Specialization
Cybersecurity-ready OT engineering
SCADA, PLC and HMI systems engineered to IEC 62443 — new build and brownfield.
Most OT cybersecurity problems are not detected in operation — they are introduced during engineering. A PLC connected without segmentation, an HMI with shared accounts, a SCADA project built on an unsupported OS: each becomes a finding the day an auditor walks in, and a risk every day before that.
APARA engineers OT systems differently. Segmentation, role-based access, hardened baselines, governed patching and auditability are designed into the system from the first network diagram — not added afterwards. For systems already in operation, the same principles guide the upgrade path.
New-build SCADA / PLC / HMI
- Zone-and-conduit architecture designed per IEC 62443-3-2, with documented Security Level Targets (SL-T) for each zone.
- Segmented network design with explicit conduit definitions, deny-by-default rules, and IT/OT boundary controls aligned to client IT governance.
- Hardened baselines for Windows servers (Server 2022/2025), SCADA runtime (Zenon LTS), and engineering workstations — minimised services, current patches, supported versions only.
- PLC and controller configurations engineered against IEC 62443-4-2 component requirements — including Siemens S7-400H/1500, redundant CPU configurations, and CP communication processor hardening.
- HMI and operator station design with role-based access, no shared accounts, session controls, and full audit logging.
- Secure remote access via PAM / jump-host architectures with MFA — never uncontrolled vendor tunnels.
- Evidence-driven FAT and SAT with cybersecurity test cases embedded in the acceptance protocol, not bolted on at the end.
Brownfield upgrades and hardening
- As-found cybersecurity assessment of the existing SCADA/PLC/HMI estate, mapped to IEC 62443-3-3 system requirements.
- SCADA platform modernisation — version upgrades (e.g. Zenon legacy → Zenon LTS), OS migration to supported baselines, redundancy review.
- PLC and RTU hardening — firmware uplift, configuration audit, removal of unused services and protocols, compensating controls where the device cannot be fully upgraded.
- Network re-segmentation — introducing zones and conduits into a flat OT network without breaking operations.
- Patch and vulnerability governance — classification, staging, controlled deployment, rollback readiness, vendor advisory tracking (IEC 62443-2-3 aligned).
- Build-before-flight methodology — lab-based validation of every change before it touches production. Cutover is reversible. Operations come first.
Vendor expertise & credentials
SCADA
COPA-DATA Zenon — APARA BV is listed as a COPA-DATA Bronze Partner (Netherlands) in the COPA-DATA partner community. Proven legacy-to-LTS conversion experience and offshore brownfield delivery.
PLC / RTU
Siemens S7-300 / 400 / 400H / 1500, ET200SP remote I/O, SICAM AK3 and SICAM A8000 — including legacy hardening and migration planning.
Protection & substation automation
SEL (Schweitzer Engineering Laboratories) protection relays, RTAC, axion controllers, and IEC 61850-based substation automation. APARA is a qualified supplier of SEL and delivers SEL-based solutions to end customers.
Network & security
IEC 60870-5-104, Modbus TCP, IEC 61850, OT firewalls, PAM / Bastion Host architectures, segmented switching.
Standards
IEC 62443 (all parts), NIS2 / Cyberbeveiligingswet, ENS, ISO 27001.
Conformance evidence — IEC 62443-2-4 Readiness Assessment
- Self-Conformance Workbook — all 123 Service Provider requirements (SP.01 through SP.12), scored at Base Requirement and Requirement Enhancement level.
- Statement of Conformance — one-page management summary identifying achieved maturity by SP domain.
- Evidence Index — document-by-document map showing which existing policies and records satisfy which requirements.
- Gap-closure roadmap — prioritised, with realistic timelines to reach your target maturity level.
Delivered in four weeks (indicative for organisations up to ~50 FTE; larger scopes by quotation). APARA operates as an IEC 62443-2-4 Integration Service Provider and has applied the same workbook to ourselves — so we deliver this as practitioners, not consultants.
Plan your IEC 62443 path
Talk to our OT cybersecurity engineers about new-build design, brownfield hardening, or a 4-week readiness assessment.
Get in touch