
Cybersecurity

Our digital vision for security provides companies with the right measures
to protect themselves

Securing employees and customers against the risks of a cyberattack is nowadays a
responsibility. Physical security, management of sensitive information and
business continuity are just some of the areas in which our method helps contain risk.

Friends protect each other, and that is what we do: we help companies secure their
values over time, opening doors that are ready to welcome guests but tightly closed
to keep away those who are not welcome.

Cybersecurity means

  • Being compliant with all security regulations (see regulations)
  • Implementing a Cybersecurity strategy
  • Ensuring the safety of employees and customers (Safety)
  • Protecting industrial plants and systems (IT/OT Security)
  • Guaranteeing Business Continuity (Productivity)
  • Defending sensitive and personal data
  • Safeguarding corporate reputation

Underestimating the risk is more convenient...

My company is small, it is not at risk of cyber attacks.

Claiming that a system is secure because no one is attacking it is very dangerous - Bill Gates

Safety and Security: definitions

Safety: Freedom from the occurrence of risks that are not tolerable. Safety protects people from 'things', i.e. events of an accidental nature related to the environment around us.

Security: Condition of a system's resources being free from unauthorised access and from unauthorised or accidental modification, destruction or loss. Security protects 'things' (data, assets, ...) from people, i.e. from intentional actions of a malicious nature.


The regulatory framework

Regulations - Directive 2006/42/EC - Annex I

Essential health and safety requirements

1.1 - General considerations / 1.1.2 - Principles of safety integration
(c) When designing and constructing machinery, and when drafting the instructions, the manufacturer or his authorised representative must take into account not only the intended use of the machinery but also any reasonably foreseeable misuse thereof.

1.2 - Control systems / 1.2.1 - Safety and reliability of control systems
Control systems must be designed and constructed so as to prevent hazardous situations from arising. In any case, they must be designed and constructed in such a way that a failure in the hardware or software of the control system does not create hazardous situations, and errors in the logic of the control system do not create hazardous situations.

Particular attention must be paid to the following: the machine must not start up unexpectedly, machine parameters must not change uncontrollably when such a change can lead to dangerous situations, stopping the machine must not be prevented if the stop order has already been given.


Regulations - The 62443 Family of Standards (ISA-IEC)

The 62443 series of standards was jointly developed by the ISA99 committee and
the IEC TC65WG10 committee, and is devoted to the need to design and integrate
robust and resilient Cybersecurity into industrial control systems (ICS).

The 62443 series scope:

  • Improving safety, availability, integrity and confidentiality of systems used for
    industrial automation and process control.
  • Providing objective criteria for implementing the appropriate level of Security in industrial process control and management systems.


Regulations - ICT Minimum Standard

The minimum standard issued by the Swiss government is intended for providers
and operators of critical and non-critical infrastructures: it is designed as a manual
containing guidelines for cyber security with a focus on the concepts of "identification", "detection", "protection", "response" and "recovery". It aims to raise awareness of the risks of cyber threats and data theft in small and medium-sized enterprises.


What happens in reality?

In just over a year, almost 2 billion files containing personal and other sensitive data have been damaged - Ernst & Young

Every day we talk about 'cyber attacks'. But are the implications equally clear?

  • A hospital's energy supply system is attacked... the functioning of hospital
    machinery is at risk and thus the lives of its patients!
  • Addresses and sensitive data of a financial institution are stolen. People's safety and corporate reputation are threatened!

Our goal is to create Cybersecurity strategies that preserve corporate values.

The Goodcode approach

Every entrepreneur has the responsibility to protect his or her business and
employees from cyber threats. The method provides customers with constant
support to ensure: Physical Security, Management of Sensitive Information and
Business Continuity.

Analysis

Analysis, logical-functional modelling of the system, zoning and classification of
assets by criticality.

Risk assessment

Risk assessment and definition of Security levels.

Optimisation

Experimental tests to verify assets, design and implementation of any possible corrective measures.

Didactics

Training of staff on regulations and on the use of IT tools to avoid risks arising from
improper use.

Cybersecurity as a service

Like any self-respecting challenge between Good and Evil, the challenge against cybercrime has no end and is renewed day by day. That is why we have come up with an ongoing service based on the implementation of a long-term strategy: Cybersecurity as a Service.

Experience and partnerships

The professionals we field for our customers are true cybersecurity experts, and this is demonstrated by the world-class partnerships we have built over the years, including one with Bureau Veritas, a world leader in inspection services, verification of compliance with Safety and Security standards, and certification.

Paolo Domenighetti - Chief Technology Officer

After graduating in Software Engineering from the Università della Svizzera Italiana, Paolo Domenighetti managed an IT consultancy company from 2010 to 2015. That same year, he decided to capitalise on his passion and skills in Software Development by founding Goodcode. An expert in Cybersecurity and cryptography, he works closely with Bureau Veritas.

Massimo Bianchini - Mechanical engineer

A mechanical engineer with a passion for robotics and automation, Massimo Bianchini was operations director of Apave SudEurope Italia, a global player in safety and certification. In 1997, he started his consulting business in validation and commissioning of production plants, functional safety and finally industrial cybersecurity. Since 2018, he has been a partner of Bureau Veritas Italia.

Bureau Veritas - Partner

Bureau Veritas uses the method proposed by Paolo Domenighetti and Massimo Bianchini to offer Cybersecurity consulting.

Cybersecurity tidbits

Below are a few key terms and insights that will help you better understand the topic of Cybersecurity.

Directive 2006/42/EC - Annex I

Essential health and safety requirements

1.1 - General considerations / 1.1.2 - Principles of safety integration
(c) When designing and constructing machinery and when drafting the instructions, the manufacturer or his authorised representative must take into account not only the intended use of the machinery but also any reasonably foreseeable misuse thereof.

1.2 - Control systems / 1.2.1 - Safety and reliability of control systems
Control systems must be designed and constructed so as to prevent hazardous situations from arising. In any case, they must be designed and constructed in such a way that a failure in the hardware or software of the control system does not create hazardous situations, and errors in the logic of the control system do not create hazardous situations.

Particular attention must be paid to the following: the machine must not start unexpectedly, machine parameters must not change in an uncontrolled manner when such a change can lead to dangerous situations, and the machine must not be prevented from stopping if the stop order has already been given.

The 62443 family of standards (ISA-IEC)

The 62443 series of standards was jointly developed by the ISA99 committee and
the IEC TC65WG10 committee, and is devoted to the need to design and integrate
robust and resilient CyberSecurity into industrial control systems (ICS).

The objectives of the 62443 series:

  • Improving Safety, availability, integrity and confidentiality of systems used for
    industrial automation and process control.
  • Providing objective criteria for implementing the appropriate level of Security in industrial control and process management systems.

Minimum ICT standard

The minimum standard issued by the Swiss government is intended for providers
and operators of critical and non-critical infrastructures: it is designed as a manual
containing guidelines for cyber security with a focus on the concepts of 'identification', 'detection', 'protection', 'response' and 'recovery'. It aims to raise awareness of the risks of cyber threats and data theft in small and medium-sized enterprises.

VPNFilter malware

VPNFilter is a malware designed to infect routers and some network-attached
storage devices. It is estimated to have infected around 500,000 routers worldwide
as of May 24, 2018, although this is still thought to be a low estimate. VPNFilter
can steal data, contains a 'kill switch' designed to disable the infected router on command, and is able to survive a reboot of the router. The FBI believes it was created by the Russian group Fancy Bear.

Cyber resilience

Cyber resilience refers to an entity's ability to achieve the desired outcome despite
adverse cyber events. Cyber Resilience is a rapidly emerging concept that essentially brings together the areas of information security, business continuity and organisational resilience. The entities most closely associated with this concept are IT systems, critical infrastructures, business processes, organisations, companies and countries.

Cyber threat intelligence

Cyber Threat Intelligence refers to information on threats and threat actors that helps
mitigate malicious events in cyberspace. Sources of cyber threat intelligence include open-source intelligence, social media intelligence, human intelligence, technical intelligence and intelligence from the dark and deep web.

Malware

Malware is software intentionally designed to cause damage to a computer, server, client or computer network. There is a wide variety of types of malware, including computer viruses, worms, trojans, ransomware, spyware, adware, rogue software and scareware. Programs are also considered malware if they covertly act against the interests of the computer user.

Phishing

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy party via e-mail, SMS or instant messaging. Often the communications are so plausible that the user does not distinguish the fraudulent party from the official one and confidently transmits all the requested data.

Vishing

Vishing is a contracted form meaning 'Voice Phishing'. Vishing is a form of telephone fraud that uses social engineering through the telephone system to gain access to private personal and financial information for financial gain.

Pharming

'Pharming' comes from the combination of the terms 'Phishing' and 'Farming' and is a type of computer fraud very similar to Phishing, in which website traffic is manipulated and confidential information is stolen. Pharming exploits the basics of how the Internet works: the sequence of letters forming an Internet address, such as www.google.com, is converted into an IP address by a DNS server so that a connection can be established.

Vulnerability Assessment

Vulnerability Assessment is the process of identifying, quantifying and prioritising (or classifying) the vulnerabilities of a system, in our case an IT system. Classifying the risks and vulnerabilities of a company's information systems means performing a very thorough scan that highlights the company's exposure to the risks of a possible cyberattack.

NIST Cybersecurity Framework

The Cybersecurity Framework designed by the National Institute of Standards and
Technology (NIST) provides a framework of Cybersecurity guidelines on how private sector organisations in the US can assess and improve their ability to prevent, detect and respond to cyberattacks. Translated into many languages and also used by the Japanese and Israeli governments, the latest release of the framework includes guidance on how to perform self-assessments, guidance on how to manage risk in the supply chain, a handbook on how to interact with stakeholders, and encourages disclosure of the most common vulnerabilities.

Are you cyber-secure?

Protect your company's infrastructure

The first step towards implementing a cybersecurity strategy can feel like a step into the unknown, but you are not alone. Let's meet!

Goodcode - Swiss made software