About this sample: This document represents the output of the thinking. The value is in the conversations that produced it — the site walk, the stakeholder interviews, the engineering judgements made along the way. What you are reading is the record. The work that matters happened before the first page was written.
Hardening Scope
Client: [REDACTED]
Site: [REDACTED]
Systems in Scope: [N] OT devices
Date: [REDACTED]
Lead Engineer: [REDACTED]
Standard: IEC 62443-3-3 / NIST SP 800-82
Current State vs Hardening Target

Baseline assessment of [N] OT systems against IEC 62443-3-3 hardening requirements. Score reflects percentage of applicable requirements currently met before hardening.

PLCs & RTUs: 28%
SCADA / HMI: 45%
Engineering Workstations: 52%
Historian Servers: 38%
OT Network Devices: 31%
Note: Scores above are illustrative sample values. Your baseline will reflect your specific systems, vendor platforms, and existing configuration. Post-hardening scores are included in the full report.
On baseline scores: Scores in the 28–52% range are consistent with what we find in first-time assessments across most OT environments. These figures reflect accumulated configuration debt, not client negligence. The starting point is not the story — the trajectory is.
Changes Applied by System Type
| System | Hardening Action | IEC 62443 Ref | Result |
|---|---|---|---|
| PLC — [Vendor REDACTED] | Disabled unused communication ports and services. Restricted Modbus access to authorised engineering workstation IPs only. | SR 1.3 / SR 5.1 | Applied |
| SCADA / HMI | Removed default accounts. Implemented individual operator accounts with role-based access. Enabled audit logging for all configuration changes. | SR 1.1 / SR 2.8 | Applied |
| Engineering Workstations | Application whitelist deployed. USB storage disabled. Local admin privileges removed from standard operator accounts. Host firewall enabled. | SR 1.2 / SR 2.4 | Applied |
| Historian Server | Unnecessary services removed. Web interface access restricted by IP. OS patching applied during maintenance window. | SR 7.7 / SR 5.2 | Applied |
| Remote Access | VPN configuration hardened. Encryption upgraded. Session timeout implemented. Shared credential removed — individual accounts deployed. | SR 1.3 / SR 2.1 | Applied |
Functional Testing Results
| System | Test | Result |
|---|---|---|
| All PLCs | Control loop and process communications confirmed operational post-hardening | Pass |
| SCADA / HMI | Operator access, display refresh, and alarm functions confirmed | Pass |
| Engineering Workstations | Engineering software (listed) confirmed operational under whitelist policy | Pass |
| Remote Access | Vendor remote access confirmed functional with new credentials and MFA | Pass |
What this enables: Pre- and post-hardening baseline scores, a complete hardening record for all systems, functional test results, and a hardened configuration baseline document for ongoing reference.