In the OT cybersecurity world, there’s one standard everyone mentions: IEC 62443. It’s referenced in audits, design reviews, SOCI uplift plans, risk assessments, and presentations. However, organisations can reference IEC 62443 without understanding what it requires, and that misunderstanding creates risk. Here are the three biggest misconceptions I see and what IEC 62443 actually expects.
IEC 62443 is a Checklist
It isn’t. IEC 62443 is a risk-based architecture and governance model, not a box-ticking exercise. It defines outcomes, not specific products or tools. The standard asks three core questions:
- Do you understand how your OT system is designed?
Zones, conduits, trust boundaries, asset functions.
- Have you defined the security level you need?
Not “best practice”, but what the consequence of failure demands.
- Have you implemented compensating controls where you cannot patch, upgrade, or harden?
This is the real world of OT.
IEC 62443 is not about compliance. It’s about designing systems that are secure and survive failure.
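The three questions above can be checked against an inventory of zones, conduits and observed traffic. The following Python example is added here and is not part of the original article or the standard's text: the zone names, security-level numbers, conduits and flows are constructed sample data, and the `review` function and finding names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    sl_target: int    # level the consequence of failure demands
    sl_achieved: int  # level the zone's own controls reach today
    compensating: list = field(default_factory=list)  # controls covering a gap

# Constructed inventory for a hypothetical plant (assumed values throughout).
ZONES = [
    Zone("safety", 3, 3),
    Zone("control", 3, 2, ["passive network monitoring", "restricted remote access"]),
    Zone("legacy_plc", 2, 1),  # cannot be patched, nothing recorded to cover the gap
    Zone("enterprise", 1, 1),
]
# Conduits: the only approved (source, destination) paths and their protocols.
CONDUITS = {
    ("enterprise", "control"): {"opc-ua"},
    ("control", "legacy_plc"): {"modbus"},
    ("control", "safety"): {"modbus"},
}
# Constructed observed flows: (source zone, destination zone, protocol).
FLOWS = [
    ("enterprise", "control", "opc-ua"),
    ("control", "legacy_plc", "modbus"),
    ("enterprise", "legacy_plc", "rdp"),
    ("control", "safety", "http"),
]

def review(zones, conduits, flows):
    """Return (finding, subject) pairs for gaps in the zone and conduit model."""
    findings = []
    for z in zones:
        # A gap is acceptable only when a compensating control is recorded.
        if z.sl_achieved < z.sl_target and not z.compensating:
            findings.append(("sl_gap_uncompensated", z.name))
    for src, dst, proto in flows:
        allowed = conduits.get((src, dst))
        if allowed is None:
            findings.append(("no_conduit", f"{src}->{dst}"))
        elif proto not in allowed:
            findings.append(("protocol_not_allowed", f"{src}->{dst}:{proto}"))
    return findings

if __name__ == "__main__":
    for kind, subject in review(ZONES, CONDUITS, FLOWS):
        print(f"{kind:22} {subject}")
```

The control zone's gap is not reported because compensating controls are recorded for it; the legacy PLC zone's gap is, along with the flow that bypasses the conduit model and the one using a protocol its conduit does not permit.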
It’s an IT Security Standard Applied to OT
IEC 62443 was built for industrial environments.
Most IT frameworks assume:
- patching is easy
- systems can be rebooted
- software can be replaced
- segmentation is simple
- availability is secondary
None of that is true in OT.
IEC 62443 is built on OT realities:
- 20-year-old PLCs that can’t be patched
- safety systems that cannot be interrupted
- vendor restrictions on system access
- fragile legacy protocols
- environments where uptime is safety-critical
This is why it prioritises:
- zones and conduits
- security levels based on consequence
- segmentation and isolation
- compensating controls
- least privilege access
- protecting integrity and availability
It speaks OT, not IT.
IEC 62443 is Something the Cybersecurity Team Owns
Another misconception. IEC 62443 is multi-disciplinary by design. It requires alignment between:
- Controls & Automation
- Operations
- Engineering
- IT Security
- Vendors & service providers
- Projects & capital works
- Maintenance teams
- Safety and risk functions
OT cybersecurity doesn’t work when it’s siloed. Segmentation, system hardening, backup design, access control, and patching windows all depend on operational and engineering constraints. IEC 62443 formalises that collaboration. It brings everyone to the same table.
What IEC 62443 Gives Organisations
Done correctly, IEC 62443 provides three major outcomes:
- A consistent way to describe OT systems across disciplines.
- A risk-based method to justify design decisions.
- Architectures that can tolerate disruption.
It’s not about being “compliant.” It’s about being predictably safe and secure in environments where failure has real-world consequences.
Closing Thought
OT cybersecurity can’t be solved with IT thinking. IEC 62443 succeeds because it was built for the physical world where downtime affects safety, production, and people. If you work in critical infrastructure, understanding IEC 62443 isn’t optional. It’s foundational. If you’re building or uplifting an OT cybersecurity program, start with the basics:
- Understand your zones
- Define your conduits
- Set your security levels
- Use compensating controls
- Engage operations and engineering early
- Align architecture to consequence, not convenience
The organisations that do this well are the ones that stay resilient.