Demystifying OT cyber security standard: ISA/IEC 62443
ISA/IEC 62443 is a powerhouse… unless it gets treated like a checkbox
12/01/2026 Podcast
If you’ve ever been in a meeting where someone confidently declares, “We’re going to do 62443,” you’ll know the feeling: relief… followed by confusion… followed by the creeping suspicion that nobody agrees on what that actually means.
In this episode of the You Gotta Hack That podcast, Felix is joined by Emily, a principal industrial consultant (and former national utility cyber lead) to unpack what ISA/IEC 62443 really is, why it’s so often misunderstood, and how to approach it without getting crushed under its weight.
One of the biggest misconceptions Emily tackles is that 62443 is a single document you can “be compliant with.” In reality, it’s a growing set of standards covering everything from governance and security programs to technical requirements and supplier expectations.
That matters because the moment you open the lid, you realise you need to make choices: Which parts apply to your environment? Which parts apply to your role? Are you the operator? The integrator? The vendor? The answers change what “doing 62443” even looks like.
If you’ve ever written or received an RFP that says “must comply with 62443,” you’ll appreciate Emily’s war-story perspective: those words sound decisive, but they’re not actionable. Without specifics, you’re essentially asking suppliers to guess your intent, and that rarely produces anything useful.
Emily explains why meaningful adoption takes real collaboration: competent people on the operator side who can specify requirements, and skilled teams on the supplier side who can interpret and implement them. It’s not a one-liner. It’s a conversation (usually many).
Felix and Emily also get into the “compliance = invincible” myth. Even when organisations build strong controls such as segmentation, firewalls, and governance, those controls can erode over time, for example through mergers, staffing changes, shifting organisational priorities, or plain old entropy.
A key theme: if you don’t have fundamentals like asset visibility and network segmentation, you may not be ready to “do 62443” in a meaningful way. Emily points listeners toward pragmatic, minimum-viable focus areas (think: defensible architecture, incident response planning, and targeted vulnerability management) before trying to swallow the entire standard.
This blog post only scratches the surface. In the full conversation, Emily gets into how security levels are often misused, what “good enough” can look like in the real world, and how to think about 62443 as a roadmap rather than a checkbox.
If ISA/IEC 62443 has ever felt intimidating, or if you’re trying to make OT security progress without boiling the ocean, this episode will help you find your footing.
Felix (00:09)
Hello and welcome to the You Gotta Hack That podcast. Today I am going to welcome Emily here to say hello and talk to us about some of your experiences. So Emily, do you want to tell us a little bit about you?
Emily (00:24)
So I’m Emily. I’m a principal Industrial cyber security consultant. I do consultancy stuff, get to see a lot of very interesting industrial places, and help people figure out what’s wrong and where they need to focus.
My experience is that I also spent 12 years at a national utility company in various roles, starting in the field, very much on the tools, and then holding all kinds of different roles until I became Technical Lead for IT cybersecurity. So quite a journey.
Felix (00:56)
For anybody who’s wondering, Emily and I had the fortune in my case, or maybe misfortune in your case, Emily, of meeting at a conference recently. We got chatting and I really enjoyed one of the conversations in particular. So I thought it would be a really good idea to share some of that and dig into it a bit more.
That conversation was surrounding something called ISA/IEC 62443. I’m pretty sure some people will say I’ve said the name wrong, but I was fascinated by the war stories, what it actually is like to live that experience.
Felix (01:38)
For 2026, the You Gotta Hack That team has two training courses. On March the 2nd, we start this year’s PCB and Electronics Reverse Engineering course. We get hands on with an embedded device and expose all of its hardware secrets, topics like defeating defensive PCB design, chip to chip communications, chip off attacks, and the reverse engineering process.
On June the 8th, we launch the unusual Radio Frequency Penetration Testing course. We dig into practical RF skills so that you can take a target signal and perform attacks against it in a safe and useful way.
Both courses are a week long. They are a deep dive, they’re nerdy, and everything you need other than your enthusiasm.
As the unusual RF penetration testing course is brand new, you can be one of our beta testers and get £1,000 off.
There’s more information available on our website at [insert correct courses URL]. We recommend booking straight away as we have to limit the spaces to ensure the learning experience.
But for now, let’s get back to today’s topic.
Felix (02:34)
I don’t know where to start with this really, because it’s such a big topic. What sort of stuff were you playing with that meant you had this exposure?
Emily (02:44)
In terms of the standard, it’s back when I was working for that utility company. You’re trying to get to grips with this really oddly shaped, abstract thing, which is OT cyber.
You do a search on Google and you’re like, OK, I need some sort of standard, something to help me know where I’m at. You want to have a standard you can look at, get some baselines, and go, right, this is where we’re at, and these are the things we need to improve on.
62443 is one of those that is mentioned all over the place. There’s IEC, there’s ISA, there are various different international bodies. The idea is it’s by consensus, so it’s a complicated standard, but the whole point is it’s consensus based. There are working groups that build individual parts of the standard.
I was going out and trying to understand this. We keep saying 62443, but actually it’s not one thing. It’s like, I think, 14 or 15 different parts, and it’s growing. There are more and more things coming out. It’s massive.
So my journey with 62443 started probably nine years ago.
Felix (04:04)
So you’re maybe a bit long in the tooth on this then. Interesting.
Emily (04:06)
That’s OK because the standard has been around for a number of decades now, and it’s taken quite a long time for various modules to be updated. The one that comes to mind is 2.1, which is just one part of it, and that took nearly a decade to be updated. If we think how much has changed in a decade, right?
Felix (04:32)
Yeah, OK, that’s fair. The roots of it all are in, am I right in thinking ISA99? Have I got that right?
Emily (04:38)
Yeah. There’s a really interesting podcast from one of the original founders. I totally forget the person’s name, I should have thought about it. They were talking about identifying good work from various vendors and organisations, but wanting to formalise it and make it more international. So a group set up to focus on producing these standards, which then moved into the 62443 group of standards.
It covers the whole aspect of OT cyber, from governance, risk and compliance type subjects through to low level technical controls. So it tried to cover every single possible base associated with OT security.
Felix (05:30)
In my own journey, I’m not as far along in terms of depth of experience, certainly not the implementation side and the running of it.
My experience of OT cyber is that there’s quite a lot of good intent out there, but the reality is there’s nothing that really fits the bill, particularly when you start looking at the more nerdy technical bits.
I was looking at some work for UK airports recently, and essentially you need to have completed two of the ISA/IEC 62443 exams to be able to do any work as a cybersecurity person for UK airports, officially at least.
I was like, OK, but these exams are all well and good, but my job isn’t anything to do with upholding the standard. It’s about testing. It’s not even about testing the standard, it’s testing the technical controls. It’s simulating the threat. Therefore, what does this mean to me at all? Why would I bother?
I’ve found this frustrating in that a lot of people turn around and say, well, what are we supposed to do? And I’m like, you can go down this route. It isn’t a bad thing necessarily, but it’s not necessarily exactly what you’re expecting or hoping for.
Emily (06:55)
Basically, the situation I was in is really common. When you ask people how they ended up trying to adopt 62443, they were trying to get to grips with this thing.
Once you open the lid of 62443, you realise how big it is. It’s like when someone says, “Oh yeah, we’re going to do 62443”, and that’s the end of the conversation. I go, OK, you haven’t quite opened that lid yet, because as soon as you do, you’ll go, what part of 62443 do you intend to adopt and focus on?
So 2.1 is about the security programme for the industrial control system. It’s about understanding what kind of controls, what level of controls, you’re going to have to apply to your industrial control system.
Then you’ve got things like 3.3, which is about security requirements. That starts talking to the technical controls you’re to apply.
Then there are bits for developers of hardware and software. There are people who implement the equipment. If that isn’t yourselves, then you can be an operator, an integrator, an OEM. There are all different bits of the standard that you have to know about if you want to do it.
Felix (08:20)
I can see that being problematic quite quickly.
Emily (08:23)
Absolutely. CAF, the Cyber Assessment Framework, in its third iteration, produced by NCSC, the National Cyber Security Centre, tries to summarise a lot of complex things into minimum viable product type stuff.
Even that covers everything from board level engagement down to how you do backups. That’s still very complex, but it’s nowhere near as complex as something like 62443 if you look at it as a broad standard. Yeah, there are a lot of changes.
Felix (09:04)
So if you were to find this perfect environment where 62443 in its entirety, or at least the relevant parts, have been applied to the system and it’s perfect as it were, do you think that gives a really strong cybersecurity defensive stance?
Emily (09:29)
To have got to that level, right from the start of talking to your suppliers of equipment, basically you’d have to do it at a new plant. It’d be quite hard to do retrospectively, it would be incredibly challenging.
Via the selection of suppliers, you’d have to have a very competent team specifying what you want from the supplier. We’ve seen RFIs and RFPs that say, “you must comply with 62443”. What does that mean? It doesn’t mean anything. You need to go into detail.
Let’s say you do all of that. You also have all of the governance controls. So you have a CSMS, a Cyber Security Management System that covers your OT. You’ve done your risk assessments. You’ve decided on a security level. You do all of these things.
What I’ve seen at some companies that were doing a lot of this stuff about a decade ago is, through time, mergers and acquisitions, staff changes, you could see that a lot of policies and standards were rooted in 62443 because one of the people involved was heavily involved in 62443.
Over time the controls got reduced because they weren’t maintained, which is kind of sad to see because you go, wow, you were at a cutting edge level.
Every element of it requires maintenance. A company has to commit for the life of the asset, the system, however you want to frame it. It is a massive commitment if you want to broadly adopt that.
That’s true for any standard, if I’m honest. I don’t think we’ve realised that security is like safety. It’s not something you just do once and go, should be right. You constantly have to re-evaluate.
Some people put in amazing controls, firewalls, network segmentation, all sorts of stuff. But over time, that diminishes if you don’t maintain it.
Felix (11:16)
Commitment.
Emily (11:22)
Exactly.
Felix (11:49)
I can reflect on this as an individual nerd. At some point in my career I decided it was a good idea to have VLANs at home, and my wife can have her own separate bit where she can do whatever she wants on whatever apps, weird IoT, whatever.
Then I get to the point where I have to be the tech support person as well as the nerd doing the interesting things. Something goes wrong, something breaks, and you go, hmm, can I be bothered? The answer is usually no.
Emily (12:20)
It always happens when you’re away from home as well. I had the same. I did exactly the same, and then something went wrong. You’re just like, OK, just unplug this. You just plug straight into the free… God, what am I going to do? Yeah.
Felix (12:35)
Yeah. I’m glad to know I’m not alone on that one as well, Emily.
The bit I miss with all of this is that, irrespective of what standard we’re talking about, people see them as silver bullets. If only I can get compliant to insert standard here, no hackers can do me over, nobody can destroy my system, nobody can cause me any problems.
It’s not true. Particularly around the more managerial standards, like ISO 27001, it’s about managing risk, not eliminating it.
Please correct me, but I think 62443 is a bit more about trying to eliminate some of the more obvious risks and narrow the field, and therefore get to a place where you’re managing risk rather than eliminating it. But even then, I don’t see it as the silver bullet everyone seems to think it is.
And like you’ve pointed out, maintaining something that vast and complex means most of the time it’s not actually in play anyway, even if you did have brilliant commitments and lofty aspirations. It’s not likely you’ll achieve it or maintain it for very long.
Emily (13:56)
It may surprise you to say I’m kind of a fan of 62443, because it’s so synonymous and it’s so out there. When you think of OT security, most people think of 62443 the world over, which is quite an impressive feat.
The irony is people forget that virtually all standards, especially things like 62443, are about managing risk. It’s not about… you can’t stop a cyber attack happening. There’s no level of controls, if you’re against a skilled adversary, that can prevent them. There will always be some way in.
It’s about understanding your risk appetite, what risk you’re willing to take. Also making sure you’ve got good recovery, and thinking about detection.
I am a fan of 62443 from that point of view. I think it can be helpful to articulate where you want to go.
Security levels are a good example. They define the type of threat you’re trying to defend against, from someone with minimal skills, motivation, interest, money, up to highly sophisticated actors. It’s like SL1 to SL4.
It’s interesting listening to the person who was there on ISA99. They were saying people misuse security levels these days because they were meant to be a notional idea of the kind of thing you’re trying to do, but people fixate on wording. People say, “SL4 is completely impossible”. They weren’t meant to be like that.
They just released an updated version of 2.1, security programme requirements for IACS asset owners. Beautiful.
The new kid on the block is security profiles. This will be really interesting because it starts to say, out of all the stuff you could do, actually for energy, for water, for these different things, what might good look like, because you can’t do everything.
Felix (16:26)
That’s interesting, that it’s being formally recognised that you can’t do everything and you should probably concentrate on the areas that are most useful.
Emily (16:35)
Forget standards for a second. Take a step back and look at the actual situation in front of us.
If you still haven’t got basic network segmentation, and you don’t really know what assets you have, you don’t have any network visibility, you’ve notionally got some level of control on a boundary somewhere in your enterprise, you are not even close to being ready. 62443 should not be your focus. Your focus should be on getting some basics, Cyber Essentials.
I love the SANS five critical controls for ICS because it really tries to go, out of everything we could do, what are the five minimum focus areas. Stuff like incident response plans, visibility, defensible architecture, vulnerability management, very specific vulnerability management.
Thinking of your boundary, firewalls and network switches for example, and not just go, “Oh that PLC is out of date, I need to patch it”. Well, probably not. If you haven’t got basic network segmentation, probably go after that first.
Sorry, I could rant. I feel really strongly about that sometimes. I see it day to day. For the best will in the world, people are trying to do the right thing, but they struggle to take that step back and go, right, we’ve got no network segmentation. That means we’re open to all kinds of very bad scenarios.
Felix (18:09)
Yeah, exactly. Are there any other exciting bits, difficult bits, or areas you’re particularly passionate about?
Emily (18:17)
I would say 62443 has a lot of value. There are updates that have happened and are coming. By all means, catch up with the updates in 2.1, especially security profiles, well worth a look.
Unless you feel you’ve achieved the basics, I will point out the SANS five critical controls for ICS published on the SANS website. Unless you feel you’re doing those five things pretty well, you’re probably not ready to go down your journey on 62443. Or maybe you can go down certain elements, but you’ve got some other things to look at first. Just take the step back.
Felix (18:59)
It’s really interesting, because one of your observations earlier was that if you’re trying to retrofit 62443 into an existing environment, the odds are against you.
Equally, if you’re building a new environment, do you go down the SANS five controls, do you go down 62443 from the get go, or do you try and do both? That could be complicated for people to navigate.
Especially when you’ve got startup companies doing something in this space, wanting to do good security because it matters more to those companies, they need differentiators. They’re faced with this mammoth task of trying to implement 62443, or they do something like the SANS five controls and end up in a position where they’re probably never going to implement 62443 in its entirety because by the time they get competent enough in all other ways, including operational and business requirements, it’s too late and they already have massive hurdles. Or is that not your experience?
Emily (20:30)
I’ve been there on a very large project where we were deploying a very large complex control system. You’re sitting there as the OT technical cyber lead going, how do I get some security into this? My natural go to was 62443.
Then you think, OK, which elements of it am I going to go down? Trying to specify that in an RFP document, or an RFI document, calling for vendors to say, these are the requirements.
The problem is it requires a lot of discussion. The reality is, on the operator side, the person specifying what you need, you need a team of people. Either consultancy, or a seasoned team employed, whatever. You need a team to work together to specify your requirements, then present them to the supplier.
The supplier equally needs a team of people who are highly skilled. So it’s not uncommon to have an RFI or RFP that just says “62443 compliant”, and you know it’s going to be a long journey to explain.
Felix (22:09)
I don’t have any other thoughts or questions for you about 62443 today. I am up for having another discussion about a different topic in the future if you are.
If anybody is listening to this today with questions, I hope they’re able to get out and say hello. Do you frequent social media at all, Emily? Perfect opportunity for people to go, yes, come find me on, or alternatively say, I hate social media, I don’t want to be on it.
Emily (22:21)
Fun, yeah.
Emily (22:39)
I have a love hate relationship with social media because it will occupy my ADHD brain for the rest of my life. I limit it. But I have LinkedIn. I’m EmilyH on LinkedIn. By all means come find me there.
I love talking to people, so message me. But yeah, it’s a murky world. I haven’t got my Insta. I need Insta clearly. I’m missing things. Apparently there’s all kinds of good stuff on there. No, OK, maybe not.
Felix (23:10)
I’m told the same, but I don’t know. I’d rather be doing something that doesn’t involve a social media platform.
Emily (23:19)
Love it.
Felix (23:21)
OK. Thank you very much for your time.
If there are any questions and you don’t want to speak to Emily, feel free to go and do so, you can also get a hold of myself or anybody here at You Gotta Hack That. You can find us on Twitter at gotta_underscore_hack and you can find us on LinkedIn.
Hopefully you’ll be able to get in contact and say hello, and maybe even come on some training courses and other stuff that You Gotta Hack That provides. I’m not going to let you have an opportunity to sell your wares, but.
Emily (23:55)
Wait, I want to go on one of your training courses. I’m really interested, to be honest. That’s how we got chatting, right? I came over going, oh, this is an interesting thing to do, and I can’t wait. Reverse engineering, yeah.
Felix (24:21)
Awesome.
Thank you. See you soon. Cheers. Bye everyone.