Information security is a process of protection, not a product itself. Information security has been broadly defined as “the preservation of confidentiality, integrity, and availability of information resources”. Because the definition is so broad, an organization must weigh many factors when choosing the service provider best suited to its needs. Choosing a good ICS testing service provider matters for several reasons. ICS, or Industrial Control Systems, are the computerized control systems used to coordinate and monitor industrial processes such as manufacturing, transportation, and power generation.
Here are some points for consideration while selecting the best service provider.
Service Provider’s Risk Analysis Approach
The ICS testing service provider should have a thorough process in place to identify risks to your organization: the threats, vulnerabilities, and resulting risks present in your organization’s systems. The risk analysis should address the current environment as well as planned changes, and it should weigh the impact of each threat on your organization’s business, operations, and reputation. For ICS in particular, impact should be measured in terms of safety and process availability as well as data confidentiality, since the consequences of a compromised controller are physical. The analysis should also cover the threats addressed by ICS security standards such as NERC CIP and ISA/IEC 62443; working from a known catalog of threats and vulnerabilities lets the provider prioritize the available remediation techniques.
The Service Provider’s Testing Approach
The testing service provider will analyze your security risks and recommend solutions that fit your organization’s needs. The engagement should use at least one of the standard approaches: black box (the tester has no prior knowledge of the systems), white box (the tester has full access to documentation, configurations, and source), or gray box (partial knowledge). A combined method sometimes called “Sneak and Peek” is also used; it keeps the provider on traditional black-box techniques from the outside while permitting it to perform internal testing, which helps identify previously unknown problems such as open ports, vulnerable services, misconfigurations, and software flaws (in practice this overlaps with what most providers call gray-box testing). In ICS environments, agree in advance on what may be tested actively: port scans and fuzzing that are harmless on ordinary IT systems can crash PLCs and other controllers, so active techniques are usually confined to a test environment or a maintenance window, with passive network monitoring used on the production network.
The Service Provider’s Tools
The testing service provider should use tools that are recognized in the industry. An “off-the-shelf” scanner may be efficient, but it does not guarantee that vulnerabilities will be found with the same depth as a customized test, and many generic scanners do not understand ICS protocols such as Modbus or DNP3, so ask which ICS-specific tools and manual techniques the provider relies on. Asking the provider to map its testing to a control framework such as NIST SP 800-53 or ISO 27001 is another way to ensure that its tools and techniques match your organization’s requirements.
The Service Provider’s Experience Level
Many ICS regulations and standards are not simple to implement or follow, especially if you lack internal expertise. Regulatory requirements such as NERC CIP, standards such as ISA/IEC 62443, and guidance from NIST (for ICS, NIST SP 800-82) or ISO can be difficult to follow and require a high level of expertise. Meeting them is necessary for a compliant ICS infrastructure, but compliance is a baseline rather than a guarantee of security. This brings us back to the experience your ICS testing service provider has in this area. The best way to determine whether the provider has this expertise is to request references, and to ensure that the references are similar to your organization in size, industry, and type of control system. The most reliable source of information on a provider’s experience level is other clients who have used its services.
ICS testing service providers operate at different levels of capability. Take the points above into account when procuring ICS services. Choosing an experienced ICS testing service provider will help you provide a secure environment for your organization’s infrastructure.