Icon Telefon Icon Hard hats

Services and Solutions

admeritia stands for systematic and doable security.

"Systematic" means: No matter what we do, we follow a comprehensible methodology that all our consultants internalize, which has proven itself in a large number of projects and is constantly adapted to current international and national standards and the state of science and technology. Our methods are distilled security experience - and in cooperation, our knowledge becomes yours.

"Doable" means: Doable for you. We meet you where you are, take you by the hand and show you that you are your own most important security expert. We want to enable you to take responsibility for the security of your systems, rather than making you dependent on us. That said, when you need us, we are there - for most customers we have become the "telephone joker" for many years.

From our solution elements from security engineering, security management, security testing, conformity assessments and incident response, we put together an individual approach tailored to your security problems.

divider 1 divider 2
Security Engineering
Security Management
Security Test
Incident Response
Security Engineering Tool (SET)
Conformity Assessment
Research and funding projects
#

Security Engineering

Risk assessment, Security concepts, Security for safety, Recovery concepts

For us, security engineering is the way from a security problem to a solution (i.e. a security concept).

The first step is always the same: Together with you, we understand and model your systems and what you do with them. This creates a model representing a common understanding of your most important functions. For many of our clients, this model becomes so important that they keep pulling it out and updating it for years, even long after the project is complete.

For your functions, we consider what can go wrong in a risk analysis. Our risk analysis methodology is flexible and can be adapted to all regulatory requirements - whether they stem from your organization or external bodies. We can prepare the risk analysis or do it together with you, but we prefer to have you, the system experts, with us. A pleasant side effect: workshops on risk identification are wonderful awareness trainings!

What the result looks like depends entirely on your individual problem. Perhaps you need a comprehensive security concept for your network, or you want to integrate security into the specifications of a new system, or have an existing concept reviewed, or set requirements for your suppliers according to a standard – or maybe want to carry out a risk analysis only for your safety systems - whatever it is, we’ll figure it out.

Read more about our security engineering methodologies in our info center.

Security Management

ISMS, Incident management, Risk management, Business Continuity management, Data protection

A security management system (information security management system, ISMS) is more than a pile of paper. We start small and define goals with you: Does your management system have to pass an audit (see regulations)? In a gap analysis, we go through you what you already have - because that is often more than you think. A security management system should not be set up as a completely new organizational island, but should be integrated into your current way of working.

Our goal is for your management system to start being operative as early as possible - and then continue to grow from there. This works after just a few weeks with our support - and the more confident you become, the more we retreat to the background.

The same applies to the operational effectiveness of your security management: A security management that is not integrated into your organizational structure and processes does not deserve the name. Together with you, we weave your security management seamlessly into your hierarchies and processes; informally as well as formally. This is the only way to establish a living security management and not a paper tiger.

For us, security management that is not technically effective is not an option. That is why security management is closely linked with security engineering. You will get to know methodologies, processes, and tools that help you to truly become more secure, not just on paper: risk management, incident management, business continuity management, change management, training.

And if you like, we can also integrate data protection into your security management as part of a Privacy Information Management System (PIMS), as it is called in the international standard ISO/IEC 27701:2020.

Read more about our security management methodologies in our info center.

#
#

Security Test

Penetration test, Systems, Network, Web applications, OT, MITRE ATT&CK®

Are your security measures effective? A security test can bring clarity. During a test, we create model-based security characteristics of your target systems, which contain both effective measures and security gaps. We proceed systematically, based on open source standards and methods such as OSSTMM and OWASP.

We look at your network as a whole, individual systems or even individual applications, including web applications. If you like, we can also include your OT in the security tests - but carefully. We know how important your automation systems are to you and how we have to deal with them in order not to risk their availability. If you are not sure what a meaningful scope for your security test is, we will find out together on the basis of network modeling and attack modeling (e.g. on the basis of MITRE ATT&CK®).

In order for you to make the best use of your security test results, , we prepare them as you like. At a minimum, each test result includes a classification of what it could mean for you in your context. In addition to immediate measures to close security gaps in the short term, we always make recommendations for improvements in order to avoid similar gaps in the long term. And if it helps, we will transform your test results in a way that you directly use them in your information security management.

Read more about our security test methodologies in our info center.

Incident Response

Incident, Playbook, First Response, Incident Response Team, PSIRT

What do you do if a security incident happens? To make sure no time goes to waste and no unnecessary mistakes occur in the event of an incident, we help you to “think ahead” as much as possible.

We have a team that has dealt with incidents over and over. Our Incident Response Team (IRT) is at your side, helping you hands-on with incident management, keeping a cool head and everything together. Along the way, we take care of reports and formalities that must be observed in the event of an incidents. Our IRT only sees its work as done when you can work normally again and know what to do so that a similar security incident is not likely to happen again.

Also, we are happy to pass on our knowledge as a first responder to you. In collaboration with you and based on our experience, we do the “thinking ahead” individually for your organization and prepare your employees for incident response. Together we develop concepts for security incidents, emergencies and business continuity, write recovery plans and playbooks and use table-top exercises to practice using all of these concepts in the event of an incident.

If you are a manufacturer of automation solutions, we will work with you to set up a modified form of an IRT, a Product Security Incident Response Team (PSIRT): What do you do if vulnerabilities are found in your products? What do your customers need from you now?

Read more about our incident response methodologies in our info center.

#
#

Security Engineering Tool (SET)

Security Engineering, Model-based Engineering, Visualisation, Database

Do you end up with security engineering and risk analyses in long Excel spreadsheets and Visio drawings that no one maintains? You have to rethink every time how your complicated risk analysis table works again? Your security documents become outdated the moment you create them?
We know that. Our security engineering tool came into being because our consultants and clients alike wanted it - and they are also the ones who lovingly fine-tune every detail on a daily basis, because SET is constantly evolving.
The basis of the tool is the model-based approach of our security engineering: you start with "your network on a sheet". With SET, it is very easy to create and analyse different views of this information - and to bring it into a familiar MS Office format at any time, should that be necessary.
When you are done modelling, SET takes you by the hand and you climb our "lighthouse" guided: Based on your network model, you identified and modelled your most critical functions (so you don't have to reinvent the wheel, libraries help). Then, using clear questions and standards as inspiration, you identify your most important risks, and in the next step, requirements that help against the risks - based on your favourite standard, if you like.
SET also helps you plan and track implementation with its clear structure; and especially when you have to explain all this to an inspector or auditor - or even your boss.

Security engineering and risk analysis, our customers say, suddenly seem much easier when SET is involved. You still do exactly the same as with Excel and Visio. SET just does the hard work for you and ensures that your security-relevant information is all in one place and that you can generate all important views of this data at any time.

Security engineering needs people who know their systems. These people are SET's target group. All they have to do is think - SET does all the rest.

Features:
  • Modelling your systems from a security perspective
  • Intuitive execution of model-based risk analyses
  • Generation of different, clear diagram types such as network diagrams and data flow diagrams with one click
  • Mapping of all common security standards
  • Method-neutral: Flexible parameterisation enables the use of any risk analysis method
  • Clear separation of requirements and implementation
  • Assigning tasks and tracking progress
  • Audit view for informed answers in audits and proofs
  • Export of all models, data and reports in editable MS Office formats
  • Connection to existing asset or configuration databases possible
  • Web-based - no software installation necessary
  • Software as a service or on-premise at your premises? You decide where your data is located

Read more about SET in our info center.

Conformity Assessment

ProZert, Product Certifications, BSZ , 62443, Readiness, Common Criteria

The name of our subsidiary adfidetia represents what is important to us when certifying your product security. “Fides” is Latin for trust - and product certification creates value only if it increases your customers' trust in your product.

In order for a certificate to actually create trust, there must be a reproducible and technically sound test of the certified properties. This is exactly what adfidetia does as an accredited test laboratory of TÜV NORD.

Before each certification, we determine your position on the road to certification readiness, and whether you are only concerned with the "readiness" for certification or whether you want to go to the full way through to the certificate, and if so, which standard and which certification scheme make sense for you. We help you on your way through the jungle of Common Criteria, Accelerated Security Certification (BSZ), ISA / IEC 62443 and legal requirements.

And if all of this is still a pipe dream for you, we will first work with you to improve the security in your product development process – because, as you may have learned by now, admeritia knows a thing or two about security engineering…

#

Research and funding projects

We regularly assume consortium leadership in research projects that focus on OT security. Through research projects funded by federal ministries, we shape future developments and are in constant exchange with institutions from education and research.

And of course, all results flow back into our consulting solutions.

IDEAS – Integrated Data Models for the Engineering of Automation Security

2021-2023
Motivation

Due to the increasing interconnectedness of their components, automated industrial plants have become attractive targets of IT security attacks and malicious code. Ideally, they should be capable of adjusting to changing threat scenarios during operation. Also, it would make sense to integrate IT security measures already during plant design as opposed to adding security after the design is finished, as it is done nowadays.

To make this possible, engineers need tools that enable them to include security aspects efficiently during their existing automation engineering process.

Goals and procedure

In the project, an information model will be developed that - serving as a digital twin - can model all security-relevant aspects of a given component. Thus, security-relevant information can be handled more systematically. Also, an integrated technical procedure model to integrate security as early as possible into the existing industrial automation engineering process. Lastly, a software tool will be developed that enables engineers to integrate working with the information model seamlessly within their existing engineering procedures. To ensure practicality of the workflow and the tool, an automation product supplier as well as an asset owner are application partners within the project.

Innovations and perspectives

With the new information model, automation product suppliers can deliver security configurations along with their components and potentially even deploy them automatically. Asset owners can reproduce security configurations and trace them back to treated risks. Thus, knowledge about vulnerabilities, risks, and countermeasures can better be shared.

Complementary to many available methods and tools which follow the strategy to detect security incidents in industrial plants, IDEAS focuses on a sound security architecture achieved through security engineering done by engineers who know their systems. Ideally, large (economonic) losses through IT security incidents can be avoided. This is key for all organisations who want to work towards proactive security but whose engineers don't have the time to develop extensive security know-how and methodology.

Combined engineering methodology for security and safety in embedded systems (KEM3S)

2013-2016
forschung KEM3S


Hardware sensors for IT network security

2012-2015
forschung BMWi

Secureclouds

2011-2014
forschung BMWi

Security Controlling Framework

2010-2012
forschung BMWi
kontaktperson-foto
Your contact person

Andreas Eichmann
Senior Account Manager

Tel.: +49 2173 20363-0
Email: info-at-admeritia.de

Turn your security problem into a security solution!