Digital Solutions – Cybersecurity

On January 1st, 2018 DNV officially created a new division called Digital Solutions. One of the departments within this new division is Cybersecurity. Cybersecurity is nothing new to DNV, what is new is a dedicated team assigned to advancing cybersecurity on a global basis. We will be focusing on cybersecurity in the Energy, Oil and Gas and Maritime industries to start, then as opportunities present themselves we will move into additional industries.

Below is the list of services that we currently offer, with a short explanation of what those services include:

Cyber Vulnerability Assessments and Penetration Tests
Penetration testing looks for weaknesses on a company’s network perimeter. Our cybersecurity team incorporates social engineering, phishing and WiFi audits as part of the penetration test.

Using social media and open source information, we gather information about your company and employees to penetrate network security through social engineering and phishing campaigns customized to your business and industry. We also survey company buildings, facilities and plants looking for insecure, misconfigured and rogue wireless access points.

Vulnerability assessments go beyond penetration tests by looking at the cybersecurity posture of the domains, networks and servers. This is best accomplished from inside the network. These cybersecurity vulnerability assessments scan the networks and servers for weaknesses, examine network

architecture and configurations, and map the networks looking for rogue assets.

Our team also reviews the cybersecurity, IT, and physical security policies and guidelines. At the end of the assessment, we deliver a report on identified vulnerabilities, mitigation recommendations and implementation guidelines.

Vulnerability Mitigation Plan Development
From time to time vulnerabilities will be located that there is no patch available for. In these cases, mitigation plans, must be put in place. DNV will assist your organization in developing policies and procedures for the development of mitigation plans.

Cyber Security Due Diligence Investigation
When companies are acquired, questions about the cybersecurity practices of the acquired company come into play. DNV will review the cybersecurity practices of the company and then make recommendations for the best way to merge the systems together.

Cyber Security Policies and Procedures Development
In many situations companies have either no Cyber Security policies and procedures or they are out of date. In either situation DNV will come in and perform a gap analysis and then create or update the needed policies and procedures and then train employees how to abide by them.

Cyber Security and Network Resilience Testing
Hardware-in-the-loop (HIL) testing of control system software has been shown to improve the safety of operations and to reduce downtime. This successful approach can be complemented with the verification of cybersecurity to treat safety and security together and to secure the integrity of control systems. The overall scope of cybersecurity and network resilience testing from DNV covers:

Stress and robustness testing
Penetration testing and testing of network segregation
Screening running services, patches and firmware
Authentication weaknesses
Portable media security
Known and unknown vulnerabilities
Traffic anomalies
Degradation of networked equipment

Simulated Phishing Attacks
Cyber security awareness training starts with knowing what to click on and not click on. DNV has developed a Simulated Phishing Attack system that can be used to raise the awareness level of employees. If an employee receives one of these phishing e-mails and clicks on the link in it, they are taken to a page that educates them on what they should have noticed and done to be more cyber secure.

Incident Response Planning
Even in the best of organizations cyber security incident occur. These incidents can range from ransomware attacks, DDoS attacks, or physical access to a secured area by an unauthorized person. Without an Incident Response plan in place, your organization could be unclear on what steps to take to deal with the problem.

Cyber Security End to End Testing for SCADA, Smart Grid and AMI systems
With our end-to-end test methodology, we can provide independent security assessments of your SCADA, smart grid and smart meter (AMI) systems. This also gives you technical insight in the latest cyber security standards and will provide an overview of your operational infrastructure with its current vulnerability to cyber-attacks.

Business Continuity/Disaster Recovery Planning
Every business needs to plan for the natural and man-made disasters that could occur. DNV begins this process with a Risk Assessment and then develops Business Continuity/Disaster Recovery policies, procedures and plans to suit your organizations.

Systems Integration Planning
Systems integration projects in secure locations require a high level of knowledge of cybersecurity practices. Our cybersecurity team has integrated systems in locations where NIST 800 Risk Management Framework and Nuclear Energy Institute cyber guidelines must be followed. We provide secure network design and architecture based on your specific industry requirements. Our specialists can also work with your local teams to secure the systems and provide required documentation.

Cybersecurity Planning
Companies increasingly are addressing cyber-attacks via ransomware, social engineering and next generation tools by developing formal cybersecurity master plans. DNV’s cybersecurity specialists can help your organization perform a gap analysis of your cybersecurity policies and guidelines. We start by identifying your risks and missing policies, then coordinate with your stakeholders to fill in the gaps.

We help your stakeholders create a cybersecurity master plan that references the policies, guidelines and points of contact, then outlines a continuing cybersecurity plan for your organization.

A cybersecurity strategy must be simple and effective while providing methodologies to measure success. Our team has delivered executable and enforceable master plans for operations ranging from military agencies to airports.

Systems Integration Planning
Systems integration projects within organizations require a high level of knowledge of cybersecurity practices. DNV’s cybersecurity team has integrated systems in locations where NIST 800 Risk Management Framework, ISO 27001, NERC and Nuclear Energy Institute cyber guidelines must be followed. We provide secure network design and architecture based on your specific industry requirements. Our specialists can also work with your local teams to secure the systems and provide required documentation.

Cyber Risk Assessment
Cyber Risk Assessments are a part of many of the services that DNV provides. These risk assessments involve looking at all the natural and man-made risks that exist for your organizations and then determining the risk value either on a qualitative or quantitative basis.

Development of Recommended Best Practices
DNV can provide your organization with recommended best practices based on your industry and company size. This service can assist your organization with assessing, improving and verifying the cyber security resilience of your assets.

Cyber Security Assessment
Our interdisciplinary teams engage with your personnel to identify and address your cyber security risks via various levels of assessment, starting with a high-level self-assessment via an app on My DNV, to more detailed assessments tailored to your specific business risks. We identify gaps in your defenses and countermeasures, both preventive and reactive, for IT as well as OT systems. Our aim is to help you create and maintain an effective and cost-effective cyber security system.

Cyber Security Enhancement
Based on a systematic assessment, we help you efficiently close cyber security gaps by supporting the development of improvement plans, looking at systems, the human factor and management procedures.

Cybersecurity Awareness Training
Our classroom and on-line training covers management, technical and hacking lessons. Our e-learning solution can be performed on in your office, so your employees can address pivotal aspects of any cyber security system including the human factor.

ISO/IEC 27001 Preparedness
DNV assess an organization’s existing documentation to help them prepare for certification.

Certification
DNV’s Business Assurance Team will certify against ISO/IEC 27001 and ISO 22301 (note that certification will limit the possibility for provision of consulting services).

Safety Integrity Level Functional Safety
Standards such as IEC 61508, IEC 61511 and the Norwegian Oil and Gas guideline 070 provide recommended frameworks for best practice implementation of functional safety. DNV supports customers and their suppliers to implement functional safety throughout the entire asset lifecycle:

Advisory or verification support
Safety integrity level (SIL) determination
SIL verification or functional safety assessment.

A proven cyber security partner
DNV combines traditional IT best practices with a deep understanding of the Energy, Oil and Gas, and Maritime industries and the employed operational technologies. Our team of local and international experts draw on extensive knowledge and experience in several relevant areas, including risk management, operations and human factors. This helps ensure all testing and the suggested mitigation measures are tailored to the specific needs of your industry as well as your own needs.

If you want to improve your cyber security resilience with solutions tailored to your industry, contact me:
Craig Reeds
E-Mail: craig.reeds@dnvgl.com
Phone: 480-980-8631

1/9/2018 9:00:00 AM

SHARE: