Industrial organizations face an increasingly difficult challenge: how to modernize their operations, improve connectivity and increase visibility into industrial processes while still protecting critical systems from cyber threats. Legacy industrial automation and control systems (IACS) environments were originally designed for reliability and operational continuity, not cybersecurity. As a result, many facilities operate with legacy technologies, flat network architectures, unmanaged remote access and systems never intended to connect to anything beyond the plant floor. In such environments, cybersecurity can no longer be treated as an isolated IT issue. This is why adopting ISA/IEC 62443 has become so important for asset owners, system integrators and product suppliers alike.
ISA/IEC 62443 provides a comprehensive cybersecurity framework developed specifically for industrial automation and control systems. Unlike traditional IT security approaches, the standard recognizes that industrial environments must maintain safety, uptime, reliability and operational continuity while defending against cyber threats. This distinction is critical. In operational technology (OT) environments, a cybersecurity incident can disrupt production, reduce visibility or control, damage equipment or create safety and environmental consequences.
From Fortinet’s perspective, ISA/IEC 62443 shifts cybersecurity discussions away from simply identifying vulnerabilities and toward managing operational risk. ISA/IEC 62443 promotes a lifecycle-based security approach that continuously evaluates risk, aligns mitigations to operational priorities and improves cybersecurity maturity over time.
This is especially important for asset owners responsible for continuous operations. A manufacturing plant, utility, refinery or critical infrastructure operator cannot simply shut systems down to immediately implement every security recommendation. ISA/IEC 62443 acknowledges these operational realities and provides a structured, phased approach that allows organizations to strengthen security while maintaining production and reliability.

A core principle of ISA/IEC 62443 is the use of security zones and conduits. Rather than treating the entire IACS environment as a single flat network, the standard encourages organizations to divide systems into logical zones based on operational function, risk and required protection levels. Conduits are then used to securely manage communications between those zones.
The following image (originally published on Automation.com) illustrates the concept of zones and conduits, also known as network segmentation.

- A zone can have sub-zones.
- A conduit cannot have sub-conduits.
- A zone can have more than one conduit.
- Cyber assets within a zone use one or more conduits to communicate.
- A conduit cannot traverse more than one zone.
- A conduit can be used to connect two or more zones.
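The rules above can be checked mechanically against a documented zone model and observed traffic. The following is an added example written for this article, not code from Fortinet, ISA or Automation.com: it models zones (with sub-zones), conduits (which join two or more zones and carry an allowed set of protocols) and asset placement, then reports every cross-zone flow that is not carried by a conduit joining both zones directly, which is how the "cannot traverse more than one zone" rule shows up in practice. The zone names, assets, conduits and the `src=... dst=... proto=...` log records are all constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    parent: str | None = None           # a zone may be a sub-zone of another zone
    assets: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Conduit:                          # no sub-conduits: the structure is deliberately flat
    name: str
    zones: frozenset[str]               # the zones whose boundaries this conduit joins
    protocols: frozenset[str]           # traffic the conduit is allowed to carry


def parse_flow_log(lines):
    """Turn constructed 'src=... dst=... proto=...' records into (src, dst, proto) tuples."""
    flows = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        flows.append((fields["src"], fields["dst"], fields["proto"]))
    return flows


def check_model(zones, conduits, flows):
    """Return a list of rule violations; an empty list means model and traffic agree."""
    by_name = {z.name: z for z in zones}
    asset_zone = {a: z.name for z in zones for a in z.assets}
    problems = []

    # Zone hierarchy: every parent must exist and the sub-zone chain must not loop.
    for z in zones:
        seen, p = {z.name}, z.parent
        while p is not None:
            if p not in by_name:
                problems.append(f"zone {z.name}: parent {p} is not defined")
                break
            if p in seen:
                problems.append(f"zone {z.name}: sub-zone chain loops back on itself")
                break
            seen.add(p)
            p = by_name[p].parent

    # Conduits: must join at least two defined zones.
    for c in conduits:
        if len(c.zones) < 2:
            problems.append(f"conduit {c.name}: must connect two or more zones")
        for unknown in sorted(c.zones - by_name.keys()):
            problems.append(f"conduit {c.name}: zone {unknown} is not defined")

    # Traffic: a cross-zone flow must ride a conduit that joins BOTH zones directly
    # (no transit through an intermediate zone) and that permits the protocol.
    for src, dst, proto in flows:
        zs, zd = asset_zone.get(src), asset_zone.get(dst)
        if zs is None or zd is None:
            problems.append(f"flow {src}->{dst}: asset not assigned to any zone")
            continue
        if zs == zd:
            continue                    # intra-zone traffic needs no conduit
        direct = [c for c in conduits if {zs, zd} <= c.zones]
        if not direct:
            problems.append(f"flow {src}->{dst} ({proto}): no conduit joins {zs} and {zd}")
        elif not any(proto in c.protocols for c in direct):
            names = ", ".join(c.name for c in direct)
            problems.append(f"flow {src}->{dst}: {proto} not permitted on conduit(s) {names}")
    return problems


# Constructed sample plant: three top-level zones and one sub-zone of Plant.
ZONES = [
    Zone("Enterprise", assets={"erp"}),
    Zone("DMZ", assets={"historian"}),
    Zone("Plant", assets={"hmi"}),
    Zone("Cell1", parent="Plant", assets={"plc", "plc2"}),
]
CONDUITS = [
    Conduit("c_dmz_plant", frozenset({"DMZ", "Plant"}), frozenset({"opcua"})),
    Conduit("c_plant_cell1", frozenset({"Plant", "Cell1"}), frozenset({"modbus"})),
]
SAMPLE_LOG = [                          # constructed records, not real traffic
    "src=historian dst=hmi proto=opcua",     # DMZ -> Plant over c_dmz_plant: fine
    "src=hmi dst=plc proto=modbus",          # Plant -> Cell1 over c_plant_cell1: fine
    "src=plc dst=plc2 proto=modbus",         # intra-zone: fine
    "src=erp dst=plc proto=modbus",          # Enterprise -> Cell1: no conduit at all
    "src=historian dst=plc proto=modbus",    # DMZ -> Cell1 would transit Plant: violation
    "src=hmi dst=historian proto=ssh",       # conduit exists but ssh is not permitted on it
]

if __name__ == "__main__":
    for problem in check_model(ZONES, CONDUITS, parse_flow_log(SAMPLE_LOG)):
        print(problem)
```

Run against the sample data, the last three log records are reported and the first three pass. In a real programme the zone and conduit definitions come from the risk assessment documentation and the flows from firewall or passive monitoring logs; the value of the check is that undocumented cross-zone paths surface as findings rather than staying invisible in a flat network.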
This segmentation strategy is important because cyber threats in OT environments often spread laterally once an attacker gains access. By isolating operational areas and controlling communications pathways, organizations can limit the impact of an incident and better protect critical systems.
The standard also introduces security levels (SLs), ranging from SL 0 through SL 4, allowing organizations to align security controls with the sophistication and capabilities of threats.
[Figure: ISA/IEC 62443 protection levels for Asset Owner, System Integrator and Product Supplier]
These levels represent increasing resistance against cyber threats. Lower levels provide protection against accidental or casual violations, while higher levels are intended to withstand sophisticated attacks conducted by skilled and motivated adversaries. Organizations establish a Security Level Target (SL-T) for each zone based on risk assessments and then implement controls necessary to achieve that target.
To support the achievement of these SLs, ISA/IEC 62443-3-3 defines seven Foundational Requirements (FRs). The following tables show a high-level mapping of FRs to operational controls.
These controls should work together as part of a cohesive defensive strategy rather than being deployed in isolation.
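Because a security level is assessed per Foundational Requirement, the gap between a zone's SL-T and what its controls actually achieve is best expressed as a seven-value vector rather than a single number. The following is an added example, not code from Fortinet or the standard: it parses target and achieved vectors written as seven values in braces (the brace notation and the per-zone figures are this example's own constructed input), lists the FRs where a zone falls short of its target, and ranks zones by total shortfall so that remediation effort goes where the risk-based target is furthest from being met.

```python
from __future__ import annotations

# The seven Foundational Requirements of ISA/IEC 62443-3-3, in standard order.
FOUNDATIONAL_REQUIREMENTS = (
    "FR1 Identification and authentication control",
    "FR2 Use control",
    "FR3 System integrity",
    "FR4 Data confidentiality",
    "FR5 Restricted data flow",
    "FR6 Timely response to events",
    "FR7 Resource availability",
)
MIN_SL, MAX_SL = 0, 4                   # SL 0 through SL 4


def parse_sl_vector(text: str) -> tuple[int, ...]:
    """Parse a vector written as '{2 2 2 1 2 2 2}': one level per FR, each in SL 0..SL 4."""
    values = tuple(int(v) for v in text.strip("{} ").split())
    if len(values) != len(FOUNDATIONAL_REQUIREMENTS):
        raise ValueError(f"expected {len(FOUNDATIONAL_REQUIREMENTS)} values, got {len(values)}")
    for v in values:
        if not MIN_SL <= v <= MAX_SL:
            raise ValueError(f"security level {v} outside SL {MIN_SL}..SL {MAX_SL}")
    return values


def sl_gaps(target: tuple[int, ...], achieved: tuple[int, ...]) -> dict[str, int]:
    """FRs where the achieved level is below the target, with the shortfall in levels."""
    return {fr: t - a for fr, t, a in zip(FOUNDATIONAL_REQUIREMENTS, target, achieved) if a < t}


def prioritize(zones: dict[str, tuple[str, str]]) -> list[tuple[str, int, dict[str, int]]]:
    """Rank zones by total shortfall (largest first); zones meeting SL-T everywhere are omitted."""
    ranked = []
    for name, (sl_t, sl_a) in zones.items():
        gaps = sl_gaps(parse_sl_vector(sl_t), parse_sl_vector(sl_a))
        if gaps:
            ranked.append((name, sum(gaps.values()), gaps))
    ranked.sort(key=lambda row: (-row[1], row[0]))
    return ranked


# Constructed sample: (SL-T from the risk assessment, SL-A from the control assessment) per zone.
SAMPLE_ZONES = {
    "Enterprise": ("{1 1 1 1 1 1 1}", "{1 1 1 1 1 1 1}"),
    "DMZ":        ("{2 2 2 2 2 2 2}", "{2 2 2 2 3 2 2}"),   # exceeding the target is not a gap
    "Cell1":      ("{2 2 2 1 2 2 2}", "{1 2 1 1 2 0 2}"),   # short on FR1, FR3 and FR6
}

if __name__ == "__main__":
    for name, total, gaps in prioritize(SAMPLE_ZONES):
        print(f"{name}: {total} level(s) short of SL-T in total")
        for fr, shortfall in gaps.items():
            print(f"  {fr}: {shortfall} below target")
```

With the sample input only Cell1 is listed, with a total shortfall of four levels concentrated in FR1, FR3 and FR6, which tells the asset owner where to spend first without touching zones already at target. The same comparison applies when a product supplier's stated capability level (SL-C) is checked against the SL-T of the zone a component is destined for.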
This risk-based approach is important because it helps organizations apply cybersecurity investments strategically rather than implementing expensive, one-size-fits-all controls across the entire environment.
For system integrators and product suppliers, ISA/IEC 62443 provides a common framework and shared cybersecurity expectations across the industrial ecosystem. As industrial environments become more interconnected through remote access, cloud connectivity, wireless infrastructure and Industrial Internet of Things (IIoT) technologies, asset owners are realizing the importance of having vendors and integrators demonstrate how their systems align with recognized OT cybersecurity practices.
Importantly, ISA/IEC 62443 recognizes that industrial cybersecurity maturity evolves over time. Many organizations operate brownfield environments containing decades-old technologies that cannot realistically be replaced overnight. Rather than forcing immediate wholesale redesigns, the standard supports incremental improvements through phased implementation and continuous monitoring. This practical approach is important because it allows organizations to improve security in a measurable and sustainable manner while working within operational and financial constraints.
As technology, business requirements and threat landscapes evolve, organizations must continuously reassess whether their assigned security levels remain appropriate. Ultimately, adopting ISA/IEC 62443 provides industrial organizations with a structured, operationally realistic roadmap for improving cybersecurity resilience.
- For asset owners, it helps align cybersecurity with operational risk and uptime requirements.
- For system integrators, it provides guidance for designing and deploying more secure architectures.
- For product suppliers, it establishes a common framework for building technologies that support modern OT security expectations.
As cyber threats targeting industrial environments continue to increase, organizations need more than isolated security tools or vulnerability checklists. They need a cohesive strategy that aligns cybersecurity with operational objectives. Fortinet believes ISA/IEC 62443 provides that foundation, helping industrial organizations move from reactive security efforts toward proactive, risk-based operational resilience.
ISA/IEC 62443 provides a practical framework for aligning cybersecurity investments with operational risk, enabling organizations to build security programs that are measurable, sustainable and adaptable to changing threats. By using risk-based security levels, well-defined zones and conduits, continuous monitoring and lifecycle management practices, organizations can strengthen the resilience of their IACS environments while maintaining the safety, reliability and availability that today’s industrial operations depend on.
The opinions and views expressed are solely those of the authors and do not necessarily reflect any official policy, position or views of the International Society of Automation (ISA), Automation.com or the ISA Global Cybersecurity Alliance (ISAGCA).
