CASE STUDY
CYBERSECURITY BUILT INTO A GREENFIELD CHEMICAL PLANT FROM DAY ONE
How a new chemical manufacturing facility embedded ISA/IEC 62443-aligned cybersecurity into its DCS and ESD systems before commissioning, eliminating the compliance gaps and security debts that typically emerge when security is added after design.
| Challenge | Solution | Result |
|---|---|---|
| New DCS/ESD and OT systems with no cybersecurity baseline or defined Security Levels | Eight-phase OT cyber assurance process from architecture validation through commissioning oversight | DCS/ESD systems commissioned at required Security Levels with no post-commissioning rework |
| Risk of misaligned safeguards, insecure configuration, and compliance gaps at commissioning | CyberPHA and DLRA identifying credible threats and residual risk across all OT zones | Cybersecurity embedded in design, procurement, FAT/SAT, and commissioning workflows |
| Need to validate OT architecture and define requirements before engineering was locked | ISA/IEC 62443 Cybersecurity Requirements Specification (CSRS) for all engineering and procurement | Reduced likelihood of cyber-induced process disruption or safety impacts from day one of operations |
Project Background
A greenfield chemical manufacturing facility was commissioning new DCS and emergency shutdown (ESD) systems, with Level 2 and below OT infrastructure spanning multiple new process units. The project team recognized early that cybersecurity requirements needed to be established before engineering and procurement decisions, rather than after. Without a structured framework, the facility risked entering operations with security gaps built into architecture, configuration, and the vendor supply chain, gaps that would prove significantly more expensive and complex to resolve post-commissioning. To address this, the organization engaged Arista Cyber to develop a standards-aligned cybersecurity assurance programme covering the entire project lifecycle.
A New Facility, New Systems, and No Security Baseline to Build From
The project presented a challenge common in greenfield industrial construction: the window to embed cybersecurity into design decisions is narrow, and the pressure to progress engineering and procurement ahead of security requirements is significant. Once DCS and ESD vendor selection, network architecture, and zone design decisions are locked, retrofitting security controls becomes costly and operationally disruptive.
The facility needed to validate its OT architecture against security best practices, assess credible cyber threats and vulnerabilities across the new systems, establish target Security Levels (SL-T) and achievable Cyber Security Levels (CyberSL) for each OT zone, and define cybersecurity requirements that engineering and procurement teams could act on. Without this structured input, the project risked misaligned safeguards between what the design assumed and what the vendors delivered, insecure default configurations in SCADA and DCS systems that would persist into operations, and compliance gaps under ISA/IEC 62443 that would require expensive remediation after startup.
The project team had a clear objective: build the cybersecurity case into the plant, not onto it.
An Eight-Phase Assurance Programme from Architecture Review to Commissioning Validation
Arista Cyber implemented a structured eight-phase OT cyber assurance programme that followed the project from architecture validation through commissioning, ensuring that cybersecurity requirements were embedded at every stage where they could influence design and procurement outcomes.
Architecture and Segmentation Validation
The OT zone and conduit design was reviewed against ISA/IEC 62443 requirements, confirming that the network segmentation model, asset inventory, and data flow design were appropriate for the risk profile of the facility.
Asset Identification and Criticality Mapping
DCS and ESD assets were mapped to their process and safety functions, establishing a criticality baseline that informed the threat and risk analysis to follow.
CyberPHA and DLRA
A Cyber Process Hazard Analysis and Device-Level Risk Assessment were conducted, systematically identifying credible threats, vulnerabilities in the planned system configuration, and high-consequence attack scenarios across the OT environment.
Cyber Risk Evaluation
Inherent and residual risk levels were calculated for each identified scenario, and mitigations were prioritized based on risk reduction impact and implementation feasibility within the project schedule.
Security Level Verification
Target Security Levels (SL-T) were set for each OT zone, and achievable Cyber Security Levels (CyberSL) were confirmed per ISA/IEC 62443, establishing the performance baseline that vendors and engineering teams were required to meet.
Cybersecurity Requirements Specification (CSRS)
Structured ISA/IEC 62443 requirements were developed covering all OT systems, zones, and conduits. The CSRS was issued to engineering and procurement teams as a binding design requirement, ensuring that vendor selections and system configurations reflected the defined Security Levels.
Delivery and Validation
Reports and specifications were issued to the project team, and secure implementation was verified against the defined requirements before site acceptance.
Commissioning Oversight
Arista Cyber validated secure configuration of all OT systems during commissioning, confirming that final delivered systems met the Security Level requirements and that no configuration gaps had been introduced during integration and testing.
A Fully Compliant, Security-Embedded OT Environment Ready for Reliable Operations
The client received a comprehensive OT cybersecurity assurance package for all new process units. DCS and ESD systems were commissioned at the required Security Levels, with configuration and architecture validated against the CSRS requirements throughout the project. No security rework was required post-commissioning because the requirements had been defined, specified, and verified progressively across the project lifecycle.
The DLRA and CyberPHA provided the project team and operations management with full visibility into the credible cyber risks facing the new facility, the safeguards in place to address them, and the residual risk profile at startup. The CSRS gave engineering and procurement teams clear, actionable requirements that translated directly into vendor selection criteria, FAT and SAT test cases, and commissioning validation checkpoints.
The facility entered operations with cybersecurity embedded in its design, its configuration, and its operational governance, rather than as a post-commissioning remediation project. The reduced likelihood of cyber-induced process disruption or safety impacts from the first day of operations represented a material reduction in both operational and reputational risk for the organization.
Who Should Engage Arista Cyber?
IT and OT leaders in industrial and critical infrastructure operations who want assurance, resilience, and measurable security outcomes.
What's The Next Step?
- Schedule a Cyber Risk Assessment
- Conduct an Executive Workshop
- Start OT Security Roadmap Planning
Building a new facility or integrating new OT systems? Contact Arista Cyber to embed cybersecurity from the design phase forward.