In the context of Industry 4.0 and the Internet of Things (IoT), the networking of systems for process control, production and automation is increasing dramatically. As a result, challenges are also increasing in relation to security. Gateways frequently used by hackers include maintenance access points via the internet, unsecured interfaces to the traditional IT infrastructure, or lack of employee awareness for IT security.
TÜViT offers security checks and penetration tests in order to reduce security vulnerabilities in your production infrastructure.
Know-how from a single source
Combining the 150 years´ experience in the industrial sector of TÜV NORD with the 20 years of TÜViT IT security expertise makes us a premium partner to protect your production infrastructure and ICS components against hacker attacks.
TÜViT designed and formulated the ICS Security Compendium upon request from the German Federal Office for Information Security (BSI). For TÜViT and its customers, security isn’t an option — it’s embedded in virtually everything we do.
Our services at a glance
- survey of the IT risks of production systems and analysis of the technical data; here our IT security experts consider e.g. which platforms and systems the respective manufacturers use, how the networking and interaction of the systems for production and process automation operate with one another as well as with office network, and what safety measures are in place
- identification of vulnerabilities and the extent of security risk; ongoing business operations are not disrupted here, because the security check is performed without active interference in the IT system
- documentation of vulnerabilities and preparation of a prioritized action plan, with recommendations for elimination of vulnerabilities
- test of conformity with the authoritative standards, e.g. IEC 62443; this standard focuses on the IT security of industrial control systems
- evaluation of the technical security level of remote maintenance access, established standard IT components, availability requirements for communication networks, and their monitoring
- evaluation of the threat potential based on human misconduct and intentional attacks on device, network and application levels; here our security experts consider amongst other things the degree of networking and the security of production networks, as well as misconfiguration and inadequate backups of components
- passive and active attacks on established ICS components such as SCADA systems, PLC, HMI, BFS and MES at system and network levels
- derivation and assessment of organizational vulnerabilities such as inadequate documentation and IT security regulations in the form of directives and processes
Your benefits at a glance
- leverage the breadth of TÜV NORD and TÜViT expertise in industrial IT security
- with TÜViT, you have as your partner one of the leading experts in the field of cyber security, which is certified by the German Federal Office for Information Security (BSI) as an IT security service provider for IS audits, IS consulting, and penetrationtesting
- efficient performance of security checks and penetration tests using an independently developed test platform, the “Distributed Penetration Platform” (DPP)
- definition of your security maturity level on the basis of recognized standards and best practices (e.g. ICS Security Compendium of the Federal Office for Information Security (BSI), standard IEC 62443)
- objective analysis and assessment of the established technical and organizational security measures in the field of industrial security
- increasing the efficiency and overall security level through individually derived recommendations for action
- fulfilling duties of care in test performance and security and compliance requirements
What vulnerabilities do hackers target for exploitation in industrial companies?
The top 10 threats for industrial control systems in 2016 include the following
- Social engineering and phishing
- Infiltration of malware using removable media and external hardware
- Infection with malware via internet and intranet
- Penetration via remote maintenance ports
- Human misconduct and sabotage
- Control components connected to the internet
- Technical misconduct and force majeure
- Compromised extranet and cloud components
- (D)DoS attacks
- Compromised smartphones in the production environment
(Source: German Federal Office for Information Security)