Serving the Midwest Region of the USA
We serve our clients by discovering their vulnerabilities, recommending manageable defenses, assisting them in installing and maintaining their defenses, and teaching them to defend their control systems.
We control cost well by using an extended team of professional control system cybersecurity contractors as necessary, depending on your situation and systems. These are professionals who have worked together in one form or another for many years and now work as independent contractors.
We are located in central Ohio near Columbus and focus primarily on improving control system cybersecurity (often referred to as Operational Technology or OT) in the region.
Our expertise covers networking and IT systems; however, we specialize in control system cybersecurity. Typically our clients either want an independent vulnerability assessment or training. Our work will conform to your specific control systems, regulations, and standards like NIST, CISA, and the ISA/IEC 62443. We have performed projects on most control system platforms in manufacturing, oil and gas, chemical, food, water/wastewater, and critical infrastructure. We have written a year of study for control system cybersecurity students and can make your training practical, role-specific, quick, and aligned with real-world scenarios for your circumstances.
We have a proven track record of developing and implementing defense-in-depth strategies using standards like the ISA/IEC 62443 Security for Industrial Automation and Control Systems. We work with your team to develop recommendations that are both appropriate and effective for your situation. We do not recommend devices or strategies that are too complicated or expensive for your situation.
We strive to be affordable and local to Ohio and neighboring states. If we need to fly in a specialist for a project, we will inform you from the beginning.
We work on control systems that are in the design phase, operational, and in some cases have been running for many years. The image to the right was part of a project to identify all the control systems and networks at a major and old refinery that had been modified many times since 1965. I documented the systems and connections and evaluated the risk in each area and overall to the operation of the refinery and power generation system. Based on my assessment and recommendations, the facility was able to easily isolate key high-risk areas and secure the process safety systems.
SubSafe Security is a control system focused cybersecurity business that offers a range of services to protect your physical assets from cyber threats.
Our name comes from the SUBSAFE (Submarine Safety) program. It is a rigorous quality assurance initiative established by the U.S. Navy to ensure the safety and integrity of submarine systems, focusing on preventing flooding and ensuring the ability to recover from an emergency. It was instituted in response to the loss of USS Thresher in 1963 and involves strict adherence to design, construction, and maintenance standards. As a submariner, this was one of the first programs that I knew of that was designed to prevent horrible accidents, and consequently I thought of it often when working on refineries and chemical plants.
For more information...
Consider this article on cognitive bias and risk analysis challenges:
Operational technology (OT) encompasses the systems that monitor and control physical devices and processes in industries such as manufacturing, utilities, and transportation. It is crucial for ensuring that these systems, which are fundamental to daily operations and safety, remain safe from cyber threats that could disrupt operations and cause physical harm.
For more information...
Consider this article about what is operational technology:
Consider this article about the hidden risk in control systems:
Consider this article on device refresh rate challenges in operational technology:
https://subsafesecurity.com/cybersecurity-news/f/replacing-outdated-it-systems-but-what-about-ot
Our cybersecurity assessments for operational technology differ from IT cybersecurity assessments primarily in their focus and expertise. While IT assessments concentrate on data protection, integrity, and confidentiality within corporate networks, OT assessments prioritize the availability, safety, and integrity of systems and processes that have direct effects on physical operations. This requires a specialized understanding of industrial control systems, their deterministic nature, and the unique challenges of devices that might be 30 years old versus modern computers in IT that get patched and upgraded often.
For more information...
Consider this article on key differences:
https://subsafesecurity.com/cybersecurity-news/f/key-it-and-ot-differences
Consider this article about a cybersecurity assessment at a very large refinery:
https://subsafesecurity.com/cybersecurity-news/f/large-facility-case-study
SubSafe Security offers two main areas of service.
Our vulnerability assessments are done using passive (non-intrusive) network assessment methods to gather information about a network. This means that it does not require any interaction with the hosts on the network, and it will not generate any alerts or notifications. In terms of impact on control system networks, passive network assessment is generally considered to be safe.
For more information...
Consider this article about operational technology vulnerability assessments:
https://subsafesecurity.com/cybersecurity-news/f/control-system-vulnerability-assessments
Our final report normally contains the following:
Safety functions are designed to put a system or process in a safe state if something goes wrong. There are safety functions associated with mechanical safety regions like the area around moving equipment like a robot and safety functions associated with process control. In the process area, specialized teams perform a Process Hazards Analysis (PHA) to identify the safety functions necessary to protect a process. Assessments for safety functions are essential because cyber threats can manipulate or disrupt these safety mechanisms, leading to potential safety hazards, environmental damage, or even catastrophic failures. We use several methods to assess safety functions for cybersecurity vulnerabilities including the Security PHA Review method which reviews PHA reports for attack vectors and makes recommendations.
For more information...
Consider this article about a Security PHA Review:
https://subsafesecurity.com/cybersecurity-news/f/security-pha-review
SubSafe Security uses defense-in-depth strategies discussed in the IEC 62443 standard to protect your physical assets from cyber threats. Defense-in-depth encompasses strategies like segmentation, access control, whitelisting, patch management, physical security, system hardening, monitoring and detection, incident response, and recovery.
Our team of experts works closely with you to assess your security needs and develop a customized plan that fits your unique requirements that your team can manage.
The areas below represent the specific industries where we have well-qualified control system and cybersecurity experience.
Have questions or need more information? Just email us about anything. Seriously, you can ask questions about cybersecurity, our services, OT Cybersecurity News articles, even the news. We are here to help.
Office Hours: M-F 8:00am - 5:00pm Eastern Time
We are located in central Ohio near Columbus and focus primarily on improving control system cybersecurity (often referred to as Operational Technology or OT) in the region.
Click on the Contact Us button below and your email will open.
We will not spam you, sell, or share your email address.
Your privacy is important to us and we take it seriously. This policy outlines how we collect, use, protect, and handle your personal information on https://subsafesecurity.com.
Information Collection and Use
We collect information from you when you fill out a form or sign up for our newsletter on our site. The collected information includes your email address only for the newsletter and your name, email address, and message details if you submit a contact form (there are some optional fields and we protect that information also).
Your information is ONLY used by us to respond to your requests. Your information will NEVER be shared or sold!
Information Protection
Your personal information is contained behind secured networks and is only accessible by a limited number of clearly identified people that are required to keep the information confidential.
Information Sharing
SubSafe Security does not sell, trade, or otherwise transfer to outside parties your personal information.
Cookies
Our website uses cookies to enhance your experience by remembering your preferences for future visits and compiling aggregate data about site traffic and interaction only. The cookies are shared with Google Analytics and GoDaddy.
Google Analytics uses cookies to track user behavior and aggregate data about website traffic. The information collected can include:
GoDaddy may collect data through cookies to manage and improve its hosting services and for security purposes. This can include:
Both Google Analytics and GoDaddy use this data for improving service delivery, enhancing user experiences, marketing, and optimizing their own services and technologies.
Consent
By using our site, you consent to our website's privacy policy.
Changes to our Privacy Policy
If we decide to change our privacy policy, we will post those changes on this page. This policy was last modified on 4/19/2024.
Copyright © 2024 SubSafe Security - All Rights Reserved
Dresden, Ohio USA