Risk assessment, Security concepts, Security for safety, Recovery concepts
For us, security engineering is the way from a security problem to a solution (i.e. a security concept).
The first step is always the same: Together with you, we understand and model your systems and what you do with them. This creates a model representing a common understanding of your most important functions. For many of our clients, this model becomes so important that they keep pulling it out and updating it for years, even long after the project is complete.
For your functions, we consider what can go wrong in a risk analysis. Our risk analysis methodology is flexible and can be adapted to all regulatory requirements - whether they stem from your organization or external bodies. We can prepare the risk analysis or do it together with you, but we prefer to have you, the system experts, with us. A pleasant side effect: workshops on risk identification are wonderful awareness trainings!
What the result looks like depends entirely on your individual problem. Perhaps you need a comprehensive security concept for your network, or you want to integrate security into the specifications of a new system, or have an existing concept reviewed, or set requirements for your suppliers according to a standard – or maybe want to carry out a risk analysis only for your safety systems - whatever it is, we’ll figure it out.
Read more about our security engineering methodologies in our info center.
ISMS, Incident management, Risk management, Business Continuity management, Data protection
A security management system (information security management system, ISMS) is more than a pile of paper. We start small and define goals with you: Does your management system have to pass an audit (see regulations)? In a gap analysis, we go through with you what you already have - because that is often more than you think. A security management system should not be set up as a completely new organizational island, but should be integrated into your current way of working.
Our goal is for your management system to start being operative as early as possible - and then continue to grow from there. This works after just a few weeks with our support - and the more confident you become, the more we retreat to the background.
The same applies to the operational effectiveness of your security management: A security management that is not integrated into your organizational structure and processes does not deserve the name. Together with you, we weave your security management seamlessly into your hierarchies and processes; informally as well as formally. This is the only way to establish a living security management and not a paper tiger.
For us, security management that is not technically effective is not an option. That is why security management is closely linked with security engineering. You will get to know methodologies, processes, and tools that help you to truly become more secure, not just on paper: risk management, incident management, business continuity management, change management, training.
And if you like, we can also integrate data protection into your security management as part of a Privacy Information Management System (PIMS), as it is called in the international standard ISO/IEC 27701:2020.
Read more about our security management methodologies in our info center.
Penetration test, Systems, Network, Web applications, OT, MITRE ATT&CK®
Are your security measures effective? A security test can bring clarity. During a test, we create model-based security characteristics of your target systems, which contain both effective measures and security gaps. We proceed systematically, based on open source standards and methods such as OSSTMM and OWASP.
We look at your network as a whole, individual systems or even individual applications, including web applications. If you like, we can also include your OT in the security tests - but carefully. We know how important your automation systems are to you and how we have to deal with them in order not to risk their availability. If you are not sure what a meaningful scope for your security test is, we will find out together on the basis of network modeling and attack modeling (e.g. on the basis of MITRE ATT&CK®).
In order for you to make the best use of your security test results, we prepare them as you like. At a minimum, each test result includes a classification of what it could mean for you in your context. In addition to immediate measures to close security gaps in the short term, we always make recommendations for improvements in order to avoid similar gaps in the long term. And if it helps, we will transform your test results in a way that lets you use them directly in your information security management.
Read more about our security test methodologies in our info center.
Incident, Playbook, First Response, Incident Response Team, PSIRT
What do you do if a security incident happens? To make sure no time goes to waste and no unnecessary mistakes occur in the event of an incident, we help you to “think ahead” as much as possible.
We have a team that has dealt with incidents over and over. Our Incident Response Team (IRT) is at your side, helping you hands-on with incident management, keeping a cool head and everything together. Along the way, we take care of reports and formalities that must be observed in the event of an incident. Our IRT only sees its work as done when you can work normally again and know what to do so that a similar security incident is not likely to happen again.
Also, we are happy to pass on our knowledge as a first responder to you. In collaboration with you and based on our experience, we do the “thinking ahead” individually for your organization and prepare your employees for incident response. Together we develop concepts for security incidents, emergencies and business continuity, write recovery plans and playbooks and use table-top exercises to practice using all of these concepts in the event of an incident.
If you are a manufacturer of automation solutions, we will work with you to set up a modified form of an IRT, a Product Security Incident Response Team (PSIRT): What do you do if vulnerabilities are found in your products? What do your customers need from you now?
Read more about our incident response methodologies in our info center.
Security Engineering Tool (SET)
Security Engineering, Model-based Engineering, Visualisation, Database
Do you end up with security engineering and risk analyses in long Excel spreadsheets and Visio drawings that no one maintains? Do you have to work out again every time how your complicated risk analysis table works? Do your security documents become outdated the moment you create them?
We know that. Our security engineering tool came into being because our consultants and clients alike wanted it - and they are also the ones who lovingly fine-tune every detail on a daily basis, because SET is constantly evolving.
The basis of the tool is the model-based approach of our security engineering: you start with "your network on a sheet". With SET, it is very easy to create and analyse different views of this information - and to bring it into a familiar MS Office format at any time, should that be necessary.
When you are done modelling, SET takes you by the hand and guides you up our "lighthouse": Based on your network model, you identify and model your most critical functions (so you don't have to reinvent the wheel, libraries help). Then, using clear questions and standards as inspiration, you identify your most important risks, and in the next step, requirements that help against the risks - based on your favourite standard, if you like.
SET also helps you plan and track implementation with its clear structure, especially when you have to explain all this to an inspector or auditor - or even your boss.
Security engineering and risk analysis, our customers say, suddenly seem much easier when SET is involved. You still do exactly the same as with Excel and Visio. SET just does the hard work for you and ensures that your security-relevant information is all in one place and that you can generate all important views of this data at any time.
Security engineering needs people who know their systems. These people are SET's target group. All they have to do is think - SET does all the rest.
- Modelling your systems from a security perspective
- Intuitive execution of model-based risk analyses
- Generation of different, clear diagram types such as network diagrams and data flow diagrams with one click
- Mapping of all common security standards
- Method-neutral: Flexible parameterisation enables the use of any risk analysis method
- Clear separation of requirements and implementation
- Assigning tasks and tracking progress
- Audit view for informed answers in audits and proofs
- Export of all models, data and reports in editable MS Office formats
- Connection to existing asset or configuration databases possible
- Web-based - no software installation necessary
- Software as a service or on-premise? You decide where your data is located
Read more about SET in our info center.
ProZert, Product Certifications, BSZ, 62443, Readiness, Common Criteria
The name of our subsidiary adfidetia represents what is important to us when certifying your product security. “Fides” is Latin for trust - and product certification creates value only if it increases your customers' trust in your product.
In order for a certificate to actually create trust, there must be a reproducible and technically sound test of the certified properties. This is exactly what adfidetia does as an accredited test laboratory of TÜV NORD.
Before each certification, we determine your position on the road to certification readiness, and whether you are only concerned with the "readiness" for certification or whether you want to go the full way through to the certificate, and if so, which standard and which certification scheme make sense for you. We help you on your way through the jungle of Common Criteria, Accelerated Security Certification (BSZ), ISA / IEC 62443 and legal requirements.
And if all of this is still a pipe dream for you, we will first work with you to improve the security in your product development process – because, as you may have learned by now, admeritia knows a thing or two about security engineering…