49%
of all CEOs say that becoming a victim of a cyber-attack is now a case of “when,” and not “if”
Once a day
the energy sector faces a cyber-attack that hasn’t been seen before
46%
of all cyber-attacks in the OT environment go undetected.
Overview
Introducing OTArmor, GE Vernova's cybersecurity solution
In a complex world of ever-evolving technologies, GE Vernova understands the importance of having an experienced industrial cybersecurity partner to help you safely secure your digital assets. Systems must be continually tuned, monitored, and managed—and many teams struggle to keep pace with all these ongoing demands. Establishing these security mechanisms doesn’t just take time, it takes expertise.
The reality is that implementing general purpose security platforms in OT environments can break business-critical plant operations.
Many decision makers face two highly unappealing scenarios:
- Make the massive investments of staff time and budgets that are required to build a comprehensive security program from scratch.
- Do nothing; or do the minimum, and hope their organizations aren’t exposed by a cyber-attack or hit by significant fines for non-compliance.
But GE Vernova's cybersecurity solution offers a far more appealing alternative.
A single platform
GE Vernova’s cybersecurity team conducted a two-phase assessment that combined technical evaluation with hands-on collaboration: first reviewing the customer’s network architecture, policies, and protections to establish a baseline, then deploying visibility sensors and conducting interviews to map traffic, access, and configurations. The process revealed vulnerabilities such as missing OT firewalls, shared credentials, open ports, weak authentication, outdated patches, limited visibility, and poor encryption. GE Vernova mitigated these risks through centralized asset management with real-time monitoring via Security Information and Event Management (SIEM), data diodes to separate IT and OT networks, and stronger user and password controls—fortifying the OT environment and securing long-term support for continued cybersecurity investment.
Once this assessment was completed, the customer approved additional remediation recommendations that were documented in the report and another site visit happened in late 2025 to continue to improve their cybersecurity posture. This is an excellent example of how the partnership between GE Vernova and one of our customers continues to increase the cyber protection of the control system, in a world where the risk will continue to grow and become more complex.
A range of features
GE Vernova’s cybersecurity solution helps collect, correlate, and forward security logs and events, and it presents this information to plant personnel in a highly usable format. The solution offers identity and password management capabilities for control-system environments. Additionally, the solution can be customized so that it aligns with your existing environment—including your security incident and event management (SIEM) platform, backup mechanisms, anti-virus technologies, log management platforms, and more:
- Hardware appliance and operations console
- Hardened server and thin-client console
- Optional, hardened firewall
- Secure-by-design configuration
- Global regulatory certifications support, including IEC 62443
- High Availability configuration as an option
- OTArmor can be integrated with existing security solutions
Explore
Operational technology cybersecurity guidance
Clarity in a complex regulatory world. Our experts understand the nuances of country-specific OT cybersecurity guidance and will help you satisfy these controls with confidence.
Browse regulations by region and country*
*Where no national OT cybersecurity regulation exists, IEC 62443 standard set provides a globally recognized framework for practical, risk-based OT cybersecurity. Regulations are continually evolving; please allow for potential inaccuracies.
Americas
North America
Canada
- NERC CIP (Bulk Electric System)
- CNSC (REGDOC-2.12.1 mandatory) (Nuclear Power Plants)
- Aligns with globally recognized cybersecurity standards for OT
Mexico
- No specific, unified federal law or dedicated regulation for cybersecurity in its energy sector. Instead, cybersecurity is addressed through a fragmented collection of general laws, sector-specific guidelines, and non-binding protocols.
- International Standards: In the absence of prescriptive national laws, many companies in the energy sector, especially those with international partners, often adopt recognized international standards and best practices, such as the ISO/IEC 27001 or the NIST Cybersecurity Framework, to manage their risks.
Trinidad and Tobago
- Data Protection Act (2011): Protects personal data, requiring consent and appointing information officers.
- Computer Misuse Act (Chap. 11:17) (being replaced): Criminalizes unauthorized access and interference.
- Cybercrime Bill, 2017 (proposed): Aims to modernize laws, criminalize cyber offenses, and set ISP obligations, replacing the Computer Misuse Act.
United States of America
- NERC CIP (Bulk Electric System)
- NRC 10 CFR 73.54 (Nuclear Power Plants)
South America
Argentina
- The Federal Plan for Cybercrime Prevention (2025-2027) coordinates national efforts, while the Second National Cybersecurity Strategy sets guidelines for protecting state, public, and critical services.
- Data Protection: The Personal Data Protection Law (Law 25.326) is central, requiring explicit consent for data processing, enforced by the Data Protection Authority (AAIP).
Brazil
- The ANEEL (National Electric Energy Agency) has issued Resolution 964/2021, which establishes guidelines for cybersecurity and digitalization in the power sector.
- Energy companies frequently adopt international frameworks such as NIST Cybersecurity Framework, ISO 27001, and IEC 62443 to secure critical infrastructure.
Chile
- The Cyber Security Framework Law 21663, enacted in 2023 and homologated on April 8, 2024, marks a milestone in the protection of critical infrastructure and sensitive information from cyber threats.
- Implemented by Chile's Cyber Security Agency, it establishes a series of guidelines and measures that companies must follow to secure their systems and data.
- Some of the main sectors that must comply with the Cyber Security Framework Law 21663 include the state's public network, electricity, energy and supply, telecommunications, transport, financial, health.
Colombia
- Decree 338 of 2022: This regulation specifically addresses digital security by setting general guidelines for identifying critical cybernetic infrastructures, managing risks, and responding to security breaches.
Peru
- National Cybersecurity Strategy (ESNACIB) 2026-2028: This is the primary strategic document, aiming to build a secure and resilient digital ecosystem. Full compliance is mandatory for the public sector, while the private sector is strongly encouraged to align with it.
- Personal Data Protection Law (Law No. 29733): This law and its regulations (Supreme Decree No. 016-2024-JUS) establish provisions for the protection of personal data, including principles, obligations for data controllers, data bank registration, and fines. The new regulation, which fully enters into force in stages by November 2028, introduces requirements for incident notification and the appointment of a Data Protection Officer in certain cases.
APAC
Asia
Brunei
- Cybersecurity Act 2024
- Code of Practice for CII
China
- Regulations on Critical Information Infrastructure Security Protection (2021)
- 网络安全等级保护基本要求
Indonesia
- Presidential Regulation No.82/2022 (Protection for Vital Information Infrastructure)
Japan
- Basic Act on Cybersecurity 2014
- NISC’s cybersecurity/CI protection policies (Cybersecurity Policy for Critical Infrastructure)
Malaysia
- Cybersecurity Act 2024 NCII (National Critical Information Infrastructure)
Pakistan
- NEPRA (National Electric Power Regulatory Authority) CERT (Computer Emergency Response Team), PSS (Pakistan Security Standards)
Philippines
- DICT National Cybersecurity Plan (2023–2028)
Singapore
- Cybersecurity Act 2018
- CCoP 2.0 (Cybersecurity Code of Practise)
South Korea
- Act on the Protection and Use of Information and Communications Infrastructure
- CIIPA (Critical Information Infrastructure Protection Act)
Taiwan
- CSMA (Cyber Security Management Act, effective 2019)
Thailand
- Cybersecurity Act 2019
Vietnam
- Law on Cybersecurity (2018)
Oceania
Australia
- SOCI (Security of Critical Infrastructure)
- AESCSF (Australian Energy Sector Cyber Security Framework) IEC 62443
New Zealand
- NCSC guidance
Europe & CIS
Albania
- NIS2 Directive
- IEC-62443 Standard Set
Andorra
- Qualified Law 29/2021 on Personal Data Protection (LQPD)
- NIS2 Directive
- Governing OT cybersecurity regulation:
- IEC-62443 Standard Set
Armenia
- Law on Cybersecurity (planned)
Austria
- NIS2 Directive
- IEC-62443 Standard Set
Azerbaijan
- Under Development
- IEC-62443 Standard Set
Belarus
- IEC-62443 Standard Set
Belgium
- NIS2 Act / NIS2 Royal Decree
- Critical Entities Resilience Directive (CER) (planned)
- IEC-62443 Standard Set
Bosnia and Herzegovina
- Law on Information Security
- Law on Security Of Critical Infrastrucutre (Republika Srpska)
Bulgaria
- Cyber Security Act
- Information Security Act
- NIS2 Directive (EU 2022/2555) (planned)
Croatia
- Cybersecurity Act (Zakon o kibernetičkoj sigurnosti NN 14/2024)
- Critical Entities Resilience Directive (CER)
- IEC-62443 Standard Set
Cyprus
- Network and Information Systems Security Law of 2025
- Critical Entities Resilience Directive (CER)
- IEC-62443 Standard Set
Czechia (Czech Republic)
- Cyber Security Act No. 264/2025 Coll.
- IEC-62443 Standard Set
Denmark
- NIS2 Act
- Critical Entities Resilience (CER) Act
- IEC-62443 Standard Set
Estonia
- Cyber Security Act
- NIS2 & CRA updates (Planned)
- IEC-62443 Standard Set
Finland
- Cybersecurity Act (Act 124/2025)
- IEC-62443 Standard Set
France
- Critical Infrastructures Information Protection” (CIIP) (planned- Senate Bil No.78)
- IEC-62443 Standard Set
Georgia
- Law on Information Security
- IEC-62443 Standard Set
Germany
- IT-Sicherheitsgesetz (IT Security Act) & IT-Sicherheitsgesetz 2.0 (2020) (KRITIS - Critical Infrastructure - applies to IT and OT). BSI-KritisV defines which operators are legally required to follow IT Sicherheitsgesetz obligations.
- KRITIS-DachG
- NIS2UmsuCG
Greece
- Law 5160/2024 (NIS2)
- Law 5236/2025 (CER)
- IEC-62443 Standard Set
Hungary
- Act LXIX of 2024 on Cybersecurity
- Act LXXXIV of 2024 on the Resilience of Critical Organisations (known as the Critical Infrastructure Act
- IEC-62443 Standard Set
Iceland
- Network Security Act 78/2019
- Regulation No. 866/202
- Network Security Act update (planned 2026)
- IEC-62443 Standard Set
Ireland
- S.I. 360
- Cyber Security Bill 2024 (planned)
- IEC-62443 Standard Set
Italy
- Legislative Decree no. 138/2024
- Legislative Decree No. 134/2024
- IEC-62443 Standard Set
Kazakhstan
- "On National Security" law
- IEC-62443 Standard Set
Kosovo
- Law on Critical Infrastructure
- Law on Cybersecurity
Latvia
- National Cyber Security Law
- Critical Entities Resilience Directive (CER)
- IEC-62443 Standard Set
Liechtenstein
- Cyber-Security Act (CSG)
- IEC-62443 Standard Set
Lithuania
- Cyber Security Law
- Critical Entities Resilience Directive (CER)
- IEC-62443 Standard Set
Luxembourg
- Law of May 28, 2019
- Draft law 8364
- IEC-62443 Standard Set
Malta
- NIS2 MT Order (Legal Notice 71 of 2025)
Moldova
- National Cybersecurity Law
Monaco
- Law No. 1.435 on combating technological crime
- Loi sur la cybersécurité (planned 2027)
Montenegro
- Law on the Determination and Protection of Critical Infrastructure
- Draft Law on Information Security
Netherlands
- Wet beveiliging netwerk- en informatiesystemen, Wbni)
- Cybersecurity Act (Cyberbeveiligingswet - Cbw) (planned 2025)
- Critical Entities Resilience Directive (CER) (planned 2026)
North Macedonia
- Information Security Act (ISA)
- New Cybersecurity Law
Norway
- Digital Security Act (\(digitalsikkerhetsloven\))Security Act (\(Sikkerhetsloven\))
- IEC-62443 Standard Set
Poland
- National Cybersecurity System Act (KSC-1)
- National Cybersecurity System Act (KSC-2) (planned)
- IEC-62443 Standard Set
Portugal
- Law No. 46/2018 (Legal Framework for Cyberspace Security)
- Decree-Law No. 22/2025
- Decree-Law No. 65/2021
- Regime Jurídico da Cibersegurança (RJC) (Planned 2026)
Romania
- Law 155/2024
- Draft law to replace Law 98/2010
Russia
- Federal Law No. 187-FZ, Critical Information Infrastructure (CII) Law
San Marino
- Law No. 171 of 21 December 2018
- Law No. 114 of 23 August 2016
Serbia
- Law on Information Security
- Act on Critical Infrastructure
- Law on Critical Infrastructure (planned)
Slovakia
- Act No. 366/2024 Coll., an amendment to the existing Cybersecurity Act (69/2018 Coll.)
- Act No. 367/2024 Coll., on Critical Infrastructure.
Slovenia
- Information Security Act (ZInfV-1)
Spain
- Royal Decree-Law 12/2018
- Draft Law on Cybersecurity Coordination and Governance (Planned)
Sweden
- Protective Security Act (Säkerhetsskyddslagen)
- Information Security Act (2018:1174)
- Critical Operators Resilience Act (lag om motståndskraft hos kritiska verksamhetsutövare) (Planned)
- Cybersecurity Act (Cybersäkerhetslagen) (Planned)
Switzerland
- KRITIS-Schutz
- Critical Entities Resilience Directive (CER)
Turkey
- Cybersecurity Law (No. 7545)
Ukraine
- Law No. 11290
United Kingdom
- NIS Directive with CAF 4.0
- Cyber Security & Resliance Bill (planned)
- Operational Guidence (OG) 86
Vatican City (Holy See)
- Vatican City IT and Infrastrucutre Regulations
- IEC-62443 Standard Set
Middle East and Africa
Bahrain
- NCSC -Bahrain (National Cyber Security Center)
Israel
- INCD (Israel National Cyber Directorate) National Cyber Security Framework 2025-2028
Kuwait
- NCSC (National Cyber Security Center)
- NDCF (National Data Classification Framework)
Oman
- OCERT (Oman National Computer Emergency Readiness)
- CS&RF (Computer Security & Resiliency Framework)
Qatar
- NCSA (National Cyber Security Agency)
Saudi Arabia
- NCA (National Cybersecurity Authority)
- OTCC-1:2022 OT Cybersecurity Controls, ECC (Essential Cybersecurity controls)
United Arab Emirates
- NESA (National Electronic Security Authority)
- UAE IAS (Information Assurance Standard)
Need help?
Our team is ready to help you navigate the cybersecurity landscape. Connect with our cyber experts and/or let us know if you see any missing or outdated regulations.
Benefits
By working with us, your organization can benefit from:
Platform
Explore our comprehensive cybersecurity platform
Application allow listing
With the application white-listing option, Windows-based devices have an improved security posture by reducing the risk and cost of malware, improving network stability and reliability.
This feature automatically identifies trusted software that is authorized to run on control system human-machine interfaces (HMIs) and prevents unknown or unwanted software.
Asset management
Continuous threat monitoring and advanced logging intelligence that aims to give you deep, granular industrial control system (ICS) visibility via asset identification and asset configuration change detection.
By analyzing network traffic through deep packet inspection and fluent in over 42 of the native industrial protocols commonly found in ICS security, a baseline is constructed of normal operations, which is then used to detect anomalies.
Data security
Automatic, centralized backup and recovery of the process control domain saves time and cost by deploying a quick disaster recovery plan with minimal downtime.
All backup activities are logged and easily accessed for generating reports that conform with compliance reporting.
Data diodes
A data diode is a physical piece of hardware that acts as a unidirectional network communication device that facilitates a secure, one-direction transfer of data between networks.
Its design inherently creates a physical separation between the source and destination networks. Data diodes effectively eliminate all external points of entry to the sending system, thus preventing unauthorized users from gaining access to the protected network.
Network security
GE Vernova’s customizable network security option helps monitor and block malicious activity and attacks and provides continuous visibility of unusual activity and potential threats to the control system network. Stateful tracking of network traffic to allow approved communications between connected devices and the “outside” network.
Additionally, Next Generation Firewalls can inspect certain network traffic types to identify ports that may change during communications to demonstrate that traffic is permitted to flow (for example, FTP, TFTP). Next Generation Firewalls can perform additional checks on traffic—including application-level inspection and filtering of network traffic with exception.
Role-based access control (RBAC)
Provides centralized control and management specific to the controls environment, enabling you to manage access to the industrial control system based on permissions. Benefits of RBAC include:
- Lower risk
- Cost reduction
- Enhanced operational efficiency
- Improved compliance
Security information and event management (SIEM)
GE Vernova provides a scalable solution with both real-time and historic dashboard views of cyber activity—such as changes to switch configurations, failed login attempts, unauthorized port access, and USB usage. Operator cybersecurity dashboards include:
- Data-rich SIEM
- Ready for SOC integration
Multi-factor authentication
Multifactor Authentication (MFA)—sometimes called “two-factor authentication” or 2FA—is a security protocol that requires a user to present two pieces of evidence when logging into a given account or application.
Multi-factor authentication combines hardware-based authentication and public key cryptography to ensure strong authentication and eliminate account takeovers.
Secure remote access
A zero-trust solution that safeguards against cyber risks—including insider threats—through its unique, browser-based hardened platform. Secure remote access technology provides a simple and secure access mechanism to critical assets by using:
- Protocol and system isolation
- Encrypted display
- Multi-factor authentication
Services
Contact us
