IEC 62443 in Practice: Rolling Out OT Security Across 350+ Factories in 93 Countries

Knauf is a multinational manufacturer with approximately €16 billion in revenue. Its footprint is unique: more than 350 factories across 93 countries, grown through organic expansion and acquisitions.

This sparsely protected, legacy-dominated, highly heterogeneous environment faces a litany of challenges. First, attacks targeting OT are increasing, making industrial operations a new cyber frontier. Second, IT–OT convergence is expanding exposure to external threats. Lastly, the imperative for availability and operational readiness constrains which security measures are feasible: controls that are routine in IT, such as active scanning, patching on a fixed cadence or forced reboots, can take a production line down.

In response, Knauf Corporate Information Security was tasked with identifying and, where possible, mitigating the most critical risks by rolling out an appropriate security framework across all sites.
First, the team gathered internal and external expertise to draft an “OT Security Standard” based on IEC 62443 — the most comprehensive and internationally recognized framework for industrial automation and control systems. Through a collaborative effort involving more than 50 colleagues, the framework was subsequently tailored to Knauf’s specific requirements.

Senior business leadership asked the team to "test" the newly developed OT Security Standard in practice and to present the findings as a heat map of the resulting risk across the manufacturing environment. To that end, nine factories in nine countries were selected for a gap assessment. Over several months, the team visited each site. Using a standardized assessment framework and lightweight tools for network scanning and packet capture, each factory was evaluated across 16 security domains. The results were shared with senior manufacturing leadership and individual plant managers in a report containing the risk heat map, a summary of observations and the issues identified at each site.
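Because active probing can crash legacy controllers, OT gap assessments lean on packet capture from a mirror port and derive the asset picture passively. The following is an added example, not part of the talk or of Knauf's tooling: it parses a classic pcap with only the Python standard library, lists hosts that are addressed on common ICS service ports, and flags Modbus write function codes so the assessor can check whether the writing client is a known engineering host. The sample capture, every address in it and the port-to-protocol table are constructed for illustration.

```python
"""Passive OT asset inventory from a pcap capture (added example; sample data is constructed)."""
import socket
import struct
from collections import defaultdict

# Assumed port-to-protocol mapping for the sample; a real plant needs a longer table.
OT_PORTS = {502: "modbus-tcp", 102: "iso-tsap/s7comm", 44818: "ethernet-ip", 20000: "dnp3"}
MODBUS_FUNCS = {1: "read coils", 2: "read discrete inputs", 3: "read holding registers",
                4: "read input registers", 5: "write single coil", 6: "write single register",
                15: "write multiple coils", 16: "write multiple registers"}
MODBUS_WRITES = {5, 6, 15, 16}


def _tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip


def build_pcap(frames):
    """Wrap raw frames in a little-endian classic pcap (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def _parse_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]            # total_len drops any Ethernet padding
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, tcp[data_off:])


def parse_pcap(data):
    """Yield TCP flows from a classic pcap; refuses pcapng and non-Ethernet captures."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet link type supported")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        flow = _parse_tcp(data[off:off + incl_len])
        off += incl_len
        if flow:
            yield flow


def inventory(data):
    """Map (server_ip, port, protocol) -> clients seen, Modbus functions used, write count."""
    assets = defaultdict(lambda: {"clients": set(), "functions": set(), "writes": 0})
    for src, dst, _sport, dport, payload in parse_pcap(data):
        if dport not in OT_PORTS:
            continue                       # not an ICS service port (e.g. HTTP): ignore
        entry = assets[(dst, dport, OT_PORTS[dport])]
        entry["clients"].add(src)
        # MBAP header: tid(2) pid(2)=0 len(2) unit(1), then the function code byte
        if dport == 502 and len(payload) >= 8 and payload[2:4] == b"\x00\x00":
            fc = payload[7]
            entry["functions"].add(MODBUS_FUNCS.get(fc, f"fc{fc}"))
            if fc in MODBUS_WRITES:
                entry["writes"] += 1
    return dict(assets)


# Constructed sample: an HMI polling a PLC, an unexpected host writing a register,
# the same HMI talking S7comm to a second PLC, and unrelated HTTP traffic.
SAMPLE_PCAP = build_pcap([
    _tcp_frame("10.1.20.15", "10.1.20.50", 49152, 502, struct.pack("!HHHBBHH", 1, 0, 6, 1, 3, 0, 10)),
    _tcp_frame("10.1.99.7", "10.1.20.50", 49153, 502, struct.pack("!HHHBBHH", 2, 0, 6, 1, 6, 40, 1)),
    _tcp_frame("10.1.20.15", "10.1.20.51", 49154, 102, b"\x03\x00\x00\x07\x02\xf0\x80"),
    _tcp_frame("10.1.20.15", "10.1.20.60", 49155, 80, b"GET / HTTP/1.0\r\n\r\n"),
])


if __name__ == "__main__":
    for (server, port, proto), e in sorted(inventory(SAMPLE_PCAP).items()):
        flag = "  <-- writes seen: confirm the client is an authorised engineering host" if e["writes"] else ""
        print(f"{server}:{port} {proto} clients={sorted(e['clients'])} "
              f"functions={sorted(e['functions'])}{flag}")
```

Run against a real capture by replacing SAMPLE_PCAP with the file's bytes. The output is a starting point for the asset list and the zoning discussion, not a complete one: devices that were silent during the capture window, non-TCP protocols and vendor-specific ports will be missing, which is why the capture is paired with walkdowns and documentation review during the site visit.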

Finally, based on the assessment results, the most significant gaps are being addressed on a global scale. Given the breadth and technological diversity of the sites, the team chose to focus on people and processes first. Standard operating procedures are being created for the most security-critical activities. Templates are being drafted to harmonize practices across all sites. Training materials are being developed to strengthen security culture and raise awareness to an acceptable level. These measures are being combined into an onboarding package for rollout across business regions, with a proof of concept currently in development.

Learning objectives

  • Translate IEC 62443 into a company-specific OT security standard for heterogeneous, legacy environments, including how to tailor requirements and set realistic targets.
  • Design and run a scalable OT gap assessment using lightweight tooling and a 16-domain framework, then convert findings into a leadership-ready risk heatmap.
  • Operationalize results through people and process: build security-critical SOPs, harmonize templates, and develop training and onboarding packages that drive adoption and measurable risk reduction.

Speaker


Philipp Spangenberg
Philipp Spangenberg is an experienced professional with more than 12 years in Internal Audit, IT Audit, Data Analytics and Cybersecurity. He currently leads two teams of more than 10 security professionals in the areas of security services, NIS-2 implementation and OT Security.