CFATS Expired. IEC 62443 and Your Insurer Now Set the Standard.

CFATS expired in July 2023 without replacement. Your cyber insurance underwriter and IEC 62443 now define the baseline for vendor access controls at chemical facilities.
Deploy in 20 minutes per facility. No agents on OT endpoints. Deployment requires no changes to OT network topology or control system configurations. Network firewall policies may require minor updates to enable the CSG connection path.

BAKER HUGHES

ALTAGAS

ALUAR

MITSUBISHI

GE VERNOVA

IEC 62443-2-4

SOC 2 TYPE II

OSHA PSM Reference

KUPPINGERCOLE LEADER 2025

  • 20 min: Deployment per Site
  • July 2023: CFATS Expiration (No Replacement)
  • 2021: Insurance MFA Requirements Began
  • 40+: Countries Deployed

The Triton Incident and the Access Path It Used

In 2017, attackers at a petrochemical facility in the Middle East deployed Triton/TRISIS malware targeting Schneider Electric Triconex safety instrumented system controllers. The attackers moved through the corporate network to an engineering workstation used for remote maintenance. From that workstation, they deployed malware to the SIS with the intent to disable it during a process upset.
The SANS 2025 OT cybersecurity survey ranked remote access among the top three OT vulnerability vectors. For chemical manufacturers, the exposure is specific: DCS service engineers accessing OPC UA historian interfaces, system integrators connecting to PROFIBUS-based batch controllers, and safety system vendors performing remote logic updates on SIS platforms.

The access path that service engineers use to update safety logic is the same path the attackers used to attempt to disable it.

How the Architecture Works

Protocol Isolation

  • OPC UA, PROFIBUS, Modbus, and DCS-specific interfaces terminate at the CSG boundary
  • Zero protocol data crosses to the user side
  • Vendor sees the asset interface through a rendered session
Result
This is not traffic inspection on a tunnel. This is protocol isolation at the gateway.

Identity-Driven Access

  • MFA enforced at the boundary before any asset access
  • Every session is time-limited and scoped to specific assets
  • Persistent vendor access replaced with on-demand sessions
Result

The Triton attack path: architecturally closed as a direct remote access vector.

Session Recording and Audit

  • CSG session recordings with timestamps and user attribution, accessible through Xona Centralizer
  • Asset identifiers, session duration, and access scope recorded
  • On-premises storage, export-ready for underwriter review 
Result

Insurance underwriter questionnaires answered with auditable data, not policy assertions.

On-Premises Process Isolation

  • Air-gapped batch processing networks stay air-gapped
  • CSG operates without cloud dependency
  • No SaaS requirement, no data leaves your facility
Result

Deployed on-premises, hybrid, or in fully air-gapped configurations.

20 minutes to deploy per site

Step 1: Deploy the CSG. No changes to OT network topology or control system configurations. Network firewall policies may require minor updates. No downtime during installation.

Step 2: Replace persistent vendor access. Grant DCS vendors and integrators time-limited, asset-scoped sessions.

Step 3: Compliance becomes automatic. IEC 62443-2-4 requirements met by architecture. Insurance questionnaires answered by CSG session records accessible through Centralizer. OSHA PSM documentation covered.

Deployed in Process Industries. Not Pilots.

Baker Hughes runs Xona across petrochemical operations spanning multiple continents. AltaGas uses the platform for process industry remote access across distributed facilities. These are production deployments, not proof-of-concept evaluations.
Named a Leader in OT/ICS Secure Remote Access by KuppingerCole Leadership Compass 2025. Deployed across 40+ countries at organizations including Aluar, Mitsubishi, and GE Vernova. The SANS 2025 OT Cybersecurity Survey confirms remote access remains among the top three vulnerability vectors for industrial environments. The organizations above chose to close that vector with architecture, not policy documents.

Who This Solves For

Process / Plant Managers

  • Vendor access no longer bypasses your MOC documentation chain
  • Every remote session recorded with timestamps, asset identifiers, and scope
  • DCS vendor access moves from persistent connections to on-demand sessions

OT / DCS Engineers

  • OPC UA, PROFIBUS, and Modbus connections terminate at the CSG
  • 20-minute deployment per facility with no changes to OT network topology or control system configurations
  • Session Hold maintains work through network interruptions without reauthentication

CISOs / Security Leads

  • IEC 62443-3-3 SL2 compliance through architecture, not compensating controls
  • CSG session recordings accessible through Centralizer answer the insurance underwriter's questionnaire
  • Persistent vendor access (the Triton attack path) architecturally closed

EHS / Compliance Officers

  • PSM MOC documentation gap closed by session recordings
  • NIS2 Article 21 supply chain requirements covered
  • SEVESO III change control obligations met by same architecture

Architecture Comparison

| Capability | Xona | Traditional VPN | Cloud ZTNA | Jump Server |
| --- | --- | --- | --- | --- |
| Deployment Time | 20 minutes | Days to weeks | Hours to days | Days |
| OT Topology Changes Required | No | Yes | Yes | Yes |
| Protocol Isolation | Yes (gateway termination) | No (tunnel) | No (proxy) | No (pass-through) |
| Session Recording | Full (CSG, via Centralizer) | No | Partial | Partial |
| IEC 62443-2-4 Coverage | Architectural | Compensating controls | Partial | Manual |
| Insurance Documentation | Automatic (session records) | Manual reconstruction | Partial | Manual |
| Process Isolation (Air-Gap) | Designed for air-gapped and partially connected OT environments | Not designed for OT | Cloud-dependent | Facility-specific |
| Persistent Access Risk | Eliminated (on-demand) | Always-on tunnel | Always-on connection | Shared credentials |

Compliance Architecture: IEC 62443, Insurance, and OSHA PSM

The CFATS Vacuum

CFATS (6 CFR Part 27) expired July 28, 2023. Congress has not passed reauthorization. CFATS RBPS 8 (Cyber) required deterrence of unauthorized remote access, least-privilege access controls, and real-time monitoring. Those requirements are now voluntary. What moved into the vacancy was not new regulation. It was insurance carrier questionnaires that now drive remote access controls.

Insurance as Compliance Driver

Cyber insurance underwriters have required remote access controls documentation since Colonial Pipeline in 2021. A chemical manufacturer that answers "no" to MFA, session logging, time-limited vendor access, or provisioning/revocation documentation faces premium increases, reduced coverage, or declination.
CSG session records accessible through Centralizer answer each question with auditable data, not policy assertions.

IEC 62443 and Insurance Compliance Mapping

| Requirement | Control | Xona Architecture |
| --- | --- | --- |
| IEC 62443-2-4 §2.3.1 | Remote access controls for IACS service providers | Role-based, time-limited, asset-scoped sessions at CSG; no persistent vendor access |
| IEC 62443-2-4 §2.3.2 | Session monitoring for remote access | CSG session recordings with full timeline: connection, actions, disconnection, accessible through Centralizer |
| IEC 62443-2-4 §2.3.3 | MFA for remote access | MFA enforced at the boundary before any asset access |
| IEC 62443-3-3 SR 2.6 | Remote session through defined, monitored pathways | CSG is the conduit for all remote OT access; no direct-to-asset vendor connections |
| Insurance: MFA | Documented MFA on all OT remote access | Centralizer records MFA events per session; audit-ready documentation |
| Insurance: Logging | Timestamped, user-attributed access logs | CSG session records, aggregated in Centralizer, answer the logging questionnaire without manual reconstruction |
| OSHA PSM MOC | Documentation of process change pathways | Session recordings capture vendor access scope; access revocation documented in Centralizer |

International: NIS2 Article 21 supply chain requirements. SEVESO III change control obligations. Saudi OTCC-1:2022 Control 3.3.

OSHA PSM and the Cyber Safety Intersection

OSHA PSM (29 CFR 1910.119) applies to facilities handling highly hazardous chemicals above threshold quantities. Remote vendor access that bypasses access controls is an unauthorized process change pathway, which makes it both a cybersecurity gap and a process safety risk. PSM incident investigations are increasingly examining remote access logs as part of root cause analysis. The absence of session recording is a gap in the PSM documentation chain. Centralizer closes that gap by default.

Technical Specifications

OT Protocols: Telnet, VNC, HTTP/HTTPS, OPC UA, PROFIBUS, Modbus, DNP3, DCS-specific interfaces (Honeywell Experion

Architecture: CSG (site-level gateway), XCM (centralized policy management), Centralizer (multi-site governance)

Deployment Models: On-premises, hybrid, air-gapped

Certifications: SOC 2 Type II, FIPS-compliant cryptographic behavior

FAQ

CFATS expired. Do we have any legal obligation for cybersecurity?

Direct federal cybersecurity mandates for chemical manufacturing are absent as of March 2026. CISA publishes voluntary guidance. OSHA PSM has indirect cyber implications through MOC documentation. CIRCIA mandatory incident reporting is expected to apply to the chemical sector when final rules publish. The near-term practical obligation comes from cyber insurance carriers requiring documented remote access controls as a condition of coverage.

How does the architecture address IEC 62443 zone segmentation?

IEC 62443-3-2 defines zones as logical groupings connected through conduits. The CSG functions as the conduit: the defined, monitored pathway through which external access enters the zone. Remote vendor access terminates at the CSG. The vendor sees the asset interface. The process control zone sees no external network connection.

What documentation can we produce for our cyber insurance underwriter?

CSG gateways capture session recordings with timestamps, user attribution, asset identifiers, session duration, and access scope. The records are on-premises, access-controlled, and export-ready for underwriter review. For typical insurer questionnaire items (MFA on remote access, session logging, time-limited vendor sessions, access provisioning and revocation procedures), Centralizer's session records provide the supporting documentation without manual reconstruction.
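
An added example (not Xona's code and not part of the original page): a pre-check over exported session records for the questionnaire items listed above, namely MFA, user-attributed logging, time-limited sessions and asset scope. The record layout, field names and sample sessions are constructed assumptions, not the Centralizer export format.

```python
from datetime import datetime

# Constructed sample records. Field names are hypothetical, not the
# Centralizer export schema; map them to the fields your export provides.
SESSIONS = [
    {"id": "s1", "user": "vendor-a", "mfa": True,
     "start": "2025-03-04T08:00:00", "end": "2025-03-04T09:30:00",
     "approved_minutes": 120,
     "approved_assets": ["DCS-01"], "accessed_assets": ["DCS-01"]},
    {"id": "s2", "user": "vendor-b", "mfa": False,
     "start": "2025-03-05T10:00:00", "end": "2025-03-05T14:00:00",
     "approved_minutes": 60,
     "approved_assets": ["HIST-02"], "accessed_assets": ["HIST-02", "SIS-01"]},
    {"id": "s3", "user": "", "mfa": True,
     "start": "2025-03-06T07:00:00", "end": None,
     "approved_minutes": 30,
     "approved_assets": ["PLC-07"], "accessed_assets": ["PLC-07"]},
]

def audit_session(rec):
    """Return the list of questionnaire gaps found in one session record."""
    gaps = []
    if not rec.get("mfa"):
        gaps.append("mfa-not-recorded")
    if not rec.get("user"):
        gaps.append("no-user-attribution")
    if not rec.get("end"):
        # No end timestamp: the record cannot show the session was time-limited.
        gaps.append("no-end-timestamp")
    else:
        start = datetime.fromisoformat(rec["start"])
        end = datetime.fromisoformat(rec["end"])
        if (end - start).total_seconds() / 60 > rec["approved_minutes"]:
            gaps.append("exceeded-approved-window")
    # Assets touched during the session that were never approved for it.
    extra = sorted(set(rec["accessed_assets"]) - set(rec["approved_assets"]))
    if extra:
        gaps.append("out-of-scope:" + ",".join(extra))
    return gaps

def audit(sessions):
    """Map session id -> gaps, keeping only sessions that have any."""
    report = {}
    for rec in sessions:
        gaps = audit_session(rec)
        if gaps:
            report[rec["id"]] = gaps
    return report

if __name__ == "__main__":
    for sid, gaps in audit(SESSIONS).items():
        print(sid, gaps)
```
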

We have DCS vendors that require persistent remote access for monitoring. How does that work?

Persistent vendor monitoring access is the exact access path Triton exploited: a permanently available connection to your process control network. The architecture replaces persistent access with on-demand sessions. When the DCS vendor needs to check system status, an administrator approves a time-limited, scope-restricted session. The vendor's monitoring visibility is maintained. The persistent attack surface is architecturally closed as a direct remote access vector.

Does the deployment require changes to our DCS vendor's access procedures?

Deployment requires no changes to OT network topology or control system configurations. Network firewall policies may require minor updates to enable the CSG connection path. Vendor access request and approval workflows move to Centralizer's interface. The vendor connects through the same network path; the CSG intercepts and enforces the session controls. From the vendor's perspective, the primary change is an approval step before the session begins and an automatic termination at the end of the maintenance window.

Our facility uses legacy control systems running older industrial protocols. Is the architecture compatible?

Supported protocols include Telnet, VNC, HTTP/HTTPS, Modbus, DNP3, and IEC 62443-compatible industrial protocols. No protocol upgrades or endpoint agents required. The CSG brokers the session at the boundary without requiring the underlying asset to support modern authentication mechanisms.

What about international compliance requirements (NIS2, SEVESO III)?

NIS2 Article 21 requires supply chain security measures including access controls for external service providers. SEVESO III imposes change control obligations on major-accident hazard facilities. The same session recording architecture that satisfies IEC 62443 and insurance requirements also covers NIS2 supply chain controls and SEVESO III change documentation.

We operate a rural water district with 8 treatment plants spread across 200 miles. How does multi-facility management work?

Centralizer provides centralized governance across every connected facility. One administrator manages access policies, reviews session recordings, and enforces controls for all 8 treatment plants from a single console. Each facility has a locally deployed CSG that operates independently of the others. Session Hold (v5.5) handles the intermittent connectivity that is standard across rural water infrastructure. Deploy at each facility in 20 minutes without sending an IT team.

Can the platform support air-gapped batch processing networks?

The CSG operates without cloud dependency. Air-gapped batch processing networks remain air-gapped. No data leaves your facility. The platform deploys on-premises or in fully air-gapped configurations. No SaaS requirement. No external connectivity required for the access control layer to function.

Stop Relying on Voluntary Guidance. Start Building the Architecture Insurers Require.

CFATS is expired. Your insurer is not. Deploy IEC 62443-compliant remote access in 20 minutes per facility. CSG session records accessible through Centralizer answer your underwriter's questionnaire. On-premises. Air-gapped capable. SOC 2 Type II certified.