IEC 62443 compliance plan helps Middle East mining company establish a much-needed security strategy

  • Engineering, procurement and construction (EPC) contractors are using DNV Cyber verification services to check cyber security of third-party suppliers’ operational and information technology components in energy infrastructure.
  • DNV’s cyber risk assessment and testing has helped major EPC contractors to meet customer requirements for infrastructure to be cyber resilient on handover and start-up.
  • Applying security best practices that respond to regulatory change means compliance should be less of a headache.

This project was delivered by Applied Risk, a DNV company. DNV, Nixu and Applied Risk joined forces to form DNV Cyber in 2024, creating one of Europe’s fastest growing cybersecurity services businesses.

Equipment failures in mining can lead to unacceptable consequences for life, property, and the environment. Therefore, operational technology (OT) systems must be capable of running continuously to support production. They also need careful monitoring to ensure that they operate within a narrow set of parameters governing the speed of operations and the physical characteristics – e.g. temperature, viscosity, and concentration – of the materials being handled.

On assessing a mining company in the Middle East, DNV Cyber found significant cybersecurity gaps, with few protective measures. The miner was not used to viewing OT systems as a potential target. 

DNV Cyber suggested options for improvement. Needing to build a cybersecurity strategy almost from the ground up, the customer decided the best option was to seek compliance with the IEC 62443 standards covering security measures for industrial automation and control systems.

The miner engaged DNV Cyber to:

  • Assess the company’s cybersecurity for operational technology
  • Suggest options for closing the gap between the status quo and best practice
  • Develop an action plan to help build a strategy to achieve IEC 62443 compliance.

DNV Cyber’s plan established a path toward regulatory compliance.

DNV Cyber’s report serves as a blueprint for meeting future security challenges and regulatory change.

The report convinced stakeholders at all levels of the need to allocate resources for cyber security.

Raising awareness and communicating paved the way to compliance

DNV Cyber knew from experience that working toward compliance would involve raising awareness from the start. It provided the customer with compelling descriptions of the cyber threats and possible consequences in mining. Crucially, DNV Cyber’s presentation convinced stakeholders of the need for quick, decisive, and thoughtful action.

Then came a series of multi-level workshops to define the scope, outline an action plan, and understand Business Impact Analysis and high-level risk analysis. By communicating individually with workshop participants, DNV Cyber’s experts gained extra insight into the ongoing challenges.

Information from the participants helped DNV Cyber to complete a gap analysis showing the steps needed to achieve IEC 62443 compliance. The analysis also informed DNV Cyber’s final report, which was designed to serve as a baseline guide for meeting the relevant standards and for expanding capacity as needed to remain in compliance.

The mining company:

  • Expressed appreciation of DNV Cyber’s security knowledge specific to the mining industry.
  • Valued the time and effort DNV Cyber experts devoted to communicating with stakeholders.
  • Contracted DNV Cyber for additional cyber-security services, such as gaining visibility into existing systems.

 

When I went to the first meeting with DNV Cyber, I was certain that all this talk of cyber security risk was exaggerated. But by the end of that meeting, I was on the edge of my seat and ready to move forward right away. The team really brought home what we stood to lose if we didn’t act.

  • Managing Director of mining company