Around 80% of OT managers in German companies have experienced a breach of their infrastructure in the past two years. At the same time, a global study by IBM puts the average cost of such data leaks at 3.4 million euros. Only 10% of the companies surveyed reported never having experienced a breach. These 10% were predominantly companies whose systems were subject to regular audits and penetration tests.
For a leading global provider of automation technology, whose systems had not yet been subjected to external audits or tests, it was important to introduce regular penetration tests and vulnerability management. The aim of the measure was to create more transparency about potential security gaps. The company's heterogeneous system landscape, consisting of IT, OT and IoT, required suitable and flexible service providers.
We started with an inventory of the systems to be tested and clarification of the scope of the test. We then defined criteria for vendor selection. We considered, among other things, the experience of the respective vendor, certifications of the penetration testers, the price-performance ratio and customer references from past projects. After an anonymous RFQ among potentially suitable service providers, we organized four provider presentations and supported the customer in the bid selection process.
Black-box and grey-box penetration tests identified several mission-critical security vulnerabilities. The company saved money because we found a provider with a better price-performance ratio than in the customer's own RFP.