| org.1 Security Policy |
Compliance, Cybersecurity assessment, Risk and Vulnerability Management, Communications plan |
| Installation, deployment and commissioning of Data Diode |
Partial coverage |
| Proposal for reference architectures |
Partial coverage |
| Security analysis and audit of industrial networks & SCADA |
Full coverage |
| Level of maturity in industrial cybersecurity |
Partial coverage |
| OT (Traffic Monitor) network anomaly detector |
Partial coverage |
| Fox-IT EAL7+ data diode |
Partial coverage |
| org.2 Security standard |
Compliance |
| Security analysis and audit of industrial networks & SCADA |
Full coverage |
| Level of maturity in industrial cybersecurity |
Full coverage |
| Servidor OPC UA |
Full coverage |
| org.3 Security procedures |
Compliance, Use control policy, Activity log policy, Backup Policy |
| Deploying solutions for change management in OT environments |
Partial coverage |
| Security analysis and audit of industrial networks & SCADA |
Partial coverage |
| Secure remote access for OT environments |
Partial coverage |
| Change management system for OT - MDT Autosave |
Partial coverage |
| org.4 Authorization process |
Account management, PKI infrastructure |
| Secure remote access for OT environments |
Partial coverage |
| Change management system for OT - MDT Autosave |
Partial coverage |
| op.pl.1 Risk analysis |
Cybersecurity assessment, Risk and Vulnerability Management |
| Security analysis and audit of industrial networks & SCADA |
Full coverage |
| Level of maturity in industrial cybersecurity |
Partial coverage |
| OT (Traffic Monitor) network anomaly detector |
Partial coverage |
| op.pl.2 Security architecture |
Network communications control, Secure network design |
| Installation, deployment and commissioning of industrial DPI firewalls |
Full coverage |
| Installation, deployment and commissioning of Data Diode |
Full coverage |
| Deployment and implementation of SNMP monitoring technologies in OT |
Partial coverage |
| Deployment and commissioning of network electronics for secure remote access for OT |
Full coverage |
| Proposal for reference architectures |
Partial coverage |
| Industrial HiVision (SNMP Monitor) |
Partial coverage |
| Firewall DPI Tofino Xenon |
Full coverage |
| EdgeIPS (Firewall DPI) con Virtual Patching |
Full coverage |
| Fox-IT EAL7+ data diode |
Full coverage |
| LKREMOTE (RTU with integrated firewall) |
Partial coverage |
| op.pl.3 Acquisition of new components |
Configuration control, Equipment use control, Device control |
| Deployment of devices for whitelisting applications for OT |
Partial coverage |
| Deployment, implementation and training of anti-malware technology for OT environments |
Partial coverage |
| Change management system for OT - MDT Autosave |
Partial coverage |
| Whitelisting Applications - StellarEnforce for IT and OT |
Partial coverage |
| op.pl.4 Sizing / Capacity Management |
Hardware and software inventory, Redundancy system |
| Implementation of high availability and fault tolerance technologies in OT |
Partial coverage |
| OT (Traffic Monitor) network anomaly detector |
Partial coverage |
| EdgeIPS (Firewall DPI) con Virtual Patching |
Partial coverage |
| Fault Tolerant Server - Stratus FTServer for IT and OT |
Partial coverage |
| Fault-tolerant industrial servers - Stratus ZTC Edge |
Partial coverage |
| op.pl.5 Certified components |
Certification of the main ICS providers |
|
|
| op.acc.1 Identification |
Hardware and software inventory, Access control policy |
| Secure remote access for OT environments |
Partial coverage |
| OT (Traffic Monitor) network anomaly detector |
Partial coverage |
| EdgeIPS (Firewall DPI) con Virtual Patching |
Partial coverage |
| op.acc.2 Access requirements |
Basic user access control, Multi-factor user access control, Access control policy |
| Deployment and commissioning of network electronics for secure remote access for OT |
Partial coverage |
| Secure remote access for OT environments |
Full coverage |
| op.acc.3 Segregation of functions and tasks |
Account management |
| Change management system for OT - MDT Autosave |
Full coverage |
| Secure remote access for OT environments |
Full coverage |
| op.acc.4 Access rights management process |
Device control, Account management |
| Deployment of devices for whitelisting applications for OT |
Partial coverage |
| Secure remote access for OT environments |
Partial coverage |
| Change management system for OT - MDT Autosave |
Partial coverage |
| op.acc.5 op.acc.5 Authentication methods (external users) |
Hardware Security Keys, Basic user access control, Multi-factor user access control |
| Deployment and commissioning of network electronics for secure remote access for OT |
Partial coverage |
| Secure remote access for OT environments |
Partial coverage |
| op.acc.6 op.acc.6 Authentication methods (organization\'s users) |
Hardware Security Keys, Basic user access control, Multi-factor user access control |
| Deployment and commissioning of network electronics for secure remote access for OT |
Partial coverage |
| Secure remote access for OT environments |
Partial coverage |
| op.exp.1 Asset inventory |
Hardware and software inventory |
| OT (Traffic Monitor) network anomaly detector |
Full coverage |
| EdgeIPS (Firewall DPI) con Virtual Patching |
Full coverage |
| op.exp.2 Security configuration |
Configuration control |
| Deployment, implementation and training of anti-malware technology for OT environments |
Full coverage |
| Change management system for OT - MDT Autosave |
Full coverage |
| Whitelisting Applications - StellarEnforce for IT and OT |
Full coverage |
| op.exp.3 Security Configuration Management |
Configuration control |
| Deployment, implementation and training of anti-malware technology for OT environments |
Full coverage |
| Change management system for OT - MDT Autosave |
Full coverage |
| Whitelisting Applications - StellarEnforce for IT and OT |
Full coverage |
| op.exp.4 Maintenance and security updates |
Reliable updates, Upgrade testing support |
| Deploying solutions for change management in OT environments |
Partial coverage |
| Change management system for OT - MDT Autosave |
Partial coverage |
| op.exp.5 Change Management |
Configuration control |
| Deployment, implementation and training of anti-malware technology for OT environments |
Full coverage |
| Change management system for OT - MDT Autosave |
Full coverage |
| Whitelisting Applications - StellarEnforce for IT and OT |
Full coverage |
| op.exp.6 Protection against malicious code |
Advanced antimalware |
| Deployment, implementation and training of anti-malware technology for OT environments |
Full coverage |
| op.exp.7 Incident Management |
Incident response support |
| Deploying solutions for change management in OT environments |
Full coverage |
| Fault Tolerant Server - Stratus FTServer for IT and OT |
Full coverage |
| Fault-tolerant industrial servers - Stratus ZTC Edge |
Full coverage |
| op.exp.8 Activity log |
Inspect endpoint logs, Activity log policy |
| Secure remote access for OT environments |
Partial coverage |
| Change management system for OT - MDT Autosave |
Partial coverage |
| op.exp.9 Incident management log |
Inspect endpoint logs, Activity log policy |
| Secure remote access for OT environments |
Partial coverage |
| Change management system for OT - MDT Autosave |
Partial coverage |
| op.exp.10 Protection of cryptographic keys |
PKI infrastructure |
|
|
| op.ext.1 Contracting and service level agreements |
Certification of the main ICS providers |
|
|
| op.ext.2 Day-to-day management |
Account management |
| Change management system for OT - MDT Autosave |
Full coverage |
| Secure remote access for OT environments |
Full coverage |
| op.ext.3 Supply Chain Protection |
Awareness and Training |
| Intensive course in Industrial Cybersecurity. Concepts, attacks, countermeasures and procedures |
Full coverage |
| Security analysis and audit of industrial networks & SCADA |
Full coverage |
| op.ext.4 Systems interconnection |
Network communication visualization |
| Installation, deployment and commissioning of industrial DPI firewalls |
Full coverage |
| Deployment and implementation of SNMP monitoring technologies in OT |
Full coverage |
| Deployment and commissioning of network electronics for secure remote access for OT |
Full coverage |
| Security analysis and audit of industrial networks & SCADA |
Full coverage |
| Industrial HiVision (SNMP Monitor) |
Full coverage |
| OT (Traffic Monitor) network anomaly detector |
Full coverage |
| Firewall DPI Tofino Xenon |
Full coverage |
| EdgeIPS (Firewall DPI) con Virtual Patching |
Full coverage |
| op.nub.1 Cloud services protection |
Data Protection |
| Deploying solutions for change management in OT environments |
Full coverage |
| op.cont.1 Impact analysis |
Risk and Vulnerability Management |
| Security analysis and audit of industrial networks & SCADA |
Full coverage |
| OT (Traffic Monitor) network anomaly detector |
Full coverage |
| op.cont.2 Continuity plan |
Redundancy system, Backup system |
| Deploying solutions for change management in OT environments |
Partial coverage |
| Implementation of high availability and fault tolerance technologies in OT |
Full coverage |
| Change management system for OT - MDT Autosave |
Partial coverage |
| Fault Tolerant Server - Stratus FTServer for IT and OT |
Partial coverage |
| Fault-tolerant industrial servers - Stratus ZTC Edge |
Partial coverage |
| op.cont.3 Periodic tests |
Upgrade testing support |
| Deploying solutions for change management in OT environments |
Full coverage |
| Change management system for OT - MDT Autosave |
Full coverage |
| op.cont.4 Alternative means |
Redundancy system |
| Fault-tolerant industrial servers - Stratus ZTC Edge |
Full coverage |
| Implementation of high availability and fault tolerance technologies in OT |
Full coverage |
| Fault Tolerant Server - Stratus FTServer for IT and OT |
Full coverage |
| op.mon.1 Intrusion detection |
Industrial DPI for anomaly detection, Advanced detection of anomalies in the IP layer |
| Installation, deployment and commissioning of industrial DPI firewalls |
Partial coverage |
| Security analysis and audit of industrial networks & SCADA |
Partial coverage |
| OT (Traffic Monitor) network anomaly detector |
Full coverage |
| Firewall DPI Tofino Xenon |
Partial coverage |
| EdgeIPS (Firewall DPI) con Virtual Patching |
Partial coverage |
| op.mon.2 Metrics system |
SIEM integration |
| Deployment and commissioning of network electronics for secure remote access for OT |
Full coverage |
| Implementation of high availability and fault tolerance technologies in OT |
Full coverage |
| Secure remote access for OT environments |
Full coverage |
| Industrial HiVision (SNMP Monitor) |
Full coverage |
| OT (Traffic Monitor) network anomaly detector |
Full coverage |
| EdgeIPS (Firewall DPI) con Virtual Patching |
Full coverage |
| Whitelisting Applications - StellarEnforce for IT and OT |
Full coverage |
| Fault Tolerant Server - Stratus FTServer for IT and OT |
Full coverage |
| Fault-tolerant industrial servers - Stratus ZTC Edge |
Full coverage |
| op.mon.3 Monitoring |
Network communication visualization |
| Installation, deployment and commissioning of industrial DPI firewalls |
Full coverage |
| Deployment and implementation of SNMP monitoring technologies in OT |
Full coverage |
| Deployment and commissioning of network electronics for secure remote access for OT |
Full coverage |
| Security analysis and audit of industrial networks & SCADA |
Full coverage |
| Industrial HiVision (SNMP Monitor) |
Full coverage |
| OT (Traffic Monitor) network anomaly detector |
Full coverage |
| Firewall DPI Tofino Xenon |
Full coverage |
| EdgeIPS (Firewall DPI) con Virtual Patching |
Full coverage |
| mp.if.1 Separate and access controlled areas |
Physical security in the installation of devices, Separation of environments |
| Installation, deployment and commissioning of Data Diode |
Partial coverage |
| Deployment and commissioning of network electronics for secure remote access for OT |
Partial coverage |
| Proposal for reference architectures |
Partial coverage |
| Fox-IT EAL7+ data diode |
Partial coverage |
| Servidor OPC UA |
Partial coverage |
| mp.if.2 Identification of persons |
Hardware Security Keys |
|
|
| mp.if.3 Fitting out of the premises |
Physical security in the installation of devices |
|
|
| mp.if.4 Electrical energy |
Redundancy system |
| Fault-tolerant industrial servers - Stratus ZTC Edge |
Full coverage |
| Implementation of high availability and fault tolerance technologies in OT |
Full coverage |
| Fault Tolerant Server - Stratus FTServer for IT and OT |
Full coverage |
| mp.if.5 Fire protection |
Physical security in the installation of devices |
|
|
| mp.if.6 Flood protection |
Physical security in the installation of devices |
|
|
| mp.if.7 Entry and exit registration of equipment log |
Equipment protection diagnostics |
| Deployment, implementation and training of anti-malware technology for OT environments |
Full coverage |
| Security analysis and audit of industrial networks & SCADA |
Full coverage |
| mp.per.1 Job description |
Awareness and Training |
| Intensive course in Industrial Cybersecurity. Concepts, attacks, countermeasures and procedures |
Full coverage |
| Security analysis and audit of industrial networks & SCADA |
Full coverage |
| mp.per.2 Duties and obligations |
Awareness and Training |
| Intensive course in Industrial Cybersecurity. Concepts, attacks, countermeasures and procedures |
Full coverage |
| Security analysis and audit of industrial networks & SCADA |
Full coverage |
| mp.per.3 Awareness |
Awareness and Training |
| Intensive course in Industrial Cybersecurity. Concepts, attacks, countermeasures and procedures |
Full coverage |
| Security analysis and audit of industrial networks & SCADA |
Full coverage |
| mp.per.4 Training |
Awareness and Training |
| Intensive course in Industrial Cybersecurity. Concepts, attacks, countermeasures and procedures |
Full coverage |
| Security analysis and audit of industrial networks & SCADA |
Full coverage |
| mp.eq.1 Clear workstation |
Equipment use control |
| Change management system for OT - MDT Autosave |
Full coverage |
| Deployment of devices for whitelisting applications for OT |
Full coverage |
| Whitelisting Applications - StellarEnforce for IT and OT |
Full coverage |
| mp.eq.2 Workstation locking |
Equipment use control |
| Change management system for OT - MDT Autosave |
Full coverage |
| Deployment of devices for whitelisting applications for OT |
Full coverage |
| Whitelisting Applications - StellarEnforce for IT and OT |
Full coverage |
| mp.eq.3 Protection of portable equipment |
Equipment use control |
| Change management system for OT - MDT Autosave |
Full coverage |
| Deployment of devices for whitelisting applications for OT |
Full coverage |
| Whitelisting Applications - StellarEnforce for IT and OT |
Full coverage |
| mp.eq.4 Other network-connected devices |
Device control |
| Deployment of devices for whitelisting applications for OT |
Full coverage |
| mp.com.1 perimeter security |
Host-based firewall |
| LKREMOTE (RTU with integrated firewall) |
Full coverage |
| mp.com.2 Confidentiality protection |
Data Protection |
| Deploying solutions for change management in OT environments |
Full coverage |
| mp.com.3 Integrity and authenticity protection |
Verification of integrity of software and hardware code |
| Change management system for OT - MDT Autosave |
Full coverage |
| Deployment of devices for whitelisting applications for OT |
Full coverage |
| mp.com.4 Separation of information flows in the network |
Secure network design |
| Installation, deployment and commissioning of industrial DPI firewalls |
Full coverage |
| Installation, deployment and commissioning of Data Diode |
Full coverage |
| Deployment and implementation of SNMP monitoring technologies in OT |
Full coverage |
| Deployment and commissioning of network electronics for secure remote access for OT |
Full coverage |
| Proposal for reference architectures |
Full coverage |
| Industrial HiVision (SNMP Monitor) |
Full coverage |
| Firewall DPI Tofino Xenon |
Full coverage |
| EdgeIPS (Firewall DPI) con Virtual Patching |
Full coverage |
| Fox-IT EAL7+ data diode |
Full coverage |
| mp.si.1 Support marking |
Industrial network event log (forensic analysis) |
| OT (Traffic Monitor) network anomaly detector |
Full coverage |
| mp.si.2 Cryptography |
PKI infrastructure |
|
|
| mp.si.3 Custody |
Equipment protection diagnostics |
| Deployment, implementation and training of anti-malware technology for OT environments |
Full coverage |
| Security analysis and audit of industrial networks & SCADA |
Full coverage |
| mp.si.4 Transport |
WI-FI control, Network communications control, Network integrity control, Data Protection |
| Installation, deployment and commissioning of industrial DPI firewalls |
Partial coverage |
| Installation, deployment and commissioning of Data Diode |
Partial coverage |
| Deployment and commissioning of network electronics for secure remote access for OT |
Partial coverage |
| Deploying solutions for change management in OT environments |
Partial coverage |
| Firewall DPI Tofino Xenon |
Partial coverage |
| EdgeIPS (Firewall DPI) con Virtual Patching |
Partial coverage |
| Fox-IT EAL7+ data diode |
Partial coverage |
| mp.si.5 Erased and destruction |
Backup Policy |
| Deploying solutions for change management in OT environments |
Full coverage |
| Change management system for OT - MDT Autosave |
Full coverage |
| mp.sw.1 Application development |
Software usage control, Verify PLC integrity |
| Deployment of devices for whitelisting applications for OT |
Partial coverage |
| Deployment and commissioning of network electronics for secure remote access for OT |
Partial coverage |
| Deploying solutions for change management in OT environments |
Partial coverage |
| OT (Traffic Monitor) network anomaly detector |
Partial coverage |
| Change management system for OT - MDT Autosave |
Partial coverage |
| Whitelisting Applications - StellarEnforce for IT and OT |
Partial coverage |
| mp.sw.2 Acceptance and commissioning |
Cybersecurity assessment |
| Security analysis and audit of industrial networks & SCADA |
Full coverage |
| Level of maturity in industrial cybersecurity |
Full coverage |
| mp.info.1 Personal information |
Data Protection |
| Deploying solutions for change management in OT environments |
Full coverage |
| mp.info.2 Information qualification |
Use control policy |
|
|
| mp.info.3 Electronic signature |
PKI infrastructure |
|
|
| mp.info.4 Timestamps |
Security log, File integrity monitoring |
| Deployment of devices for whitelisting applications for OT |
Partial coverage |
| Deployment and commissioning of network electronics for secure remote access for OT |
Partial coverage |
| Security analysis and audit of industrial networks & SCADA |
Partial coverage |
| Secure remote access for OT environments |
Partial coverage |
| Change management system for OT - MDT Autosave |
Partial coverage |
| mp.info.6 Backup |
Backup system |
| Deploying solutions for change management in OT environments |
Full coverage |
| Change management system for OT - MDT Autosave |
Full coverage |
| Implementation of high availability and fault tolerance technologies in OT |
Full coverage |
| mp.s.1 E-mail protection |
Network communications control, Host-based firewall |
| Installation, deployment and commissioning of industrial DPI firewalls |
Partial coverage |
| Installation, deployment and commissioning of Data Diode |
Partial coverage |
| Deployment and commissioning of network electronics for secure remote access for OT |
Partial coverage |
| Firewall DPI Tofino Xenon |
Partial coverage |
| EdgeIPS (Firewall DPI) con Virtual Patching |
Partial coverage |
| Fox-IT EAL7+ data diode |
Partial coverage |
| LKREMOTE (RTU with integrated firewall) |
Full coverage |
| mp.s.2 Protection of web services and applications |
Device control |
| Deployment of devices for whitelisting applications for OT |
Full coverage |
| mp.s.3 Web browsing protection |
Network communications control, Host-based firewall |
| Installation, deployment and commissioning of industrial DPI firewalls |
Partial coverage |
| Installation, deployment and commissioning of Data Diode |
Partial coverage |
| Deployment and commissioning of network electronics for secure remote access for OT |
Partial coverage |
| Firewall DPI Tofino Xenon |
Partial coverage |
| EdgeIPS (Firewall DPI) con Virtual Patching |
Partial coverage |
| Fox-IT EAL7+ data diode |
Partial coverage |
| LKREMOTE (RTU with integrated firewall) |
Full coverage |
| mp.s.4 Denial of service protection |
Network communications control, Device control, Host-based firewall |
| Installation, deployment and commissioning of industrial DPI firewalls |
Partial coverage |
| Installation, deployment and commissioning of Data Diode |
Partial coverage |
| Deployment of devices for whitelisting applications for OT |
Partial coverage |
| Deployment and commissioning of network electronics for secure remote access for OT |
Partial coverage |
| Firewall DPI Tofino Xenon |
Partial coverage |
| EdgeIPS (Firewall DPI) con Virtual Patching |
Partial coverage |
| Fox-IT EAL7+ data diode |
Partial coverage |
| LKREMOTE (RTU with integrated firewall) |
Partial coverage |
| mp.info.5 Document cleaning |
Backup Policy |
| Deploying solutions for change management in OT environments |
Full coverage |
| Change management system for OT - MDT Autosave |
Full coverage |
