CYBERSECURITY FOR INDUSTRIAL CONTROL SYSTEMS Cybersecurity Services SMART SOLUTIONS


Post on 27-Jun-2020


“78 percent of security officials were expecting a successful attack on their ICS/SCADA systems within the next two years”*

A successful cyberattack on a plant’s Industrial Control Systems (ICS) can be catastrophic. It can impact the plant’s operations and finances, damage its reputation and even threaten lives. A resilient Cybersecurity programme is essential in order to mitigate potential cyberattacks.

Your Trusted ICS Cybersecurity Partner

*Source: 2014 Ponemon Institute study, Critical Infrastructure: Security Preparedness and Maturity

To help ensure that your plant is fully prepared to defend against potential cyberattacks, we provide a range of ICS Cybersecurity services, each customised for your plant’s unique requirements and based on the latest international Cybersecurity standards and best practice. Pöyry is active in designing, assessing and supervising the implementation of ICS Cybersecurity programmes for both operating and greenfield facilities.

1. ICS CYBERSECURITY ASSESSMENT

The first step in determining your current level of protection is a walk-through assessment of your facilities, along with interviews with your Operational Technology (OT) and IT managers. An Assessment Report with recommendations will be delivered and discussed in an evaluation meeting with the Plant Management.

2. ICS CYBERSECURITY CONCEPT

Next, a concept is developed that is tailored to the realities of your organisation and the level of protection already achieved. In most cases the ICS Cybersecurity will be the “final piece of the jigsaw” and complement the existing Plant IT Security and Physical Security Concept.

4. ICS CYBERSECURITY TRAINING

In order to build resilient ICS Cybersecurity into your plant, all relevant personnel will be trained by Pöyry Cybersecurity experts.

In the event of a cyber-attack or another type of cyber-incident, your personnel will have clear instructions on how to minimise the physical and economic damage to the plant and to initiate the recovery according to the Resiliency Plan, enabling the plant to promptly return to production.

After the classification of Assets, creation of the ICS Cybersecurity Concept & Program, and Training the plant personnel, an extensive field audit may be considered in order to obtain intensive reports concerning the level of Cybersecurity of your plant at a point in time.

5. ANNUAL ICS CYBERSECURITY REVIEW

We recommend that an annual ICS Cybersecurity review should be done. Over time, new Cybersecurity threats will continue to appear and find ways to exploit vulnerabilities of Industrial Control Systems. Therefore Cybersecurity requires frequent reviews and updates of current threats, and a regular gap analysis is necessary in order to maintain a continued level of required security.

DESIGN

The first design phase starts with a structural assessment of your plant security systems architecture and configuration. A detailed study together with full, up-to-date documentation will be reviewed to discover potential Cybersecurity vulnerabilities.

Together with Pöyry Experts, the target design is compared in detail with your current network architecture. Then a road map with technical details and an execution time schedule is finalised.

1. ASSESSMENT (REVIEW)

2. CONCEPT (FOUNDATION)

3. PROGRAMME (IMPLEMENTATION)

4. TRAINING (AWARENESS)

5. ANNUAL REVIEW (CONTINUOUS)

• Verify the current level of your ICS Cybersecurity

• Gap analysis to compare current level with state-of-the-art asset classification

• Define the roles and responsibilities, policies and mandates to related job roles

• Integration of your company’s IT Cybersecurity policies and practices with ICS Cybersecurity

• Foundation of the approach about the main standards used

• Assignment of specific personnel to their roles

• Co-creation of Cybersecurity procedures with your assigned personnel to include plant specifics into the programme

• ICS Cybersecurity training of plant personnel

• Review of the ICS Cybersecurity programme

• Update of the latest ICS Cybersecurity threats and vulnerabilities

• Ensures plant personnel are familiarised with the present vulnerabilities & threats

• Increase the plant’s ICS Cybersecurity resilience

DESIGN AND ENGINEERING (CONFIGURATION MANAGEMENT)

A HOLISTIC APPROACH TO SECURITY SERVICES

In addition to Cybersecurity, the physical security of the facility and its surroundings also needs careful consideration. For existing facilities, a security audit covering all engineering disciplines provides an understanding of the current situation and identifies existing gaps.

It also allows the creation of a road map to fix any identified issues. Pöyry provides plant owners with risk-based planning services for security. We specify the required emergency response from the plant processes and systems.

ENGINEERING

The ICS active devices, firewall and cabling systems with detailed connections will be engineered to ensure a swift installation and commissioning. Your engineering package includes all the information required. If a gradual update strategy is chosen, then intermediate documentation will be delivered, and for a comprehensive upgrade, the complete final design will be provided. The complete documentation of your ICS network configuration and architecture will be kept up-to-date after each update in order to maintain a grip on your robust ICS Cybersecurity.

So what about your plant?

To help support your specific needs, contact one of our experts or visit our website for more details:

[email protected]/cybersecurity

3. ICS CYBERSECURITY PROGRAMME

A detailed flow chart for the ICS Cybersecurity processes is then created by your Pöyry Cybersecurity expert, along with the defined roles and responsibilities for the implementation.

Pöyry then acts as Project Manager and reviewer of the ICS Cybersecurity procedures. As your OT and IT personnel are best placed to understand the business processes, and the network and automation architecture of your facility, they will write all necessary operating procedures together with Pöyry ICS Cybersecurity specialists.

PÖYRY AND ICS CYBERSECURITY

As an international engineering and consulting company, with Cybersecurity centres of excellence in Finland and Switzerland, you can trust that integrity, security and discretion are in our ‘DNA’.

Capitalising on our knowledge of Industrial Plant Automation, Process Engineering and IT Security, all forming part of our core businesses, we are highly qualified to advise our clients on ICS Cybersecurity services.


www.poyry.com/cybersecurity

Pöyry has a global office network - please visit www.poyry.com/contacts for your nearest office.


Consulting. Engineering. Projects. Operations.

Smart solutions across power generation, transmission & distribution, forest industry, chemicals & biorefining, mining & metals, transportation and water.

6000 experts. 45 countries. 150 offices.