
Product cybersecurity

At PROGNOST, cybersecurity is an integral part of how we design, develop, and maintain our products. We follow recognized cybersecurity standards, embedding security throughout the product lifecycle, and continuously improve our defenses to address evolving cyber threats in both IT and OT environments.


Secure Development Lifecycle (SDLC)

Our product development follows a secure development lifecycle that has been certified according to IEC 62443-4-1.

This international standard defines cybersecurity requirements for the secure development of industrial automation and control system products. Certification demonstrates that security is systematically addressed across all phases of development - from requirements and design to implementation, testing, and maintenance.


Dedicated product security organization

We maintain dedicated product security personnel responsible for cybersecurity governance, vulnerability management, and secure development practices. This supports clear ownership of security topics and continuous oversight across our product portfolio.


Vulnerability management

To proactively identify and mitigate security risks, we use multiple automated and manual security controls, including, among others:

  • Periodic automated vulnerability scans to detect known weaknesses in operating systems, applications, and configurations
  • Static Application Security Testing (SAST) tools that analyze source code to identify security flaws early in development
  • Software Composition Analysis (SCA) tools to identify vulnerabilities and license risks in third-party and open-source components

We also maintain a Software Bill of Materials (SBOM), which provides a structured inventory of all software components included in our products. The SBOM improves transparency and supports faster risk assessment and response when new vulnerabilities are disclosed.


Cyber risk assessment

We perform detailed cyber risk assessments to identify, analyze, and mitigate potential threats and vulnerabilities affecting our products. This helps ensure appropriate security controls are applied based on real-world risk.


Training and awareness

Our personnel receive regular OT and IT cybersecurity training to ensure awareness of current threats, secure engineering practices, and industry standards. This training supports a strong security culture across engineering, operations, and support functions.


Built-in product security features

Our products incorporate, depending on product, configuration, and deployment, a range of security features and design principles to protect data, ensure integrity, and support accountability:

  • Data at rest encryption (disk encryption)
    To protect stored data from unauthorized access
  • Data in transit encryption
    Using industry-standard TLS to secure communications
  • Audit logging
    To record security-relevant events, enabling traceability, monitoring, and incident investigation
  • Least functionality
    Our products are designed to provide only the features and services necessary for their intended operation, reducing the potential attack surface
  • Defense in depth
    We implement multiple, complementary security layers (such as authentication, encryption, and network segmentation) to ensure that if one control fails, others continue to protect the system
  • Secure defaults
    Products are configured with security-first settings out of the box to minimize exposure to threats
  • Role-based access control
    Access to product functions and data is restricted based on roles, ensuring that users have only the privileges needed to perform their tasks

By embedding these security principles into our products, we aim to ensure they are resilient against a wide range of cyber threats while supporting safe and reliable operation in both IT and OT environments.


Product maintenance and updates

We provide regular product updates to address security vulnerabilities, improve resilience, and adapt to new cybersecurity requirements. Updates are part of our ongoing commitment to maintaining secure and reliable products throughout their lifecycle.


Vulnerability reporting

We are committed to the security of our products and services. If you identify a potential security vulnerability, please let us know. 

We appreciate responsible disclosure and will review all reports promptly.

Vulnerability detected?

Do you believe you have discovered a security vulnerability? Please share all details as requested.
