
ISA/IEC 62443 for Manufacturing: Compliance Roadmap (2026)

ISA/IEC 62443 is the international standard for industrial automation and control systems (IACS) cybersecurity and has become the de facto baseline for OT security in US manufacturing. The 62443 series spans multiple parts — 62443-1-1 terminology, 62443-2-1 asset owner program, 62443-2-4 supplier program, 62443-3-2 risk assessment for system design, 62443-3-3 system security requirements, 62443-4-1 product development lifecycle, 62443-4-2 component security requirements. For most manufacturers, the operationally relevant parts are 62443-2-1 (their own IACS security program), 62443-3-2 (risk assessment and zones/conduits design), and 62443-2-4 (requirements they impose on their automation suppliers).

EFROS's experience with manufacturing ISA/IEC 62443 programs is that the zones and conduits architecture work in 62443-3-2 is where most programs succeed or fail. Treating the entire manufacturing environment as one zone produces an unworkable security posture; segmenting into appropriate zones (typically: enterprise IT, plant control DMZ, process control network, safety-instrumented systems) with explicit conduits between them is the architectural foundation that makes everything else possible. The security level assignment per zone drives the technical control selection. The 2024 NIST SP 800-82 Rev. 3 update on industrial control system security aligns substantially with 62443; the CISA ICS Cybersecurity guidance also aligns. For DIB manufacturers, ISA/IEC 62443 coordinates naturally with CMMC and NIST SP 800-171 — OT zones can be scoped out of CMMC where they don't touch CUI, and the 62443 zone architecture supports the CMMC scoping decision.

By Stefan Efros, CEO & Founder, EFROS
Reviewed by Stefan Efros, Founder & CEO

Why ISA/IEC 62443 for Manufacturing matters

OT cybersecurity failures in manufacturing produce equipment damage, safety incidents, and production downtime. ISA/IEC 62443 is the international standard that gives manufacturers a defensible OT security framework. The zones and conduits work is the architectural foundation everything else builds on.

About ISA/IEC 62443

Framework: ISA/IEC 62443
Issuing authority: ISA and IEC
Edition / version: 62443 series (2-1, 2-4, 3-2, 3-3, 4-1, 4-2)

Top 5 requirements that hit hardest for Manufacturing

Of the controls and obligations in ISA/IEC 62443, these are the ones that most consistently show up as audit findings or operational gaps in manufacturing environments. Order reflects sequence of typical implementation, not abstract importance — most items depend on the earlier ones.

  1. Zones and conduits architecture — 62443-3-2 risk assessment and segmentation design

    Most programs start here. Treating the entire OT environment as one zone produces unworkable security; correct zone segmentation is the architectural foundation.

  2. Security level assignment per zone — informs technical control selection

    62443-3-3 defines four security levels (SL 1-4). Assign per zone based on risk; SL 3 is typical for process control networks in regulated industries.

  3. Asset inventory — comprehensive OT asset inventory at the device and firmware level

    Most manufacturers do not have a current OT asset inventory. The first 60 days of any 62443 program is typically inventory work.

  4. Supplier governance — 62443-2-4 requirements imposed on automation suppliers

    Automation suppliers (Rockwell, Siemens, ABB, Honeywell, Emerson, etc.) increasingly support 62443-2-4 compliance but it must be contractually required.

  5. Monitoring and detection — OT-specific monitoring without disrupting safety

    OT monitoring tools (Claroty, Nozomi, Dragos, Armis) provide visibility into the OT environment without active scanning that could disrupt safety-instrumented systems.

Common pitfalls for Manufacturing organizations

Patterns EFROS sees consistently across manufacturing ISA/IEC 62443 engagements. None of these are unfixable; all of them are common enough to be worth naming.

  • Treating the entire OT environment as one zone — produces unworkable security.
  • Active scanning in the process control network — risks safety-instrumented system disruption.
  • Not contractually requiring 62443-2-4 from automation suppliers.
  • Letting IT tools (Active Directory, etc.) reach into OT zones without conduit governance.
  • Skipping the OT asset inventory because it's hard — the inventory is the foundation.
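
The single-zone, ungoverned-conduit and missing-inventory pitfalls above can be checked mechanically against passively collected flow records. The following Python is an added example, not EFROS code or part of the standard: the zone names follow this page, while the subnets, conduit rules and flow records are constructed for illustration.

```python
import ipaddress

# Zone names come from the page; the subnets are constructed sample values.
ZONES = {
    "enterprise_it": ipaddress.ip_network("10.10.0.0/16"),
    "plant_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "process_control": ipaddress.ip_network("10.30.0.0/24"),
    "sis": ipaddress.ip_network("10.40.0.0/28"),
}

# Documented conduits (constructed): (initiating zone, target zone) -> allowed services.
# Anything not listed here has no conduit, including every path into the SIS zone.
CONDUITS = {
    ("enterprise_it", "plant_dmz"): {("tcp", 443)},
    ("plant_dmz", "process_control"): {("tcp", 4840)},
}

def zone_of(ip):
    """Return the zone containing ip, or None if the address is not in the inventory."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def check_flow(src, dst, proto, port):
    """Return None for a governed flow, otherwise a finding label."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "unzoned-asset"           # inventory gap: endpoint belongs to no zone
    if src_zone == dst_zone:
        return None                      # intra-zone traffic does not cross a conduit
    services = CONDUITS.get((src_zone, dst_zone))
    if services is None:
        return "no-conduit"              # zones talk with no documented conduit
    if (proto, port) not in services:
        return "service-not-on-conduit"  # conduit exists but not for this service
    return None

def audit(flows):
    """Return (flow, finding) pairs for every flow that violates the zone model."""
    findings = []
    for flow in flows:
        finding = check_flow(*flow)
        if finding:
            findings.append((flow, finding))
    return findings

# Constructed flow records, as a passive OT monitoring sensor might export them.
SAMPLE_FLOWS = [
    ("10.10.4.20", "10.20.0.15", "tcp", 443),    # enterprise IT -> DMZ, on conduit
    ("10.10.1.5", "10.30.0.12", "tcp", 389),     # directory traffic straight into OT
    ("10.30.0.12", "10.30.0.40", "tcp", 44818),  # inside the process control zone
    ("10.20.0.15", "10.30.0.12", "tcp", 3389),   # DMZ -> OT, service not documented
    ("192.168.77.9", "10.30.0.12", "tcp", 502),  # source missing from the inventory
    ("10.30.0.12", "10.40.0.3", "tcp", 502),     # process control reaching into SIS
]

if __name__ == "__main__":
    for flow, finding in audit(SAMPLE_FLOWS):
        print(finding, flow)
```

Because it reads exported flow records rather than probing devices, the check fits the passive-monitoring constraint described for process control and safety-instrumented networks.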

Implementation timeline

Typical EFROS engagement cadence for a manufacturing organization starting from a credible baseline. Earlier maturity shifts the timeline left; less mature starting positions shift it right.

Phase 1 (Window: 90 days)

Days 0-90: Asset inventory + zones

Complete OT asset inventory at device and firmware level. Design the zones and conduits architecture per 62443-3-2. Assign security levels per zone.

Phase 2 (Window: 90 days)

Days 90-180: Technical controls + monitoring

Implement zone segmentation. Deploy OT-specific monitoring (Claroty, Nozomi, Dragos, etc.). Document conduit governance between zones.

Phase 3 (Window: 90 days)

Days 180-270: Supplier governance + operate

Cascade 62443-2-4 requirements to automation suppliers. Run the first OT security review. Coordinate with CMMC / NIST SP 800-171 if DIB-relevant.

How EFROS helps with ISA/IEC 62443 for Manufacturing

EFROS operates ISA/IEC 62443 OT cybersecurity for manufacturers with particular focus on the zones and conduits architecture work in 62443-3-2 and the supplier governance work in 62443-2-4. We coordinate with OT monitoring vendors (Claroty, Nozomi, Dragos, Armis) and with CMMC / NIST SP 800-171 scoping for DIB manufacturers.

Disclaimer: this roadmap is a compliance research artifact, not legal advice. Implementation decisions for manufacturing organizations require analysis of specific facts and should be made in consultation with qualified legal counsel and an assessor appropriate to ISA/IEC 62443.

Cite this resource

Reference this resource with attribution under CC-BY-4.0.

Efros, S. (2026, May). ISA/IEC 62443 for Manufacturing: Compliance Roadmap (2026). EFROS. https://efros.com/compliance/isa-iec-62443-for-manufacturing/