Project Management in OT/ICS Projects with IEC 62443 and MITRE ATT&CK using Radiflow

   May 26, 2025 | Mario Esposito, Director of Technical Sales

What is Project Management in OT/ICS?

Project management in OT/ICS is the structured execution of engineering, automation, and cybersecurity initiatives within industrial environments.

These projects have a clear start and end point, and typically deliver a service or result, not just a product. In this context, managing an OT cybersecurity project aligned with IEC 62443 or NIS2 involves more than technical execution—it requires professional project governance across all five phases:

  1. Initiation – Defining the project scope, goals, and high-level risks.
  2. Planning – Developing the project plan, stakeholder engagement (via RACI), budgeting, and procurement strategy.
  3. Execution – Implementing technical tasks (e.g., deploying firewalls, segmenting networks).
  4. Monitoring & Control – Tracking schedule, cost (using EVM), and scope performance.
  5. Closure – Final validation, documentation, compliance reporting, and lessons learned.

This includes projects like:

  • Designing or upgrading SCADA/DCS systems
  • Implementing network segmentation or firewalls
  • Installing PLC/HMI systems
  • Deploying remote access or backup infrastructure
  • Aligning with IEC 62443, NIS2, or NERC CIP compliance

Unlike IT projects, OT/ICS project management must consider:

  • Safety-critical systems
  • Real-time process constraints
  • Legacy equipment
  • 24/7 plant operations
  • Strict change control and commissioning windows

It typically involves a mix of IT, engineering, OT personnel, and vendors, working under tight schedules and high uptime requirements.

Example Project

Goal: Define Success for Stakeholders

For project sponsors, success is not just "deploy firewalls" or "upgrade ICS." The true goal of an OT cybersecurity project is to mitigate cyber risk, meet compliance obligations, and improve resilience, while staying within scope, time, and budget.

Example goal statement: Deploy network segmentation and firewalls in a manufacturing site to meet IEC 62443-3-3 requirements, thereby reducing cyber risk exposure, securing regulatory approval, and achieving a Cost Performance Index (CPI) above 0.9.

Stakeholders & the RACI Matrix

OT projects often involve multiple parties: internal IT/OT teams, external vendors, engineering, and compliance personnel. Collectively, these are your stakeholders. To manage expectations and accountability, apply a RACI matrix:

  1. Responsible – Who executes the task?
  2. Accountable – Who owns the outcome?
  3. Consulted – Who provides input?
  4. Informed – Who needs to stay updated?

Using a RACI chart helps the Project Manager define roles clearly and reduces friction during execution and escalation.

Use of EVM – Emphasizing Scope Over Progress

When applying Earned Value Management (EVM), measure scope delivered rather than activity completed. Many projects look "busy" but deliver little actual value. For example:

"Only 35% of the defined scope was completed, even though 55% of the budget was spent."

This reframing promotes accountability and aligns with compliance requirements, where the metric is the actual implementation of a control (e.g., SR 5.2, zone boundary protection, for the firewall rules at each conduit), not task progress alone.


Why is EVM Important in OT/ICS Projects?

Earned Value Management (EVM) brings discipline and visibility to OT/ICS projects by linking schedule, budget, and progress into measurable indicators.

1. Tracks Cost and Schedule Together

  • Many ICS upgrades overrun because progress looks good on paper—until it’s too late.
  • EVM flags if you’re burning money faster than you’re delivering value (via CPI).
  • It also shows if work is behind plan (SPI), even when budget looks okay.

2. Connects Progress to Risk

  • In OT/ICS, delay equals risk (e.g., a delayed firewall deployment leaves control networks exposed).
  • EVM helps prioritize tasks tied to IEC 62443 security requirements or critical assets.
  • You can link EVM metrics to risk scores, e.g., "delays on SR 5.2 (zone boundary protection) increase exposure to T0886 (Remote Services)."

3. Helps with Compliance

  • Standards such as IEC 62443 and directives such as NIS2 require evidence of planning, tracking, and continuous improvement.
  • EVM gives auditable metrics to show you’re managing security investments properly.

4. Improves Vendor and Contractor Oversight

  • Many OT projects involve third parties.
  • EVM helps track deliverables, identify slowdowns, and hold vendors accountable with facts, not feelings.

In OT/ICS you do not get unlimited test environments or a rollback button, so you need to know whether the project is on track rather than guess. That is why EVM is essential.

Earned Value Management (EVM) is a proven method for tracking cost and schedule performance in complex projects. When applied to OT (Operational Technology) and ICS (Industrial Control Systems) environments, especially those governed by IEC 62443, EVM reveals where delays and overruns create security, operational, or compliance risk.


Key EVM Metrics (in Plain Terms)

  • ACWP (Actual Cost of Work Performed, also called Actual Cost, AC): what you have actually spent so far.
  • BCWP (Budgeted Cost of Work Performed, also called Earned Value, EV): the budgeted value of the work actually completed.
  • BCWS (Budgeted Cost of Work Scheduled, also called Planned Value, PV): the budgeted value of the work that should have been completed by now.
  • BAC (Budget at Completion): the full project budget.


These metrics let you track:

  • Schedule Variance (SV) = BCWP − BCWS (negative means behind schedule)
  • Cost Variance (CV) = BCWP − ACWP (negative means over budget)
  • SPI (Schedule Performance Index) = BCWP / BCWS (below 1.0 means behind schedule)
  • CPI (Cost Performance Index) = BCWP / ACWP (below 1.0 means over budget)
  • EAC (Estimate at Completion) = BAC / CPI, the forecast total cost if the current cost efficiency persists


Example: EVM in a Real OT/ICS Project

Project goal: Deploy network segmentation and firewalls in a manufacturing site to meet IEC 62443-3-3 requirements.

  • Total Budget (BAC): €200,000
  • Mid-project status (month 2):
    • BCWS: €100,000 (planned 50% completion)
    • BCWP: €70,000 (actual 35% completion)
    • ACWP: €110,000 (overspent)

Results:

  • SV: –€30,000 → behind schedule
  • CV: –€40,000 → over budget
  • SPI: 0.70 → only 70% of the planned work has been completed
  • CPI: 0.64 → every euro spent delivers just €0.64 of value


IEC 62443 Security Mapping

Delays in this OT project directly delay the implementation of critical IEC 62443-3-3 system requirements (SRs). The requirement numbers below are the ones defined in IEC 62443-3-3:

IEC SR  | Requirement                                                    | Exposure while the control is missing
SR 5.1  | Network segmentation                                           | Unrestricted data flow between zones
SR 5.2  | Zone boundary protection (firewalls at conduits)               | No control over traffic crossing zone boundaries
SR 1.2  | Software process and device identification and authentication | Unverified device access
SR 1.13 | Access via untrusted networks                                  | Remote access to critical systems without enforced controls


MITRE ATT&CK for ICS Risk Mapping

Delaying segmentation and firewall deployment leaves the OT environment exposed to the following techniques (IDs as assigned in MITRE ATT&CK for ICS):

Technique ID | Name                            | Exposure Risk                                                      | IEC Link
T0886        | Remote Services                 | Remote access pivots into the control network                      | SR 5.2
T0859        | Valid Accounts                  | Legitimate credentials enable lateral movement                     | SR 1.2
T0822        | External Remote Services        | VPNs and DMZ services become breach vectors                        | SR 1.13
T0885        | Commonly Used Port              | Predictable traffic crosses zones unfiltered and is easily scanned | SR 5.1
T0866        | Exploitation of Remote Services | Potential remote code execution on exposed services                | SR 5.2
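The EVM formulas, the month-2 figures of the worked example, and the two mapping tables can be tied together in a small calculator that rolls work-package status up to project-level indicators and reports which requirements are still uncovered because the packages implementing them are late. The following is an added example, not code from this article or from the CIARA product: the work-package breakdown, zone names, percent-complete figures and costs are constructed so that the totals reproduce the €200,000 / €100,000 / €70,000 / €110,000 example, and the SR numbers and technique IDs follow IEC 62443-3-3 and MITRE ATT&CK for ICS (SR 5.2 zone boundary protection, T0886 Remote Services, and so on).

```python
# Added example (not from the article or the CIARA product): EVM roll-up
# with per-work-package links to IEC 62443-3-3 SRs and ATT&CK for ICS
# techniques, so that a schedule slip can be read as an exposure list.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class WorkPackage:
    """One WBS line with its EVM inputs to date (EUR)."""
    name: str
    budget: float            # share of BAC allocated to this package
    bcws: float              # planned value: budget that should be earned by now
    percent_complete: float  # physical completion, 0.0..1.0 (not hours burned)
    acwp: float              # actual cost charged so far
    srs: tuple = ()          # IEC 62443-3-3 SRs this package implements
    techniques: tuple = ()   # ATT&CK for ICS techniques it mitigates

    @property
    def bcwp(self) -> float:
        """Earned value: package budget x physical percent complete."""
        return self.budget * self.percent_complete

    @property
    def spi(self) -> Optional[float]:
        """Package-level SPI, or None when nothing was planned yet."""
        return self.bcwp / self.bcws if self.bcws else None


# Constructed sample data (an assumption, not from the article) chosen so the
# totals match the article's month-2 example: BAC 200k, BCWS 100k, BCWP 70k,
# ACWP 110k. Package names and zone assignments are likewise assumed.
PACKAGES = (
    WorkPackage("Zone and conduit design", 40_000, 40_000, 1.00, 45_000,
                srs=("SR 5.1",), techniques=("T0885",)),
    WorkPackage("Conduit firewall deployment", 80_000, 40_000, 0.25, 45_000,
                srs=("SR 5.2",), techniques=("T0886", "T0866")),
    WorkPackage("Remote access hardening", 50_000, 20_000, 0.20, 20_000,
                srs=("SR 1.2", "SR 1.13"), techniques=("T0822", "T0859")),
    WorkPackage("Validation and compliance report", 30_000, 0, 0.0, 0),
)


def evm_summary(packages=PACKAGES) -> dict:
    """Project-level EVM indicators from the work-package roll-up."""
    bac = sum(p.budget for p in packages)
    bcws = sum(p.bcws for p in packages)
    bcwp = sum(p.bcwp for p in packages)
    acwp = sum(p.acwp for p in packages)
    spi = bcwp / bcws if bcws else 1.0
    cpi = bcwp / acwp if acwp else 1.0
    return {
        "BAC": bac,
        "BCWS": bcws,
        "BCWP": bcwp,
        "ACWP": acwp,
        "SV": bcwp - bcws,  # negative: behind schedule
        "CV": bcwp - acwp,  # negative: over budget
        "SPI": spi,         # below 1.0: behind schedule
        "CPI": cpi,         # below 1.0: over budget
        # Estimate at completion if the current cost efficiency persists.
        "EAC": bac / cpi if cpi else float("inf"),
        "cpi_target_met": cpi >= 0.9,  # the sponsor target from the goal statement
    }


def exposed_controls(packages=PACKAGES, spi_threshold=1.0) -> list:
    """Late packages with the SRs and techniques they leave uncovered.

    A package with no planned value yet (bcws == 0) cannot be late and is
    skipped; a started package earning less than planned is reported,
    worst SPI first.
    """
    late = []
    for p in packages:
        if p.spi is not None and p.spi < spi_threshold:
            late.append({
                "package": p.name,
                "SPI": round(p.spi, 2),
                "open_srs": list(p.srs),
                "exposed_techniques": list(p.techniques),
            })
    return sorted(late, key=lambda r: r["SPI"])


if __name__ == "__main__":
    summary = evm_summary()
    for key, value in summary.items():
        print(f"{key:>14}: {round(value, 2) if isinstance(value, float) else value}")
    for row in exposed_controls():
        print(row)
```

Percent complete is physical completion (firewall rules deployed and verified at a conduit), not hours burned; feeding effort instead of scope into `percent_complete` is exactly the "busy but not delivering" failure the article warns about, and it would silently inflate BCWP and both indices.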

Make it easy with Radiflow

CIARA isn’t just a risk management tool; it’s a security management platform, project tracking system, and cost optimization solution. By tracking schedule and cost performance alongside IEC 62443 maturity and known threat vectors (via MITRE ATT&CK), you gain a comprehensive view of project health, risk, and compliance posture.

The Radiflow CIARA Risk Prioritization and Compliance Platform combines:

  • EVM metrics
  • IEC 62443 control mapping
  • MITRE ATT&CK insights

…to create a smarter, more secure OT cybersecurity program.

Mapping project progress and costs with CIARA’s risk-based asset and control assessments is straightforward. CIARA is designed for IEC 62443-aligned risk assessments, so integrating EVM offers measurable tracking for implementation.

Step 1: Map Security Projects to Risk Treatments in CIARA.

In CIARA, each risk treatment (e.g., segmenting a network, implementing SR 5.2 zone boundary protection, hardening remote access) becomes a trackable project activity.

Step 2: Use EVM to Drive CIARA Prioritization.

CIARA allows you to score threats and residual risk based on control effectiveness. EVM adds a real-world performance view of how implementation is actually going. For example:

Risk Area                     | CIARA Prioritization | EVM View             | Target
Remote Access (T0822)         | Medium risk          | CPI = 0.6, SPI = 0.7 | Zone 1 – 7 PLCs, 2 HMIs
Network Segmentation (SR 5.1) | High risk            | CPI = 0.9, SPI = 1.0 | Zones 2 and 3 – 12 PLCs, 4 HMIs
Vendor Access Controls        | Low risk             | SPI = 0.4            | Zone 4 – 3 engineering workstations

Step 3: Risk and Cost Optimization Governance Platform

CIARA generates risk reports and compliance maps for IEC 62443, NIS2, and more, detailing cost and implementation status for each site, zone, and security requirement.

Lessons learned from the field

Experience from real OT cyber risk management and compliance assessment projects with Radiflow shows that most of the Project Manager's effort goes into building an overall view of the current environment and then tracking the work activity by activity until the project result is achieved.

From zero to target, Radiflow makes the Project Manager's work easier and more accurate by supporting each of these steps:

  • Automatically identify assets and the links between them
  • Identify the system under consideration (SUC) and partition it into zones and conduits
  • Map the attackers, tactics, and techniques applicable to the digital twin
  • Identify and score risks
  • Simulate the best cybersecurity implementation scenario
  • Provide solid documentation in advance for pre-validation of the result
  • Schedule the budget and prioritize activities
  • Track implementation progress and calculate EVM metrics
  • Reach the target within the scheduled time, budget, and resources
  • Continuously monitor in real time and track risk and control changes


Radiflow monitors the network and continuously feeds new threat intelligence into the picture, surfacing the changes and evidence that may require the project to be resized. This lets the PM follow an Agile process or a similar flexible project management framework, keeping the following points in mind:

  • Agile vs. hybrid approaches to manage evolving cybersecurity threats.
  • Procurement and vendor risk management, especially when work is outsourced.
  • Data-driven decision making, using real-time metrics from CIARA.
  • Emotional intelligence, to navigate resistance and communicate risks effectively.
  • Threat intelligence, provided by Radiflow's monitoring capabilities.
  • Project resilience, ensuring recovery and continuity under a changing risk landscape.
  • Managing stakeholder information: sharing the right updates at the right time.
  • Project risk management, kept separate from cyber risk management, for threats to budget, scope, and schedule.
