Operational Technology (OT) Cyber Security Solutions

Safeguarding operational technology (OT) environments, and protecting the critical assets and technologies that monitor and manage cyber-physical systems (CPS) infrastructure, is listed as the top risk for Critical National Infrastructure organisations.

Operational Technology refers to hardware and software that detects or causes changes through direct monitoring and control of physical devices, processes, and events. As industries increasingly rely on OT systems, cybersecurity has become crucial to protect these systems from threats and vulnerabilities.

With vast and varied experience in applying asset management to Operational Technology, Industrial Control Systems, Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS) in the Cyber Assessment Framework (CAF), our teams prioritise reliability and availability to ensure that your operations run smoothly and securely, protecting your organisation’s critical infrastructure against malware attacks, unauthorised access and insider threats.

Our core OT cyber security services

Our cyber security expertise for operational technology, ICS, SCADA and DCS includes:

  • NIS compliance
  • Cyber Assessment Framework (CAF)
  • OT Security Consulting
  • OT Security Awareness Training
  • OT/ICS/DCS/SCADA Asset Management
  • IT/OT Convergence
  • Cyber Risk Analysis
  • Vulnerability Management
  • Incident Planning & Response
  • Systems Resilience
  • Compliance

OT (Operational Technology) security

OT security, including ICS, SCADA and DCS security, refers to the protection of hardware and software systems that detect or control physical devices, processes, and events in industrial environments.

It encompasses a broad range of technologies, including manufacturing equipment, energy systems, and building management systems. The focus is on securing the visibility, reliability, availability and safety of these systems, which are critical for operational efficiency and risk mitigation.

How we can help:

Sweco have unparalleled knowledge of OT, ICS, SCADA & DCS in the UK Utilities Critical National Infrastructure (CNI) environment. Our understanding of the end-to-end technology and processes, from instrumentation through to the regulatory drivers and business needs, gives us the ability to advise and guide clients on how to enhance their industrial cyber security.

Our onshore UK&I model is one that provides basic security clearance as a minimum for all of our staff and higher clearance levels as required, to give clients that added reassurance.

ICS (Industrial Control Systems) security

ICS Security is a component of OT Security which specifically focuses on the protection of Industrial Control Systems – these include local area network communication systems, PLCs, HMIs, switches, measurement and controlling devices.

ICS Security emphasises safeguarding these systems from cyber threats, ensuring that the data integrity, confidentiality, and availability of control processes are maintained. It often involves compliance with specific regulations and standards tailored to industrial environments (see below for our regulations guidance).

While all ICS Security falls under the broader umbrella of OT Security, not all OT Security is specifically focused on ICS.

SCADA (Supervisory Control and Data Acquisition) cyber security

SCADA provides a real-time control interface to adjust, for example, set points held in an ICS. SCADA security is centred on protecting these real-time systems, which are essential for automating and managing complex industrial processes such as energy, water, and manufacturing.

This specialised area of cyber security addresses the unique vulnerabilities of SCADA systems, which often involve remote monitoring and control of critical infrastructure. Key measures include securing communication protocols, implementing access controls, and conducting regular vulnerability assessments to safeguard against threats that could disrupt operations or compromise sensitive data. Risk analysis considers Organisational, People, Physical and Technology controls.

SCADA utilises IT technology (e.g. Windows OS computers) to interface with OT technologies (e.g. Programmable Logic Controllers). Protection and management of vulnerabilities inherent in SCADA devices operating in an OT environment requires industrial, product and operational experience as well as IT/OT skills and knowledge.

How we can help:

Sweco teams have worked with several utilities to assess their OT security and the vulnerabilities of their SCADA systems. For one major UK water company, we developed a risk-based approach considering thousands of installations and incorporating a geospatial dashboard to provide business leaders with an overview and easy access to drill into detail. During its annual Cyber Assessment Framework audit, the regulator, the Drinking Water Inspectorate, highlighted the approach as best practice in the sector.

Cyber security laws, regulations, standards and guidance

In the United Kingdom, several laws and regulations are relevant to cybersecurity. These laws and regulations aim to protect data, ensure privacy, and secure critical infrastructure. The following are key cybersecurity laws and regulations to be aware of, with a focus on Industrial Control Systems (ICS) security.

Network and Information Systems Regulations 2018 (NIS Regulations)

These regulations aim to improve the security of network and information systems across the UK. They apply to operators of essential services (OES) such as energy, water, transport, and health sectors, and digital service providers (DSPs). ICS operators in these sectors must implement appropriate security measures and report significant incidents.

NOTE: For the Republic of Ireland and all other EU countries, the NIS Directive (NISD) is the applicable regulation; this was updated in 2024 to become the NIS2 Directive. It includes all Operators of Essential Services (OES) as described in NIS.

Cyber Assessment Framework (CAF)

Developed by the NCSC to meet the requirements of NIS, the CAF provides a structured approach for organisations to assess their cybersecurity posture. The CAF helps organisations identify and manage cybersecurity risks, implement appropriate security measures, and ensure compliance with regulatory requirements.

Security and Emergency Measures Direction (SEMD)

This applies to the water industry in the UK and requires water and wastewater undertakers to implement security measures to protect their infrastructure from threats, including cyber threats. The SEMD mandates that water companies develop and maintain security plans, conduct risk assessments, and implement measures to mitigate identified risks.

ISO/IEC 27001 and ISO/IEC 27019

These international standards provide a framework for information security management systems (ISMS). ISO/IEC 27019 specifically addresses information security management guidelines for process control systems used in the energy industry, which can be applied to other ICS environments.

IEC 60870

This series of standards covers telecontrol, teleprotection, and associated telecommunications for electric power systems. These standards define protocols for communication between control systems and remote terminal units (RTUs) or intelligent electronic devices (IEDs) in supervisory control and data acquisition (SCADA) systems.

Worldwide Information Telemetry Systems (WITS)

WITS is built upon the DNP3 protocol, which is widely used in industrial control systems for reliable and secure communication. DNP3 provides the foundation for data transmission, ensuring that telemetry data can be communicated accurately and efficiently over various types of networks. WITS has primarily been applied in the water and wastewater industries.

National Protective Security Authority (NPSA)

NPSA provides guidance and best practices for protecting national infrastructure, including ICS. They offer resources on physical and cybersecurity measures for ICS operators.

National Cyber Security Centre (NCSC)

The NCSC provides guidance, best practices, and incident response support for securing ICS. They offer specific resources for ICS operators to enhance their cybersecurity posture.

Health and Safety at Work etc. Act 1974

This act places a duty on employers to ensure the health and safety of their employees and the public. For ICS operators, this includes ensuring the security and safety of control systems to prevent incidents that could harm people or the environment.

Control of Major Accident Hazards (COMAH) Regulations 2015

These regulations apply to operators of industrial sites with hazardous substances. ICS operators must implement measures to prevent major accidents, including cybersecurity measures to protect control systems.

OT cyber security risk assessment

Conducting a risk assessment is critical for identifying vulnerabilities and implementing appropriate security measures. Key components of a Sweco risk assessment include:

  1. Identifying Assets: Cataloguing all OT assets and their importance.
  2. Assessing Vulnerabilities: Evaluating weaknesses in the systems.
  3. Evaluating Threats: Identifying potential threats that could exploit vulnerabilities.
  4. Determining Impact: Analysing the consequences of a successful attack.
  5. Mitigation Strategies: Developing strategies to reduce risks.

Our key risk assessments

  • NIS2 (impact) assessment
  • NISR risk assessment
  • NISD risk assessment
  • CAF risk assessment
  • SCADA risk assessment
  • ICS risk assessment