Vulnerability Assessment

Analysis of the Weakest Parts of an Industrial Control System
We conduct assessments targeting the existing vulnerability on industrial control devices and industrial infrastructure according to the IEC 62443 standard.

Support in assessing the critical parts of an industrial system

The main purpose of a Vulnerability Assessment is to identify the critical issues in an industrial system and the corresponding desirability in terms of potential cyber attacks.

Vulnerability assessments are part of a broader Cyber Security Risk Assessment process on an industrial control system. This is why our assessment service is based on the pillars of the IEC 62443 standard, from which we adopt the systematic method to manage cyber risk on industrial devices.

Our offer is structured on a complete range of consulting services according to the security lifecycle approach in conformity with the IEC 62443 standard requirements, which is structured into three macro-phases of work:

  • Assessment
  • Implementation
  • Maintenance

The vulnerability assessment is performed in the assessment stage, which is based on the premise that before proceeding with the definition of any countermeasures, the system needs to be analyzed in detail.
The purpose of our vulnerability assessment service is precisely to establish the system’s size and composition in detail and, as a result, identify all the existing vulnerabilities, including their potential exposure to cyber attacks.

The complete assessment includes investigating human factors, often the main vehicle for vulnerability, passive and active scanning, and protocol or package parsing.

In addition to defining which parts of the infrastructure are the most critical, the vulnerability assessment prioritizes the actions to be taken, based on feasibility and the consequences for the business in the event of an attack, thereby paving the way for the implementation of corrective actions to protect industrial devices.


The assessment phase is the starting point to establish the actual entity of the threats associated with a system or a plant. The Cyber Security Risk Assessment process is formulated on two different levels, as defined by the IEC 62443 standard:

  • High-Level Risk Assessment, the purpose of which is to establish the consequences of a cyber attack at a macroscopic level
  • Low-Level Risk Assessment, which aims to examine in depth which threats affect the system and also includes the Vulnerability Assessment.

Among the most common vulnerabilities in industrial systems, we can find, for example, lack of access control, even remotely, bugs inside the source code, obsolete devices or network, and human factors.

The cost for a Vulnerability Assessment project varies based on the complexity of the network infrastructure, the company processes, and the OT devices in use, on which the vulnerability assessment is conducted according to the IEC 62443 standards. We invite you to contact us for a customized estimate.

Recommended Posts

IEC 62443 industrial cyber security
cyber security industria 4.0
Cyber Security Risk Assessment High Level

Follow us on

Why Choose us

  • Experience in the OT Cyber Security field since 2014
  • In-house OT Cyber Security laboratory
  • In-house IEC 62443/ISA 99-certified personnel (Fundamentals Specialist and Cyber Security Risk Assessment Specialist)
  • Pool of automation and OT network specialists
  • Wide network of collaborations with the main international OT solution suppliers

For more information about this service or to request a quote