Integrating IEC 62443 into OT security governance

Prayukth KV

December 9, 2025

Mature oil and gas companies are already working to secure their OT infrastructure through multiple layers of intervention. On the one hand, they are deploying security measures such as network monitoring, media scanning, secure remote access and diligent risk assessments; on the other, they are training their employees and treating security as part of their overall operational imperatives.

Whether your OT security measures can be classified as mature or foundational, you can look to the IEC 62443 series of standards to improve your security level and to better incorporate security measures into operations. It is not just about ensuring compliance; it is also about tracking compliance and ensuring that your security measures are aligned with your risk exposure and ready to deal with any incidents or events that may threaten disruption.

As the year 2026 emerges on the horizon, it is time to take a new look at how IEC 62443 can help your enterprise scale its security posture, contain risks and keep risk exposure under control.    

So here is a write-up on how you can bake IEC 62443 into the DNA of your operations, right from the boardroom all the way to the blast zone.

Before we dive in, don’t forget to check out our previous blog that offers a comprehensive view on the latest guidance from CISA and other agencies on integrating AI in Operational Technology. I am sure you will find this one useful.

Governance: The layer that translates intent

One of the biggest friction points in OT infrastructure is often the culture clash. Any attempt at superimposing IT controls on OT can lead to things going downhill rather quickly. The gap between IT and OT security levels presents threat actors and rogue insiders with an opportunity to intrude and cause chaos.

IEC 62443-2-1 helps you bridge this by demanding a Cybersecurity Management System (CSMS). But how do you actually govern this?

  • Kill the "Patch Tuesday" approach: In a refinery or on the shopfloor, you can't just reboot a DCS (Distributed Control System) because Windows released an update. Your governance policy must explicitly state that compensating controls (such as tighter firewall rules, virtual patches or traffic restrictions) are deemed acceptable alternatives to patching until the next scheduled turnaround.

  • Risk appetite definition: Management must define what is "tolerable." Is a 4-hour loss of view on a pipeline SCADA acceptable? If not, the governance framework must mandate redundant, segregated networks with additional controls for that specific conduit.

  • The "Safety" integration: Treat cyber risks like HAZOP (Hazard and Operability Analysis) inputs. If a cyber-compromise can cause a safety instrumented system (SIS) to fail, it belongs in the Process Safety Management (PSM) review, not just an IT ticket.

  • SL and ML: The Security Levels and Maturity Levels can be a robust and evidence-backed indicator of where you stand vis-à-vis security maturity. This data should be used to improve your security practices in a measured manner.

Architecture: Zones, conduits, and castles

IEC 62443 relies heavily on the concept of Zones and Conduits. Think of your plant like a medieval castle protected by a flexible moat.

  • The Zones (The Rooms): You don't let the messenger walk straight into the King's chamber without clearance. Similarly, your Safety Instrumented Systems (SIS) should be in a separate zone from your Basic Process Control System (BPCS). If the control room gets infected by a USB drive, the safety shutdown system must remain untouched.

  • The conduits (AKA the hallways): These are the only paths data can travel. In OT, we often come across flat networks where a printer in the admin building can "ping" a PLC in the cracking unit. This is nothing but a disaster waiting to happen.

  • Governance action: Mandate that no traffic flows between zones unless it passes through a defined conduit (firewall/gateway) with deep packet inspection.

Operations: The "patching paradox"

This is where the rubber meets the road. IEC 62443-2-4 dictates requirements for service providers, but you own the risk.

  • Vendor management: Your turbine vendor wants remote access to monitor vibration data. Fine. But your governance must enforce IEC 62443-3-3 System Security Requirements. Do not give them a permanent VPN tunnel. Give them a "just-in-time" ephemeral link that is monitored and recorded.

  • The legacy challenge: You likely have controllers running on Windows XP or 98 or proprietary OSs that haven't been updated since your school prom. You cannot think of replacing them.

    • The Fix: Use the Security Level (SL) concept. If the asset is SL-3 (high critical) but cannot be patched, you must wrap it in a "digital blanket". In simple terms: physically lock the cabinet ports, air-gap it if possible, place it behind a unidirectional gateway (data diode), or apply traffic restrictions as mentioned earlier.

The human element: Roles and responsibilities

Governance without accountability is akin to dancing without a partner, or even like an interstellar object with an anti-tail.

So here is a list of to-dos for everyone:

The CISO (Chief Information Security Officer)

  • The role: The Strategist.

  • The shift: The CISO must stop looking at the plant as a "big office network."

  • Responsibility: Develops the CSMS (Cyber Security Management System). Reports cyber risk to the board in the language of production loss and safety incidents, not just "data breaches."

  • Key task: Harmonize IT security tools with OT constraints (e.g., ensuring the antivirus scan doesn't crash the HMI).

The Plant Head / Asset Manager

  • The role: The Owner.

  • The shift: Must accept that "Cyber Safety" is now part of "Process Safety."

  • Responsibility: Owns the risk. If the plant goes down due to ransomware, it's on their P&L. They authorize the budget for segmentation and downtime for security upgrades.

  • Key task: Ensure cyber-drills are added to standard emergency response drills.

The Automation/Instrument Engineer

  • The role: The Defender.

  • The shift: No more "security by obscurity."

  • Responsibility: Implements the zones, configures the firewalls, and manages the "keys to the kingdom" (PLC passwords).

  • Key task: Maintain the asset inventory. You can't protect what you don't know exists.

The "No-Fluff" IEC 62443 implementation checklist

Ready to start? Don’t try to boil the stove (instead of the broth). Start with these simple 7 steps:

  • Asset discovery: Run a passive scan (safe for OT) to find every IP address. You will be shocked at how many "rogue" Raspberry Pis and vendor laptops are on your network.

  • IEC 62443-based risk assessment: Identify your "Crown Jewels" (such as the ESD system for the distillation column).

  • Zone definition: Draw the lines. Separate Safety (SIS) from Control (BPCS) from Supervision (HMI/SCADA) from Enterprise (IT).

  • Conduit lockdown: Deny all traffic by default. Whitelist only the specific protocols (e.g., Modbus TCP, OPC UA) needed for operations.

  • Remote access review: Audit every external connection. If a vendor hasn't logged in for 30 days, just disable the account.

  • Backup verification: Ensure your "Gold Copy" backups for PLCs and SCADA configurations are offline and tested. Ransomware loves to encrypt online backups first.

  • The "USB Glue" Policy: If a port isn't needed, physically block it or logically disable it. USBs are the number one vector for air-gapped systems. See if you can go for a media scan solution.

  • Pay attention to threat advisories and breaches impacting other companies.
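
The zone model and the default-deny conduit rule from the Architecture section and the checklist above can be checked against recorded network flows. The following is an added example, not part of the original article; the subnets, the conduit table and the flow records are constructed assumptions.

```python
import ipaddress

# Constructed zone subnets (assumption): zone names follow the checklist.
ZONES = {
    "SIS": ipaddress.ip_network("10.10.1.0/24"),          # Safety
    "BPCS": ipaddress.ip_network("10.10.2.0/24"),         # Control
    "SCADA": ipaddress.ip_network("10.10.3.0/24"),        # Supervision
    "ENTERPRISE": ipaddress.ip_network("10.20.0.0/16"),   # IT
}

# Conduit allowlist: (source zone, destination zone) -> permitted (protocol, port).
# Any zone pair or protocol not listed here is denied by default.
CONDUITS = {
    ("SCADA", "BPCS"): {("tcp", 502), ("tcp", 4840)},     # Modbus TCP, OPC UA
    ("ENTERPRISE", "SCADA"): {("tcp", 4840)},             # OPC UA only
}

def zone_of(ip):
    """Return the zone name for an address, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def audit(flows):
    """Return (src, dst, reason) for every flow that breaks the zone model."""
    findings = []
    for src, dst, proto, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone is None or dst_zone is None:
            findings.append((src, dst, "unknown-asset"))       # not in inventory
        elif src_zone == dst_zone:
            continue                                           # intra-zone traffic
        elif (src_zone, dst_zone) not in CONDUITS:
            findings.append((src, dst, "no-conduit"))
        elif (proto, port) not in CONDUITS[(src_zone, dst_zone)]:
            findings.append((src, dst, "protocol-not-allowed"))
    return findings

# Constructed flow records: (source, destination, protocol, destination port).
FLOWS = [
    ("10.10.3.15", "10.10.2.20", "tcp", 502),    # HMI polls PLC over Modbus TCP
    ("10.20.5.9", "10.10.2.20", "icmp", 0),      # admin printer pings a PLC
    ("10.10.3.15", "10.10.2.20", "tcp", 3389),   # RDP through a Modbus/OPC UA conduit
    ("10.10.2.20", "10.10.1.5", "tcp", 502),     # control zone reaches into safety zone
    ("192.168.7.4", "10.10.3.15", "tcp", 4840),  # device missing from the inventory
]

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```

Fed with flow records from passive monitoring, the same audit shows which firewall rules a conduit lockdown would need before any deny rule is enforced.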

OT security in 2026

Integrating IEC 62443 isn't about making your OT infrastructure "unhackable" in 2026. Instead, it’s about making it resilient and event-proof. It’s also about ensuring that when the digital storm hits, your safety systems hold, your crude keeps flowing, your substation keeps the lights on, your airports continue handling passengers and your people go home safe. We owe it to the people who keep our business running.

Learn more about our IEC 62443 offering.
Find out more about Shieldworkz’ OT Security Solution

 
