Compliance Assessments / CDCAT

Establish world-class cyber risk management

Based on comprehensive and contemporary evidence

Every organisation is at a different stage in their Internet of Things (IoT) and Industrial Control System (ICS) cyber security maturity life-cyle. Just as adversaries are becoming increasingly sophisticated, organisation’s are also continually challenged to up their defensive game.

Faced with evolving threats and escalating risks, understanding and managing your organisation’s cyber defences has become essential to protecting your business.

Doing so with pace and agility is critical.

Board level responsibility

Ultimate responsibility for cyber security rests at the Board level. It is critical that businesses have a clear, objective picture of their potential vulnerabilities so that they can reinforce any weak points.

Armed with this knowledge it is possible to implement an evidence-based strategy that will mitigate risks to critical information assets and reduce the impact of security related events as they arise.

2019 saw a 2,000% increase in incidents targeting operational technology (OT)

Source: IBM security

ICS Cyber Security is for life not just a project

There is no such thing as a fully secure Industrial Control System (ICS). Hidden vulnerabilities are still possible, even after a clean bill of health from a cyber security assessment.

Cyber security should therefore be perceived as a process rather than a project.

A cyber security assessment of an ICS is viewed as a snapshot in time, however an ICS needs to be iteratively tested to take into consideration the impact of triggers such as changes to the system or an elapsed period of time.

One reason for repeated testing is that most ICS’s are built using commercial off-the-shelf hardware and software. New vulnerabilities are often discovered in the current operating systems and third-party software which make up today’s ICS’s.

50%

Have experienced at least one attack against OT infrastructure that resulted in downtime in past 24 months

60%

Are worried about an attack against OT infrastructure that results in downtime to plant and/or operational equipment

90%

Of OT organisations have experienced at least one damaging cyber-attack over the past two years*

It's all about cyber preparedness

Forward thinking businesses are looking to move from a passive to a more proactive strategy for ensuring they maintain cyber preparedness. Adopting a more intelligent and agile approach helps ensure that data is systematically collected; that this data then supports more effective evidence based investment decisions; and more importantly that these are prioritised at both pace and scale.

*Source, Ponemon Institute, March 2019 – Cybersecurity in Operational Technology: 7 Insights You Need to Know

The CDCAT® tool

The Cyber Defence Capability Assessment Tool (CDCAT®)* provides a rapid yet comprehensive assessment of existing cyber defences to give users the ability to evaluate cyber security risks and to identify and prioritise risk treatment activities. Originally developed by the Ministry of Defence (MOD) Defence Science and Technology Laboratory (Dstl), CDCAT® delivers advances in cyber assessment by harnessing the strengths of multiple cyber security controls.

Inputs from commercial, military, and intelligence sources around the world including NATO, ISO 27000 together with leading independent bodies are included within CDCAT®. It combines these to generate a comprehensive set of standards which address multiple aspects of cyber risk management.

How does the CDCAT® solution work?

Assessments can cover a single system or an enterprise, making this a flexible toolset that achieves targeted and focused improvements based on evidence.

Identifies corporate positioning and management of weaknesses
Identifies technical weaknesses in an existing digital system
Identifies what is needed to improve Cyber Defence & Security Posture
Offers practical business solutions, e.g. change and investment appraisal information, advice on actions to take
Cyber security Audits
Cyber security Risk Management and Risk Assessment
Financial Cost associated with cyber risk
Scoring Cyber Defence Effectiveness (absolute scale based on real-world evidence)
Vulnerability assessment
Remediation plans and mitigations
Benchmarking

CDCAT® benefits

Agility

Perform rapid assessments of your organisation’s systems and controls to take fast remedial action

Tailored expertise

Receive tailored advice on your organisation’s defences and cyber security spending

Complete scalability

Develop an assured strategy regardless of your organisation’s size, systems or market

Keep ahead of the threats

Cyber threats are continuously evolving – CDCAT®’s mitigations are continuously updated to evolve with the current threat

Assured cyber security investment

Ensure your cyber security spend is based on real and comprehensive evidence

Continuous enhancements

Monitor the progress of your cyber defences and make repeated assessments to ensure optimal transformation of your organisation’s cyber security

Evidence based reporting

Supports compliance programmes and generates evidence to support the General Data Protection Regulation (GDPR) due diligence

Delivering an independent view

As an approved Cyber Defence Capability Assessment Tool (CDCAT®) assessor, we can provide an independent viewpoint that draws on over 50 years of experience working in, and delivering solutions to industrial environments. We can ensure greater uptime, efficiency and availability of your OT environments – mitigating risk, reducing the impact of vulnerabilities and establishing a framework for continual operational improvements.

Why Capula?

As threats targeting critical infrastructure increase, choosing the right advisor and technology partner to secure your systems has never been more important. Our comprehensive portfolio of services & solutions are delivered by OT and industrial security experts with a demonstrable track record and over five decades of experience in the development and support of Industrial Control Systems (ICS) for customers in security-critical sectors.