
The OT security resilience roadmap: A deep dive into IEC 62443 remediation


Team Shieldworkz

Remediating an industrial control system (ICS) after a gap assessment is where "security on paper" meets "steel and wires." As IEC 62443 consultants with decades of experience in the field, we know the goal isn't just to close a gap—it’s to ensure that security never compromises Safety or Availability. In today's post, we do a deep dive into remediation of observations and security gaps identified during an IEC 62443-based risk and gap assessment.

Before we move forward, don't forget to check out our previous blog post, "What could an IRGC takeover mean for Iranian threat actor Handala".

1. Governance and program gaps (IEC 62443-2-1)

The Foundation: Establishing an IACS Security Program

Most assessments find that while technical controls exist, the management system is fragmented. Remediation here focuses on the "Human and Process" element.

  • Remediation Strategy:

    • The Asset Inventory Single Source of Truth: You cannot protect what you cannot see. Remediate 2-1 gaps by implementing an automated asset discovery tool that categorizes devices by hardware version, firmware level, and communication patterns.

    • The IACS Security Policy: Draft a dedicated OT Security Manual. Do not simply copy-paste IT policies. Your OT policy must explicitly define "Emergency Access" procedures where life safety trumps authentication.

    • Risk Assessment Lifecycle: Move from a one-time assessment to a "Continuous Risk Management" model. This involves updating the risk registry every time a new engineering workstation is added or a PLC firmware is upgraded.

2. System architecture and segmentation (IEC 62443-3-2)

The Blueprint: Security Risk Assessment and System Design

Gaps in 3-2 usually involve "flat networks" where a compromised laptop in the office can reach a controller on the plant floor.

  • Remediation Strategy:

    • Zone & Conduit Modeling: Physically or logically group assets into "Security Zones" based on functional similarity and risk profile.

    • Defining Conduits: Every communication path between zones must be a "Conduit." Remediate by implementing stateful inspection firewalls that only permit necessary industrial protocols (e.g., EtherNet/IP, OPC UA).

    • The IDMZ Implementation: Create an Industrial Demilitarized Zone. No traffic should ever flow directly from the Enterprise (Level 4/5) to the Control Zone (Level 0-2). All data exchange must terminate in the IDMZ.
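To make the zone, conduit and IDMZ rules above concrete, here is an added example (our own illustration, not Shieldworkz code or any firewall vendor's configuration) of a small policy model: zones carry a Purdue level, conduits are explicit allow-rules for one protocol and port between two zones, and a flow is only permitted if a conduit matches and it does not cross from Enterprise (Level 4/5) straight into Control (Level 0-2). The zone names and layout are assumptions; the ports (OPC UA 4840/tcp, EtherNet/IP 44818/tcp and 2222/udp) are the protocols' registered values.

```python
"""Zone-and-conduit policy check (added example; assumed zone layout)."""
from dataclasses import dataclass

# Purdue level per zone (assumed sample layout; the IDMZ is conventionally "Level 3.5").
ZONES = {
    "enterprise": 4,
    "idmz": 3.5,
    "site_ops": 3,
    "control": 2,
    "basic_control": 1,
}

ENTERPRISE_LEVELS = {4, 5}
CONTROL_LEVELS = {0, 1, 2}


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str   # "tcp" or "udp"
    port: int
    name: str


# Only the industrial protocols named in the text cross conduits below the IDMZ.
CONDUITS = [
    Conduit("enterprise", "idmz", "tcp", 443, "historian-replica-https"),
    Conduit("idmz", "site_ops", "tcp", 4840, "opcua-from-idmz"),
    Conduit("site_ops", "control", "tcp", 4840, "opcua-to-controllers"),
    Conduit("control", "basic_control", "tcp", 44818, "enip-explicit"),
    Conduit("control", "basic_control", "udp", 2222, "enip-implicit-io"),
]


def crosses_idmz_boundary(src_zone, dst_zone):
    """True if the pair of zones spans Enterprise and Control (must go via the IDMZ)."""
    levels = {ZONES.get(src_zone), ZONES.get(dst_zone)}
    return bool(levels & ENTERPRISE_LEVELS) and bool(levels & CONTROL_LEVELS)


def evaluate_flow(src_zone, dst_zone, proto, port, conduits=CONDUITS):
    """Return (allowed, reason) for a proposed flow between two zones."""
    if src_zone not in ZONES or dst_zone not in ZONES:
        return False, "unknown zone"
    if src_zone == dst_zone:
        return True, "intra-zone"
    # IDMZ rule wins over any conduit someone may have added.
    if crosses_idmz_boundary(src_zone, dst_zone):
        return False, "enterprise<->control traffic must terminate in the IDMZ"
    for c in conduits:
        if (c.src_zone, c.dst_zone, c.proto, c.port) == (src_zone, dst_zone, proto, port):
            return True, f"conduit {c.name}"
    return False, "no conduit defined"


def audit_conduits(conduits=CONDUITS):
    """Names of conduits that themselves violate the IDMZ rule (should be empty)."""
    return [c.name for c in conduits if crosses_idmz_boundary(c.src_zone, c.dst_zone)]


if __name__ == "__main__":
    for flow in [("enterprise", "control", "tcp", 4840),
                 ("site_ops", "control", "tcp", 4840),
                 ("site_ops", "control", "tcp", 502)]:
        print(flow, evaluate_flow(*flow))
    print("conduits violating IDMZ rule:", audit_conduits())
```

Running the audit against a proposed rule set before it is pushed to the conduit firewalls is the useful part: a conduit that quietly bridges Level 4 to Level 2 is caught as a design error rather than discovered in traffic.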

3. System technical requirements (IEC 62443-3-3)

The Shield: Implementing Functional Security

This is where we address the "Seven Foundational Requirements" (FRs). Common gaps include shared passwords and unencrypted engineering traffic.

  • Remediation Strategy:

    • FR 1: Identification & Authentication: Replace shared "Operator" logins with unique IDs. If the HMI doesn't support individual logins, implement a jump-host in the IDMZ that requires MFA before granting access to the HMI.

    • FR 5: Restricted Data Flow: Deploy Deep Packet Inspection (DPI). If a gap exists in protocol security, DPI can prevent "Write" commands from unauthorized IP addresses, even if the protocol itself is unauthenticated.

    • FR 6: Timely Response to Events: Centralize OT logs into a dedicated OT-SIEM. Ensure your SOC (Security Operations Center) understands the difference between a "Scan" and a "Broadcast Storm."
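The FR 5 point above (DPI blocking "Write" commands from unauthorized addresses even though the protocol has no authentication) is easiest to see with a concrete protocol. The following is an added example, not Shieldworkz code or a product's DPI engine, and it assumes Modbus/TCP as the unauthenticated protocol (the page itself names EtherNet/IP and OPC UA; Modbus is used here only because its framing fits in a few lines). It parses the MBAP header, classifies the function code, drops malformed frames, and drops write function codes from any host outside an assumed allowlist.

```python
"""DPI-style write filter for Modbus/TCP (added example; allowlist is assumed)."""
import struct

# Public Modbus function codes that change controller state.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

# Hosts permitted to write (assumed sample: a single engineering workstation).
AUTHORIZED_WRITERS = {"10.10.20.5"}


def parse_modbus_tcp(payload: bytes):
    """Parse the 7-byte MBAP header and return (unit_id, function_code, pdu_data).

    Raises ValueError for frames that are too short, carry the wrong protocol id,
    or whose declared length disagrees with the bytes present (malformed packet).
    """
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    # 'length' counts the unit id and the PDU, so the frame must be 6 + length bytes.
    if len(payload) != 6 + length:
        raise ValueError("MBAP length field does not match frame size")
    return unit_id, payload[7], payload[8:]


def inspect(src_ip: str, payload: bytes, authorized=AUTHORIZED_WRITERS):
    """Return ("allow" | "drop", reason) for one Modbus/TCP request from src_ip."""
    try:
        unit_id, fc, _data = parse_modbus_tcp(payload)
    except ValueError as err:
        return "drop", f"malformed: {err}"
    if fc in WRITE_FUNCTION_CODES and src_ip not in authorized:
        return "drop", f"{WRITE_FUNCTION_CODES[fc]} (fc 0x{fc:02X}) from unauthorized {src_ip}"
    return "allow", f"fc 0x{fc:02X} to unit {unit_id}"


def build_request(fc: int, data: bytes, unit_id: int = 1, tid: int = 1) -> bytes:
    """Construct a Modbus/TCP request frame; used only to make sample traffic here."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    # Constructed sample traffic: a register read and a single-register write.
    read = build_request(0x03, b"\x00\x00\x00\x0a")       # read 10 holding registers
    write = build_request(0x06, b"\x00\x10\x00\x01")      # write register 16 := 1
    for src in ("10.10.20.5", "10.10.30.77"):
        print(src, "read ->", inspect(src, read))
        print(src, "write ->", inspect(src, write))
    print("truncated ->", inspect("10.10.30.77", write[:5]))
```

The allowlist is keyed on source IP only, which is what the text describes; in practice the conduit firewall should also pin the writer's MAC and port so that an address-spoofing host on the same segment cannot inherit the privilege.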

The table below lists domain-wise action items for IEC 62443 compliance.

Domain                | Action Item                                                                                           | IEC 62443-3-3 Reference
----------------------|-------------------------------------------------------------------------------------------------------|------------------------
Identification        | Eliminate shared accounts on HMIs; implement RBAC (Role-Based Access Control).                        | SR 1.1, SR 1.2
Data Integrity        | Enable digital signatures for firmware updates where supported by the vendor.                         | SR 3.1
Data Confidentiality  | Encrypt "Data at Rest" for historian servers and "Data in Transit" for sensitive engineering traffic. | SR 4.1
Restricted Flow       | Implement deep packet inspection (DPI) to monitor for malformed industrial packets.                   | SR 5.2
Timely Response       | Deploy an ICS-aware Network Detection and Response (NDR) tool for continuous monitoring.              | SR 6.1
Resource Availability | Validate that "Fail-Safe" modes do not inadvertently open security backdoors.                         | SR 7.1
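The FR 6 remediation and the "Timely Response" row both hinge on the SOC telling a scan apart from a broadcast storm, which are easy to confuse when both show up as a burst of unexpected frames. The following is an added example, not Shieldworkz code or an OT-SIEM rule, that runs two simple heuristics over constructed flow records: a scan is one source reaching many distinct destination/port pairs, while a broadcast storm is the segment's broadcast-frame rate exceeding a threshold regardless of source. The log format, subnet, and thresholds are assumptions for the example; real rules are tuned per plant.

```python
"""Scan vs. broadcast-storm classifier over flow records (added example)."""
from collections import defaultdict

# Assumed broadcast addresses for the monitored segment.
BROADCAST_ADDRS = {"255.255.255.255", "192.168.10.255"}
SCAN_DISTINCT_TARGETS = 10   # distinct dst:port pairs from one source
STORM_FRAMES_PER_SEC = 200   # broadcast frames within one second, all sources


def parse_line(line):
    """Parse '<epoch_sec> <src_ip> <dst_ip> <dst_port> <proto>' (assumed format)."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def classify(records):
    """Return a list of (kind, subject, detail) findings.

    kind is 'scan' (one source probing many targets) or 'broadcast_storm'
    (broadcast frame rate above threshold); both may be reported at once.
    """
    records = list(records)
    findings = []
    # Scan heuristic: how many distinct (dst, port) targets did each source touch?
    by_src = defaultdict(set)
    for r in records:
        by_src[r["src"]].add((r["dst"], r["dport"]))
    for src, targets in sorted(by_src.items()):
        if len(targets) >= SCAN_DISTINCT_TARGETS:
            findings.append(("scan", src, f"{len(targets)} distinct dst:port targets"))
    # Storm heuristic: broadcast frames per second across the whole segment.
    per_sec = defaultdict(int)
    for r in records:
        if r["dst"] in BROADCAST_ADDRS:
            per_sec[r["ts"]] += 1
    for ts, n in sorted(per_sec.items()):
        if n >= STORM_FRAMES_PER_SEC:
            findings.append(("broadcast_storm", f"t={ts}", f"{n} broadcast frames/s"))
            break  # one finding per storm is enough here
    return findings


def sample_lines():
    """Constructed flow records (not real plant data)."""
    lines = []
    # Normal HMI polling of one PLC over EtherNet/IP.
    for t in range(100, 105):
        lines.append(f"{t} 192.168.10.20 192.168.10.30 44818 tcp")
    # One laptop sweeping a controller's ports: one source, many dst:port targets.
    for port in range(1, 13):
        lines.append(f"100 192.168.10.50 192.168.10.30 {port} tcp")
    # A broadcast storm: three hosts flooding the subnet broadcast within one second.
    for i in range(250):
        lines.append(f"200 192.168.10.{(i % 3) + 60} 192.168.10.255 67 udp")
    return lines


def sample_findings():
    return classify(parse_line(line) for line in sample_lines())


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

The storm hosts each hit only one target, so they never trip the scan rule, and the scanning laptop sends far too few frames to look like a storm; that separation is exactly what keeps a Layer-2 loop from being escalated as an intrusion, or a real sweep from being dismissed as network noise.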

4. Component requirements (IEC 62443-4-1 and 4-2)

The Building Blocks: Product Development and Technical Components

These gaps often involve legacy equipment that was "secure by obscurity" but is now vulnerable.

  • Remediation Strategy (4-1: Lifecycle):

    • Secure Procurement: Update your RFP (Request for Proposal) templates. Require vendors to provide a Software Bill of Materials (SBOM) and evidence of secure coding practices (SDLC).

  • Remediation Strategy (4-2: Components):

    • Hardening Endpoints: Disable unused physical ports (USB, RJ45) on PLCs and switches.

    • Compensating Controls for Legacy: If a legacy Windows XP machine cannot be patched (4-2 violation), remediate by "Virtual Patching" via an IPS at the conduit level and strict application whitelisting to prevent any unauthorized binary execution.

Addressing residual risk: The CISO’s ledger

Even after full remediation, Residual Risk remains. In OT, this is often the risk of a "Zero-Day" exploit against a proprietary protocol or the physical compromise of a remote terminal unit (RTU).

  1. Quantification: Use a $Risk = Likelihood \times Impact$ matrix to show the Board how remediation has lowered the "Expected Loss."

  2. Acceptance: Gaps that cannot be closed due to "Safety Overrides" must be formally accepted by the Operations Director.

  3. Insurance: For the remaining "Unmitigatable Risk," ensure the organization’s Cyber Insurance specifically covers "Physical Property Damage" and "Business Interruption" caused by OT incidents.

The 24-month roadmap

  • Phase 1 (0-6 Months): Asset Discovery, Zone Segmentation, and Critical Patching.

  • Phase 2 (6-12 Months): Identity Management (MFA), IDMZ setup, and OT-SIEM integration.

  • Phase 3 (12-24 Months): Full 4-2 Hardening, SBOM procurement integration, and Red Teaming the OT environment.

Final Thought: IEC 62443 compliance is a marathon, not a sprint. Every PLC you shield and every conduit you close raises the "Cost of Attack" for the adversary. Drive the change through engineering-first principles.
