Cybersecurity management according to IEC 62443

The line between IT and OT (Operational Technology) is blurring. In today's OT environments we no longer deal with machines that happen to have an IT component, but with complex IT systems that act on changes in the physical world. These systems are often fully integrated into the production process.

The new world is cyber-physical

This cyber-physical interface is what sets OT apart from the IT world. Complex chemical processes and dangerous operations take place at this interface, and an error there can cause serious HSE (health, safety and environment) incidents. Cyber-physical risk is therefore a business risk for the organization, and it is of great importance to map out these risks and start managing cybersecurity.

Although there is more awareness of cybersecurity, many companies are still struggling with an important question: Where do I start? Marcel Jutte, managing director of Hudson Cybertec: “Where companies were still struggling with awareness a few years ago, we now mostly see a call for concrete help to make a start with cybersecurity.”

A business case

An international chemical company, like many others, found its way to Hudson Cybertec. The company is well aware of the HSE consequences a cybersecurity incident can have if it pushes the primary process into an unsafe state. Safety PLCs can also fall victim to a cyber-attack and, as a result, fail to operate or behave differently than expected, with potentially major physical consequences. The company wanted to start managing cybersecurity, but had no insight into its current security status.

The baseline measurement

A security assessment provided insight into the company's current situation. This baseline measurement formed the starting point for improvements: the assessment showed which steps the organization had to take to bring cybersecurity to the desired level.

For example, an up-to-date security policy and the associated procedures were lacking, and the security organization itself had to be set up properly. To steer these matters in the right direction, Hudson Cybertec provided an interim CISO who set up cybersecurity management and acted as a sounding board for the chemical company's senior management. The focus was on people, organization and technology.

The basis for cybersecurity management is IEC 62443, the international de facto standard for cybersecurity in industrial automation and control systems (IACS). Hudson Cybertec is internationally recognized as a subject matter expert in this field and is actively involved in the development of the standard.

Setting priorities with a limited security budget

Because budgets were limited, priorities were set for cybersecurity management. Establishing a scope gave the organization direction for security, and choices were made where the chemical company would benefit most from the improvements: for example, clear responsibilities for cybersecurity were assigned to a compact security organization, and a security policy with a basic set of procedures was drawn up. Jutte: “Clever use was made of things that were already in place and were still topical, such as a high-level risk analysis. This mainly looked at the additional impact of cyber (and cyber-physical) on the high-level risks for the organization.”

Clarity for the organization

Keeping the security organization small allows it to act quickly. Its members were deliberately drawn from several disciplines, so that both IT and OT are represented. The new policy and procedures have been kept concise on purpose: they make clear to every employee what is expected of them in terms of security, both cyber and physical.

Well-trained staff reduces security risks

The organization recognizes the importance of its staff in raising the level of cybersecurity. Together with the company, Hudson Cybertec set up a program to improve security awareness among employees. The program makes the chemical company's employees more aware of the security risks they face every day, and it is already reducing cybersecurity risks while it is still running. “With a security awareness program, periodic repetition is important,” says Jutte. “After a while, employees become less alert again. Repetition anchors the awareness among employees.”

Network segmentation

On the technical side, the decision was made to segment the existing IT and OT infrastructure. The findings of the baseline measurement indicated how the segmentation should be shaped, and the zone and conduit model from IEC 62443 (the zone and conduit partitioning described in IEC 62443-3-2) served as the guideline for drawing up the zone model: assets with comparable security requirements are grouped into zones, and every communication path between zones is an explicitly defined conduit. With small investments, a major improvement in cybersecurity was achieved here.
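To make the zone and conduit idea concrete, the following is an added example (not code from the page or from Hudson Cybertec) of a small zone model checker: zones are defined by address ranges, conduits by the zone pair and the protocol/port combinations allowed through them, and a list of observed flows (constructed here; in practice an export from passive network monitoring) is audited against the model. The zone names, address ranges, ports and flows are all assumptions chosen for illustration.

```python
"""Zone and conduit model check (added example; all zones, ranges and flows are constructed)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    networks: tuple      # ip_network objects that make up the zone


@dataclass(frozen=True)
class Conduit:
    src: str             # zone of the initiating side of the connection
    dst: str             # zone of the receiving side
    allowed: frozenset   # (protocol, port) pairs permitted through this conduit


class ZoneModel:
    """Zones partition the address space; conduits are the only permitted paths between zones."""

    def __init__(self, zones, conduits):
        self.zones = {z.name: z for z in zones}
        self.conduits = {(c.src, c.dst): c for c in conduits}
        for c in conduits:
            for name in (c.src, c.dst):
                if name not in self.zones:
                    raise ValueError(f"conduit references unknown zone {name!r}")

    def zone_of(self, ip):
        """Return the zone name containing ip, or None if it lies outside every zone."""
        addr = ipaddress.ip_address(ip)
        for z in self.zones.values():
            if any(addr in net for net in z.networks):
                return z.name
        return None

    def check_flow(self, src_ip, dst_ip, proto, port):
        """Return (permitted, reason) for one initiating flow src -> dst."""
        src, dst = self.zone_of(src_ip), self.zone_of(dst_ip)
        if src is None or dst is None:
            outside = src_ip if src is None else dst_ip
            return False, f"endpoint {outside} lies outside every defined zone"
        if src == dst:
            return True, f"intra-zone traffic within {src}"
        conduit = self.conduits.get((src, dst))
        if conduit is None:
            return False, f"no conduit {src} -> {dst}"
        if (proto, port) not in conduit.allowed:
            return False, f"{proto}/{port} not permitted on conduit {src} -> {dst}"
        return True, f"permitted by conduit {src} -> {dst}"

    def audit(self, flows):
        """Return [(flow, reason)] for every flow the model does not permit."""
        violations = []
        for flow in flows:
            ok, reason = self.check_flow(*flow)
            if not ok:
                violations.append((flow, reason))
        return violations


def build_example_model():
    """Hypothetical four-zone plant: enterprise IT, an industrial DMZ, control and safety."""
    zones = [
        Zone("enterprise", (ipaddress.ip_network("10.10.0.0/16"),)),
        Zone("dmz", (ipaddress.ip_network("10.20.0.0/24"),)),
        Zone("control", (ipaddress.ip_network("10.30.0.0/24"),
                         ipaddress.ip_network("10.31.0.0/24"))),
        Zone("safety", (ipaddress.ip_network("10.40.0.0/24"),)),
    ]
    conduits = [
        Conduit("enterprise", "dmz", frozenset({("tcp", 443)})),   # office -> historian web UI
        Conduit("dmz", "control", frozenset({("tcp", 502)})),      # historian -> PLCs (Modbus/TCP)
        Conduit("control", "safety", frozenset({("tcp", 502)})),   # DCS -> SIS, one direction only
    ]
    return ZoneModel(zones, conduits)


# Constructed flow records: (source ip, destination ip, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.0.10", "tcp", 443),    # office -> historian: on the conduit
    ("10.20.0.10", "10.30.0.20", "tcp", 502),   # historian -> PLC: on the conduit
    ("10.30.0.50", "10.30.0.20", "tcp", 502),   # engineering station -> PLC: same zone
    ("10.10.0.5", "10.30.0.20", "tcp", 502),    # office -> PLC: bypasses the DMZ
    ("10.20.0.10", "10.30.0.20", "tcp", 22),    # historian -> PLC over SSH: port not on conduit
    ("10.30.0.20", "10.40.0.7", "tcp", 502),    # DCS -> SIS: on the conduit
    ("10.40.0.7", "10.30.0.20", "tcp", 502),    # SIS initiating to DCS: no conduit that way
    ("203.0.113.9", "10.30.0.20", "tcp", 502),  # address in no zone at all
]


if __name__ == "__main__":
    for flow, reason in build_example_model().audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {reason}")
```

Run against the constructed flows, the audit flags the four records that the zone model does not permit; the other four are either intra-zone or match a conduit. Two points the model makes explicit: conduits are directional (the safety zone may be reached from control, but nothing in the safety zone initiates outward), and an endpoint that belongs to no zone is itself a finding, since an asset that was missed during the baseline measurement is also missed by the firewall rules derived from the model.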

In the spotlight

Monitoring your OT environment is essential: it shows you what is actually happening on your network and to what extent you comply with the cybersecurity standards, laws and regulations that apply to you.

IEC 62443 Standard

The IEC 62443 standard offers your organization tools to improve the digital security and safety of your IACS environment. Implementing the standard raises the cybersecurity level of your OT / ICS / SCADA environment.

IEC 62443 is the international cybersecurity standards framework for operational technology (OT): a collection of standards, technical reports and related information for securing Industrial Automation and Control Systems (IACS).

Hudson Cybertec's IEC 62443 Competence Center has extensive experience with this standard. We play an active role in the development of the standard, promote it internationally and have developed a training program around IEC 62443.

It is becoming increasingly important for organizations to be able to demonstrate that the digital security of the OT environment conforms to standards frameworks. It is therefore possible to have (parts of) your IACS environment certified against IEC 62443.

If you want to know more about this standard and need training on how to apply it within your own organization or at your clients, Hudson Cybertec offers a number of training courses.
