Risk Assessment, Security Concepts, Security for Safety, Recovery Concepts
We believe security engineering is the pathway from a security problem to a solution.
The first step is collaboration with you, our client. Together we learn about your systems and use cases. Then we design and develop a model that represents an overview of your most important functions. For many of our clients this model has become an invaluable tool that they can continually update long after the initial project is finished.
The next step is a risk analysis of your functions. We have developed a methodology that is flexible and can be adapted to all regulatory requirements – whether they stem from your organization or external bodies. We carry out a risk analysis independently, or preferably in collaboration with our clients – the systems experts! An added benefit of collaboration is the awareness training that comes during our risk identification workshops.
The result will depend entirely on your individual problem. Perhaps you need a comprehensive security concept for your network? Alternatively, do you want to integrate security into the specifications of a new system, or even have an existing concept reviewed? Perhaps you have set requirements for your suppliers according to a particular standard. Maybe you would simply like to carry out a risk analysis of your internal safety systems. Whatever your needs, we’ll find a solution.
Read more about our security engineering methodologies in our info center.
ISMS, Incident Management, Risk Management, Business Continuity Management, Data Protection
A security management system (Information Security Management System, ISMS) is more than a stack of paper. We go step by step and define your goals with you. Does your management system have to pass an external audit (see regulations)? During a gap analysis we see what you already have – which is often more than you think. We see a security management system as part of your business, and as such it needs to be integrated into your way of working, not set up separately.
We strive to have your management system operating as quickly as possible – this is usually within a few weeks of starting our support - and then we continue to develop it from there. As your confidence grows you take over your system as we move more into a support role.
We adopt the same concept for the operational effectiveness and management of your security. Only security management integrated into your organizational structure and processes is worthy of the name. Working together we incorporate security management seamlessly into your hierarchies and processes, formally as well as informally. This is the only way to establish a thriving, dynamic security management system and not simply a paper tiger.
In our opinion, management of security which is not technically effective is not an option. This is why security management is so closely linked with security engineering. We will train you in methodologies and processes including risk management, incident management, business continuity management and change management - tools to truly become more secure.
Additionally, as part of a Privacy Information Management System (PIMS), we can also integrate data protection into your security management. International Standard reference: ISO/IEC 27701:2020.
Read more about our security management methodologies in our info center.
Penetration Testing, Systems, Networks, Web Applications, OT, MITRE ATT&CK®
Are your security measures effective? A security test can bring insight and assurance. During testing we identify the security characteristics of your target systems, creating a model revealing both currently effective measures and security gaps. Proceeding systematically, our approach is based on open source standards and methods such as OSSTMM and OWASP.
Our security testing can target your network as a whole, focus on individual systems only, or target solely web-based or individual applications themselves. We can also provide the opportunity to safely test the security of your operational technology (OT), proceeding cautiously and with appreciation of how important your automation systems are to you. You can trust in our know-how that we will at no time compromise their operation and availability. If you feel uncertain of the scope needed for a meaningful security test, working together we can determine your needs by applying the concepts of network modelling and attack modelling (using MITRE ATT&CK®).
We recognize that in order to make the best use of your security test results, you may need them presented in a particular way. At a minimum, each security test result includes a classification of its significance within your context and circumstances. In addition to immediate measures to close security gaps in the short term, our recommendations always include suggested improvements with an eye to similar gaps in the longer term. And if it helps, we can further transform your test results into a suitable format allowing you to directly use them in your information security management.
Read more about our security testing methodologies in our info center.
Incident, Playbook, First Response, Incident Response Team, PSIRT
What do you do if a security incident happens? To make sure no time goes to waste and no unnecessary mistakes occur in the event of an incident, we help you to “think ahead” as much as possible.
We have a team that has dealt with incidents over and over. Our Incident Response Team (IRT) is at your side, helping you hands-on with incident management, keeping a cool head and everything together. Along the way, we take care of reports and formalities that must be observed in the event of an incident. Our IRT only sees its work as done when you can work normally again and know what to do so that a similar security incident is not likely to happen again.
Also, we are happy to pass on our knowledge as a first responder to you. In collaboration with you and based on our experience, we do the “thinking ahead” individually for your organization and prepare your employees for incident response. Together we develop concepts for security incidents, emergencies and business continuity, write recovery plans and playbooks and use table-top exercises to practice using all of these concepts in the event of an incident.
If you are a manufacturer of automation solutions, we will work with you to set up a modified form of an IRT, a Product Security Incident Response Team (PSIRT): What do you do if vulnerabilities are found in your products? What do your customers need from you now?
Read more about our incident response methodologies in our info center.
Security Engineering Tool (SET)
Security Engineering, Model-based Engineering, Visualisation, Database
How often do you end up with long security engineering and risk analyses in Excel spreadsheets and Visio graphics that nobody maintains? Does your head frequently spin trying to work out how your complicated risk analysis table works? Are your security documents regularly outdated before you've even finished them?
The frustrations of both consultants and clients alike were the very reason our Security Engineering Tool (SET) was created. Like your security needs, SET is constantly evolving, being devotedly fine-tuned on a daily basis by the same group of people who called for its development in the first place.
The basis of SET is the use of a model-based approach to security engineering. Our concept is your network on one page. With our tool it is very easy to generate, analyse and sift through your information using different approaches – as well as putting it into familiar MS Office formatting at any time if you prefer.
After you have finished modelling, SET guides you into our Lighthouse where you will be able to identify and model your most critical functions, using your network modelling results as the basis. This can all be done with the help of our libraries, avoiding the necessity for you to “reinvent the wheel” at this stage. Our Lighthouse also guides and inspires you to determine your most important risks with the assistance of relevant questions and standards, and in the next step the requirements to help mitigate those risks. You can even choose to base these mitigations on the standard you prefer most.
With its clear structure, SET also helps you plan and track your changes during the implementation process. This might prove especially important when needing to explain your updates to an inspector or auditor - or even your boss.
As our customers like to tell us, security engineering and risk analyses suddenly seem so much easier when SET is part of the process. Moreover, your role remains the same as it was using Excel and Visio, except that from now on SET takes over all the hard work for you and ensures that your security-relevant information is in one place, enabling access to all aspects of this data at any time.
Security engineering needs people who really know their systems. These are the people in SET's target group. All they have to do is think - SET does the rest.
- Modelling of your systems from a security perspective
- Intuitive implementation of model-based risk analyses
- Generation of a variety of diagram types including network and data flow overviews, available clearly and with just one click
- Mapping of all commonly used security standards
- Flexible parameter settings enabling the use of any risk analysis method
- Requirements and implementation steps clearly separated
- Allocation of tasks and progress tracking
- Auditing view for solutions to use during auditing and certifying processes
- Export of all models, data and reports to editable MS Office formats
- Connection to existing asset or configuration databases as required
- Completely web-based - no software installation necessary
- Software as a service or on-site only storage? You decide where your data is located
Read more about SET in our info center.
ProZert, Product Certifications, BSZ, 62443, Readiness, Common Criteria
Everything that is important to us when certifying your product security is contained in the name of our subsidiary adfidetia. “Fides” is Latin for trust - and product certification creates value only if it increases your customers' trust in your product.
We understand that only certification which provides technically sound and reproducible analysis of the parameters to be certified will provide this level of trust and as an accredited test laboratory of TÜV NORD this is exactly what adfidetia delivers.
Before starting with the certification process, we determine your current status on the road to readiness. Is your objective just to be ready, or are you already looking to obtain and complete certification of your product security? Which standard and which certification scheme are right for you? Our support and assistance will help you find your way through the jungle of Common Criteria, Accelerated Security Certification (BSZ), ISA / IEC 62443 and legal requirements.
If all of this currently just seems like a pipe dream for you, together we will instead put the initial focus on improving the security of your product development process itself – because, as you may have learned by now, admeritia knows a thing or two about security engineering…