Industrial Cybersecurity & IEC 62443 Consulting in Germany and Switzerland

CRA Compliance. OT Security. Certification Readiness.

Industrial cybersecurity is no longer optional. Connected components and production facilities must meet the requirements of the Cyber Resilience Act (CRA). The IEC 62443 standard family provides a framework that supports implementation and gives guidance on how to achieve compliance. Companies that address cybersecurity in the early concept phases reduce operational risk, demonstrate quality and security awareness toward end customers, and thereby gain competitive advantages.


We help manufacturers, system integrators, and asset owners in Switzerland and across Europe to secure their industrial systems by taking a structured approach to IEC 62443, OT penetration testing, and CRA compliance.

Contact us for an IEC 62443 Security Review


Where OT Systems Face Challenges

In industrial assessments, we regularly encounter:

• Outdated firmware
• Embedded devices with default credentials
• Flat networks without trust boundaries
• Remote maintenance interfaces exposed beyond intended zones
• Communication protocols lacking authentication or integrity protection

Such vulnerabilities carry the risk of production disruptions, loss of manufacturing trade secrets, and, in the worst case, endangerment of human life.

Live testing and research show how embedded systems and industrial networks can be exploited when segmentation or authentication assumptions fail.

These challenges show why frameworks like the CRA and IEC 62443 are essential. Cyber resilience must be tested in real-world conditions, not assumed from diagrams.

Cyber Resilience Act & IEC 62443

The European Cyber Resilience Act (CRA) defines mandatory cybersecurity requirements for products with digital elements. Swiss companies exporting into the EU must demonstrate compliance.

The CRA defines what must be achieved. The IEC 62443 standard structures how to achieve it:

• Risk-based security architecture
• Security levels SL1 to SL4 based on attacker capability
• Zone and conduit segmentation models
• Technical component requirements
• Secure development lifecycle integration

Independent validation ensures both are met in practice.

Our Industrial Cybersecurity Services

Industrial cybersecurity requires technical depth and measurable results, not just theoretical compliance.

• Structured threat modeling for industrial systems
• Risk analysis aligned with IEC 62443-3-2
• Security Level definition SL1 to SL4
• Identification of architectural and operational gaps

• Review of zones and conduits design
• Defense-in-depth assessment
• Verification of implemented network segregation
• Validation of remote access boundaries

 

• Industrial protocol testing (IEC 61850, IEC 60870-5-104, MQTT, Modbus, OPC UA, and 2/3-wire serial protocols)
• Embedded firmware and hardware analysis
• Authentication and access control validation
• Controlled lateral movement simulation between zones

 

• Gap analysis against IEC 62443
• Evidence generation for audit readiness
• Technical remediation guidance
• Independent second opinion before certification

 

How We Work

We bridge real-world attack simulation and structured compliance alignment. This ensures your implementation withstands both audits and adversaries.

Compass Security has more than 25 years of cybersecurity experience securing internet-exposed systems, critical infrastructure, and embedded technologies.

Industrial cybersecurity requires a deep understanding of industrial processes, attacker capabilities, and regulatory expectations. Our work focuses on measurable resilience, not theoretical alignment.

  1. Conduct threat modeling and verify design choices
  2. Validate controls through hands-on testing
  3. Map findings to IEC 62443 requirements
  4. Deliver prioritized, actionable remediation guidance

Our goal is measurable risk reduction, not theoretical compliance.

We would be pleased to show you how we capture findings, assess them, and prioritize them for remediation.

Request IEC 62443 Analysis

Business Impact

Structured validation translates technical findings into measurable business risk reduction.

• Reduced likelihood of production downtime
• Improved resilience against ransomware and targeted attacks
• Clear roadmap toward CRA compliance
• Independent validation of implemented security controls
• Stronger credibility with partners and customers

Industrial cybersecurity protects availability, operational continuity, and market access.


Strengthen Your Industrial Cyber Resilience

If you require OT penetration testing, IEC 62443 consulting, or CRA compliance support, contact us: 

Get Expert Support

 

Hear directly from customers about their experience with our services: Testimonials

We are glad to answer your questions personally: Your contact person