- Am I compliant? or What do I need to do to become compliant?
- What standards and regulations am I required to comply with?
- Am I secure? or What do I need to become secure?
- Is a cyber vulnerability assessment (SVA) enough?
- How do I determine what assets are critical?
- What is the difference between an Audit, Assessment, and Analysis?
- Can I be held liable, and if so, what for?
- How can I improve communication and relations with IT and across other departments?
Ever since the merging of industrial networks with more traditional, IP-based networks, there has been a struggle to balance reliability and security. Security threats are increasing at an exponential rate, industrial process control systems and networks were not exactly designed to be "change friendly", and consistent communication issues linger between corporate IT and process control. As if this wasn't difficult enough, control systems environments and organizations are not only challenged with becoming, or remaining, secure; they are now required to comply with a growing number of ambiguous security standards and guidelines available throughout the industry as well.
Unfortunately, there is little clarity on exactly which standards to follow or which ones will be enforced. Even in more regulated industries such as Electric Utility, the lack of technical, agreed-upon guidance makes it uncertain whether you will actually end up secure when all is said and done. Furthermore, many of the current standards and guidelines address cyber-security issues more than anything else, leaving physical attack vectors (which can also lead to control system cyber access) as well as legal issues by the wayside. In many cases, current industry-accepted processes actually create liability.
Security and Compliance are moving targets. When it comes to passing an audit or surviving an incident, having a process in place is the key. Actual audits and litigation trials have shown that, even in a field as ambiguous and open to interpretation as industrial security and compliance, organizations that have performed the necessary due diligence and have a process towards security and compliance in place have prevailed.
What is CiSACS?
CiSACS is, in short, a process. It's a specific methodology designed to maximize security and achieve regulatory compliance within industrial markets such as Utility (Electric & Water), Energy (Petroleum, Natural Gas, Wind, Nuclear, etc.), Manufacturing, and any other organization that relies on process control, automation, and SCADA technologies.
What makes CiSACS different?
CiSACS takes a comprehensive approach to Industrial risk management and compliance. It focuses on much more than just cyber security, and its methods go far beyond the typical SVA or gap analysis. (Most industry "SVAs" are geared more toward the cyber elements and typically leave gaps in both security and compliance.) CiSACS focuses on all areas of security, including physical and operational as well as cyber. Why? Because through Penetration Testing, we have shown that each of these other areas can provide additional attack vectors to process control systems and networks. Below is a brief overview of the CiSACS Model:
The CiSACS Model was developed as a result of years of research and field work in the industry. It was developed for achieving security and regulatory compliance in the most effective manner possible, while at the same time, minimizing liability from legal action and broad auditor interpretation. This is achieved by using cross-standard, industry proven methodologies aimed specifically at critical infrastructure and Industrial environments. (NOTE: Cross-standard means that it can take into account any, and every, industrial standard available as well as your own internal standards when considering compliance.)
• ISO 27002 (17799)
• ISO 15408-3
• NERC CIP 002-009
• CIDX (Chemical Site Security)
• 6 CFR Part 27 (CFATS)
• ISA SP99 Part 1 & 2
• AGA 12
• API 1164
• TSA Pipeline Security Guidelines
• FIPS 199, 200
• ISA TR99.00.01
• ISA TR99.00.02
• NIST SP800-53
• NIST SP800-82
• AND MORE...
Each phase of CiSACS builds on the other as an integral part of a complete lifecycle, designed to create seamless due diligence. Proper due diligence is extremely important not only for compliance but in minimizing liability as well. CiSACS includes a process for proper standards/guidelines/best practices selection, security assessments (physical, facility, cyber, and operational), gap analyses (gauge compliance with multiple standards at one time), risk analyses, organizational threat modeling, mitigation/remediation strategies and integration, legal support, and management/maintenance programs.
Some organizations take a vulnerability-focused approach to risk assessment, while others take a controls-focused approach. The difference is that in a vulnerability-focused approach, the assessment is carried out by searching directly for vulnerabilities, whereas in a controls-focused approach, the assessment is carried out by inspecting each of the system's controls, or lack thereof. There are advantages and disadvantages to both approaches. In a vulnerability-focused approach, you get a very clear picture of all the possible vulnerabilities a system may have, but you may lose sight of what controls are in place. This, in turn, could cause you to miss a vulnerability or two, as it is more indirect. On the other hand, with a controls-focused approach, you get a very clear picture of what controls are in place, but you are likely to miss those vulnerabilities that are not the result of a missing control but rather of something such as a software flaw. CiSACS uses both a vulnerability-focused approach and a controls-focused approach to give you maximum coverage from our vulnerability assessments.
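The two-pronged assessment described above, together with the cross-standard gap analysis from the previous paragraph, as an added illustration that is not CiSACS or Modulo code; the control names, clause identifiers and findings are constructed placeholders, not real clauses of the named standards:

```python
"""Added example (not CiSACS or Modulo code): merging a controls-focused gap
analysis across several standards with a vulnerability-focused finding list.
All control ids, clause ids and findings are constructed placeholders."""
from dataclasses import dataclass
from typing import Optional

# Controls-focused view: expected controls and the placeholder clauses of
# each standard that each control satisfies (cross-standard mapping).
CONTROL_CATALOG = {
    "ESP-FIREWALL": {"NERC-CIP": ["CIP-005-PLACEHOLDER"], "ISA-SP99": ["SP99-ZONE-PLACEHOLDER"]},
    "PATCH-MGMT":   {"NERC-CIP": ["CIP-007-PLACEHOLDER"], "NIST-800-53": ["SI-2-PLACEHOLDER"]},
    "PHYS-ACCESS":  {"NERC-CIP": ["CIP-006-PLACEHOLDER"]},
    "ACCT-REVIEW":  {"NERC-CIP": ["CIP-004-PLACEHOLDER"], "NIST-800-53": ["AC-2-PLACEHOLDER"]},
}

@dataclass
class Finding:
    """One vulnerability-focused finding; missing_control is None when the
    flaw exists despite the controls (e.g. a software bug), not because of a gap."""
    id: str
    asset: str
    missing_control: Optional[str]

def gap_analysis(implemented):
    """Controls-focused: for every standard at once, which clauses are unmet."""
    gaps = {}
    for control, clauses in CONTROL_CATALOG.items():
        if control in implemented:
            continue
        for standard, ids in clauses.items():
            gaps.setdefault(standard, set()).update(ids)
    return gaps

def combined_assessment(implemented, findings):
    """Merge both views so that neither kind of gap is lost."""
    missing = set(CONTROL_CATALOG) - set(implemented)
    explained = [f for f in findings if f.missing_control in missing]
    # Flaws present despite controls: a controls-only review would miss these.
    residual = [f for f in findings if f.missing_control is None]
    # Missing controls with no finding yet: a vuln-only scan would miss these.
    silent = missing - {f.missing_control for f in explained}
    return {"explained": explained, "residual": residual, "silent_gaps": silent}

def demo():
    """Constructed sample: two controls in place, two findings from the field."""
    implemented = {"ESP-FIREWALL", "PATCH-MGMT"}
    findings = [Finding("F1", "HMI-01", "PHYS-ACCESS"),   # unlocked cabinet
                Finding("F2", "PLC-03", None)]            # firmware flaw, patched vendor release
    return gap_analysis(implemented), combined_assessment(implemented, findings)
```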
The most powerful and comprehensive industrial risk management and compliance tool
A comprehensive process and methodology is not the only thing that sets CiSACS apart. Now, CiSACS is supported by Modulo's award winning Risk Manager™. As the "Industrial Module" for Risk Manager™, CiSACS now provides the process as well as the framework and tools to provide you with the most powerful and comprehensive industrial risk management and compliance tool available.
Risk Manager™ CiSACS Module provides a platform and mechanisms with which to analyze and manage all of the data collected from industrial security and compliance audits, tests, and assessments. It can then automate risk calculations, correlate the data to organizational functions and business objectives, help prepare and manage mitigation strategies, manage workflow with task assignment and tracking, consolidate policies and procedures into an organizational knowledge base, and measure compliance against industry and your internal standards and requirements. The CiSACS Module also adds knowledge bases that cover Industry- and SCADA-specific devices and applications.
One of the most notable features of Risk Manager™ is its update feature, which automatically keeps asset owners up to date on the latest changes to industry standards, guidelines, best practices, and requirements, which can then be immediately applied to your infrastructure.
Risk Manager™ allows for customized vulnerability severity ratings, asset prioritization, standards prioritization, and a full range of customizable reports generation. Finally, Risk Manager™ provides support for Business Continuity and Disaster Recovery Plans, and offers several communication tools including an internal forum.