Concerned About The Cyber Risks Of Your Industrial Automation And Process Control Environments?

As cyber-security risks increase in frequency, severity and sophistication, the process of managing the security of SCADA and process control systems is becoming extremely difficult. Currently, security solutions for legacy industrial control systems are delivered through a small number of companies and disparate commercial products from different vendors lacking intelligence, integration and interoperability. The end result is a high degree of complexity, increased operational costs, limited visibility and reliance on inappropriate data to make critical security decisions. For a majority of industrial organizations, the outcome is a weak security risk profile – an insecure network infrastructure, incomplete regulatory compliance, security audit failures and increased security management costs that are not in line with business objectives.

Delphi™ is the world’s first cyber-security vulnerability database specifically designed to provide vendors, operators, system integrators, and service providers unparalleled visibility into the reliability, safety and security of the systems and networks essential to the operation of the world’s critical infrastructure. Delphi™ empowers operators to answer questions such as, How secure am I? Where should I focus my resources? and Am I doing everything I can to protect the safety, security and reliability of my industrial operations?.

Project Overview

Wurldtech Labs, a recognized leader in testing industrial automation devices for security vulnerabilities, is initiating a program to extend Delphi, its comprehensive database for next generation control and safety devices, to include those in active operation. Delphi 2.0 will provide unparalleled insight into the robustness of control systems used by industry including visibility of the actual vulnerabilities present in each. Proven, cost effective mitigation strategies for all classes of detected vulnerabilities will then be made available.

Delphi 2.0 will extend the current Delphi device vulnerability taxonomy and data model to further classify vulnerabilities according to the likelihood of occurrence on an operational network. This taxonomy will become the defacto standard for characterizing industrial security vulnerabilities according to their likelihood of occurrence and resulting impact on the reliable operation of the susceptible device. This characterization of severity will also give users the ability to quantify the risk related with each vulnerability, and the cost associated with its mitigation.

Delphi 2.0 will be populated using Wurldtech’s proven Achilles Satellite technology and associated test methodologies for comprehensively testing control system devices. Program participants will represent a variety of critical infrastructure sectors, including oil and gas, electrical power generation and distribution, nuclear, transportation, and water. Wurldtech test engineers will thoroughly examine the devices provided by the participants, and populate Delphi 2.0 with information on all security vulnerabilities discovered by the device tests.

Download PDF

Comprehensive Assessment of Cyber Security Vulnerabilities Present in Your Critical Assets

The Delphi program is the largest scale study to date, based on a broad cross section of devices, and will provide participants with an unprecedented level of insight into the robustness of their collective control systems.

Proven Cost-Effective Risk Mitigation Strategies
In addition, the program will provide specific methods for increasing security robustness by recommending and demonstrating risk mitigation strategies associated with all security vulnerabilities that have been discovered.

Quantitative Modeling of ROI
The program results will form the basis for modeling the ROI on security strategies, providing a quantitative measure on the costs associated with reducing the risk to a given level determined by the participant.

Comprehensive Analysis of Program Results
In addition to receiving detailed results of the security tests on their specific devices, participants receive access to the generalized results of the study, including the data model definition, vulnerability and risk classification schemes, and relative risk by industry.

Highest Levels of Confidentiality and Privacy
All information provided by the participants, and specific test results arising out of the testing efforts, will be kept confidential by Wurldtech. Any collective information deriving from the program will be sanitized of specific participant information before being shared with other participants or any other third party. This is consistent with Wurldtech Labs practice of the highest level of confidentiality and respect for the additional privacy needs of the automation industry.

Owners and operators of critical infrastructure operations who have a large number of networked control devices would benefit the most from participation in the Delphi program. Legacy devices are of particular interest as they are commonly the most vulnerable, having been developed before security became an important issue with device vendors. Legacy devices are also typically the most poorly characterized with respect to security vulnerabilities, and vendor support to fix weaknesses is frequently not available. Further, large numbers of such devices dramatically increase the risk of single point of failure thus threatening the reliability and availability of the control system.

In exchange for participation, participants will receive the following:

• An analyst report summarizing the vulnerabilities discovered in all devices tested in the program. The report includes:
  
  
  • An analysis of the tests including all patterns or trends relating to vulnerabilities identified;
  • A risk comparison across industries;
  • A vulnerability taxonomy and data model (containing attributes such as vulnerability type, probability of occurrence, severity, impact, industry) used to characterize device vulnerabilities;
  • Security ratings of the submitted devices and the underlying scoring system upon which it is based;
  • A risk mitigation taxonomy with proven, cost-effective strategies for mitigating the risk associated with each vulnerability;
  • Achilles test results for the specific devices provided by each participant. This is a significant discount from the cost of a standard single Achilles device test;
• Midterm and final briefings;
• Subscription at a favorable discount to ongoing information on any new security vulnerabilities discovered subsequent to the program termination.