Safety & Security
The multiple disciplines of industrial risks are linked. With the advancement of technology and cyber threats, plants, people, and the environment are not sufficiently protected if plant’s systems are not resilient to remaining undiscovered vulnerabilities and persistent threats.
Efficiently, effectively and safely comply with all the requirements of the ISA/IEC-62443 series of international standards. In accordance with all necessary regulations, each industrial process must be monitored throughout its life cycle. This applies to every facility involved. Oversee the protection and durability of those outdated industrial control systems that urgently require security measures. Similarly, supervise the latest control systems during the engineering stages. This process should span from procurement to construction prior to their installation at the plant.
Manage risk accurately by complying with ISA/IEC-62443 without deviations, saving a substantial amount of work and time combined with accuracy and consistency with all other industrial risk disciplines.
Knowledge & Experience
Our team accumulates decades of experience working with industrial control systems in almost every single industry. We have accredited knowledge and experience mitigating industrial risk for safety, security, and cybersecurity.
We have efficiently bundled several activities from the WBS framework. These are organized into consulting service packages. This arrangement ensures maximum benefit and optimal results. Furthermore, we call this “The Industrial Cybersecurity Lifecycle Services”.
Cybersecurity Lifecycle Services
Start by adhering to the ISA/IEC-62443 series of standards in all your facilities. This compliance should be effortless and simultaneous, avoiding any replication of efforts. Furthermore, it’s essential to prevent potential disagreements. This process should align seamlessly with other industrial risk disciplines.
Quickly enhance the sophistication of your cybersecurity management system. This can be achieved through simple methods to mitigate all unacceptable risks. Optimal utilization of time and plant resources is key. Concurrently, this approach aids in reducing the overall cost of ownership (TCO) for control systems.
Governance Activities (GOVERN)
Firstly, develop and implement significant policies. These should be easy to follow and comply with, thus avoiding any hassle. Secondly, enforce these sound processes and procedures naturally. Importantly, they should align with international standards. As a result, they will automatically generate the necessary evidence for certification. Notably, this will occur without requiring extra effort.
Implementation of Policies & Procedures
This service includes the development, implementation, and natural enforcement of policies and procedures. The ZCM Risk Management System offers premium policy and procedure templates. These are fully aligned with international standards and widely-accepted regulations.
With the application of the WBS Framework and ZCM RMS (Risk Management System), managing policies and procedures is simplified. Essentially, this is because the ZCM produces all required evidence and records. This is done in accordance with the company’s rules and regulations.
This service cannot be provided separately and must be provided together with the additional services offerings indicated below. No additional cost will be added when implementing with the WBS methodology and the ZCM System. Utilizing the WBS and ZCM, the end user can significantly decrease their workload. Additionally, it provides an impressive reduction of overhead costs by 70%.
Development of Training & Awareness
This service includes the development and execution of training programs. Every company will have a variety of different training needs. Introducing Industrial Cybersecurity in a company is a significant cultural shift. It requires careful management to avoid causing disruption. Proper handling of this change is indeed crucial.
We have different training offerings that can typically be required by almost any company, end users and suppliers. These training programs include the de ISA Cybersecurity Certificate Program, and WisePlant’s WBS Industrial Cybersecurity training and certification program. Learn more.
The ISA Certificate Program is highly suggested for professionals requiring a deep understanding of the ISA/IEC-62443 series of standards. It covers all the essentials such as its structure, principles, and concepts. Additionally, it encapsulates terminology and models. This program ensures a comprehensive grasp of all requirements. Basically, everything that needs to be done. ISA-agnostic training imparts knowledge about necessary actions. Yet, it neither advocates nor promotes any specific methodology, tool, products, or system. Learn more.
WisePlant’s WBS Industrial Cybersecurity was specifically designed for easy implementation. It ensures compliance with the ISA/IEC-62443 series of standards. Additionally, it adheres to any other relevant regulations. Our practical approach does not get into the details of the standards and regulations. Numerous users don’t need to delve into the intricate specifics of several requirements. They need practical solutions for swift implementation and adherence. Learn more.
We also provide a set of awareness training for training numerous groups of people, tailored to meet specific end user requirements based on its policies and procedures.
Performing Audits & Verifying Compliance
Utilizing the WBS in tandem with the ZCM simplifies audit and compliance processes. The ZCM produces requisite evidence and meaningful reports, thus facilitating speedy certification. This occurs in real-time without causing any inconvenience. The WBS alongside the ZCM System incurs minimal additional expenses. Yet, it offers an enormous benefit to the end user. In fact, it generates a significant return on investment.
The Cybersecurity Division of WisePlant, also known as WiseSecurity, is proficient in overseeing any ongoing project. Their aim is to ensure that no deviations occur during the industrial cybersecurity lifecycle process. This vigilance significantly reduces the risk of failure within projects.
What can be audited and/or certified for compliance?
- The Cybersecurity Management Program
- The security of any System under Consideration (SUC) through its lifecycle
- New future system from basic engineering.
- Existing system, recently installed or old legacy.
- Vendors and Suppliers
- Solutions Providers.
- Engineering/Service Providers.
- Product Suppliers.
- Cybersecurity Professionals.
- Certificate of Knowledge (ISA Certificate Program)
- Certificate of Experience (WisePlant Certificate Program)
Discover & Assessment Phase (ASSESS)
To fully grasp the systems in question, model zones and conduits with simplicity. This will facilitate an understanding of the industrial process under control. It is also crucial to precisely identify all potential outcomes that must be avoided. This is particularly important if the devices and systems are compromised.
Assess the risk by employing established cybersecurity evaluation methods. These techniques facilitate informed, efficient and effective decision-making. They also sufficiently mitigate any unacceptable risks.
Avoid dedicating valued resources and time to activities, actions, and spending on systems that only mitigates your budget.
Industrial Risk Assessment
This service pertains to the assessment of cybersecurity risks within an industrial context. The objective is to facilitate informed and sound decision-making processes. Ultimately, this aims to significantly mitigate any unacceptable risks.. It can be carried out over one or several systems under consideration (SUC), depending on the scope definition.
We employ the well-established RAGAGEP methodology to assess industrial cybersecurity risks. This approach aids in making robust, long-term decisions. Notably, it truly helps in mitigating potential hazards. Utilising the ZCM RMS, our services generate numerous results from this evaluation. These findings are integral for future mitigating activities.
Here is where all the magic happens. The methodology for risk analysis and long-term decision-making is both unique and robust. It effectively reduces risk by influencing the plant and system design. Therefore, it prevents any potential severe consequences from occurring.
Most of the market is focused on preventing cyber-incidents, guided by IT security standards. This approach, however, is misguided. We take a more comprehensive approach than this. Instead of just halting cyber incidents, we aim to prevent potential consequences from transpiring.
Undertaking a comprehensive industrial cybersecurity risk assessment is always beneficial, even if it’s late. This applies to both antiquated legacy systems and potential future systems. Especially during procurement or the early stages of engineering, such an evaluation can be vital.. The sooner, the better.
Design, Implementation & Verification Phase (IMPLEMENT)
The specific outcomes of the Industrial Cybersecurity Risk Assessment are utilized. They help in restructuring control systems and the plant. This occurs with the implementation of effective, efficient, and adequate mitigation measures.
In order to safeguard industrial control systems, we need to introduce security levels (SL). This will also protect all risk receivers. Furthermore, specific recommendations should be integrated into current control systems.
The consequence-centric approach proposed by ISA99 is the only choice for industrial plants and critical infrastructures.
Design of Zones, Conduits & Countermeasures
This service involves designing the systems under consideration (SUC). It may also include creating the plant’s design. This is done based on the findings from the industrial cybersecurity risk assessment.
Each zone and conduit in a specific SUC is unique. As a result, only a particular set of countermeasures will work effectively. These measures are crucial to mitigate all the intolerable risk efficiently and sufficiently.
There are three design activities, and these are Conceptual Design, Detailed Design, and Alert Management Design. Understanding the results of risk assessment is crucial. Furthermore, we should consistently implement all countermeasures. However, this should not lead to deterioration in other industrial risk disciplines.
Whether we’re dealing with a current legacy SUC or a future one, the design must undergo an official engineering approval. This is to ensure its implementation is optimal and secure. Furthermore, it guarantees safe operation.
Implementation of Countermeasures - Mitigating the Risk
The provider of this service undertakes the execution of all essential modifications on a pre-installed and functioning SUC at a specific plant. Alternatively, they are also responsible for the design and setup of future SUCs. These new units will be installed in a production environment.
Here is where the real job is done and the existing intolerable risk is mitigated. The industrial cybersecurity risk is mitigated by doing the right things right. In today’s business world, many companies are excellently executing the wrong strategies. Furthermore, they are also incorrectly implementing inappropriate actions. Lastly, even when they undertake the right tasks, they often carry them out wrongly. Don’t be one of them. Do the right things right.
Basically, there will be three types of countermeasures. These types are administrative, technological, and physical. Only those countermeasures justified my the industrial risk assessment must be consistently designed and implemented.
Cybersecurity Acceptance Tests
This service consists in the verification and the acceptance or rejection of the implemented countermeasures. The verification and tests must be good to verify the conformance to specific requirements by each zone and conduit. Each zone and conduit will have its own requirements. It is of fundamental importance to avoid over-testing or under-testing.
Finally, what is implemented and installed needs to be contrasted against the results of the industrial risk assessment. There is no benefit in conducting a risk assessment, making decisions, and then implementing and verifying something else.
We take care to avoid “with certainty” the occurrence of potential consequences, and we accept the occurrence of tolerable cyber incidents. Our solution is “long term”, and with much less budget (Investment). The hacker can no longer do damage to the plant. Indeed, it may have the ability to instigate a cyber incident. However, it no longer has the power to inflict harm on the plant.
Operation & Maintenance Phase (MAINTAIN)
After all significant risks are addressed, the plant can function safely. This is true, provided that potential severe consequences are prevented from occurring. As a result, the plant will be secure against both current and future cyber threats.
Even though, all the intolerable risks are already mitigated, preventive and corrective security maintenance activities are still required.
Safe & Secure Operation Assistance
This service consists in the correct and safe operation of the plant. After the implementation and the verification of security countermeasures, the plant is operated within the tolerable risk. Anything intolerable is not expected to happen, and in particular the intolerable consequences.
The ZCM System is responsible for real-time monitoring and diagnostics. It maintains plant safety by averting high-risk situations. Moreover, it accomplishes these tasks without requiring external assistance. There’s no necessity to transmit critical data or real-time information outside the plant. Despite this, the end user may have an interest in additional supportive services. These could potentially contribute to a safer and more secure operation.
Should this be the situation, we are amenable to scrutinizing the associated requests and requirements. This is done with the intent to facilitate any ZCM/WBS installation.
Preventive & Corrective Maintenance
This service consists in the development of preventive and corrective activities related to every single SUC. At this stage the risk has already been mitigated, and intolerable potential consequences won’t be able for happening. This does not mean that there is no need for additional cybersecurity activities. The end user needs to keep the plant operating within the tolerable risk for decades to come.
Cybersecurity maintenance activities are crucial for prevention. This includes updates and patch management. It also involves vulnerability management and hardening. Furthermore, managing change and backup processes are common practices.
Moreover, even if severe consequences are avoided, minor cyber incidents can still happen. Therefore, having an incident response plan with recovery procedures remains crucial.
The end user should be able to perform these activities by its own. Should there be a need for external assistance, we are willing to evaluate such requests. We aim to provide support for any ZCM/WBS installation.
Audit & Continuous Improvement
This service involves auditing already installed SUC at a specified plant or operational environment. Alternatively, it can audit a new system that is currently in its engineering phases. Almost everything can be audited and reviewed for compliance with the standards and for effective and efficient risk mitigation.
The entire Industrial Cybersecurity Management Program can be audited for compliance, and continuous improvement.
At WiseSecurity, we offer a unique solution for JIT auditing and certification. This is done during the execution of projects to prevent rework. It also ensures faster mitigation. We use a very effective audit and compliance methodology.
Would you like to know more?
Our security strategy ensures the protection of your most valuable assets. It shields all risk recipients by preventing cyber incidents. This is aimed at eliminating any possible impact on them. The result is a robust infrastructure that can withstand various threats. It’s designed to resist attacks that could compromise one or more cyber-assets.