Services and Solutions

admeritia stands for systematic and implementable security.

Systematic means we always follow a comprehensive plan that all of our consultants incorporate into their work. This methodology has been proven time and again with a large number of projects, and yet is structured in such a way that it can be tailored to constantly changing national and international standards as well as new advances in science and technology. Our methods epitomize security experience – and by collaborating with us, our knowledge becomes yours.

Implementable means it works for you. We guide you towards becoming your own security expert, rather than being dependent on us – meaning you can independently decide what is best for you and your company. But you still have the peace of mind of our safety net because we are always here if you need us.

Our solution principles, from security engineering, security management and security testing to conformity assessments and incident responses, help us create an individual approach custom-made for your security issues.


Security Engineering

Risk Assessment, Security Concepts, Security for Safety, Recovery Concepts

We believe security engineering is the pathway from a security problem to a solution.

The first step is collaboration with you, our client. Together we learn about your systems and use cases. Then we design and develop a model that represents an overview of your most important functions. For many of our clients this model has become an invaluable tool that they can continually update long after the initial project is finished.

The next step is a risk analysis of your functions. We have developed a methodology that is flexible and can be adapted to all regulatory requirements – whether they stem from your organization or external bodies. We carry out a risk analysis independently, or preferably in collaboration with our clients – the systems experts! An added benefit of collaboration is the awareness training that comes during our risk identification workshops.

The result will depend entirely on your individual problem. Perhaps you need a comprehensive security concept for your network? Alternatively do you want to integrate security into the specifications of a new system, or even have an existing concept reviewed? Perhaps you have set requirements for your suppliers according to a particular standard. Maybe you would simply like to carry out a risk analysis of your internal safety systems. Whatever your needs, we’ll find a solution.

Read more about our security engineering methodologies in our info center.

Security Management

ISMS, Incident Management, Risk Management, Business Continuity Management, Data Protection

A security management system (Information Security Management System, ISMS) is more than a stack of paper. We go step by step and define your goals with you. Does your management system have to pass an external audit (see regulations)? During a gap analysis we see what you already have – which is often more than you think. We see a security management system as part of your business, and as such it needs to be integrated into your way of working, not set up separately.

We strive to have your management system operating as quickly as possible – this is usually within a few weeks of starting our support – and then we continue to develop it from there. As your confidence grows, you take over your system as we move more into a support role.

We adopt the same concept for the operational effectiveness and management of your security. Only security management integrated into your organizational structure and processes is worthy of the name. Working together we incorporate security management seamlessly into your hierarchies and processes, formally as well as informally. This is the only way to establish a thriving, dynamic security management system and not simply a paper tiger.

In our opinion, management of security which is not technically effective is not an option. This is why security management is so closely linked with security engineering. We will train you in methodologies and processes including risk management, incident management, business continuity management and change management – tools to truly become more secure.

Additionally, as part of a Privacy Information Management System (PIMS), we can also integrate data protection into your security management. The relevant international standard is ISO/IEC 27701:2020.

Read more about our security management methodologies in our info center.


Security Testing

Penetration Testing, Systems, Networks, Web Applications, OT, MITRE ATT&CK®

Are your security measures effective? A security test can bring insight and assurance. During testing we identify the security characteristics of your target systems, creating a model revealing both currently effective measures and security gaps. Proceeding systematically, our approach is based on open source standards and methods such as OSSTMM and OWASP.

Our security testing can target your network as a whole, focus on individual systems only or target solely web-based or individual applications themselves. We can also provide the opportunity to safely test the security of your operational technology (OT), proceeding cautiously and with appreciation of how important your automation systems are to you. You can trust in our know-how that we will at no time compromise their operation and availability. If you feel uncertain of the scope needed for a meaningful security test, working together we can determine your needs by applying the concept of network modelling and attack modelling (using MITRE ATT&CK®).

We recognize that in order to make the best use of your security test results, you may need them presented in a particular way. At a minimum, each security test result includes a classification of its significance within your context and circumstances. In addition to immediate measures to close security gaps in the short term, our recommendations always include suggested improvements with an eye to similar gaps in the longer term. And if it helps, we can further transform your test results into a suitable format allowing you to directly use them in your information security management.

Read more about our security testing methodologies in our info center.

Incident Response

Incident, Playbook, First Response, Incident Response Team, PSIRT

What do you do if a security incident happens? To make sure no time goes to waste and no unnecessary mistakes occur in the event of an incident, we help you to “think ahead” as much as possible.

We have a team that has dealt with incidents over and over. Our Incident Response Team (IRT) is at your side, helping you hands-on with incident management, keeping a cool head and everything together. Along the way, we take care of reports and formalities that must be observed in the event of an incident. Our IRT only sees its work as done when you can work normally again and know what to do so that a similar security incident is not likely to happen again.

Also, we are happy to pass on our knowledge as a first responder to you. In collaboration with you and based on our experience, we do the “thinking ahead” individually for your organization and prepare your employees for incident response. Together we develop concepts for security incidents, emergencies and business continuity, write recovery plans and playbooks and use table-top exercises to practice using all of these concepts in the event of an incident.

If you are a manufacturer of automation solutions, we will work with you to set up a modified form of an IRT, a Product Security Incident Response Team (PSIRT): What do you do if vulnerabilities are found in your products? What do your customers need from you now?

Read more about our incident response methodologies in our info center.


Security Engineering Tool (SET)

Security Engineering, Model-based Engineering, Visualisation, Database

How often do you end up with long security engineering and risk analyses in Excel spreadsheets and Visio graphics that nobody maintains? Does your head frequently spin trying to work out how your complicated risk analysis table works? Are your security documents regularly outdated before you've even finished them? The frustrations of both consultants and clients alike were the very reason our Security Engineering Tool (SET) was created. Like your security needs, SET is constantly evolving, being devotedly fine-tuned on a daily basis by the same group of people who called for its development in the first place.
The basis of SET is the use of a model-based approach to security engineering. Our concept is your network on one page. With our tool it is very easy to generate, analyse and sift through your information using different approaches – as well as putting it into familiar MS Office formatting at any time if you prefer.

After you have finished modelling, SET guides you into our Lighthouse where you will be able to identify and model your most critical functions, using your network modelling results as the basis. This can all be done with the help of our libraries, avoiding the necessity for you to “reinvent the wheel” at this stage. Our Lighthouse also guides and inspires you to determine your most important risks with the assistance of relevant questions and standards, and in the next step the requirements to help mitigate those risks. You can even choose to base these mitigations on the standard you prefer most.

With its clear structure, SET also helps you plan and track your changes during the implementation process. This might prove especially important when needing to explain your updates to an inspector or auditor – or even your boss.

As our customers like to tell us, security engineering and risk analyses suddenly seem so much easier when SET is part of the process. Moreover, your role remains the same as it was with Excel and Visio, except that from now on SET takes over all the hard work for you and ensures that your security-relevant information is in one place, enabling access to all aspects of this data at any time.

Security engineering needs people who really know their systems. These are the people in SET's target group. All they have to do is think - SET does the rest.

Features:
  • Modelling of your systems from a security perspective
  • Intuitive implementation of model-based risk analyses
  • Generation of a variety of diagram types including network and data flow overviews, available clearly and with just one click
  • Mapping of all commonly used security standards
  • Flexible parameter settings enabling the use of any risk analysis method
  • Requirements and implementation steps clearly separated
  • Allocation of tasks and progress tracking
  • Auditing view for solutions to use during auditing and certifying processes
  • Export of all models, data and reports to editable MS Office formats
  • Connection to existing asset or configuration databases as required
  • Completely web-based - no software installation necessary
  • Software as a service or on-site only storage? You decide where your data is located

In order to use SET on your device, you need a valid license and an up-to-date browser.
Supported browsers: Chrome, Firefox, Opera & Edge.

Read more about SET in our info center.

Conformity Assessment

ProZert, Product Certifications, BSZ, 62443, Readiness, Common Criteria

Everything that is important to us when certifying your product security is contained in the name of our subsidiary adfidetia. “Fides” is Latin for trust - and product certification creates value only if it increases your customers' trust in your product.

We understand that only certification which provides technically sound and reproducible analysis of the parameters to be certified will provide this level of trust, and as an accredited test laboratory of TÜV NORD, this is exactly what adfidetia delivers.

Before starting with the certification process, we determine your current status on the road to readiness. Is your objective just to be ready, or are you already looking to obtain and complete certification of your product security? Which standard and which certification scheme are right for you? Our support and assistance will help you find your way through the jungle of Common Criteria, Accelerated Security Certification (BSZ), ISA / IEC 62443 and legal requirements.

If all of this currently just seems like a pipe dream for you, together we will instead put the initial focus on improving the security of your product development process itself – because, as you may have learned by now, admeritia knows a thing or two about security engineering…

Your contact person

Andreas Eichmann
Senior Account Manager

Tel.: +49 2173 20363-0
Email: info-at-admeritia.de

Find the right solution to your security problem!

Research and Funding Projects

We are frequently involved in research projects that focus on OT security which are funded by federal ministries. Regularly taking up a consortium leadership role, we are on the front line in shaping future developments and are in constant communication with institutions of education and research.

This experience, expertise and knowledge benefits you directly in our consulting solutions.

IDEAS – Integrated Data Models for the Engineering of Automation Security

2021-2023

Motivation

Automated industrial plants have become attractive targets for IT security attacks and malicious code, largely due to the increasing interconnectedness of their components. A desirable scenario would make them capable of adjusting to changing threat scenarios during operation. Better still would be to integrate IT security measures directly during the plant design process, as opposed to adding security as an afterthought once designing is finished, as is often the approach currently.

To realize this vision, engineers need tools that enable them to directly integrate security measures into their existing automation engineering process.

Goals and Procedure

An integral part of the project is the development of an information model serving as a digital twin, which allows both the modelling and the more systematic handling of all security-relevant aspects of a given component. Additionally, an integrated technical procedure plan facilitates the incorporation of security protection as early as possible into the existing development and engineering process. Finally, the development of a software tool enables engineers to seamlessly integrate the information modelling into their existing work processes. To ensure the practicability of project results, both manufacturers and operators of automation solutions support the project as application partners.

Innovations and Perspectives

Using the new information model, manufacturers can store security configurations for their components and roll them out automatically. Operators can select security configurations and trace them back to their associated risks. As a result, knowledge of vulnerabilities, risks, and countermeasures can be shared more effectively.

The IDEAS project focuses on prevention, achieving a sound security architecture via security engineering created by engineers who know their systems. This is in contrast to the more commonly and widely used methods and tools which primarily aim to detect security incidents in industrial plants at an early stage. A preventative approach ideally means large economic losses due to IT security incidents can be mostly avoided. This is key for all organizations wanting proactive, preventative security but lacking the engineers with time to develop extensive security know-how and methodologies.

IDEAS-Publications

(blue = peer-reviewed)

Date Publication
2021-04 atp: Projektvorstellung IDEAS
2021-04 HSPF Konturen: Projektvorstellung IDEAS
2021-04 Pforzheimer Zeitung: Projektvorstellung IDEAS
2021-05 Blog: Ein Security-Engineering-Werkzeug für Automatisierer
2021-05 Blog: A security engineering tool for automation engineers
2021-08 HSPF News: IDEAS: Integrated Data Models for the Engineering of Automation Security
2022-03 AALE: Warum wir ein Security-Engineering Informationsmodell brauchen

E. Taştan, S. Fluchs, and R. Drath, ‘Warum wir ein Security-Engineering-Informationsmodell brauchen’, in Wissenstransfer im Spannungsfeld von Autonomisierung und Fachkräftemangel, Jan. 2022, DOI: 10.33968/2022.25

2022-04 Blog: Generationen von Security-by-Design-Methoden
2022-04 Blog: Generations of security by design methods
2022-06 AUTOMATION: Security-Entscheidungen „by Design“ in das Engineering prozesstechnischer Anlagen integrieren. Konzept der „Automation Security by Design Decisions“

S. Fluchs et al., ‘Security-Entscheidungen „by Design“ in das Engineering prozesstechnischer Anlagen integrieren. Konzept der “Automation Security by Design Decisions”’, presented at the AUTOMATION 2022 (23. Leitkongress der Mess- und Automatisierungstechnik), Baden-Baden, Germany, Jun. 2022.

2022-06 AUTOMATION: AutomationML-basierte Modellierungsansätze für ein Security-Engineering-Informationsmodell

E. Taştan, S. Fluchs, and R. Drath, ‘AutomationML-basierte Modellierungsansätze für ein Security-Engineering-Informationsmodell’, presented at the AUTOMATION 2022 (23. Leitkongress der Mess- und Automatisierungstechnik), Baden-Baden, Germany, Jun. 2022.

2022-06 EKA: A Security Decision Base: How to Prepare Security by Design Decisions for Industrial Control Systems

S. Fluchs, R. Drath, and A. Fay, ‘A Security Decision Base: How to Prepare Security by Design Decisions for Industrial Control Systems’, presented at the EKA (17. Fachtagung ‘Entwurf Komplexer Automatisierungssysteme’), Magdeburg, Germany, Jun. 2022.

2022-06 Blog: Security by Design Decisions
2022-06 Blog: Security by Design Decisions
2022-08 Blog: Die vier Pfade zu einer Security-Entscheidung
2022-08 Blog: The four paths to a security decision
2022-09 atp: Security by Design für Automatisierungssysteme. Teil 1: Begriffsklärung und Analyse existierender Ansätze

S. Fluchs et al., ‘Security by Design für Automatisierungssysteme. Teil 1: Begriffsklärung und Analyse existierender Ansätze’, atp magazin, vol. 63, no. 9/2022, Sep. 2022, DOI: https://doi.org/10.17560/atp.v63i9.2620

2022-09 atp: AutomationML: Ansätze für ein Security-Engineering-Informationsmodell
2022-10 IECON: Security by Design Integration Mechanisms for Industrial Control Systems

S. Fluchs, E. Taştan, M. Mertens, A. Horch, R. Drath, and A. Fay, ‘Security by Design Integration Mechanisms for Industrial Control Systems’, in Proceedings of the 48th Annual Conference of the IEEE Industrial Electronics Society (IECON 2022), Brussels, Belgium, Oct. 2022, DOI: https://doi.org/10.1109/IECON49645.2022.9968406

2022-11 NAMUR Hauptsitzung: Ein Informationsmodell für Security Engineering und warum wir das brauchen
2022-12 IAT-Winterkolloquium: Security im PLT-Engineering verankern: Konzept der Security-Parameter
2022-12 atp: Security by Design Decisions für Automatisierungssysteme. Teil 2: Konzept für die Integration von Security-Entscheidungen

S. Fluchs et al., ‘Security by Design Decisions für Automatisierungssysteme. Teil 2: Konzept für die Integration von Security-Entscheidungen in das Engineering’, atp magazin, vol. 63, no. 11-12/2022, Dec. 2022, DOI: https://doi.org/10.17560/atp.v63i11-12.2643

2023-01 IEEE Access: Evaluation of visual notations as a basis for ICS security design decisions

S. Fluchs, R. Drath and A. Fay, ‘Evaluation of visual notations as a basis for ICS security design decisions’, IEEE Access, Jan. 2023, DOI: https://doi.org/10.1109/ACCESS.2023.3238326

2023-02 S4x23: Security by Design Decisions
2023-02 Blog: Four security engineering simplifiers
2023-06 Sensors: Traceable Security-by-Design Decisions for Cyber-Physical Systems (CPSs) by Means of Function-Based Diagrams and Security Libraries

S. Fluchs, E. Taştan, T. Trumpf, A. Horch, R. Drath, and A. Fay, ‘Traceable Security-by-Design Decisions for Cyber-Physical Systems (CPSs) by Means of Function-Based Diagrams and Security Libraries’, Sensors, Jun. 2023, DOI: https://doi.org/10.3390/s23125547

2023-07 Automation 2023: Security-Engineering mit AutomationML - Methodik zur Modellierung von Security-Entscheidungen, -Zielen, -Risiken und -Anforderungen

E. Taştan, R. Drath, and S. Fluchs, ‘Security-Engineering mit AutomationML - Methodik zur Modellierung von Security-Entscheidungen, -Zielen, -Risiken und -Anforderungen’, in Proceedings of AUTOMATION 2023, pp. 413-28, VDI Verlag, 2023, DOI: https://doi.org/10.51202/9783181024195-413

2023-08 OTCEP Forum 2023: How to Turn Security by Design from Myth to Reality
2023-09 at - Automatisierungstechnik: Nachvollziehbare Security by Design-Entscheidungen für Automatisierungssysteme mittels funktionsbasierter Diagramme und Security-Bibliotheken

S. Fluchs, E. Taştan, T. Trumpf, A. Horch, R. Drath, and A. Fay ‘Nachvollziehbare Security by Design-Entscheidungen für Automatisierungssysteme mittels funktionsbasierter Diagramme und Security-Bibliotheken’, at - Automatisierungstechnik, vol. 71, no. 9, pp. 759–778, Sep. 2023, DOI: https://doi.org/10.1515/auto-2023-0084

2024-07 NAMUR NE 193: An Information Model for Automation Security Engineering
2024-09 „Cybersecurity Decision Diagrams: A Visual, Model-Based Concept for Making, Documenting, and Communicating Cybersecurity Decisions during and after the (Re-)Design of Industrial Cyber-Physical Systems“.

Helmut Schmidt Universität / Universität der Bundeswehr Hamburg, 2024. https://doi.org/10.24405/16760.

Your contact person

Sarah Fluchs
Chief Technology Officer

Tel.: +49 2173 20363-0
Email: info-at-admeritia.de

Combined Engineering Methodology for Security and Safety in Embedded Systems (KEM3S)

2013-2016


Hardware Sensors for IT Network Security

2012-2015

forschung BMWi

Secureclouds

2011-2014

forschung BMWi

Security Controlling Framework

2010-2012

forschung BMWi