuration review
This review examines the ICS by validating the functionality and checking the configuration of the system in an effort to understand the ICS’s unique requirements and characteristics. This activity could identify areas where the process could be optimised. It is the only way to assess and secure the production system components and network.
Staff interviews
The goal of these interviews would be to gain further understanding and insight into the processes and procedures of the ICS. Interviewing key staff should be part of a production assessment and the documentation and configuration review processes.
Risk assessment
Risk analysis is used to determine whether an asset is protected and to what level. A cyber security risk assessment is a mathematical way to estimate the likelihood that a system can be attacked using cyber means.