Operational Technology Cyber Security Services

The ISA/IEC 62443 series of standards defines a range of controls and processes designed specifically for the electronic security of industrial automation and control systems (IACS). Bridewell’s consultants are not only certified against these standards but are also active contributors to their ongoing upkeep and development. Against this standard series, we offer: 62443-3-2 risk assessment, 62443-3-3 assessment, and 62443-3-3 system design.

The CAF is intended for use by organisations forming part of the UK’s Critical National Infrastructure (CNI), especially those subject to the Network & Information Systems (NIS) regulations. For many of these organisations, OT networks and systems are their most critical. We have extensive experience applying the CAF within OT environments across multiple sectors and provide a full suite of CAF services, from assessment to delivering full remediation to attain the required CAF outcomes.

Health and Safety Executive (HSE) OG86 – Cyber Security for Industrial Automation and Control Systems (IACS) is designed for securing OT at facilities subject to the Control of Major Accident Hazards (COMAH) regulations. OG86 is principally based on IEC62443, but additionally bolstered by requirements of the NCSC Cyber Assessment Framework (CAF). By combining our depth of expertise in OT, IEC62443, and CAF, we assess your current position and develop remediations to meet any areas of deficiency.

Our OT security architecture assessment maps your network architecture to show: data pathways, protection of data-in-transit, network security controls, host (endpoint) security controls, IDAM controls, security monitoring, and system resilience and redundancy. Mapping these areas exposes any weak pathways where you are most vulnerable to attack. Our security architecture assessments are conducted independently of any specific framework or standard, allowing us to highlight anything concerning we come across while not focusing unduly on less applicable areas for the specific system. The output of these assessments are proposed remediations to address deficiencies and improve security defences.

We deliver high and low-level designs detailing system and network architectures, and the specification of security controls and configuration. This is accompanied by a full set of security requirements for action by the delivery team, which can be further supported by our own Security Architecture team. We also offer an assurance service for the duration of delivery that validates security requirements are being correctly interpreted and delivered. This includes re-working security requirements should technical challenges be encountered in their implementation and attending factory and site acceptance tests to verify requirements have been successfully met.

There are many non-mission critical aspects of OT that can only be successfully delivered in the cloud (e.g, storage of historic data, hosting of security management services, and delivery of remote access systems). The use of hybrid cloud is also an exciting opportunity to allow the delivery of mission-critical OT services. Bridewell is ideally placed to support operators of essential OT services in navigating this landscape, due to the expertise and firsthand experience held within our OT function and Security Architecture team.