Your IEC 62443-based risk assessment to-do list for 2026

Prayukth KV

21. November 2025

It does look like the year 2026 will be a pivotal year for Operational Technology (OT) cybersecurity. We will be entering the year a bit wiser with learnings from many cyber events that happened in 2025.  

With existing regulatory frameworks like NIS2 and the Cyber Resilience Act (CRA) placing additional demands on operators (in terms of interventions and attention), and the new ISASecure Automation and Control System Security Assurance (ACSSA) program for operating sites rolling out, reliance on the IEC 62443 family of standards is no longer a matter of choice. It is now a foundational requirement for demonstrating due diligence and resilience, and at a strategic level it also signals an organization's level of cybersecurity maturity.

As we always say, your risk assessment strategy should evolve beyond basic compliance. So we are happy to share an actionable to-do list for your IEC 62443-based risk assessment program in 2026.

Before we move forward, don’t forget to check out our previous blog post on the best IDS/IPS solution for OT/ICS systems here.

Deep dive into zones and conduits (IEC 62443-3-2)

Physical and virtual network segmentation lies at the core of an effective Industrial Automation and Control System (IACS) defense-in-depth strategy. Such segmentation should restrict an attacker's ability to move laterally between systems and also provide a means to recover quickly in case of a cyber incident.

Your 2026 OT risk assessment must move beyond simple network diagrams to fully assess the security of your zones and conduits. It is about developing a higher level of security sensitivity and awareness.

· Finalize IACS Partitioning: Implement the Zones and Conduits model for your entire System Under Consideration (SuC). Ensure your zones group assets based on shared criticality (consequence of compromise) and Target Security Level (SL-T).

· Conduit Risk Assessment: Treat conduits, the communication pathways between zones, as independent security components. Conduct a detailed risk assessment on every conduit to ensure that traffic flows are enabled only where strictly necessary and that the required security controls (firewall rules, authentication, encryption) are properly enforced to achieve the SL-T of the communicating zones.

· Verify SL-T Achievement: For each zone, formally verify that the implemented countermeasures, including those in the connecting conduits, are sufficient by comparing the Achieved Security Level (SL-A) against the Target Security Level (SL-T) for every Foundational Requirement. Document any gaps and assign a remediation plan.
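As an added example (not code from the original post or from Shieldworkz), the following Python script models the SL-T versus SL-A verification for zones and conduits as an FR-by-FR vector comparison, which is how IEC 62443 expresses a security level. The zone names, the SL values and the rule that a conduit must reach the higher SL-T of the two zones it connects are constructed assumptions for this example:

```python
from dataclasses import dataclass

# IEC 62443 expresses a security level as a vector with one value (0 to 4)
# per Foundational Requirement FR1..FR7, so SL-T and SL-A are compared FR by FR.
FR_NAMES = ("FR1 IAC", "FR2 UC", "FR3 SI", "FR4 DC", "FR5 RDF", "FR6 TRE", "FR7 RA")


@dataclass
class Zone:
    name: str
    sl_t: tuple  # target level per FR, seven entries
    sl_a: tuple  # achieved level per FR after the zone's own countermeasures


@dataclass
class Conduit:
    name: str
    zones: tuple  # names of the two zones the conduit connects
    sl_a: tuple   # achieved level per FR of the conduit's own controls


def conduit_target(conduit, zones_by_name):
    """Assumption used in this example: a conduit must achieve, per FR, the
    higher of the SL-T values of the two zones it connects."""
    a, b = (zones_by_name[n].sl_t for n in conduit.zones)
    return tuple(max(x, y) for x, y in zip(a, b))


def _gaps(label, sl_t, sl_a):
    """One gap record per FR where the achieved level falls below the target."""
    return [
        {"component": label, "fr": fr, "sl_t": t, "sl_a": a}
        for fr, t, a in zip(FR_NAMES, sl_t, sl_a)
        if a < t
    ]


def verify_sl(zones, conduits):
    """Return every SL gap across zones and conduits, as input to the remediation plan."""
    zones_by_name = {z.name: z for z in zones}
    gaps = []
    for z in zones:
        gaps += _gaps(f"zone:{z.name}", z.sl_t, z.sl_a)
    for c in conduits:
        gaps += _gaps(f"conduit:{c.name}", conduit_target(c, zones_by_name), c.sl_a)
    return gaps


# Constructed sample SuC: two zones and the conduit between them.
SAMPLE_ZONES = [
    Zone("safety_plc", sl_t=(3, 3, 3, 2, 3, 2, 3), sl_a=(3, 3, 2, 2, 3, 2, 3)),
    Zone("dmz", sl_t=(2, 2, 2, 2, 2, 2, 2), sl_a=(2, 2, 2, 2, 2, 2, 2)),
]
SAMPLE_CONDUITS = [
    Conduit("dmz_to_plc", zones=("dmz", "safety_plc"), sl_a=(3, 3, 3, 2, 2, 2, 3)),
]

if __name__ == "__main__":
    for gap in verify_sl(SAMPLE_ZONES, SAMPLE_CONDUITS):
        print(f"{gap['component']:<22} {gap['fr']:<8} SL-T={gap['sl_t']} SL-A={gap['sl_a']}")
```

On the sample data the script reports two gaps: the safety PLC zone falls short on FR3 (System Integrity), and the conduit falls short on FR5 (Restricted Data Flow) because it must meet the safety zone's SL-T of 3, not the DMZ's 2. Each gap record is what you would carry into the documented remediation plan.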

Strategic management of legacy systems

The perpetual presence of legacy equipment is easily the single largest risk multiplier in OT environments. In 2026, your risk management strategy needs to integrate legacy management directly into the risk assessment program.

· Asset inventory deep enumeration: Identify every legacy asset (such as systems past end-of-life, running unsupported OS, or lacking modern security features) and map their location within your Zones and Conduit model.

· Compensating Controls analysis: For legacy systems that cannot be patched or upgraded to meet their zone's SL-T, document and implement the requisite Compensating Countermeasures. Your risk assessment must formally validate that these controls (host-based firewalls, application whitelisting, or unidirectional gateways such as data diodes) provide evidence-based, tangible risk reduction.

· Virtual patching strategy: Patching OT assets is usually difficult, for well-known reasons. Formalize the use of virtual patching as a documented and tested control for systems where vendor patches are unavailable or deployment risk is too high, and complement it with a procedure for its continuous monitoring and maintenance.
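The legacy enumeration and compensating-controls check above, as an added Python example that is not part of the original post. The asset IDs, end-of-life dates, the list of unsupported operating systems, the use of a single SL-T value per zone and the threshold (SL-T of 2 or higher requires a documented compensating control) are all assumptions constructed for the example:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed set of OS versions treated as unsupported in this example.
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}


@dataclass
class Asset:
    asset_id: str
    zone: str
    os: str
    end_of_life: Optional[date]        # vendor EOL date, None if still supported
    patchable: bool                    # can vendor patches actually be deployed?
    compensating_controls: tuple = ()  # e.g. ("host firewall", "application whitelisting")


def legacy_reasons(asset, today):
    """Why an asset counts as legacy; an empty list means it does not."""
    reasons = []
    if asset.end_of_life is not None and asset.end_of_life <= today:
        reasons.append("past vendor end-of-life")
    if asset.os in UNSUPPORTED_OS:
        reasons.append("unsupported operating system")
    if not asset.patchable:
        reasons.append("cannot be patched")
    return reasons


def review_legacy(assets, zone_sl_t, today):
    """Return (legacy, uncovered): every legacy asset with its reasons, and the
    IDs of legacy assets that still lack a documented compensating control.
    Assumption for this example: one SL-T value per zone rather than the full
    FR vector, and any legacy asset in a zone with SL-T >= 2 must carry at
    least one compensating control."""
    legacy, uncovered = {}, []
    for a in assets:
        reasons = legacy_reasons(a, today)
        if not reasons:
            continue
        legacy[a.asset_id] = reasons
        if zone_sl_t[a.zone] >= 2 and not a.compensating_controls:
            uncovered.append(a.asset_id)
    return legacy, uncovered


# Constructed zone targets and inventory (EOL dates are illustrative only).
ZONE_SL_T = {"dmz": 1, "control": 2, "safety": 3}

SAMPLE_ASSETS = [
    Asset("HMI-01", "control", "Windows 7", date(2020, 1, 14), False,
          ("application whitelisting", "host firewall")),
    Asset("PLC-07", "safety", "VxWorks 6.9", date(2023, 6, 30), False),
    Asset("ENG-02", "control", "Windows 10", None, True),
    Asset("HIST-01", "dmz", "Windows Server 2008", date(2020, 1, 14), False),
]

if __name__ == "__main__":
    legacy, uncovered = review_legacy(SAMPLE_ASSETS, ZONE_SL_T, date(2026, 1, 1))
    for asset_id, reasons in legacy.items():
        print(f"{asset_id}: {', '.join(reasons)}")
    print("needs compensating controls:", uncovered)
```

Run against the sample inventory, three assets are flagged as legacy, but only PLC-07 is reported as uncovered: HMI-01 already has controls documented and HIST-01 sits in a zone whose SL-T is below the threshold. The mapping of each legacy asset to its zone is what ties this inventory back to the zones and conduits model.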

Cybersecurity Management System (CSMS) Program Requirements (IEC 62443-2-1)

The CSMS is the operational backbone for sustaining security. The risk assessment process itself is a key component of the CSMS.

· Integrate IT/OT governance: Align your OT CSMS (IEC 62443-2-1) with your corporate IT Information Security Management System (ISMS, e.g., ISO 27001). The governance structure must holistically address consequence-of-loss scenarios that span both domains.

· Maturity Model Assessment: Utilize the CSMS maturity model (often ML0 to ML4) to objectively score your organization's security posture across key CSMS elements (e.g., risk management, incident response, patch management). This provides management with a clear, quantifiable roadmap for improvement beyond technical controls alone.

· Role-based training: Verify that security awareness and technical training are role-based and specifically address the unique OT environment risks identified in your latest assessment. Operators, engineers, and IT staff need clear, documented security responsibilities.

Focus on Foundational Controls (IEC 62443-3-3)

Your detailed risk assessment must map directly to the seven Foundational Requirements (FRs) and their specific System Requirements (SRs) in IEC 62443-3-3.

Foundational Requirement (FR) and 2026 actionable control focus:

· FR1: Identification and Authentication Control. Mandate Multi-Factor Authentication (MFA) for all remote access and privileged accounts. Review and clean up all dormant/default accounts.

· FR2: Use Control. Enforce the Principle of Least Privilege for all users and processes. Implement Application Whitelisting on critical control systems.

· FR3: System Integrity. Implement Configuration and Change Management policies with automated monitoring and rollback capabilities to detect and prevent unauthorized system changes.

· FR4: Data Confidentiality. Apply encryption to all data deemed confidential during the risk assessment (e.g., PII, proprietary formulas, remote access tunnels).

· FR5: Restricted Data Flow. Audit firewall and segmentation rules to ensure they strictly enforce the defined conduits, blocking all communication by default.

· FR6: Timely and Accurate Response to Events. Integrate OT security logs into your Security Information and Event Management (SIEM) and conduct tabletop incident response exercises covering cyber-physical attack scenarios.

· FR7: Resource Availability. Verify and test the resilience of critical assets (e.g., redundant systems, tested backups, deterministic network performance) against denial-of-service or resource exhaustion.
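The FR5 audit (firewall rules checked against the defined conduits, with block-by-default verified), which also serves the conduit risk assessment step in the zones and conduits section, as an added Python example that is not code from the original post. The zone subnets, approved flows and firewall rules are constructed, and the rule model is deliberately simplified (CIDR source and destination, protocol, single port, permit or deny) rather than any particular vendor's syntax:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """An approved traffic flow defined for a conduit between two zones."""
    src_zone: str
    dst_zone: str
    proto: str
    port: int


@dataclass
class Rule:
    """Simplified firewall rule; "any" / None mean unrestricted."""
    src: str             # CIDR, "0.0.0.0/0" for any host
    dst: str
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None for any port
    action: str          # "permit" or "deny"


def zone_of(cidr, zone_subnets):
    """Map a rule's CIDR to the zone whose subnet contains it, else None."""
    net = ipaddress.ip_network(cidr, strict=False)
    for zone, subnet in zone_subnets.items():
        if net.subnet_of(ipaddress.ip_network(subnet)):
            return zone
    return None


def audit_rules(rules, flows, zone_subnets):
    """Return (rule_index, finding) pairs for permits broader than the defined
    conduits, and for a ruleset that does not end in an explicit default deny."""
    findings = []
    approved = set(flows)
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        if r.proto == "any" or r.port is None:
            findings.append((i, "permit allows any protocol or any port"))
            continue
        src, dst = zone_of(r.src, zone_subnets), zone_of(r.dst, zone_subnets)
        if src is None or dst is None:
            findings.append((i, "permit references an address range outside every zone"))
            continue
        if Flow(src, dst, r.proto, r.port) not in approved:
            findings.append((i, f"permit {src}->{dst} {r.proto}/{r.port} is not a defined conduit flow"))
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == "0.0.0.0/0" and last.dst == "0.0.0.0/0"):
        findings.append((len(rules), "ruleset does not end with an explicit default deny"))
    return findings


# Constructed zone-to-subnet mapping, approved conduit flows and a sample ruleset.
ZONE_SUBNETS = {"dmz": "10.1.0.0/24", "control": "10.2.0.0/24", "safety": "10.3.0.0/24"}
SAMPLE_FLOWS = [Flow("dmz", "control", "tcp", 502), Flow("control", "dmz", "tcp", 443)]
SAMPLE_RULES = [
    Rule("10.1.0.0/24", "10.2.0.0/24", "tcp", 502, "permit"),   # matches a conduit flow
    Rule("10.2.0.0/24", "10.1.0.0/24", "tcp", 443, "permit"),   # matches a conduit flow
    Rule("10.1.0.0/24", "10.3.0.0/24", "tcp", 22, "permit"),    # no conduit defines dmz->safety
    Rule("10.1.0.0/24", "10.2.0.0/24", "any", None, "permit"),  # broader than the conduit
    Rule("192.168.50.0/24", "10.2.0.0/24", "tcp", 502, "permit"),  # source not in any zone
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),        # explicit default deny
]

if __name__ == "__main__":
    for index, finding in audit_rules(SAMPLE_RULES, SAMPLE_FLOWS, ZONE_SUBNETS):
        print(f"rule {index}: {finding}")
```

The audit flags the three permits that are not backed by a defined conduit (an undefined zone pair, an any-protocol rule, and a source outside every zone) and, if the closing deny is removed, adds a finding that the ruleset no longer blocks by default. Exporting the real ruleset into this shape and diffing the findings between assessments gives the auditable evidence the to-do list asks for.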

Continuous monitoring and review

An IEC 62443-based risk assessment is not a one-time event; it's a phase in the continuous improvement cycle.

· Trigger-Based Reassessment: Formalize triggers for an immediate risk reassessment, such as:

o Any major system change (new equipment, network modification).

o Discovery of a critical vulnerability (zero-day) affecting an IACS component.

o A security incident (even near-misses).

· Vendor and Supply Chain Assurance (IEC 62443-2-4 / 4-1): In light of evolving regulations like the CRA, your risk assessment must consider the security posture of your suppliers and service providers. Demand evidence of their adherence to IEC 62443-4-1 (Secure Product Development Lifecycle) and IEC 62443-2-4 (Security Program Requirements for Service Providers).

In 2026, we will have to invest more effort and attention in making OT security risk assessments more contextual, and in linking them to tangible security outcomes and incident response interventions.

By rigorously completing this to-do list, you will not only reduce your organization’s cyber-physical risk exposure but also have the necessary auditable evidence to demonstrate (beyond doubt) your security maturity against the highest international or regional standards.
