IT / OT / IoT Security Assessment - B-SEC better secure KG

IT systems are increasingly exposed to attacks – whether through the network, via social engineering or through direct physical access, the list of attack possibilities is getting longer and longer. A similar development is also evident in Operational Technology (OT) or ICS/IACS (Industrial Automation and Control Systems), which are the systems that control technical and physical processes (like PLCs, DCS or SCADA systems). In order to know the risks for your own infrastructure and to be able to evaluate them objectively, a security assessment identifies and assesses existing vulnerabilities and security problems.

An important prerequisite for carrying out an assessment is the definition of the objective, the scope and the focus. Based on many years of experience, we work together with you to determine these aspects in advance in order to achieve the best result with the optimal use of resources.

Depending on the goals and the desired depth of the assessment we can offer different procedures for checking technical and organizational security aspects.

Technical security assessments of systems and applications

Together with organizational measures, the technical security of IT systems is the essential foundation of any security architecture. Unfortunately, today many systems are not secure “by default”, but offer rich functionality and flexible configuration options – and often it is exactly this configuration that makes the difference between a secure IT system and one where attackers can easily achieve their goals. In a technical security assessment, the relevant security settings of a system are examined and evaluated, and weaknesses and opportunities for improvement are identified.

Based on many years of expertise and continuous training, we can support you with security assessments in the following areas, among others:

Windows systems – testing of security mechanisms and hardening measures, for example, on servers, office clients, engineering workstations, visualization systems/HMIs, kiosk systems, etc.
Linux systems – testing of security mechanisms and hardening measures for e.g. servers, clients, embedded systems, kiosk systems, etc.
Mobile devices – testing of security mechanisms and hardening measures for e.g. smartphones, tables, laptops, special purpose devices, etc.
OT / IoT devices – testing of attack surface and security mechanisms for e.g. PLC’s, network devices, IoT embedded devices, etc
Active Directory security assessment – review of the security settings and configuration of Microsoft Active Directory environments, including review of permissions, authentication mechanisms, configuration settings, etc.
Applications – assessment and evaluation of security aspects of an application, e.g. regarding privacy requirements, confidentiality/know-how protection, usage control/licensing, resilience against attacks, etc.

Security Audits

A security audit is focused on testing compliance with certain requirements from norms or standards. Depending on the customer’s requirements, we can provide support during preparation or conduct GAP analyses or audits. For certification audits we cooperate with accredited certification bodies where required. Among others, we can provide support for the following common standards:

ISO/IEC 27001 – Information security management systems
ISO/IEC 27018 – Protection of personally identifiable information (PII) in public clouds
ISO/IEC 27701 – Extension to ISO 27001 for privacy information management
IEC 62443-2-1 – Security program requirements for IACS asset owners
IEC 62443-2-4 – Security program requirements for IACS service providers
IEC 62443-3-2 – Security risk assessment for system design
IEC 62443-3-3 – System security requirements and security levels
IEC 62443-4-1 – Secure product development lifecycle requirements
IEC 62443-4-2 – Technical security requirements for IACS components
ETSI 303 645 – Cyber Security for Consumer Internet of Things – Baseline Requirements
ÖNORM A7700 – Security of web applications

Security assessment according to NIS act

B-SEC better secure KG was appointed as a “qualified body” according to the Austrian implementation of the European NIS directive. We can therefore carry out security audits for operators of essential services to provide the required evidence for the implementation of security measures mandated by the Austrian NIS act.

Report on expert opinion

In this case the focus is to answer a specific question by an independent, qualified expert. We are happy to support you on any questions in the areas of IT, OT and IoT security. Thomas Bleier is a sworn and court-certified expert in this field.

Penetration testing

The goal of a penetration test is to find weaknesses and vulnerabilities in systems or organizations. Depending on the requirements, we can perform penetration testing in the following areas:

Network Penetration Testing – IT/OT systems and networks
Web Application Pentesting – web applications and web interfaces
Security analysis of IoT systems – analysis of vulnerabilities and threats for IoT architectures / devices / systems
Social Engineering – testing the effectiveness of awareness measures
Physical Penetration Testing – testing of physical security measures such as access control systems, etc.
Red Team Assessment – holistic testing of organizations for vulnerabilities
Vulnerability Assessment – Simple check of systems for known technical vulnerabilities