Industrial Control Systems Cybersecurity
By approaching operations as an integrated system, AcuTech safeguards your business-critical information, operational technology, and industrial control systems from cyber threats. Our consultants conduct holistic evaluations, reviewing system designs and functionalities, identifying vulnerabilities and risks, and recommending robust mitigations and countermeasures. We assist companies in navigating evolving regulatory landscapes, meeting compliance requirements, and adopting best practices. Our seasoned consultants bring expertise in Operational Technology/Industrial Control Systems (OT/ICS) cybersecurity, offering strategic security planning, cost/benefit analyses, and tailored security measures.
AcuTech’s capabilities extend across a spectrum of services designed to meet the unique cybersecurity needs of industrial enterprises, ensuring the resilience of your organizational security.
AcuTech conducts a thorough assessment of industrial cybersecurity systems and associated information technology systems, pinpointing vulnerabilities and recommending countermeasures to empower our partners in the face of evolving cyber threats and expanding regulatory demands. Our consultants excel in providing comprehensive cost-benefit analyses, strategically emphasizing security measures that offer optimal utility. Well-versed in industry best practices, we consistently guide organizations toward meeting and exceeding established benchmarks. Through AcuTech’s dedicated team, companies gain access to in-depth Cyber-Security Risk Assessments (C-SRA). We scrutinize all aspects, from overarching cyber policies to practices, procedures, and platforms, rectifying potential vulnerabilities. Our expertise extends to the latest cybersecurity standards, including ISO 27001/27002, NIST 800 series, NERC CIP/FERC, and ISA/IEC-62443 (formerly ISA-99).
Our services include Cybersecurity Risk Analyses, OT/ICS Cyber Vulnerability Assessments, Operational Technology/Industrial Control Systems Cybersecurity Program Development, Cybersecurity Program Audits, identification of vital data, systems, and resources for post-cyber event recovery, and business continuity and disaster recovery planning. Additionally, we provide sector-specific services including MTSA vulnerability assessment & plan support, maritime cybersecurity drills & exercises, and hydrogen value chain cybersecurity. Partner with AcuTech to navigate the evolving landscape of industrial cybersecurity threats and secure the continuity of your critical operations.
- Cybersecurity Risk Assessment (also referred to as a Cyber Process Hazard Analysis (Cyber PHA) or Cyber Hazard and Operability Analysis (Cyber HAZOP))
- OT/ICS Cyber Vulnerability Assessments
- Cybersecurity Program Development
- Cybersecurity Program Audits
- Identification of vital data, systems, and resources required to recover operations after a cyber event
- Business continuity and disaster recovery
- MTSA vulnerability assessment & plan support
- Maritime cybersecurity drills & exercises
- Hydrogen value chain cybersecurity
AcuTech’s consultants are well versed in codes and standards developed by industry bodies and will refer to these as well as each client’s local jurisdiction codes and standards.
- IEC 62443 – Industrial communication networks – Cybersecurity. IEC 62443 provides guidelines and requirements for implementing cybersecurity measures in industrial automation and control systems (IACS). It aims to protect critical infrastructure from cyber threats by establishing principles for secure system design, operation, and maintenance.
- NIST Cybersecurity Framework (CSF). Developed by the National Institute of Standards and Technology (NIST), the Cybersecurity Framework is organized around five (5) key functions – Identify, Protect, Detect, Respond, and Recover – and is a tool designed to help organizations improve their cybersecurity posture by effectively communicating, integrating, and aligning on cybersecurity risk management across all levels of their organization.
- NIST SP 800-53 Rev. 5. Published by the National Institute of Standards and Technology (NIST), Special Publication 800-53 Rev. 5 provides guidelines on security and privacy controls for information systems and organizations to protect operations, assets, individuals, and other organizations. It covers various aspects of cybersecurity, including risk management, functional security and assurance, and incident response.
- NIST SP 800-82 Rev. 2. Published by the National Institute of Standards and Technology (NIST), Special Publication 800-82 Revision 2 provides guidelines on securing industrial control systems. It covers various aspects of cybersecurity, including risk management, access control, and incident response.
- IEC 61511. The International Electrotechnical Commission (IEC) 61511 standard focuses on the functional safety of safety instrumented systems (SIS) used in the process industry. While not explicitly a cybersecurity standard, it emphasizes the importance of considering security aspects in the design and operation of safety systems.
- ISA TR 84.00.09 – ICS Cybersecurity. ISA TR 84.00.09 focuses on cybersecurity for industrial control systems (ICS). It provides recommendations for securing ICS networks and devices against cyber threats, including guidelines for risk assessment, access control, and incident response.
- ISO 27001. Although not specific to industrial control systems, ISO 27001 is a widely recognized international standard for information security management systems (ISMS). Organizations can use ISO 27001 to establish, implement, maintain, and continually improve their information security management.
- ISACA COBIT. Published by ISACA, the COBIT (Control Objectives for Information and Related Technologies) framework is designed for businesses and is focused on IT management, with each process defined together with process inputs and outputs, process activities, process objectives, performance measures, and measures for organizational maturity.
- API 1164. Published by the American Petroleum Institute (API), API 1164 provides guidelines for pipeline supervisory control and data acquisition (SCADA) systems. While focused on the oil and gas industry, its principles are applicable to other process industries. It addresses aspects of security, including network design and data integrity.
- CFATS (Chemical Facility Anti-Terrorism Standards). Administered by the U.S. Department of Homeland Security (DHS), CFATS provides a set of standards and regulations to enhance security at high-risk chemical facilities, including those in the process industries.
- NERC CIP (Critical Infrastructure Protection). The North American Electric Reliability Corporation (NERC) CIP standards are a set of requirements designed to secure the cyber assets of the bulk power system. While specific to the electric utility industry, these standards have implications for other critical infrastructure sectors.
AcuTech consultants have contributed to the following standards, codes, and programs.
- ISA 99 Working Group
- MITRE ATT&CK® for ICS Matrix
- Formalized OT/ICS cyber kill chain methodology utilizing the three MITRE ATT&CK® frameworks
- NIST IR 8473 – Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure
- NIST IR 8406 – Cybersecurity Framework Profile for Liquefied Natural Gas