When estimating the effort for security consultancy, most systems raise several questions that cannot be answered in detail upfront. To ensure an approach that is appropriate for a specific customer, Hensoldt Cyber offers consultancy as a two-stage process. This significantly reduces the customer's financial risk that the IT consultancy extends beyond the targeted goal for a specific product or system. The reason for that risk is that IT security is a vast field in which different solutions are appropriate for different customers, with those solutions addressing different attack vectors which may or may not be considered. The means of protection against those vectors significantly influence the necessary level of technical consultancy.

Stage 1 – System Introduction / Identification of IT-Security need

In stage 1, Hensoldt Cyber creates an overview of the system, listing the relevant technologies in use and specifying how they are interconnected.
These technologies typically are:

    • Hardware platform(s)
    • Operating system(s)
    • Software component(s)
    • Cryptographic algorithm(s) / implementation(s)
    • Communication protocol(s)
    • Internal system communication
    • External interface(s)
    • External interface(s) to world wide web
    • Already applied IT-security mechanisms (e.g. TPMs, firewalls, etc.)

Possible attack vectors throughout the supply chain (see figure below) are identified by Hensoldt Cyber and discussed with the customer, creating a list of attacks and associated risks from the customer’s point of view.

The result of this stage is a list of attack vectors, including a recommendation as to which of them shall be addressed in the further system/product development.

Stage 2 – Extending System Design with IT-Security Aspect

Based on a well-understood system design and the attack vectors which shall be addressed, recommendations for means to protect against those attacks shall be identified. Those recommendations shall be added to the system design in discussion with the customer. Possible impacts on the design shall be identified with regard to

    • System performance
    • Processes covering the whole product lifecycle
    • Organizational aspects
    • Financial aspects (based on recommended solutions)
    • Safety aspects (if appropriate)
    • Certification aspects (if appropriate)

This stage typically involves different experts on the customer side, leading to a detailed update of the system design covering all necessary aspects.
At the end of this stage, a detailed updated system design is available to the customer, upon which explicit decisions can be taken. Those decisions are typically made in consideration of the benefit of the addressed attack vectors and the impacts on the functional system design, in addition to financial aspects. The updated system design does not necessarily include only solutions from Hensoldt Cyber; it may include those of alternative suppliers as well.