The industrial world is rapidly changing, and industrial equipment now needs to be compliant with various cyber security regulations in addition to having a lifetime that often spans decades. For the manufacturers of industrial machinery, the risk of losing market share or incurring financial penalties due to delayed action is extremely high. Combined with the tough cybersecurity job market of the EU, this leaves only a few options other than relying on the consultancy services of cyber security companies.
GEA chose DNV Cyber's hybrid alternative model, where DNV Cyber assists in the work to fulfil the cyber security obligations for the customer. At the same time, the customer's engineers are actively involved in the process. This approach allows building up in-house cyber security expertise while still meeting the strict cyber security compliance deadlines.
GEA Heating & Refrigeration Technologies Division is a global player in industrial cooling solutions. The company serves customers in the food, beverage, chemical, pharma, dairy processing, dairy farming, and marine industries. With a keen focus on sustainability, including the use of natural refrigerants, GEA’s comprehensive portfolio derives from decades of innovation and industry leadership in industrial refrigeration and heating.
GEA contacted DNV Cyber with a request to help secure their new proprietary platform GEA G-Plex®. G-Plex is an electronic module for monitoring and control of screw compressors. It provides built-in, automatic, optimal volume ratio (Vi) control and on-site and off-site monitoring of the compressor’s performance. This helps to reduce energy use while providing real-time information about the compressor's operating conditions.
The IEC 62443 compliance framework was chosen as the basis for the cyber security activities. Adhering to IEC 62443 requirements has the great benefit of providing a compliance base for most of the recently introduced cyber security regulations, such as NIS2 and CRA (Cyber Resilience Act).
After the initial analysis phase, it became clear that to facilitate the product’s compliance with IEC 62443-4-2 requirements, certain changes to the architecture of G-Plex had to be introduced and implemented. This resulted in the need for DNV Cyber to help with the secure development and architectural design process and assist with supplier communication on technical issues. DNV Cyber provided a customized architectural design complying with IEC 62443-4-1 Practice 3, per GEA’s requirements. The renewed design resulted in a state-of-the-art IEC 62443-4-2 compliant, fault-tolerant solution, utilizing secure containerization and provisioning for future hardware revisions.
The development was jointly performed by DNV Cyber security experts and GEA engineers. The objective of the development process was to have GEA engineers learn through hands-on development work.