Consulting, certification and training according to IEC 62443 best practices.

IEC 62443 Consulting

Request an analysis of the Cyber Security of the plants optimizing time and results

The IEC 62443 standard states that the security of a plant is based on analysis of the organization and vulnerabilities.

The Cyber Security managers of large manufacturing companies must be able to act while always having an up-to-date picture of the level of security of the plant.
Our OT Smart Security Assessment service provides two different types of consultancy:

  • Complete Assessment. The complete safety assessment of the plant is a service that involves the support of 2 specialists at the plant for 3 days. This option includes the analysis of plant vulnerabilities based on active and/or passive scans, analysis of vulnerabilities related to social engineering, high-level risk analysis, analysis of governance and organization and an assessment of the health status of the network in qualitative and quantitative terms.
  • Basic Assessment. The basic safety assessment of the plant involves the presence of one of our technicians at the plant for 3 days. This option only covers the assessment of plant vulnerabilities based on active and/or passive scans, the analysis of any security issues and an assessment of the health status of the network in qualitative and quantitative terms.

The Basic Assessment is a valid tool for initial analysis, after which it is advisable to plan subsequent analyses.

 

Try our consulting options to reach your goals.


Finalize the Cybersecurity Risk Assessment

The IEC 62443 standard states that the method for cyber risk analysis consists of two phases: a first high-level analysis, and a subsequent detailed analysis of the most critical assets.

The protection of critical infrastructures and key resources is essential for security and productivity, which is why our Cyber Security Risk Assessment service is based on the pillars of the IEC 62443 standard, which sets down a systematic method for managing cyber risks at industrial plants.

The Cyber Security Risk Assessment service provides a two-step path of modular analysis:

  • High Level Risk Assessment. Development of high-level risk assessment according to the process described in IEC 62443-3-2, including business logic.
  • Low Level Risk Assessment. Detailed development of the risk assessment according to the process described in IEC 62443-3-2, following the high-level risk assessment, i.e. carried out on basis of the high-level only on the most critical assets.

 

Information about Cyber Security Risk Assessment according to the IEC 62443 standard:

  • The purpose of high-level analysis is to macroscopically establish the risks and consequences of a cyber attack to set priorities for intervention and break down future analyses according to the criticalities of the device or production process.
  • The following detailed analysis covers the threats to which the systems in use are exposed. Several factors are considered during this second phase, such as the vulnerabilities already known, their complexity, what countermeasures and procedures have been adopted previously and whether there are operational practices already in place for the correct management of the human factor, often the main vehicle of cyber attacks.
  • This information is then used for the correct drafting of the Cyber Security Specifications for the protection of the most critical corporate assets.
  • We prepare the Cyber Security Risk Assessment report for both levels with specific analyses for each type of plant or machine, to document the real threats and the most appropriate countermeasures.
  • The Cyber Security Risk Assessment supports the Cyber Security managers of large manufacturing companies in the implementation and maintenance of countermeasures, with a consequent advantage also in terms of expenditure.

 

Try our consulting options to reach your goals.


Learn how to draft a Governance according to IEC 62443

Discover our consulting options for the cyber security lifecycle.

The IEC 62443 standard states that the security of a plant passes first of all through Governance, specific policies and emergency management, in accordance with the lifecycle of OT Cyber Security.

The implementation of the security lifecycle is the ultimate goal of a complete management process for large manufacturing companies, which includes detailed analysis and definition of corrective actions to protect OT devices from cyber attacks.
The activities recommended by the IEC 62443 standards focus on governance, disaster recovery, security policies, design and security measures for plants.

 

The activities for the Cyber Security Lifecycle, if aggregated, constitute comprehensive consultancy; they can be agreed separately on request:

 

  • Governance Support. In accordance with the Cyber Security Management System recommended by IEC 62443-2-1, our support includes the control of processes documented in IEC 62443-2-1, and the preparation of documentation (manual, procedures, instructions, policy).

 

  • Definition of the Emergency Recovery Plan. Taking into account business continuity and business needs, our specialists assist in the development of the plan, including hardware/software requirements and specifications and a specific plan to prevent the risk of cyber threat to potentially attackable infrastructures, or restore assets in the event of an attack.

 

  • Development of OT Cyber Security Policies. The policies describe the requirements to be implemented to ensure a sufficient level of security of the technologies at the service of the production plants. Our technical support team prepares Policies to achieve these objectives of compliance with IEC 62443 (or NIST) standards.

 

  • Support for High Level Design. Compliance with an OT architecture is related to the current state of the infrastructure. We analyze the current state, assisting the heads of Cyber Security of large manufacturing companies in establishing the measures (remediation) required to mitigate any security risks.

 

  • Preparation of the Remediation Plan. A long-term schedule can be prepared on the basis of the implementable requirements, current state and available budget, to determine the remediation measures to adopt at the facility. Our technical support team assists with setup and implementation.

 

Try our consulting options to reach your goals.


IEC 62443 Certification

The declaration of conformity to IEC 62443 standards is the pinnacle to aim for to prove the security of an efficient infrastructure

Discover the Certification options issued by the ISASecure® Accredited Body.

Our internal BYHON division is accredited by ISASecure® for the issuance of certification according to IEC 62443 schemes.

In the case of a specific installation at a plant, we perform third-party verification to issue a technical report and declaration of conformity. An assessment can be carried out for a new installation, for a revamp of an existing installation or for an infrastructure in use.

 

The purpose of the service is to perform an independent assessment that highlights the compliance of specific contract installations according to a specified level of security (SL-A) compliant with IEC 62443.
The State of Compliance is a valid and proven means of attesting that an OT configuration meets the parameters of security, integrity, availability and confidentiality, as per the ISA/IEC standard.

 

Discover our certification options to reach your goals.


IEC 62243 Training

Plan your company on-the-job training on OT Cyber Security requirements

The IEC 62443 standard suggests that the personnel involved in designing industrial devices and systems must acquire practical skills on how to apply the requirements to products to be used.

You can never know how efficient a safety system is until it is put to the test. Automation is quickly growing and integration between IT technology and OT technology is increasing daily with an enormous amount of data going from OT (Operations Technology) to IT (Information Technology) and vice versa.
We are certain that industrial system safety cannot be guaranteed without appropriate cyber protection. This means that PLCs, HMIs, SCADAs and all automation and control devices must be protected from potential attacks.

In order for all this to be possible, personnel involved in safety and automation must be appropriately trained to understand and prevent cyber risks related to industrial networks and devices.

Training days, planned online or in-person based on what is needed and the number of participants, are intended for roles such as:

  • IT Manager
  • OT Manager
  • Automation Manager
  • Automation Engineer
  • General Manager

The training program develops on the job, as it theoretically and practically follows company roles starting from the analysis of the network infrastructure, based on the guidelines provided by the IEC 62443 standard.

Training sessions are given by our in-house IEC 62443/ISA 99-certified specialists and are based on the pillars of Industrial Cyber Security:

  • The importance of Cyber Security today and differences between IT and OT
  • The Cyber Security Lifecycle according to the IEC 62443 standard
  • Pilot project, penetration tests, and applying Cyber Security practices to the company’s assets

 

Our approach combines the training and consulting plans to guarantee the most efficient results.

The goal is to make the acquired skills immediately usable, as they are an essential part of designing cyber risk assessments on the company’s most critical assets, for which vulnerability and measures to improve the security level must be identified.
The skills acquired can be used to immediately manage these issues within one’s organization. The participation is proved by the certificate of attendance.

 

Find out the benefits of the on-the-job training.

Faq

IT Cyber Security deals with Information Technology security, such as personal electronic devices and company networks; instead, OT Cyber Security is when the security is for Operations Technology, or industrial automation and control systems including PLCs, HMIs, and SCADA systems.

The most common and most perceivable consequences for a company struck by a cyber attack are related, for instance, to business continuity due to interrupted production after stopping the attacked systems. Threats can also entail altering or inhibiting safety functions on machinery and systems; for example, when automation is implemented by safety PLCs connected online. There is also the environmental risk, where dangerous emissions from systems under attack can cause, similarly to business continuity or safety of machinery issues, serious damage financially and to the company’s reputation.

The legislative references in the IEC 62443 standard directed at OT device users are found in IEC 62443-2-1 and IEC 62443-2-4 regarding maintenance requirements of systems in conformity with the standard by introducing cyber security policies and procedures.

The “insurance” investment of prevention represents a minimum cost when compared with the potential cost to repair a cyber attack (disaster recovery), for example in the case of ransoms (typically in Bitcoin and often equivalent to millions of euros), but also the cost to make up for downtime or to repair hacked facilities.

The actions needed are divided into three main areas:
  • Introducing organizational policies and procedures that include, for instance, training personnel who interact with the OT infrastructure
  • Selecting the technical measures related to network segmentation, access control, authentication, and authorization
  • Implementing and maintaining the risk and incident recovery management plan
  • The IEC 62443 guidelines identify three security lifecycle phases: assessment, implementation, and, finally, maintenance of the security level. It is precisely during the implementation stage that the company must structure the entire CSMS to protect itself from future cyber attacks. Based on what was found in the Assessment phase, the goal is to adopt a management system that includes procedures and strategies to prevent cyber attacks and protect industrial systems.

    The most common and perceivable consequences in the industrial sector are mainly financial damages and damaged reputation due to production standstills, safety issues for operators, financial loss, or environmental damage. In addition to interrupted production after stopping the attacked systems, threats can also entail altering or inhibiting safety functions on machinery and systems; for example, when automation is implemented by safety PLCs connected online. Furthermore, the attacked systems releasing dangerous emissions into the atmosphere can also seriously impact the business.

    The cost for a Cyber Security Risk Assessment project varies based on the complexity of the network infrastructure, the company processes, and the OT devices in use, on which the risk assessment is performed according to the IEC 62443 standards. We invite you to contact us for a customized estimate.

    Why choose us

    • We have gained experience in the OT Cyber Security field since 2014
    • We test every solutions thanks to our in-house OT Cyber Security laboratory
    • Our specialists are IEC 62443/ISA 99-certified personnel (Fundamentals Specialist and Cyber Security Risk Assessment Specialist)
    • Automation and OT Network Security are some of our most performing competences
    • We have bulit a wide network of partnerships with the main international OT solution suppliers
    • Our BYHON internal division is the ISASecure® accredited certification body

    What some of our customers say about us