OT Security Consulting

How do I establish effective Security Management in my OT environment?

We implement security processes to protect your operations and meet governance and audit requirements.

OT systems face an increasing number of more-sophisticated security incidents. Industrial facilities, supply chains and interconnected systems are all susceptible to comprise. Escalating threats for OT systems, as well as compliance-requirements reconcile the need for a holistic OT security strategy and a dedicated OT security program.

Limes Security offers support for every step in your cyber-security roadmap, including security-processes-definition, policies and requirements, security awareness, gap assessments, maturity ratings and security testing. We bring a fresh perspective from our many years of experience in different industries to improve your security management. Our comprehensive OT security management consulting practices include effective and lean policies, tailored to your organizations needs, compliance to standards such as ISO27001, ISO27019 and IEC62443 and regulations such as the NIS-directive.

Define specific OT policies and procedures

Implement an OT Security Risk Management Framework

Provide training and raise security awareness for OT staff

Build and train a cross-functional team

Why Limes Security?

Practical Experience

We are working with manufacturers, oil and gas, electric utilities, water and waste water, automotive and many other industries on various OT security projects.

Tailored services

Industrial systems are as diverse as the applications for which they were developed. We tailor our support to reflect your requirements – from single integration projects to developing large scale security architectures.

Vendor Independent

We are not selling licenses or boxes. Our approach to security projects is practical and solution-oriented to provide you the best possible support.

Enabling OT security

Our aim is not only to solve the current problems of our customers, but also to share our knowledge with them and empower them for future challenges. As an integral part of consulting projects or through dedicated training.

OT Security Strategy

Escalating threats for OT systems, as well as compliance-requirements like, e.g., NIS Directive, IEC62443 or ISO27001, reconcile the need for an OT security strategy and program. We offer support for each point in your cyber-security roadmap, including security-processes-definition, policies and requirements, security awareness, gap assessments, maturity ratings and security testing.

Together with our customers we create tailored security strategies – from broad to narrow view – from top to bottom – from high level to grass roots. Based on a custom strategy, gap assessment results and maturity targets, we plan further steps in a roadmap, for implementing new processes, controls and solutions, to reach your goal to security supremacy. Limes Security integrates long standing experience from many industries with customer needs and project success.

OT Security Management

Effectively integrating security into an OT environment requires defining and executing a comprehensive program that addresses all aspects of security, ranging from identifying objectives to day-to-day operation and ongoing auditing for compliance and improvement. Policies and procedures are at the root of every successful security program. Based on a risk assessment we set security priorities and goals for the organization so that the risks posed by the threats are mitigated sufficiently.

Organizations may try to use the pre-existing IT and business cyber security solutions to address OT security without understanding the consequences. While many of these solutions can be applied to OT, they need to be applied in the correct way to eliminate inadvertent consequences.

Backup and restore
Risk management
Security awareness
Malware protection

Supply chain security
Remote access
Incident handling
Account management

Secure OT Operations

The integration of security processes and security operations are the day-to-day activities intended to mitigate security risks at the operational level. The Limes Security team provides holistic support for your OT security activities. We help you developing security monitoring concepts, patch and vulnerability management, implementing technical security architectures, creating system hardening guidelines, as well as developing and exercising incident response and backup plans.

One of the most important OT security controls is a secure network architecture and a clear network segregation between the office and the production networks that greatly increases the availability and security of your OT systems. Further, the segregation of IT and OT networks is one of the best ways to reduce the risk of malware and other threats that move from one network to another. Limes Security assists organizations with securing their architectures through various activities, including:

Technical and conceptual architecture reviews
Development of secure architectures
Development and support of network segmentation projects

What will be my greatest challenge in OT security?

For many organizations the single most important challenge, that is underestimated most often, is the basic underlying cultural change, that goes along with integrated cyber security. Just using modern technologies can improve security efficiency, but it will strongly depend on the users acceptance.

The human factor is always the weakest link. Lacking management support is also among the leading reasons to not accomplish effective cyber security maturity levels.

How can I minimize risk on my supply chain?

It is important with all third parties to define liabilities in appropriate contracts, because cyber security must be addressed from the beginning of a supplier relationship. If not yet established, standing contracts must be revisited, or changes planned upon renewal.

Audits on upholding the contractual liabilities are of the utmost importance throughout the contract period. Do not let certifications fool you. Test the boundaries and processes yourself.

How big an issue represents data loss during an incident for my organization?

Protecting production systems is usually the concern of OT security experts, along with safety and environmental protection. The consequences of a production outage are often immensely expensive, not only in revenue, but also in trust, media exposure and upholding quotas. Therefore, loss of OT data should never be ignored.

Among the most important types of data are

process information,
company secrets and
customer data.

We can support you in building security capabilities to deal with incidents.

Which cyber threats affect my business?

With increasing technological progress many are adopting modern information technology to increase productivity of their business. This increased productivity can increase the attack surface of production systems, when implemented poorly. For a good while now, we recognize an increasing trend in targeted attacks on OT systems, like, e.g., the Maersk ransomware attack, or supply chain attacks, such as Solar Winds. These attacks can lead to substantial financial damage, production delays, business interruptions, or loss of trust and even loss of life.

Modern security regulations, such as IEC 62443, ISO 27001, or the NIS-directive, address cyber-security threats in overall OT security strategies. Limes Security can support you with integrated strategies, on both, the technical and governance side of information security.

How much will cyber security cost me?

Depending on your risk appetite, determined in assessments, your risk profile not only depends on your industry, but on your established security culture. Limes Security utilizes objective frameworks to provide overview of business risks and resulting vulnerabilities. These are addressed and prioritized, while your organization moves along increasing security maturity levels, through a cyber security program.

Security programs can take years to accomplish, therefore, it is necessary to run regular security and risk assessments, to accommodate the ever changing nature of cyber security threats. However, investments need to be proportional to the risk, thus, the maturity of an organizations cyber security profile is assessed and tracked, until the target maturity level is achieved.

When asked about „How many Euros“, we usually find that it highly depends on the customers industry, established security culture, current gaps and target maturity levels.

Which options do I have to define my organization’s risk appetite?

Many information risks cannot be objectively and accurately calculated or measured. We are mostly dealing with imperfect knowledge and improperly analyzed data. However, they can be estimated, but critically depend on how risks are framed. They are also not additive of multiplicative, but can potentiate one another.

Do not forget, unknown risks certainly linger unpredictably in your infrastructure, hence, you need incident handling capabilities.

This does not mean that risk assessment is pointless, rather that results should be treated with caution and respect. Where you draw the line between big and small risk is up to your own experience. Additionally, there is an individual perspective effect. An executive manager could view risks that involve them personally liable more critical than others. Compliance with laws and regulations tends to fall into this category.

Most targeted risk treatment helps reduce specific risks, and few, like, e.g., incident handling or an effective ISMS, reduce many unspecified risks.