Valmet shows commitment to cybersecurity with ISASecure® SSA certification

Jul 8, 2025 | Customer story, IEC62443, Product security

About Valmet

Valmet has a global customer base across various process industries. The company is a leading global developer and supplier of process technologies, automation, and services for the pulp, paper, and energy industries. With Valmet’s automation and flow control solutions, the company serves an even wider base of process industries. More than 19,000 Valmet professionals around the world work close to their customers every day.

The company has more than 225 years of industrial history and a strong track record in continuous improvement, sustainability, and renewal. Valmet’s net sales in 2024 were approximately EUR 5.4 billion. Valmet’s shares are listed on the Nasdaq Helsinki, and the head office is in Espoo, Finland.

Background

Valmet has been developing both their cybersecurity processes and the cybersecurity capabilities of Valmet DNA automation systems systematically for decades. Already in 2019, Valmet was one of the very first companies to receive an ISASecure® Secure Development Lifecycle Assurance (SDLA) certificate for their security development lifecycle process covering the then brand-new IEC 62443-4-1:2018 standard.

In 2024, Valmet launched Valmet DNAe, the world’s first fully web-based Distributed Control System (DCS). The Valmet DNAe automation system is inherently cybersecure by design. As a part of Valmet’s commitment to continuous cybersecurity improvement, Valmet wanted to have an external assessment conducted against the requirements of ISASecure® System Security Assurance (SSA), covering the ISA/IEC 62443-3-3:2013 standard.

Cyberismo consulting

As a leading technology company, Valmet works together with an ecosystem of partners. In the ISASecure® SSA certification project, Cyberismo consultants supported Valmet cybersecurity leaders and experts in the following areas.

  • Planning the SSA certification project together with the Valmet project manager
  • Designing cybersecurity technologies and requirements
  • Supporting the development teams with the Secure Development Lifecycle Assurance (SDLA), which is a part of the SSA certification
  • Supporting the product documentation and security testing teams in cybersecurity topics
  • Facilitating the certification process with the certifying company exida

Obtaining and maintaining an SSA certificate in the long term must be an integral part of the daily work in the development organisation. Therefore, the role of Cyberismo consulting was to support the Valmet leaders and experts in building a sustainable capability in the organisation.

Modern technology platform makes a big difference

The fact that Valmet DNAe is a new platform built on a unified set of modern technologies greatly simplified the certification process. Many horizontal security features, such as role-based access control, managing events and logs, installing and upgrading software, or taking backups, work similarly throughout the platform.

Another benefit of the modern technology stack was that we did not have to resort to compensating security mechanisms. Such mechanisms are commonly needed when legacy components lack the required capabilities, but we did not need them, because we were able to meet the requirements as they are stated in the standard throughout the platform.

What if you are planning to certify an existing product with a more diverse set of technologies? It is still definitely possible to meet the requirements of the IEC 62443-3-3 standard, but you should consider potential technology renewal and refactoring projects as a part of your certification journey.

It boils down to testing

The implementation of the SSA requirements must ultimately be verified by tests. A big part of the total work effort of an SSA certification project will be spent on testing, both security requirement testing and other kinds of testing that the SDLA process includes.

Many security requirements cannot be properly tested by observing how the product operates in a lab environment. For example, both deprecated and modern cryptographic algorithms produce similar random-looking octets in a Wireshark capture. The solution is to use static testing, or reviews of configuration or code. Static testing must be planned and executed in the same traceable way as dynamic testing.

Benefits of an ISASecure® SSA certification

If you are developing an industrial product, you might be tempted to skip the process of obtaining an official certification and only refer to an internal analysis of meeting the requirements of a standard. However, having seen the certification process from behind the scenes, we consider an official certification to deserve significantly more credibility than a self-assessment.

Obtaining an ISASecure® SSA or IEC 62443-3-3 certification:

  • Demonstrates that the system meets internationally recognized security requirements, even when reviewed rigorously
  • Builds trust with customers, partners, and regulators
  • Sets the product apart from the competition in the marketplace
  • Reduces the risks of non-compliance with the increasingly demanding cybersecurity regulations

Testimonial

We believe that building security into the very foundation of our systems is the most effective way to protect our customers in today’s evolving threat landscape. Valmet DNAe has now become the world’s first fully web-based DCS to reach system-level ISASecure SSA certification. I’m extremely proud of the Valmet DNAe team that made this happen. I’m very happy with how Cyberismo consultants worked as part of the Valmet DNAe team and helped us build the cybersecurity culture that ISASecure SSA certification requires.

Jukka Ylijoki, Vice President of R&D, Automation Systems, Valmet