Specialization

Cybersecurity-ready OT engineering

SCADA, PLC and HMI systems engineered to IEC 62443 — new build and brownfield.

Most OT cybersecurity problems are not detected in operation — they are introduced during engineering. A PLC connected without segmentation, an HMI with shared accounts, a SCADA project built on an unsupported OS: each becomes a finding the day an auditor walks in, and a risk every day before that.

APARA engineers OT systems differently. Segmentation, role-based access, hardened baselines, governed patching and auditability are designed into the system from the first network diagram — not added afterwards. For systems already in operation, the same principles guide the upgrade path.

New-build SCADA / PLC / HMI

  • Zone-and-conduit architecture designed per IEC 62443-3-2, with documented Security Level Targets (SL-T) for each zone.
  • Segmented network design with explicit conduit definitions, deny-by-default rules, and IT/OT boundary controls aligned to client IT governance.
  • Hardened baselines for Windows servers (Server 2022/2025), SCADA runtime (Zenon LTS), and engineering workstations — minimised services, current patches, supported versions only.
  • PLC and controller configurations engineered against IEC 62443-4-2 component requirements — including Siemens S7-400H/1500, redundant CPU configurations, and CP communication processor hardening.
  • HMI and operator station design with role-based access, no shared accounts, session controls, and full audit logging.
  • Secure remote access via PAM / jump-host architectures with MFA — never uncontrolled vendor tunnels.
  • Evidence-driven FAT and SAT with cybersecurity test cases embedded in the acceptance protocol, not bolted on at the end.

Brownfield upgrades and hardening

  • As-found cybersecurity assessment of the existing SCADA/PLC/HMI estate, mapped to IEC 62443-3-3 system requirements.
  • SCADA platform modernisation — version upgrades (e.g. Zenon legacy → Zenon LTS), OS migration to supported baselines, redundancy review.
  • PLC and RTU hardening — firmware uplift, configuration audit, removal of unused services and protocols, compensating controls where the device cannot be fully upgraded.
  • Network re-segmentation — introducing zones and conduits into a flat OT network without breaking operations.
  • Patch and vulnerability governance — classification, staging, controlled deployment, rollback readiness, vendor advisory tracking (IEC 62443-2-3 aligned).
  • Build-before-flight methodology — lab-based validation of every change before it touches production. Cutover is reversible. Operations come first.

Vendor expertise & credentials

SCADA

COPA-DATA Zenon — APARA BV is listed as a COPA-DATA Bronze Partner (Netherlands) in the COPA-DATA partner community. Proven legacy-to-LTS conversion experience and offshore brownfield delivery.

PLC / RTU

Siemens S7-300 / 400 / 400H / 1500, ET200SP remote I/O, SICAM AK3 and SICAM A8000 — including legacy hardening and migration planning.

Protection & substation automation

SEL (Schweitzer Engineering Laboratories) protection relays, RTAC, axion controllers, and IEC 61850-based substation automation. APARA is a qualified supplier of SEL and delivers SEL-based solutions to end customers.

Network & security

IEC 60870-5-104, Modbus TCP, IEC 61850, OT firewalls, PAM / Bastion Host architectures, segmented switching.

Standards

IEC 62443 (all parts), NIS2 / Cyberbeveiligingswet, ENS, ISO 27001.

Conformance evidence — IEC 62443-2-4 Readiness Assessment

  • Self-Conformance Workbook — all 123 Service Provider requirements (SP.01 through SP.12), scored at Base Requirement and Requirement Enhancement level.
  • Statement of Conformance — one-page management summary identifying achieved maturity by SP domain.
  • Evidence Index — document-by-document map showing which existing policies and records satisfy which requirements.
  • Gap-closure roadmap — prioritised, with realistic timelines to reach your target maturity level.

Delivered in four weeks (indicative for organisations up to ~50 FTE; larger scopes by quotation). APARA operates as an IEC 62443-2-4 Integration Service Provider and has applied the same workbook to ourselves — so we deliver this as practitioners, not consultants.

Plan your IEC 62443 path

Talk to our OT cybersecurity engineers about new-build design, brownfield hardening, or a 4-week readiness assessment.

Get in touch
Get in touch