Context and service scope

Cyber incidents pose a real threat to businesses. It is therefore essential to have an accurate overview of any weaknesses in your business landscape with respect to industrial cybersecurity. Does the protection of your industrial control systems (ICS) comply with applicable regulations and standards? What is the potential impact of cyberattacks on the availability, reliability, and safety of assets? ENGIE Laborelec’s industrial cybersecurity experts assess your industrial landscape without impacting your operations, assist you in developing a targeted remediation plan, and support you in maintaining security in the long run.

Service 1: compliance check

Checking compliance with relevant standards

Does the cybersecurity protection of your assets comply with regulations, standards, policies and best practices? ENGIE Laborelec carries out an in-depth assessment of your assets against the cybersecurity regulations, standards, practices, policies, and guidance applicable to your site. The referential depends on your situation and could include IEC 62443, ISO 27000, NERC CIP, NIST SP 800-82, the EU NIS Directive and its national implementations, UAE NESA, the Singapore Security Bill, and Oman’s AER, as well as international and internal best practices, guidelines and policies.

Define referential
Assess security requirements and identify risk
Draw network topology
Interview key staff
Analyse interviews
Report results

The assessment covers both offsite and onsite activities and includes determining the applicable referential, carrying out a risk and criticality assessment and defining the assurance levels, drawing the network topology of connected ICS assets, conducting interviews with key staff, analyzing these interviews, and reporting the results.

The report clearly indicates the assets’ position relative to the selected referential targets. Subsequently, we assist you in developing a targeted remediation plan.

Service 2: impact analysis

Assessing the cybersecurity maturity level

ENGIE Laborelec also carries out vulnerability analysis, including an assessment of the cybersecurity maturity level. It includes both offsite and onsite activities, addressing practical concerns about a targeted attack’s potential impact. First, we make a list of critical ICS assets (if needed, following a criticality analysis), draw the network topology of connected assets, and map the related organizational framework of people and processes.

Define critical assets
Draw network topology and organizational framework
Identify possible cyber-related events
VAPT
Identify gaps and analyze consequences
Report results

For each critical asset, we identify the possible cyber-related events. Vulnerabilities are evaluated through in-depth analysis as well as through offsite and onsite Vulnerability Assessment and Penetration Testing (VAPT). For VAPT, we deploy the most reputable tools available, including packet and data analyzers, security scanning tools, and exploit-code developers. We apply standard working methods such as those developed under OWASP. Penetration tests are always carried out without impacting operations: we ‘knock on the door’ to see if an entry is possible, but we never really intrude.

Based on this comprehensive analysis, we calculate and report a set of cybersecurity maturity scores or KPIs clearly indicating the strongest and weakest points in the organization’s cybersecurity posture. This includes an evaluation of the available redundancies as well as backup and restore procedures in place. For each gap identified, we analyze and report the potential business consequences. Then we help you develop a targeted remediation plan.

Do you want to secure your industrial control systems against cybersecurity threats or need advice related to industrial cybersecurity? Email us or use the contact form.