
ISA/IEC 62443

ISA/IEC 62443 is the standard that brings identity controls into the OT world, where the assumptions of IT identity break.

Full name: ISA/IEC 62443 — Security for Industrial Automation and Control Systems
Region: International (referenced by NIS2, NERC CIP, and EU CRA)
Applies to: Operators and vendors of industrial automation and control systems (IACS): manufacturing, energy generation and distribution, water, transport, oil and gas, chemicals, pharma manufacturing.

ISA/IEC 62443 is the multi-part international standard that addresses the cybersecurity of industrial automation and control systems. It is referenced by NIS2 for operational technology and is increasingly cited in EU Cyber Resilience Act compliance work. The standard explicitly recognises that identity in OT environments cannot copy IT patterns — operator workstations are shared, processes outlive personnel, downtime is unacceptable, and many devices have no real concept of an individual user.

What it asks for

The Identity Lens

The clauses that bite when identity architecture is weak, rewritten in plain English. Authoritative text is linked below.

Foundational Requirement 1 — Identification and authentication control (FR 1)

Authenticate and identify all users (human, software process, and device) before allowing access. The standard accepts that this is harder in OT and provides graduated security levels (SL 1-4) for each requirement so operators can match controls to risk.

Foundational Requirement 2 — Use control (FR 2)

Authorisation, session control, supervisor override, audit, and the explicit handling of shared and emergency accounts in plant operations. This is where OT identity diverges most from IT.

Part 3-3 — System security requirements and security levels

Detailed control requirements for each foundational requirement, expressed against security levels SL 1 through SL 4. Identity requirements scale with security level: SL 1 needs basic authentication, SL 4 needs cryptographically protected mutual authentication for every interaction.

Part 4-2 — Technical security requirements for IACS components

Component-level identity requirements for PLCs, HMIs, controllers, and field devices. Many legacy components do not natively support modern identity; the standard accepts compensating controls but expects them to be documented.

Where teams miss it

Common Misses

Patterns we see again and again — usually because the identity programme runs in parallel to the compliance programme rather than inside it.

Shared operator accounts on HMIs with no individual accountability: standard practice in operations, and an audit finding in OT cybersecurity reviews.

Engineering workstations used for both OT control and email / browsing, so the identity attack surface bleeds across the IT/OT boundary.

Remote access for vendors and contractors granted as permanent VPN credentials rather than scoped, time-limited, session-recorded access.

Service accounts on SCADA / historian systems with broad permissions, no rotation, no audit, and credentials stored in plant documentation.

What works

Where Design Pays Off

Patterns we have seen survive supervisory review, audit, and the next change.

Identity architecture that explicitly separates IT identity from OT identity, with a documented bridge for the operators and engineers who need both.

Zone-and-conduit modelling (part 3-2) applied to identity flows, so each crossing is an explicit authentication decision rather than implicit trust.

Vendor and contractor access through a session-broker pattern — identity-aware browser, jump host, or PAM gateway — so OT exposure ends when the work ends.
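The three patterns above reduce to one rule: every zone crossing is an explicit, per-request authentication decision, and vendor access is scoped, recorded and time-limited. The following is an added illustration written for this page, not Atlas Apex code and not text from the 62443 standard. The zone names (enterprise, idmz, control, vendor_remote), the SL targets attached to each conduit, the idea that a credential carries an "auth strength" comparable to an SL number, and all request records are constructed assumptions for the example.

```python
"""Added example: a deny-by-default conduit policy that turns each zone crossing
into an explicit identity decision. Zone names, SL targets, and the sample
requests below are constructed for illustration (assumptions, not page data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Conduit:
    """One permitted crossing between two zones and what it demands of the principal."""
    src: str
    dst: str
    min_sl: int                         # assumed SL target of the destination zone, 1..4
    principal_types: FrozenSet[str]     # subset of {"human", "process", "device"} (FR 1)
    require_mfa: bool
    require_session_record: bool        # True on vendor/contractor conduits


@dataclass(frozen=True)
class AccessRequest:
    principal: str
    principal_type: str
    shared_account: bool                # True for a shared HMI/operator login
    auth_strength: int                  # assumed assurance of the credential, 1..4
    mfa: bool
    session_recorded: bool              # True when the session goes through a broker
    src_zone: str
    dst_zone: str
    expires_at: Optional[datetime]      # None means a permanent credential
    now: datetime


class ConduitPolicy:
    """Evaluates a request against the conduit table; no table entry means no trust."""

    def __init__(self, conduits: List[Conduit]) -> None:
        self._conduits = {(c.src, c.dst): c for c in conduits}

    def evaluate(self, req: AccessRequest) -> Tuple[bool, List[str]]:
        reasons: List[str] = []
        conduit = self._conduits.get((req.src_zone, req.dst_zone))
        if conduit is None:
            # Undeclared crossing: implicit trust is refused rather than inferred.
            return False, [f"no conduit {req.src_zone}->{req.dst_zone}: denied by default"]
        if req.principal_type not in conduit.principal_types:
            reasons.append(f"principal type {req.principal_type!r} not permitted on this conduit")
        if req.shared_account:
            reasons.append("shared account: no individual accountability (FR 1)")
        if req.auth_strength < conduit.min_sl:
            reasons.append(f"auth strength {req.auth_strength} below SL {conduit.min_sl}")
        if conduit.require_mfa and not req.mfa:
            reasons.append("MFA required for this crossing")
        if conduit.require_session_record and not req.session_recorded:
            reasons.append("vendor/contractor access must be session-recorded")
        if req.expires_at is None:
            reasons.append("permanent credential: access must be time-limited")
        elif req.expires_at <= req.now:
            reasons.append("access window has expired")
        return (not reasons), reasons


# Constructed conduit table: IT -> industrial DMZ -> control, plus a vendor conduit
# that may only reach the DMZ (where the broker/jump host sits).
POLICY = ConduitPolicy([
    Conduit("enterprise", "idmz", 2, frozenset({"human", "process"}), True, False),
    Conduit("idmz", "control", 3, frozenset({"human", "process"}), True, False),
    Conduit("vendor_remote", "idmz", 2, frozenset({"human"}), True, True),
])

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock value


def example_decisions() -> dict:
    """Runs four constructed requests that mirror the misses and the fixes above."""
    requests = {
        "shared_hmi_operator": AccessRequest(
            "hmi-operator", "human", True, 2, False, False,
            "enterprise", "idmz", NOW + timedelta(hours=8), NOW),
        "permanent_vendor_vpn": AccessRequest(
            "vendor-acme", "human", False, 2, True, False,
            "vendor_remote", "idmz", None, NOW),
        "brokered_vendor_session": AccessRequest(
            "vendor-acme", "human", False, 2, True, True,
            "vendor_remote", "idmz", NOW + timedelta(hours=4), NOW),
        "undeclared_crossing": AccessRequest(
            "eng-ws-07", "device", False, 3, True, False,
            "enterprise", "control", NOW + timedelta(hours=1), NOW),
    }
    return {name: POLICY.evaluate(r) for name, r in requests.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in example_decisions().items():
        print(name, "ALLOW" if allowed else "DENY", reasons)
```

The point of the structure is that the conduit table is the documented bridge between IT and OT identity: a crossing that is not in it is refused rather than inferred, and a vendor credential with no expiry or no session recording fails the same check as a shared operator login, so the audit evidence is the decision log rather than a spreadsheet of exceptions.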

Need an ISA/IEC 62443-ready identity baseline?

We start with an assessment that maps your identity controls to ISA/IEC 62443 requirements, then design and operate the controls that close the gaps.

Book a Conversation