IEC 62443: ISO 27001 adapted... for industry

The idea in a sentence

IEC 62443 is the industrial equivalent of ISO 27001: the same risk management and control logic, with added constraints related to production (availability, personal safety, long equipment life, limited maintenance windows, maintenance providers, etc.).

What is IEC 62443 used for?

It provides a framework specific to industrial systems (OT/ICS/SCADA) to reduce unplanned stoppages, avoid safety incidents and prove to your customers that the plant is under control. It applies to three roles across the life cycle: suppliers/builders, integrators and operators.

ISO 27001 structures global governance (ISMS).
IEC 62443 translates this intention to the production line level: architecture, workstations, networks, field procedures.

5 concepts that make all the difference

1) Zones & Conduits

We segment the workshop into zones (robot cell, supervision, DMZ, OT server room...) and we control the conduits (flows) between them. Objective: limit propagation and make the passage points that need filtering visible.

2) Security levels (SL)

We set target SLs by use and risk (e.g. SL2 for supervision, SL3 for machine safety). This guides hardening without over-specifying.

3) "Field-compatible" hardening

Shared HMI stations, maintenance accounts, an obsolete OS imposed by a PLC, equipment with no available patch... These call for compensating measures: machine isolation, virtual patching gateway, network hardening by allow-list, one-way flow (data diode) when necessary.

4) Admin paths and maintenance accesses

We separate the administration paths from the rest, we require named accounts and temporary elevations (badges, short sessions), we log service providers' interventions and we keep the proof.

5) Complete life cycle

Design → integration → operation/maintenance. The requirements don't stop with the project: they cover updates, backup/restore of PLC recipes, change management and end-of-life.

Examples of "ISO to workshop" adaptations

  • Regular updates ⟶ when that's impossible: strict isolation, supervision, integrity control.

  • Securing workstations ⟶ shared HMI: named accounts, time-limited sessions, automatic locking.

  • Network segmentation ⟶ interconnected lines: OT DMZ, filtered gateways, white-listed flows, central logging.

How to get started without blocking production

  • Simple mapping: cells, PLCs, HMI, servers, gateways, IT-OT links.

  • Cut into zones and draw existing conduits; mark unfiltered "bridges".

  • Set an SL by zone (depending on risk and production constraints).

  • Treat the 10% that makes up 80% of the risk: isolate what cannot be patched, shut down unnecessary flows, and secure maintenance access.

  • Prove: tested backups, intervention traces, up-to-date list of authorized flows.
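
The mapping, zoning and authorized-flow list from the steps above can be checked mechanically against observed traffic. The script below is an added example, not part of the original article: asset names, zones, ports, conduits and observed flows are all constructed, and the SL values only echo the article's SL2/SL3 illustration.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    port: int

# Constructed inventory (assumption): asset -> zone.
ZONES = {"plc-cell1": "robot_cell", "hmi-cell1": "robot_cell",
         "scada-01": "supervision", "historian": "ot_dmz", "erp-gw": "it"}
# Target SL per zone (constructed; echoes the article's SL2/SL3 illustration).
TARGET_SL = {"robot_cell": 3, "supervision": 2, "ot_dmz": 2, "it": 1}
# Authorized conduits (constructed allow-list): (src_zone, dst_zone, proto, port).
CONDUITS = {
    ("supervision", "robot_cell", "tcp", 502),  # supervision polls the PLC
    ("supervision", "ot_dmz", "tcp", 443),      # supervision feeds the historian
    ("it", "ot_dmz", "tcp", 443),               # IT reads from the OT DMZ only
    ("ot_dmz", "supervision", "tcp", 3389),     # old remote-desktop rule
}
# Constructed observed flows, e.g. exported from a firewall or passive sensor.
OBSERVED = [
    Flow("scada-01", "plc-cell1", "tcp", 502),
    Flow("hmi-cell1", "plc-cell1", "tcp", 502),    # stays inside one zone
    Flow("scada-01", "historian", "tcp", 443),
    Flow("erp-gw", "historian", "tcp", 443),
    Flow("erp-gw", "plc-cell1", "tcp", 502),       # IT straight to a PLC
    Flow("laptop-77", "plc-cell1", "tcp", 44818),  # source not in the inventory
]

def audit(flows, zones=ZONES, conduits=CONDUITS, target_sl=TARGET_SL):
    """Classify flows: unfiltered bridges, unmapped assets, unused conduits."""
    bridges, unmapped, used = [], [], set()
    for f in flows:
        sz, dz = zones.get(f.src), zones.get(f.dst)
        if sz is None or dz is None:
            unmapped.append(f)        # mapping gap: fix the inventory first
        elif sz != dz:                # intra-zone traffic crosses no conduit
            key = (sz, dz, f.proto, f.port)
            if key in conduits:
                used.add(key)
            else:
                bridges.append((target_sl[dz], sz, dz, f))
    bridges.sort(key=lambda b: -b[0])  # highest target SL of destination first
    return {"bridges": bridges, "unmapped": unmapped,
            "unused_conduits": sorted(conduits - used)}

if __name__ == "__main__":
    for name, items in audit(OBSERVED).items():
        print(name, *items, sep="\n  ")
```

Bridges are the cross-zone flows with no matching conduit; unused conduits are candidates for the "shut down unnecessary flows" step once confirmed with production.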

Conclusion

IEC 62443 puts ISO 27001 at the machine level. It respects production constraints while imposing a discipline of architecture, access and proof. By addressing isolation, flow and maintenance access first, you greatly reduce risk without shutting down the plant - and you speak the same language as your industrial partners.
