IEC 62443 Consulting
Request an analysis of the cyber security of your plants that optimizes both time and results.
The IEC 62443 standard states that the security of a plant is based on an analysis of the organization and of its vulnerabilities.
The Cyber Security managers of large manufacturing companies must be able to act while always having an up-to-date picture of the level of security of the plant.
Our OT Smart Security Assessment service provides two different types of consultancy:
- Complete Assessment. The complete security assessment of the plant is a service that involves the support of 2 specialists on site for 3 days. This option includes the analysis of plant vulnerabilities based on active and/or passive scans, the analysis of vulnerabilities related to social engineering, a high-level risk analysis, an analysis of governance and organization, and an assessment of the health status of the network in qualitative and quantitative terms.
- Basic Assessment. The basic security assessment of the plant involves the presence of one of our technicians on site for 3 days. This option covers only the assessment of plant vulnerabilities based on active and/or passive scans, the analysis of any security issues found, and an assessment of the health status of the network in qualitative and quantitative terms.
The Basic Assessment is a valid tool for an initial analysis, after which it is advisable to plan follow-up analyses.
Try our consulting options to reach your goals.
Finalize the Cybersecurity Risk Assessment
The IEC 62443 standard states that the method for cyber risk analysis consists of two phases: a first high-level analysis, and a subsequent detailed analysis of the most critical assets.
The protection of critical infrastructures and key resources is essential for security and productivity. For this reason our Cyber Security Risk Assessment service is based on the pillars of the IEC 62443 standard, which sets out a systematic method for managing cyber risks at industrial plants.
The Cyber Security Risk Assessment service provides a two-step path of modular analysis:
- High Level Risk Assessment. Development of the high-level risk assessment according to the process described in IEC 62443-3-2, including the business logic.
- Low Level Risk Assessment. Detailed development of the risk assessment according to the process described in IEC 62443-3-2, following the high-level risk assessment, i.e. carried out, on the basis of the high-level results, only on the most critical assets.
Information about Cyber Security Risk Assessment according to the IEC 62443 standard:
- The purpose of the high-level analysis is to establish, at a macroscopic level, the risks and consequences of a cyber attack, in order to set priorities for intervention and to break down future analyses according to the criticality of each device or production process.
- The subsequent detailed analysis covers the threats to which the systems in use are exposed. Several factors are considered during this second phase, such as the vulnerabilities already known and their complexity, the countermeasures and procedures adopted previously, and whether operational practices are already in place for the correct management of the human factor, which is often the main vehicle of cyber attacks.
- This information is then used for the correct drafting of the Cyber Security Specifications for the protection of the most critical corporate assets.
- We prepare the Cyber Security Risk Assessment report for both levels with specific analyses for each type of plant or machine, to document the real threats and the most appropriate countermeasures.
- The Cyber Security Risk Assessment supports the Cyber Security managers of large manufacturing companies in the implementation and maintenance of countermeasures, with a consequent advantage also in terms of expenditure.
Try our consulting options to reach your goals.
Learn how to draft a Governance according to IEC 62443
Discover our consulting options for the cyber security lifecycle.
The IEC 62443 standard states that the security of a plant passes first of all through governance, specific policies and emergency management, in accordance with the OT Cyber Security lifecycle.
The implementation of the security lifecycle is the ultimate goal of a complete management process for large manufacturing companies, which includes a detailed analysis and the definition of corrective actions to protect OT devices from cyber attacks.
The activities recommended by the IEC 62443 standards focus on governance, disaster recovery, security policies, design and security measures for plants.
The activities for the Cyber Security Lifecycle constitute a comprehensive consultancy when taken together; each can also be agreed separately on request:
- Governance Support. In accordance with the Cyber Security Management System recommended by IEC 62443-2-1, our support includes the control of processes documented in IEC 62443-2-1, and the preparation of documentation (manual, procedures, instructions, policy).
- Definition of the Emergency Recovery Plan. Taking into account business continuity and business needs, our specialists assist in the development of the plan, including hardware/software requirements and specifications, and a specific plan to reduce the risk of cyber threats to infrastructures that could be attacked, and to restore assets in the event of an attack.
- Development of OT Cyber Security Policies. The policies describe the requirements to be implemented to ensure a sufficient level of security of the technologies at the service of the production plants. Our technical support team prepares Policies to achieve these objectives of compliance with IEC 62443 (or NIST) standards.
- Support for High Level Design. Compliance of an OT architecture depends on the current state of the infrastructure. We analyze that current state, assisting the heads of Cyber Security of large manufacturing companies in establishing the measures (remediation) required to mitigate any security risks.
- Preparation of the Remediation Plan. A long-term schedule can be prepared on the basis of the implementable requirements, current state and available budget, to determine the remediation measures to adopt at the facility. Our technical support team assists with setup and implementation.
Try our consulting options to reach your goals.
IEC 62443 Certification
The declaration of conformity to the IEC 62443 standards is the pinnacle to aim for in order to prove the security of an efficient infrastructure.
Discover the Certification options issued by the ISASecure® Accredited Body.
Our internal BYHON division is accredited by ISASecure® for the issuance of certification according to IEC 62443 schemes.
In the case of a specific installation at a plant, we perform third-party verification to issue a technical report and declaration of conformity. An assessment can be carried out for a new installation, for a revamp of an existing installation or for an infrastructure in use.
The purpose of the service is to perform an independent assessment that highlights the compliance of specific contract installations with a specified security level (SL-A) in accordance with IEC 62443.
The State of Compliance is a valid and proven means of attesting that an OT configuration meets the parameters of security, integrity, availability and confidentiality, as per the ISA/IEC standard.
Discover our certification options to reach your goals.
IEC 62443 Training
Plan your company on-the-job training on OT Cyber Security requirements
The IEC 62443 standard suggests that the personnel involved in designing industrial devices and systems must acquire practical skills on how to apply the requirements to products to be used.
You can never know how efficient a safety system is until it is put to the test. Automation is quickly growing and integration between IT technology and OT technology is increasing daily with an enormous amount of data going from OT (Operations Technology) to IT (Information Technology) and vice versa.
We are certain that industrial system safety cannot be guaranteed without appropriate cyber protection. This means that PLCs, HMIs, SCADAs and all automation and control devices must be protected from potential attacks.
In order for all this to be possible, personnel involved in safety and automation must be appropriately trained to understand and prevent cyber risks related to industrial networks and devices.
Training days, planned online or in person depending on the requirements and the number of participants, are intended for roles such as:
- IT Manager
- OT Manager
- Automation Manager
- Automation Engineer
- General Manager
The training program is delivered on the job: it follows the company roles both theoretically and practically, starting from the analysis of the network infrastructure and based on the guidelines provided by the IEC 62443 standard.
Training sessions are given by our in-house IEC 62443/ISA 99-certified specialists and are based on the pillars of Industrial Cyber Security:
- The importance of Cyber Security today and differences between IT and OT
- The Cyber Security Lifecycle according to the IEC 62443 standard
- Pilot project, penetration tests, and applying Cyber Security practices to the company’s assets
Our approach combines the training and consulting plans to guarantee the most efficient results.
The goal is to make the acquired skills immediately usable, as they are an essential part of carrying out cyber risk assessments on the company’s most critical assets, for which vulnerabilities and measures to improve the security level must be identified.
The skills acquired can be used immediately to manage these issues within one’s organization. Participation is attested by a certificate of attendance.
Find out the benefits of the on-the-job training.
Why choose us
We have gained experience in the OT Cyber Security field since 2014
We test every solution in our in-house OT Cyber Security laboratory
Our specialists are IEC 62443/ISA 99-certified personnel (Fundamentals Specialist and Cyber Security Risk Assessment Specialist)
Automation and OT Network Security are among our strongest competences
We have built a wide network of partnerships with the main international OT solution suppliers
Our BYHON internal division is the ISASecure® accredited certification body