
A CISO's guide to mapping NCSC CAF and IEC 62443

Prayukth KV
16 December 2025
For the contemporary CISO, the NCSC Cyber Assessment Framework (CAF) is much more than a recommendation. It is the benchmark for securing the UK's Critical National Infrastructure (CNI) and for any organization brought into scope by the Cyber Security and Resilience Bill (2025).
While IT environments are usually well mapped to CAF, applying CAF to Operational Technology (OT) is not straightforward and creates its own friction. Legacy PLCs, real-time availability requirements, and "unpatchable" systems often make standard IT controls impossible to implement as written.
In today's OT security blog post, we explore how to bridge that gap by aligning CAF outcomes with the technical rigor of IEC 62443.
Before we move forward, don't forget to check out our previous blog post, "The OT SOC in 2026: From convergence to consequence management", here. I am sure you will find it useful.
The CAF-to-OT reality check
The CAF is an outcome-focused mandate. It tells you what to achieve (for example, "managing risks to your essential function") but not how to achieve it on a 20-year-old controller. This is where IEC 62443 becomes your technical engine, guide and playbook.
By mapping CAF's 14 principles to the IEC 62443 series, you move from abstract policy to engineering-level compliance.
Strategic alignment map

| CAF Objective | Relevant IEC 62443 Part | OT Focus Area |
|---|---|---|
| Obj A: Managing Security Risk | 62443-2-1 and 62443-3-2 | Risk assessment, zone and conduit partitioning, and the security program. |
| Obj B: Protecting Against Attack | 62443-3-3 and 62443-4-2 | Access control (IAM), least privilege, and system hardening. |
| Obj C: Detecting Cyber Events | 62443-3-3 (FR 6, SR 6.1 and SR 6.2) | Continuous monitoring for anomalous flows and integrity violations. |
| Obj D: Minimising Impact | 62443-2-4 | Business continuity and incident response for IACS. |
Navigating the three "OT Compliance Traps"
Trap 1: The asset visibility gap (CAF A3)
You cannot protect what you cannot see. In OT, even the simple "pings" of an active scanner can crash legacy devices.
The CAF requirement: A complete, accurate inventory of all assets supporting essential functions.
The IEC 62443 solution: Use passive monitoring to build the asset map without injecting any traffic, which also satisfies the component inventory requirement (Part 3-3, SR 7.8). Focus on identifying the Level 0-2 devices (sensors, actuators and controllers) that are usually invisible to IT scanners.
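The following is an added example (not code from the original post or from any vendor tool) of what "passive" means in practice: it only reads Modbus/TCP frames already on the wire and never sends anything to the field device. The IP addresses, port numbers and packet bytes are constructed for illustration; the MBAP header layout (transaction id, protocol id, length, unit id, then the function code) is the standard one.

```python
"""Passive Modbus/TCP asset discovery (added example, not from the original post).

Only observes traffic: nothing is sent to the devices, so a fragile PLC is never
probed. The packets below are constructed for illustration.
"""
import struct
from dataclasses import dataclass, field

MODBUS_TCP_PORT = 502


@dataclass
class Asset:
    ip: str
    roles: set = field(default_factory=set)           # "server" (PLC/RTU) and/or "client" (HMI/SCADA/EWS)
    unit_ids: set = field(default_factory=set)        # Modbus unit identifiers seen behind this IP
    function_codes: set = field(default_factory=set)  # function codes served (exception bit stripped)


def parse_mbap(payload: bytes):
    """Parse the 7-byte MBAP header and the function code that follows it.

    Returns (unit_id, function_code), or None if the bytes are not a well-formed
    Modbus/TCP ADU (protocol id must be 0 and the length field must match).
    """
    if len(payload) < 8:
        return None
    _tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return unit_id, payload[7]


def build_inventory(packets):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, tcp_payload).

    Direction is inferred from TCP port 502: the side listening on 502 is the
    Modbus server (the field device); the other side is a client.
    """
    inventory = {}
    for src, sport, dst, dport, payload in packets:
        parsed = parse_mbap(payload)
        if parsed is None:
            continue                      # not Modbus, or malformed: ignore, never probe
        unit_id, fc = parsed
        if dport == MODBUS_TCP_PORT:      # request from client to server
            client, server = src, dst
        elif sport == MODBUS_TCP_PORT:    # response from server to client
            client, server = dst, src
        else:
            continue
        srv = inventory.setdefault(server, Asset(server))
        srv.roles.add("server")
        srv.unit_ids.add(unit_id)
        srv.function_codes.add(fc & 0x7F)  # the 0x80 bit marks an exception response
        inventory.setdefault(client, Asset(client)).roles.add("client")
    return inventory


# Constructed sample traffic (not a real capture): an HMI polling two PLCs,
# one exception response, and a stray HTTP request that must be ignored.
SAMPLE_PACKETS = [
    ("10.20.0.7", 40001, "10.30.0.10", 502, bytes.fromhex("00010000000601030000000a")),       # Read Holding Registers request
    ("10.30.0.10", 502, "10.20.0.7", 40001, bytes.fromhex("000100000017010314") + bytes(20)),  # response carrying 20 data bytes
    ("10.20.0.7", 40002, "10.30.0.11", 502, bytes.fromhex("00020000000602050013ff00")),       # Write Single Coil request
    ("10.30.0.11", 502, "10.20.0.7", 40002, bytes.fromhex("000200000003028502")),             # exception response (fc 0x85)
    ("10.0.5.99", 50000, "10.30.0.10", 502, b"GET / HTTP/1.1\r\n"),                            # not Modbus: ignored
]


if __name__ == "__main__":
    for ip, asset in sorted(build_inventory(SAMPLE_PACKETS).items()):
        print(ip, sorted(asset.roles), sorted(asset.unit_ids), sorted(asset.function_codes))
```

In a real deployment the packet tuples come from a SPAN port or network tap; the point of the example is that the inventory, including the unit identifiers and the function codes each controller actually serves, is derived without a single probe reaching a Level 1 device.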
Trap 2: The patching paradox (CAF B4, Vulnerability Management)
Standard "patch within 30 days" mandates fail in OT, where downtime costs millions.
The CAF requirement: Known vulnerabilities are managed so that they cannot be exploited.
The IEC 62443 solution: Lean on compensating controls. If you cannot patch a PLC, place it in its own zone and isolate it using zones and conduits (Part 3-2). Restrict the conduit (the only permitted communication path into that zone) to the necessary sources, protocols and ports, so the vulnerable asset is shielded from everything else.
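As an added example (not from the original post), here is what a zone-and-conduit policy looks like once written down precisely enough to audit against: zones are address ranges, conduits are the only permitted cross-zone flows, and everything else is a violation. The zone names, addresses, ports and observed flows are all constructed assumptions for illustration.

```python
"""Zone-and-conduit policy check (added example, not from the original post).

Zones, conduits and observed flows are constructed for illustration. An
unpatchable PLC in the 'control' zone is shielded by permitting only the
conduits listed; every other cross-zone flow is a violation to investigate.
"""
import ipaddress
from dataclasses import dataclass

# Zones: groups of assets with shared security requirements (IEC 62443-3-2 style)
ZONES = {
    "enterprise":  ipaddress.ip_network("10.0.0.0/16"),
    "dmz":         ipaddress.ip_network("10.10.0.0/24"),
    "supervisory": ipaddress.ip_network("10.20.0.0/24"),   # HMI, SCADA servers, engineering workstation
    "control":     ipaddress.ip_network("10.30.0.0/24"),   # PLCs, RTUs
}


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"
    src_hosts: frozenset = frozenset()   # empty means any host in src_zone


# Conduits are directional: the firewall's stateful tracking carries the replies,
# so a PLC can never initiate a connection outward.
CONDUITS = [
    Conduit("supervisory", "control", 502),                                        # Modbus/TCP polling by HMI/SCADA
    Conduit("supervisory", "control", 44818, src_hosts=frozenset({"10.20.0.5"})),  # EtherNet/IP logic download, engineering workstation only
    Conduit("dmz", "supervisory", 1433),                                           # historian replication
    Conduit("enterprise", "dmz", 443),                                             # business users reach the DMZ, never the plant
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate_flow(src, dst, dport, proto="tcp"):
    """Return (allowed, reason) for one observed or proposed flow."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False, "endpoint not assigned to any zone"
    if src_zone == dst_zone:
        return True, f"intra-zone traffic in {src_zone}"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.dst_port, c.proto) != (src_zone, dst_zone, dport, proto):
            continue
        if c.src_hosts and src not in c.src_hosts:
            continue
        return True, f"conduit {src_zone}->{dst_zone}:{dport}/{proto}"
    return False, f"no conduit {src_zone}->{dst_zone}:{dport}/{proto}"


def violations(flows):
    """Return the (flow, reason) pairs that no conduit permits."""
    found = []
    for flow in flows:
        allowed, reason = evaluate_flow(*flow)
        if not allowed:
            found.append((flow, reason))
    return found


# Constructed observed flows, as a passive monitoring tool might export them
OBSERVED_FLOWS = [
    ("10.20.0.5",   "10.30.0.10", 44818),  # engineering workstation downloads logic: allowed
    ("10.20.0.7",   "10.30.0.10", 44818),  # HMI tries the engineering protocol: violation
    ("10.20.0.7",   "10.30.0.10", 502),    # HMI polls the PLC: allowed
    ("10.0.5.20",   "10.30.0.10", 502),    # enterprise host straight to a PLC: violation
    ("10.30.0.10",  "10.30.0.11", 502),    # PLC to PLC inside the zone: allowed
    ("10.10.0.3",   "10.20.0.9",  1433),   # DMZ historian replication: allowed
    ("192.168.1.1", "10.30.0.10", 502),    # device in no zone at all: violation
]

if __name__ == "__main__":
    for flow, reason in violations(OBSERVED_FLOWS):
        print("VIOLATION", flow, reason)
```

Run against the same flow export you used to build the asset inventory, the violation list is both the to-do list for the plant firewall and the evidence that the compensating control is actually enforced rather than merely documented.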
Trap 3: Shared identity (CAF B2)
Many OT systems rely on a generic "Admin" account shared across 24/7 shift work.
The CAF requirement: Identity and access are strictly controlled.
The IEC 62443 solution: Implement Privileged Access Management (PAM) through an "OT jump host". Even if the field device only supports a shared login, the person accessing it must be uniquely authenticated at the gateway, and the gateway session must be recorded so that every shared-account login on the device can be attributed to a named individual (aligned with IEC 62443-3-3 SR 1.1, human user identification and authentication).
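The jump host only closes the gap if its session records are actually joined to the device's own login records. The following is an added example (not from the original post or any PAM product) of that correlation: it attributes each shared-account login on a PLC to the named user whose gateway session was open at that moment, and it flags logins that reached the device without passing through the gateway. The log formats, the jump-host address and every log line are constructed assumptions.

```python
"""Attributing shared-account device logins to named jump-host users
(added example, not from the original post; all log lines are constructed).

The PLC only knows a shared 'admin' account. The jump host knows who the human
was. Correlating the two produces the per-person audit trail CAF B2 asks for
and flags logins that bypassed the gateway.
"""
import re
from datetime import datetime

JUMP_HOST_IP = "10.20.0.50"   # assumed address of the OT jump host

# Assumed log formats (constructed for this example)
SESSION_RE = re.compile(
    r"^(?P<ts>\S+) jumphost session_(?P<event>start|end) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) target=(?P<target>\S+) sid=(?P<sid>\d+)$"
)
DEVICE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) login account=(?P<account>\S+) "
    r"from=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def attribute_logins(lines):
    """Walk time-ordered lines from both sources; return one record per device login."""
    open_sessions = {}   # sid -> (user, target device)
    records = []
    for line in lines:
        m = SESSION_RE.match(line)
        if m:
            if m["event"] == "start":
                open_sessions[m["sid"]] = (m["user"], m["target"])
            else:
                open_sessions.pop(m["sid"], None)
            continue
        m = DEVICE_RE.match(line)
        if not m:
            continue
        record = {"ts": parse_ts(m["ts"]), "device": m["device"], "account": m["account"]}
        if m["src"] != JUMP_HOST_IP:
            # Login reached the device without passing through the gateway
            record["status"], record["user"] = "VIOLATION", None
        else:
            users = sorted(u for u, t in open_sessions.values() if t == m["device"])
            if len(users) == 1:
                record["status"], record["user"] = "ATTRIBUTED", users[0]
            elif users:
                # Two gateway sessions to one device: cannot prove who typed the login
                record["status"], record["user"] = "AMBIGUOUS", users
            else:
                # Gateway has no open session: a control failure worth investigating
                record["status"], record["user"] = "UNATTRIBUTED", None
        records.append(record)
    return records


# Constructed sample log, already merged and sorted by timestamp
SAMPLE_LOG = [
    "2025-12-16T08:00:00Z jumphost session_start user=alice.k src=10.0.5.20 target=10.30.0.10 sid=7731",
    "2025-12-16T08:00:04Z device=10.30.0.10 login account=admin from=10.20.0.50 result=success",
    "2025-12-16T08:10:00Z jumphost session_end user=alice.k src=10.0.5.20 target=10.30.0.10 sid=7731",
    "2025-12-16T08:15:30Z device=10.30.0.10 login account=admin from=10.20.0.50 result=success",
    "2025-12-16T08:20:00Z device=10.30.0.11 login account=admin from=10.0.5.99 result=success",
    "2025-12-16T08:25:00Z jumphost session_start user=bob.m src=10.0.5.21 target=10.30.0.12 sid=7740",
    "2025-12-16T08:25:01Z jumphost session_start user=carol.d src=10.0.5.22 target=10.30.0.12 sid=7741",
    "2025-12-16T08:25:05Z device=10.30.0.12 login account=admin from=10.20.0.50 result=success",
]

if __name__ == "__main__":
    for r in attribute_logins(SAMPLE_LOG):
        print(r["ts"].isoformat(), r["device"], r["account"], r["status"], r["user"])
```

The three non-attributed outcomes are the ones an auditor will ask about: a device login from outside the jump host means the conduit is not enforced, a login with no open gateway session means the PAM logs are incomplete, and two concurrent sessions to one device mean the design still cannot name the individual. Each is a finding against B2 even though the shared account itself has not changed.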
CISO action plan: From assessment to demonstrable achievement
To satisfy the regulator you must provide evidence against the CAF's Indicators of Good Practice (IGPs). You cannot simply claim you are secure; you have to prove it with documentation and evidence of ongoing compliance.
Define the scope: Identify your "essential function". In OT this is not "the network"; it is "the ability to deliver clean water" or "keeping the turbines spinning".
Perform a gap analysis: Use the CAF spreadsheet to rate yourself objectively (Achieved / Partially Achieved / Not Achieved).
Translate to engineering: When a CAF outcome is "Not Achieved", look to the corresponding IEC 62443 part to write the technical requirement for your plant engineers, and work out what can be done to attain it.
Evidence collection: Store your Purdue-level network diagrams, firewall rule sets, and incident response drill logs. These are your "proof of life" for CAF audits.
Define roles and responsibilities: Make it clear who owns each CAF outcome and the evidence behind it.
Map your compliance journey: Set clear goals, milestones and time-bound compliance plans, backed by the right knowledge and expertise.
The OT-CAF compliance checklist
Use this list to get a broad view of your current posture against NCSC expectations.
Governance and Risk (Objective A)
[ ] Dependency mapping: Have you identified IT-to-OT dependencies (e.g., does the plant stop if the IT-hosted Active Directory goes down, or if a crown-jewel system is disrupted by an attack)?
[ ] Board-level accountability: Does the Board treat OT risk as a safety/operational risk, not just an "IT problem"?
[ ] Supply chain: Are your OT vendors (OEMs) contractually required to meet IEC 62443-4-1 (Secure Development)?
Protections (Objective B)
[ ] Network segmentation: Is there a hardened DMZ between IT and OT? (No direct "any-any" rules).
[ ] Removable media: Is there a "Sheep Dip" station or strict policy for vendor USBs? Do you have a media scanning solution in place?
[ ] Secure configuration: Are default passwords (e.g., "admin/admin") changed on all field devices? Do you have a password policy that is enforced?
[ ] Defense-in-depth: Have you deployed layered, redundant protections for OT, or do you at least have the means to deploy them?
Detection and Response (Objective C & D)
[ ] OT-aware monitoring: Do you have a tool that understands industrial protocols (Modbus, DNP3, Profinet)?
[ ] Response playbooks: Do your incident playbooks include "Manual Overrides" for when digital controls fail?
[ ] Backup integrity: Are your PLC logic files backed up offline, and are restorations from those backups regularly tested?
[ ] Incident response training and simulation: Are your teams trained to manage incidents? Do they know what needs to be done, when and by whom?
By understanding how CAF maps to IEC 62443, you gain concrete ways to reduce your organization's cyber-physical risk exposure, and you know which auditable evidence is needed to demonstrate your security maturity to regulators and to the board.