The implementation of the lifecycle for the design and manufacture of systems compliant with Industrial Cyber Security standards is based on the technical compliance of the system, machine or plant, with the requirements of IEC 62443, and also paves the way for subsequent certification processes of OT Cyber Security.

The activities recommended by the IEC 62443 standards focus on architecture, policies and testing prior to the installation of automation solutions.

Our OT Security Lifecycle development consultancy includes a series of modular activities that make it easier for integrators and manufacturers to comply with IEC 62443 standards:

• Security Plan for System Integrators. The security plan refers to the management system documents developed by the integrator for other purposes. We offer support for preparation of the cybersecurity plan to implement the IEC 62443-2-4 requirements, considering the specific contractual scope of the integrator. We also offer consultancy for preparation of the security policies to be implemented for the project, related, for example, to endpoint protection, remote access, backup and patch management.
• Support for System Architecture. The definition of the security architecture takes into account the Zone & Conduit diagram recommended by the standards. We offer advice to support organization of the network and data flow permitted by the security specifications, as proof of compliance with IEC 62443 for a given SL-T.
• Analysis of Cyber Security Requirements. The end customer’s requirements can sometimes be generic or more specific ones beyond the IEC 62443 standard. We offer consultancy on detailed analysis of the requirements and support with their application and the identification of requests that may not be applicable to standard products.
• Test Procedures. The security requirements must be tested at the end of commissioning against the Cyber Security specifications to confirm to the end user, when contractually required, that the project implements these requirements. The procedure we prepare for the integrator covers device configuration review, vulnerability testing, backup verification, patch management and all the security features implemented through the specifications. The procedures for testing are attached to the procedure, if carried out independently by the integrator or, if required, by our specialists.
• Operating Procedures. After preparation and delivery of the project, the user needs safety procedures to make the system work properly and maintain the correct level of safety over time. This involves descriptive procedures on how to perform backup and restore, account management, patch management, monitoring, and all other tasks related to the scope of supply. To meet these needs, we support the integrator and the manufacturer in the preparation of operating procedures in accordance with IEC 62443-2-4.
• Security Plan for Machine and Plant Manufacturers. Manufacturers of machines and large plants are for all purposes suppliers in accordance with IEC 62443 for systems that make up machines configured for specific projects. The more developed the Security Plan is, the more robust the machine is in terms of cybersecurity and the easier the work is even for the system integrator. For this reason, the manufacturer can in turn implement processes that comply with OT Cyber Security with the support of our specialists, and there is the possibility of certifying the process according to ISA/IEC standards.
• Support for Artifact Compliance. When implemented in product development, the IEC 62443-4-1 standard requires artifacts for each specific product developed. This includes threat modeling and risk assessment, cybersecurity specifications, testing procedures, design documentation, patch development and implementation, and activities and documentation that we produce entirely for both the integrator and the manufacturer.

The activities for the OT Security Lifecycle, if aggregated, constitute comprehensive consultancy; they can be agreed separately on request.