OT Security

IEC 62443 implementation in live operational environments: what the standard doesn't tell you

January 2026 · 36 pages

IEC 62443 provides the right framework for industrial cybersecurity. It doesn't tell you how to apply it to a facility that can't pause operations for security upgrades. This paper fills that gap.

IEC 62443 · OT Security · ICS · SCADA · Industrial Cybersecurity

The operational constraint IEC 62443 doesn't address

IEC 62443 is the most comprehensive framework for industrial control system security. It defines security levels, security zones, conduits, and a structured risk assessment methodology. What it does not define is how to implement these controls in a facility that operates 24/7 with zero tolerance for unplanned downtime. A chemical plant, power generation facility, or water treatment plant cannot take a maintenance window to retrofit network segmentation. The standard tells you what to achieve; this paper tells you how to achieve it without stopping operations.

The zone and conduit implementation sequence

The correct sequence for implementing IEC 62443 zone and conduit architecture in a live environment begins with passive network discovery — deploying span port monitoring to build a complete picture of OT network topology and device communication patterns before any active changes. This phase typically reveals 40–60% more devices and connections than asset inventories document. The second phase implements passive monitoring controls (IDS, NetFlow analysis, protocol-aware DPI) that produce security value without changing network behaviour. Only in the third phase — after 90 days of baseline establishment — are active segmentation controls introduced, beginning with the highest-criticality zone boundaries.
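As an added illustration of the first phase (not taken from the paper), the sketch below compares hosts seen in passively captured flow records against the documented asset inventory and derives the zone-to-zone traffic that later conduit rules would have to permit. The zone names, subnets, inventory and flow records are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data (assumptions): zones, inventory and flows are illustrative only.
ZONES = {
    "control": ip_network("10.10.1.0/24"),
    "supervisory": ip_network("10.10.2.0/24"),
    "dmz": ip_network("10.10.9.0/24"),
}
INVENTORY = {"10.10.1.10", "10.10.1.11", "10.10.2.20"}
# (src, dst, protocol, dst_port) as exported by a passive sensor on a SPAN port
FLOWS = [
    ("10.10.2.20", "10.10.1.10", "tcp", 502),
    ("10.10.2.20", "10.10.1.11", "tcp", 502),
    ("10.10.2.21", "10.10.1.10", "tcp", 502),
    ("10.10.9.5", "10.10.2.20", "tcp", 4840),
    ("10.10.1.10", "10.10.1.11", "udp", 2222),
    ("192.168.50.7", "10.10.1.11", "tcp", 44818),
]

def zone_of(addr):
    """Map an address to its planned zone, or 'unzoned' if no subnet matches."""
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "unzoned")

def undocumented_devices(flows, inventory):
    """Hosts observed on the wire that the asset inventory does not list."""
    seen = {addr for src, dst, _, _ in flows for addr in (src, dst)}
    return sorted(seen - set(inventory), key=ip_address)

def discovery_gap_percent(flows, inventory):
    """Undocumented hosts as a percentage of the documented inventory size."""
    return 100 * len(undocumented_devices(flows, inventory)) / len(inventory)

def conduit_candidates(flows):
    """Cross-zone traffic grouped by (source zone, destination zone)."""
    conduits = defaultdict(set)
    for src, dst, proto, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone != dst_zone:  # intra-zone traffic needs no conduit
            conduits[(src_zone, dst_zone)].add((proto, port))
    return dict(conduits)

if __name__ == "__main__":
    print("Not in inventory:", undocumented_devices(FLOWS, INVENTORY))
    for (src_zone, dst_zone), services in sorted(conduit_candidates(FLOWS).items()):
        print(f"{src_zone} -> {dst_zone}: {sorted(services)}")
```

Any flow whose source or destination resolves to `unzoned` is worth investigating before segmentation rules are written, since it represents traffic the planned zone model does not account for.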

Legacy device integration: PLCs, HMIs, and embedded systems

The majority of OT environments contain PLCs and HMIs running firmware from 2005–2015 that cannot support modern authentication, encryption, or endpoint monitoring. IEC 62443's security level requirements assume that devices can be upgraded. In practice, the upgrade cycle for embedded industrial devices is 10–15 years. The correct approach is compensating controls: network-layer controls that satisfy the security level requirements without requiring changes to the device itself. This paper documents the compensating control architecture for the most common legacy device scenarios.


The full paper includes detailed implementation guidance, architecture diagrams, compliance control mappings, and worked examples not included in this preview.
