24.11.2025 - References

Case Sandvik Mining: Strengthening Cybersecurity to Support Competitiveness

Crisis and cyber exercises, Cybersecurity consulting

Sandvik Mining is a business area within the Sandvik Group and a leading global supplier of equipment and tools, parts, service, digital solutions and sustainability-driving technologies for the mining and construction industries. Its networked, safety-critical products operate in highly demanding industrial environments. Sandvik’s Finnish organization has elevated cybersecurity to the core of its strategy. For several years, the company has developed secure application development practices to ensure that information security is considered throughout the entire lifecycle of solutions—from design to deployment and maintenance.

Cybersecurity as a New Market Requirement 

With digitalization and autonomy, the attack surface for cyber threats is expanding, and EU-specific regulations are tightening. As a result, information security has become a central competitive factor and a prerequisite for entering the EU market, especially with the upcoming Cyber Resilience Act (CRA). IEC 62443-4-1 is an internationally recognized industrial cybersecurity standard against which a supplier’s secure product development process is certified. The CRA makes lifecycle cybersecurity and vulnerability management a legal requirement for access to the EU market (notification obligations begin on September 11, 2026, and most product-specific requirements on December 11, 2027). Additionally, IEC 62443-4-1 is expected to be harmonized as part of CRA requirements.


Sandvik strengthened its cybersecurity together with Insta 

Sandvik aimed to reinforce its Secure Development Lifecycle (SDL) practices and align them with recognized cybersecurity standards. The company identified the challenge and proactively addressed it, ensuring that security is consistently integrated into product development and that IEC 62443-4-1 requirements are managed comprehensively.

Insta was selected as a partner for the project due to its strong expertise in industry standards, proven track record in similar implementations, and a ready SDL model that provided a clear starting point for the project. 

Together with Insta, Sandvik Mining launched a project to certify its SDL process according to the IEC 62443-4-1 standard. The starting point was Insta’s SDL reference model, which included processes, templates, training materials, and a data model. Insta first familiarized itself with the current state of product development, and based on this, a roadmap for development activities was created. SDL processes were piloted with two product teams, adapted to Sandvik’s needs, and integrated into the teams’ daily tools and practices. An SDL tool was built to support the processes and integrated into existing lifecycle management, ensuring consistency in the development process. Insta’s support covered everything from pre-audit to handling findings.

Certification Achieved Through Collaboration


Sandvik became one of the first companies in its industry to achieve IEC 62443-4-1 certification. The company has already drafted a roadmap toward ML-3 level. With certification, Sandvik demonstrates a standard-compliant level of cybersecurity to its customers and authorities. The security of Sandvik’s products has been strengthened across several product lines, solidifying its position as a pioneer in secure product development.

“Sandvik’s development work accelerated significantly thanks to the ready reference model, as it provided a framework that met standard requirements and was efficient to build upon. This enabled focus on changes important to Sandvik and freed up resources for practical implementation. The training program associated with the reference model supported successful implementation and increased awareness within the organization. Insta’s expertise and experience in SDL implementations, along with a practical approach, ensured smooth progress and the suitability of solutions for real-world needs,” says Jarkko Holappa, Offering Cybersecurity Lead at Sandvik Mining.

EU Regulation, Standard, and Framework: 

  • CRA = Cyber Resilience Act, the EU’s new regulation requiring companies offering digital products and software to ensure cybersecurity throughout the product’s lifecycle.

  • IEC 62443-4-1 standard = Part of the international IEC 62443 family of standards, addressing cybersecurity for industrial automation and control systems (ICS). 

  • Secure Development Lifecycle (SDL) = A systematic model in which security is considered throughout the development of software and products for their entire lifecycle. 
