2026-01-28

https://www.compliance-labs.com

CIARA

by Radiflow

tested for MITRE ATT&CK ICS, NERC CIP, NIST CSF

What is CIARA?

Produit : CIARA (Radiflow)

Analyse de Cohérence : CIARA est une solution de visibilité et de gestion du risque pour les environnements industriels OT/ICS. Elle ne répare pas les systèmes, mais elle détecte, mesure et priorise les vulnérabilités et les risques.

Catégorie logicielle : OT / ICS Security & Resilience

Frameworks supportés : NERC CIP, NIST CSF, MITRE ATT&CK ICS

Actions prioritaires identifiées :
– Mapping des actifs (Asset Inventory)
– Simulation de brèches (Breach & Attack Simulation via OT-BAS)
– Priorisation des patchs (Vulnerability Management)
– Gestion du risque ROI-driven

Cybersecurity Regulations, Standards and Frameworks Supported

MITRE ATT&CK®
NIST CSF
NIST SP 800-53
NIST SP 800-218 (SSDF)
HIPAA
ISO/IEC 27001
NERC CIP
PCI DSS
DORA
NIST SP 800-207 (ZTA)
CISA Secure for OT products
EU AI Act
GDPR
NIST SP 800-37 (RMF)
NIS 2
MAS & ABS
CCPA/CPRA
PSD2
CMMC
NCA OTCC
MITRE ATT&CK ICS
PCI CP & PLS
PCI 3DS
PCI SSF & SSS
NIST IR 8596 (Cyber AI Profil)
OWASP AI Agentic SG

Deployment

SaaS
Windows
Linux
OS/Virtual/Proprietary
On-Premise

Environment

Information Technology (IT)
Operational Technology (OT)
Extended Internet of Things (XIoT)

Region

America
Asia Pacific
Europe
International

Industry

Critical Infrastructures
Energy & Utilities
Financial Services
Government
Healthcare
Technology & Communications

Capabilities

OT / ICS Security & ResilienceTesting, Simulation & Validation

Discover and inventory OT and ICS assets including SCADA, DCS, PLCs, SIS, IIoT devices, and industrial endpoints
Classify OT assets based on criticality, safety impact, function, and operational role
Maintain visibility into OT network architectures including zones, conduits, and industrial communication paths
Support secure segmentation between IT, OT, and safety environments
Support fine-grained segmentation across SCADA, DCS, PLC, SIS, and IIoT networks
Monitor OT network traffic and industrial communications protocols
Detect anomalous and malicious activities across OT control systems and industrial devices
Protect OT systems against unauthorized logical and physical access
Support identity and access controls for operators, engineers, vendors, and service accounts in OT environments
Support privileged access management for OT systems, engineering workstations, and control consoles
Protect OT systems against malware, exploits, and unauthorized code execution
Support vulnerability assessment for OT and ICS assets including legacy and safety-critical systems
Support risk-based prioritization of OT vulnerabilities considering safety, availability, and process impact
Support secure configuration baselines for OT systems, controllers, and industrial workstations
Detect configuration drift in OT environments including PLC logic, device firmware, and control parameters
Support change management for OT systems including logic changes and firmware updates
Support incident detection and response for OT environments with minimal operational disruption
Support forensic analysis of OT security incidents across controllers, HMIs, historians, and edge devices
Maintain audit-ready OT security evidence including access, changes, and operational events
Support compliance monitoring for OT and ICS security requirements across regulated industries
Support resilience and high availability of OT systems and industrial processes
Support backup and recovery for OT configurations, logic, recipes, and operational data
Support disaster recovery and business continuity for OT operations and industrial processes
Support secure remote access for operators, engineers, and third-party vendors in OT environments
Integrate OT security telemetry with SOC, SIEM, and security operations platforms
Support SaaS, on-premises, and hybrid OT security deployments
Scale to support large and complex OT environments with thousands of industrial assets
Support regional and industry-specific OT security regulations and safety standards
Support multi-site and multi-region OT environments including distributed industrial operations
Support continuous monitoring of OT security posture and operational integrity
Align OT / ICS security and resilience capabilities with evolving cybersecurity, safety, and regulatory frameworks

Design and execute security testing scenarios
Support penetration testing and vulnerability validation
Support red team and blue team exercises
Support breach and attack simulation
Support tabletop exercises for security and crisis scenarios
Validate effectiveness of security controls
Support adversary emulation and attack simulation
Support testing of detection and response capabilities
Support validation of incident response playbooks
Support testing of business continuity and disaster recovery plans
Support testing of backup and recovery procedures
Support simulation of ransomware and malware incidents
Support simulation of insider threat scenarios
Support simulation of supply chain compromise scenarios
Support testing of cloud and hybrid security controls
Support testing of identity, endpoint, network, and application security
Support continuous testing and validation workflows
Support automated security testing and validation
Maintain audit-ready testing and validation evidence
Support compliance reporting for testing and validation activities
Provide dashboards for testing and validation results
Support gap analysis and improvement planning
Support testing across SaaS, on-premises, and hybrid environments
Scale to support large and complex organizations
Support regional regulatory testing requirements
Support industry-specific testing and simulation requirements
Support multi-site and multi-region testing scenarios
Support continuous improvement of security posture
Integrate testing and validation results with security tools
Align testing, simulation, and validation capabilities with evolving cybersecurity regulations and frameworks

DORA Requirements supported by the software

NERC CIP Requirements supported by the software

NIS 2 Requirements supported by the software

Risk Management Strategy (GV.RM)

GV.RM-01: Stakeholders agree on established risk management objectives
GV.RM-02: Establish, communicate, and maintain risk appetite statements
GV.RM-03: Integrate cybersecurity activities into enterprise risk processes
GV.RM-04: Strategic direction describes appropriate risk response options
GV.RM-05: Establish organizational communication lines for cyber risks
GV.RM-06: Standardize methods for prioritizing organizational cyber risks
GV.RM-07: Include strategic opportunities in cybersecurity risk discussions

Oversight (GV.OV)

GV.OC-01: Organizational mission is understood and informs risk
GV.OC-02: Stakeholder needs and expectations are clearly understood
GV.OC-03: Manage legal regulatory and contractual cybersecurity requirements

Asset Management (ID.AM)

ID.AM-01: Maintain inventories of hardware managed by organization
ID.AM-02: Maintain inventories of software services and systems
ID.AM-03: Map authorized network communication and data flows
ID.AM-04: Maintain inventories of services provided by suppliers
ID.AM-05: Prioritize assets based on classification and criticality
ID.AM-07: Maintain inventories of data and corresponding metadata
ID.AM-08: Manage systems and data throughout their lifecycles

Risk Assessment (ID.RA)

ID.RA-01: Identify validate and record vulnerabilities in assets
ID.RA-02: Receive cyber threat intelligence from sharing sources
ID.RA-03: Identify and record internal and external threats
ID.RA-04: Identify potential impacts and likelihoods of threats
ID.RA-05: Understand inherent risk using threats and vulnerabilities
ID.RA-06: Choose prioritize plan track and communicate responses
ID.RA-07: Manage assess record and track risk exceptions
ID.RA-08: Establish processes for responding to vulnerability disclosures
ID.RA-09: Assess hardware and software integrity prior acquisition

Identity Management, Authentication, and Access Control (PR.AA)

PR.AA-01: Manage identities and credentials for authorized users
PR.AA-02: Proof and bind identities based on context
PR.AA-03: Authenticate users services and managed hardware assets
PR.AA-04: Protect convey and verify organizational identity assertions
PR.AA-05: Enforce access permissions incorporating principle least privilege

Awareness and Training (PR.AT)

PR.AT-01: Provide personnel awareness and training for tasks
PR.AT-02: Provide specialized roles with relevant cybersecurity training

Data Security (PR.DS)

PR.DS-01: Protect confidentiality integrity and availability data at-rest
PR.DS-02: Protect confidentiality integrity and availability data in-transit
PR.DS-10: Protect confidentiality integrity and availability data in-use
PR.DS-11: Create protect maintain and test data backups

Platform Security (PR.PS)

PR.PS-01: Establish and apply configuration management security practices
PR.PS-02: Maintain replace and remove software commensurate risk
PR.PS-03: Maintain replace and remove hardware commensurate risk
PR.PS-04: Generate log records for continuous organizational monitoring
PR.PS-05: Prevent installation and execution of unauthorized software
PR.PS-06: Integrate secure software development practices into lifecycle

Technology Infrastructure Resilience (PR.IR)

PR.IR-01: Protect networks from unauthorized logical access usage
PR.IR-02: Protect technology assets from potential environmental threats
PR.IR-04: Maintain adequate resource capacity to ensure availability

Continuous Monitoring (DE.CM)

DE.CM-01: Monitor networks and services for adverse events
DE.CM-02: Monitor physical environment to find adverse events
DE.CM-03: Monitor personnel activity and technology usage patterns
DE.CM-06: Monitor external service provider activities for events
DE.CM-09: Monitor computing environments and data for events

Adverse Event Analysis (DE.AE)

DE.AE-02: Analyze potentially adverse events to understand activities
DE.AE-03: Correlate security information from multiple organizational sources
DE.AE-04: Understand estimated impact and scope adverse events
DE.AE-06: Provide information on adverse events to staff
DE.AE-07: Integrate threat intelligence into adverse event analysis
DE.AE-08: Declare incidents when events meet defined criteria

Incident Management (RS.MA)

RS.MA-01: Execute incident response plan with third parties
RS.MA-02: Triage and validate incident reports for response
RS.MA-03: Categorize and prioritize incidents for effective management
RS.MA-04: Escalate or elevate incidents as organizational needs
RS.MA-05: Apply criteria for initiating organizational incident recovery

Incident Analysis (RS.AN)

RS.AN-03: Establish root cause through incident analysis investigation
RS.AN-06: Record investigation actions and preserve record integrity
RS.AN-07: Collect incident data and preserve its integrity
RS.AN-08: Estimate and validate magnitude of cybersecurity incidents

Incident Response Reporting and Communication (RS.CO)

RS.CO-03: Share information with designated internal external stakeholders

Incident Mitigation (RS.MI)

RS.MI-01: Contain incidents to prevent expansion of events
RS.MI-02: Eradicate incidents from systems and organizational networks

Incident Recovery Plan Execution (RC.RP)

RC.RP-03: Verify integrity of backups before restoration use
RC.RP-05: Confirm normal operating status after asset restoration

CIP-002-5.1a: BES Cyber System Categorization

R1, R1.1, R1.2, R1.3: Identify/categorize BES Cyber Systems by High/Medium/Low impact
R2, R2.1, R2.2: Review categorization and obtain approval every 15 months

CIP-003-9: Security Management Controls

Attachment 1 Section 3.1: Permit only necessary routable inbound/outbound electronic access for Low Impact
Attachment 1 Section 4.5: Test cyber security incident response plan every 36 months

CIP-003-8: Security Management Controls

Attachment 1 Section 5: Plan to mitigate malicious code risk from TCA/Removable Media
Attachment 1 Sections 5.1, 5.2: Use methods like anti-virus or white-listing for TCA

CIP-004-7: Personnel & Training

R4.2: Verify active access authorizations quarterly
R4.3: Verify user account privileges every 15 months
R5.1: Initiate access removal within 24 hours of termination/IRA
R5.2, R6.3: Revoke access by next calendar day for reassignments/BCSI

CIP-005-7: Electronic Security Perimeter(s)

R1.3: EAPs must require access permissions, reason, and deny all other access
R2.1: Interactive Remote Access must utilize an Intermediate System
R2.3: Require multi-factor authentication for all Interactive Remote Access sessions

CIP-006-6: Physical Security of BES Cyber Systems

R1.4, R1.5: Monitor physical access points for unauthorized access; alert response personnel within 15 minutes
R1.6, R1.7: Monitor PACS for unauthorized physical access; alert response personnel within 15 minutes
R1.8: Log authorized unescorted physical entry with identity, date, time
R1.9: Retain physical access logs for 90 calendar days
R2.2: Log visitor entry/exit, name, date, time, contact
R2.3: Retain visitor logs for 90 calendar days
R1.10: Restrict physical access to communication components outside PSPs or use encryption/monitoring

CIP-007-6: System Security Management

R2.1: Patch management process: track, evaluate, install security patches
R2.2: Evaluate patches every 35 days
R2.3, R2.4: Apply patch or implement mitigation plan within 35 days
R1.1: Enable only necessary logical network accessible ports, where technically feasible
R5.5: Enforce minimum 8-character length and 3 character types for passwords
R5.6: Enforce password change/obligation at least every 15 months, if feasible
R5.7: Limit unsuccessful authentication attempts or generate alerts, if feasible
R4.1: Log successful/failed logins and detected malicious code
R4.2: Generate alerts for malicious code detection and logging failure
R4.4: Review logged event summarization/sampling every 15 days
R4.3: Retain event logs for last 90 consecutive days
R2.4: Method(s) to determine active vendor remote access sessions
R2.5: Method(s) to disable active vendor remote access
Attachment 1 Section 6: Implement process to mitigate vendor remote access risks

CIP-008-6: Incident Reporting and Response Planning

R1.1, R1.2, R1.4: Plan must include processes to identify, classify, respond, and handle cyber incidents
R4, R4.2: Notify E-ISAC/NCCIC within 1 hour or by next day for Reportable Incidents/Attempts

CIP-009-6: Recovery Plans for BES Cyber Systems

R1.3: Document process for backup and storage of recovery information
R1.4: Process to verify successful backup completion and address failures
R2.2: Test representative sample of recovery information usability every 15 months
R2.3: Test recovery plans every 36 months via operational exercise

CIP-010-4: Configuration Change Management

R1.6: Verify software source identity and integrity prior to configuration changes
R1.1: Develop configuration baseline including OS, software, ports, patches
R1.2: Authorize and document changes deviating from existing baseline configuration
R1.3: Update baseline within 30 days after configuration change
R2.1: Monitor baseline configuration changes and investigate unauthorized changes every 35 days
R3.1: Conduct paper or active vulnerability assessment every 15 months
R3.2: Active assessment every 36 months for High Impact, if feasible
R3.3: Perform active vulnerability assessment before adding new Cyber Assets to production
R3.4: Document assessment results, remediation action plans, planned daes, execution status
R4: Documented plan for Transient Cyber Assets and Removable Media
Attachment 1 Section 2.2: Mitigation of malicious code risk for vendor TCA

CIP-011-3: Information Protection

R2.1, R2.2: Prevent unauthorized BCSI retrieval prior to reuse or disposal of Cyber Assets
R1.1: Document method(s) to identify BCSI
R1.2: Protect and securely handle BCSI against confidentiality compromise

CIP-012-2: Communications Between Control Centers

R1: Plan to mitigate risks to confidentiality, integrity, availability of real-time data
R1.3: Method(s) to initiate communication link recovery

CIP-013-2: Supply Chain Risk Management

R1.1: Identify and assess cyber security risks during procurement planning
R1.2.5: Require verification of vendor software integrity and authenticity

CIP-015-1: Internal Network Security Monitoring

R1.1, R1.2, R1.3: Monitor network data feeds to detect/evaluate anomalous activity
R2: Retain anomalous network activity data until investigation action is complete

Enforce Identity and Authentication

Mitigation M0801: Enforce authorization through inline network gateways
Mitigation M0804: Require authentication before data or commands
Mitigation M0813: Authenticate remote devices and software processes
Mitigation M0915: Use centralized network-wide authentication services
Mitigation M0932: Utilize multi-factor authentication for remote access
Mitigation M0936: Configure account lockouts and login times
Mitigation M0927: Enforce secure password policies for accounts

Role-Based Access Privileges

Mitigation M0800: Restrict privileges based on security policies
Mitigation M0918: user account permissions and creation
Mitigation M0926: Audit privileged accounts and minimize permissions
Mitigation M0922: Restrict directory and file access permissions
Mitigation M0924: Restrict modification of Windows Registry keys

Verify System and Input Integrity

Mitigation M0945: Enforce binary integrity with digital signatures
Mitigation M0946: Verify boot mechanisms and OS integrity
Mitigation M0947: Perform integrity checks and system audits
Mitigation M0818: Validate program inputs and action formats
Mitigation M0944: Prevent untrusted library loading in software

Segment and Filter Industrial Networks

Mitigation M0930: Isolate critical systems through network segmentation
Mitigation M0937: Filter traffic based on automation protocols
Mitigation M0807: Restrict connections via host-based network allowlists
Mitigation M0935: Limit network access to file shares
Mitigation M0814: Utilize static configurations for host discovery

Detect and Prevent Malicious Activities

Mitigation M0949: Detect malicious software via signature heuristics
Mitigation M0931: Block traffic using network intrusion signatures
Mitigation M0938: Block code execution via application control
Mitigation M0948: Isolate code execution within virtual environments
Mitigation M0950: Block software exploit conditions and behavior
Mitigation M0920: Inspect encrypted sessions for adversary activity
Mitigation M0921: Restrict browser content and block attachments

Encrypt Sensitive Data and Communications

Mitigation M0802: Authenticate sender and verify message integrity
Mitigation M0808: Encrypt network traffic to prevent eavesdropping
Mitigation M0941: Protect sensitive data-at-rest with encryption
Mitigation M0803: Identify exfiltration attempts with loss prevention
Mitigation M0809: Protect confidentiality of operational information mechanisms

Ensure Operational Resilience and Recovery

Mitigation M0953: Maintain hardened data backups and images
Mitigation M0811: Provide redundancy for devices and services
Mitigation M0810: Utilize redundant out-of-band communication channels
Mitigation M0815: Use watchdog timers for unresponsiveness detection

Manage Asset Vulnerabilities and Updates

Mitigation M0951: Update software regularly to mitigate risk
Mitigation M0916: Remediate vulnerabilities through regular scanning
Mitigation M0942: Remove unnecessary software and vulnerable features
Mitigation M0817: Integrity test devices through supply chain
Mitigation M0934: Block installation of unapproved hardware devices
Mitigation M0928: Hardened configuration of the operating system
Mitigation M0954: Implement secure configurations for software applications

Protect Physical Safety Systems

Mitigation M0805: Utilize mechanical protection layers and interlocks
Mitigation M0812: Segment safety instrumented systems from networks
Mitigation M0806: Minimize propagation of wireless radio signals

Awareness and Threat Intelligence

Mitigation M0917: Train users against social engineering techniques
Mitigation M0919: Track trends via threat intelligence programs
Mitigation M0913: Guide developers to avoid security weaknesses

Scope Impact

Software Security Development

Designed using a risk-based secure design approach (SSDF PW.1)
Released without known exploitable vulnerabilities (SSDF PW.1)
Provides secure-by-default configuration and secure reset (SSDF PW.9)
Enforces authentication, identity, and access control (SSDF PW.4)
Protects confidentiality of stored, processed, and transmitted data (SSDF PW.1)
Protects integrity of data, commands, and configurations (SSDF PS.2)
Applies data minimization principles (SSDF PW.1)
Ensures availability and resilience against DoS attacks (SSDF PW.1)
Integrates safely without impacting security or compliance (SSDF PW.1)
Reduces attack surface and exposed interfaces (SSDF PW.1)
Reduces incident impact through exploit-mitigation controls (SSDF PW.6)
Provides logging and monitoring of internal activities (SSDF PW.5)
Supports secure deletion and secure data transfer (SSDF PW.9)

Vendor Security Practices

Identifies components and maintains a machine-readable SBOM (SSDF PS.3.2)
Remediates vulnerabilities rapidly and delivers timely updates (SSDF RV.2)
Performs static, dynamic, fuzzing, and penetration testing (SSDF PW.7, PW.8)
Publicly discloses vulnerabilities once fixes are available *(aligned with SSDF RV.1.3)
Maintains a coordinated vulnerability disclosure policy (SSDF RV.1.3)
Provides a dedicated contact for vulnerability reporting (SSDF RV.1.1)
Distributes secure and authenticated updates (SSDF RV.2.2)
Provides free and timely security updates (SSDF RV.2)
Performs continuous lifecycle cybersecurity risk assessments (SSDF PW.1, RV.3)
Maintains documentation and archives software versions (SSDF PS.3)
Ensures vulnerability management during the support period (SSDF PO.1.2)
Maintains a secure development, build, and test environment (SSDF PO.5)
Performs root-cause analysis and improves SDLC processes (SSDF RV.3)
Provide role-based training for personnel involved in secure software development (SSDF PO.2.2)
Define and maintain clear secure SDLC roles and responsibilities (SSDF PO.2.1)

NERC CIP scoping

NERC CIP Categorisation

Cyber Asset
BES Cyber Asset (adverse impact in <15 minutes)
Protected Cyber Asset (PCA)
Electronic Access Control or Monitoring Systems (EACMS)
Physical Access Control Systems (PACS)
Removable Media
Transient Cyber Asset
Not Applicable

Support a BES Reliability Operating Service (BROS)

Yes
No
Not Applicable

In Electronic Security Perimeter (ESP)

Yes
No
Not Applicable

External Routable Connectivity (ERC) Scope Impact

Reduce ERC
Eliminate ERC
Not Applicable

In Physical Security Perimeter (PSP)

Yes
No
Not Applicable

With Electronic Access Point (EAP)

Yes
No
Not Applicable

Accessibility Attributes

ERC
LERC
IRA
Not Applicable

Connectivity Attributes

Dial-up
Serial
Routable Protocol
Not Applicable

Alternatives

There is no alternative for this software.