Iñaki Eguia
Hewlett Packard Enterprise (Spain)
Compliance vs. Risk Analysis for the Development of Novel Reference Security Architectures Beyond the Purdue Model in Industry
In industry, various regulations and standards (NCA-OTCC, 62443, ISA-TR84-00-09-Part-1, NISTIR) establish a series of controls. Risk analysis methodologies and compliance approaches are both based on these controls but pursue different objectives. Risk analysis addresses cybersecurity from its core (system vulnerabilities), although the approach may not always be as structured. Compliance, on the other hand, relies primarily on checklists or control-based frameworks to identify gaps in a system. Compliance methods are generally more formal and provide greater certainty to the industry, as they align better with the overall risk framework managed by the organization, which is closely aligned with safety. For this reason, compliance is more widely adopted. However, risk analysis delves deeper into actual vulnerabilities, allowing for the formulation of new requirements. This leads to the redesign of cybersecurity with more practical approaches, resulting in the development of novel architectures that go even beyond reference models such as the Purdue Model in the case of OT.
Several examples from the chemical industry, which operates dozens of sites/plants worldwide, will be presented.
Risk: Remote multi-account access by OT vendors providing cloud services to L2 for managing DCS systems (Honeywell or Yokogawa).
Novel Architecture: Implementation of OT Landing Zones to enable secure external management by vendors.
Risk: Control system alert mechanisms in plants do not encrypt or classify the information sent via email to the corporate network, potentially allowing legitimate messages to be compromised if the source is breached.
Novel Process/Architecture: Creation of a standardized process across multiple plants that enables encryption in legacy systems, based on the identification of common risks among subsidiaries.