Information-Centric Adoption and Use of Standard Compliant DevSecOps for Operational Technology: From Experience to Design Principles

This article is free to access.

Abstract

Secure and agile development of operational technology (OT) and related software in industry is a crucial but challenging issue. Generally recognized standards such as IEC 62443-4-1 set out the requirements for cybersecurity processes in OT and software development. The main challenge of IEC 62443-4-1 lies in its adoption and implementation in practice, and originates from the standard’s complexity. We propose three novel design principles and two subsequent design objectives to be prioritized in future design-research-oriented work on standard-compliant DevSecOps. The design principles were formed after six years of experience and observations in cybersecurity consulting in industry, documented here as a piece of action design research (ADR). As a case study, we describe the instantiation of the design principles at Valmet Automation Systems, one of the earliest IEC 62443-4-1-certified companies. Taken together, the proposed design principles suggest an information-centric view of the contextual adoption and use of the IEC 62443-4-1 standard in DevSecOps practices for OT.

Cite

Haverinen, H., Päivärinta, T., Vänskä, J., & Joutsijoki, H. (2024). Information-Centric Adoption and Use of Standard Compliant DevSecOps for Operational Technology: From Experience to Design Principles. In Lecture Notes in Business Information Processing (Vol. 500 LNBIP, pp. 400–415). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-53227-6_28
