OT Insights CenterPowerWhy I Wrote Power Generation OT Security: Applying and Interpreting ISA/IEC 62443 Standards

Why I Wrote Power Generation OT Security: Applying and Interpreting ISA/IEC 62443 Standards

Power generation OT security is critical for ensuring operational resilience in the face of growing cyber threats.However, as I researched, it became clear that no document existed to bridge the gap between the general, industry-agnostic ISA/IEC 62443 standards and the specific needs of power generation facilities. In response, I decided to write this ebook.

Dr. Jesus Molina

• November 19, 2024

As a teacher in the Master’s program on Rail Cybersecurity, I’ve had the opportunity to guide rail professionals through the complexities of securing critical infrastructure. In my course, I frequently rely on the European Technical Specification TS-50701, which provides tailored cybersecurity guidance specifically for the rail industry. TS-50701 serves as an essential resource, helping rail professionals interpret and apply broader standards like ISA/IEC 62443 to the unique challenges of rail systems. Of course, the goal of TS-50701 (currently in the process of becoming a standard under PT 63452) goes beyond teaching; it aims to improve cybersecurity in rail networks by building directly from the foundation of the 62443 standards.

But this reliance on TS-50701 led me to ask a simple question: Where is the equivalent guide for power generation?

“…I decided to write this ebook as a resource for power generation professionals. It aims to simplify and clarify the application of ISA/IEC 62443 for this sector.”

Download the eBook Here >>

The Gap

Power generation, like rail, is a critical sector facing unique cybersecurity challenges. However, as I researched, it became clear that no similar document existed to bridge the gap between the general, industry-agnostic ISA/IEC 62443 standards and the specific needs of power generation facilities.

In response, I decided to write this ebook as a resource for power generation professionals. It aims to simplify and clarify the application of ISA/IEC 62443 for this sector. While the standards are essential for Operational Technology (OT) security across industries, applying them effectively in power generation presents unique challenges that require tailored guidance.

Here’s what you’ll find inside the ebook:

• A Consequence-Driven Approach: Learn how focusing on unacceptable outcomes and using a consequence-driven approach can enhance your risk assessments.
• Zoning and Conduits for Power Generation: Practical guidance on structuring zones and conduits to address power generation’s specific needs.
• Engineering-Grade Controls: Explore engineering-based controls that reduce reliance on vulnerable software solutions, helping to simplify security while maintaining robustness.
• Introducing New Technologies: A practical approach to managing cloud computing and remote access within the standard.

Looking Ahead: The Need for Power Generation-Specific Guidance

This ebook is a starting point. My hope is that it will spark further work towards creating a comprehensive guide, similar to TS-50701, but specifically for power generation. Such a document would bridge the gap between the broad 62443 standards and the specialized needs of this critical sector, providing engineers with a clear path for implementing cybersecurity measures.

I’ll be presenting my position on the importance of tailored training materials at the upcoming Sx25 conference. My focus will be on my experience teaching rail professionals, and the urgent need for OT cybersecurity training that prepares engineers to understand and apply cybersecurity principles in their unique operational environments. Right now, power generation lacks both a specialized approach to training and the specific guidance to make ISA/IEC 62443 actionable for its unique needs.

Download the eBook and Join the Effort

If you’re involved in power generation or OT cybersecurity, I invite you to Click here to  download the ebook and join me in pushing for the development of industry-specific resources for power generation.

About the author

Dr. Jesus Molina

Jesus Molina is Waterfall’s Director of Industrial Security. He is a security expert in both OT and IT security. A former hacker, his research on offensive security in industrial systems has been echoed by many publications and media, including Wired and NPR. Mr. Molina has acted as chair of several security organizations, including the Trusted Computing Group and the IoT Internet Consortium. He is the co-writer of the Industrial Internet Security Framework and the author of several security-related patents and academic research papers. Mr. Molina holds a M.S. and a Ph.D from the University of Maryland.

Share

Trending posts

I don’t sign s**t – Episode 143

September 10, 2025

Secure Industrial Remote Access Solutions

August 28, 2025

Remoting Into Renewables – the latest guidelines for secure remote access applied to renewables generation

August 28, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

Tags

• industrial cyber attacks
• NERC CIP
• IEC 62443
• NIST
• OT security Standards

The post Why I Wrote Power Generation OT Security: Applying and Interpreting ISA/IEC 62443 Standards appeared first on Waterfall Security Solutions.

OT Insights CenterPowerRecorded Webinar: Engineering-Grade IEC 62443 – A Guide For Power Generation

Recorded Webinar: Engineering-Grade IEC 62443 – A Guide For Power Generation

Webinar Recording: An in-depth look at the IEC 62443 standard, IEC 62443-3-2 risk assessments, and why would we need 62443-4-2 certified components for power generation operations.

Waterfall team

• April 2, 2024

IEC 62443 is used widely in power generation, but some aspects of the standard are ambiguous, and others are easily confused.

The Cyber-Informed Engineering (CIE) initiative, funded by the US Department of Energy, is a new way to look at IEC 62443 – a perspective that clears up a lot of confusion.

In this webinar recording, Andrew Ginter guides us through the intricacies of IEC 62443 for power generation, seen through the lens of CIE

In this recorded webinar, Andrew took us through:

What are the IEC 62443 standards and which ones apply to power generation?

How can CIE help IEC 62443-3-2 risk assessments determine Security Level targets?

 How can engineering-grade mitigations eliminate cyber threats, in addition to IEC 62443-3-3 mitigations?

What kind of extra protection do we get from 62443-4-2 certified components?

Watch Now:

Share

Trending posts

NIS2 and the Cyber Resilience Act (CRA) – Episode 142

August 18, 2025

SCADA Security Fundamentals

August 14, 2025

What is OT Network Monitoring?

August 14, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

Tags

• industrial cyber attacks
• NERC CIP
• IEC 62443
• NIST
• OT security Standards

The post Recorded Webinar: Engineering-Grade IEC 62443 – A Guide For Power Generation appeared first on Waterfall Security Solutions.

IEC 62443 is a global cybersecurity standard for industrial automation and control systems (IACS). It defines security requirements for system components, processes, and organizations. The standard helps reduce cyber risks by guiding asset owners, system integrators, and product suppliers on implementing secure-by-design principles and defense-in-depth strategies.

The ISA/IEC 62443 set of cyber-security standards are truly great. They are the world’s most popular, most widely applicable, and most comprehensive standards for securing industrial automation and control systems (IACS or ICS). Created by the International Society of Automation (ISA) and then accepted and co-developed by Europe’s International Electro-technical Commission (IEC), the standards were endorsed by the UN for their Cybersecurity Common Regulatory Framework in 2019. In September 2020, the new Part 3-2 of the standard was released, providing guidance on performing risk assessments on an IACS so that security countermeasures can be identified and applied.

In 2021, IEC members voted to make 62443 a horizontal standard, meaning it will form the basis for all future ISA and IEC industry specific industrial security standards and frameworks. Most ICS security standards are narrow in scope and tied to an industry, nation, or government body. It’s very refreshing that 62443 is completely generalized. It would be nice to say that it’s almost perfect, but automation and control technologies are changing fast, and a standard this big does have some confusing spots. This is not lost on ISA’s SP99 technical committee that writes the standard, who are hard at work on a major rewrite of several of the older sections. So, if you’re tasked with implementing IEC 62443, what are the essentials you need to know? What’s confusing, and what’s changing?

Speak with one of our 62443 experts  >> Contact Us >>

Essential Knowledge for Protecting ICS Networks

IEC 62443 is a multi-part standard, and very broad. I’m assuming that readers here will be asset owners or charged with protecting an industrial site. In that case, relevant sections to get started are:

• 1-1, Terminology, concepts and models
• 2-1, Security program requirements for IACS asset owners
• 3-2, Risk assessments for system design
• 3-3, Security requirements and security levels

These are outlined in red in the following chart in Figure 1.

Getting access to the IEC 62443 standards does cost money, but I highly recommend grabbing the free Quick Start Guide, downloadable from the ISA. Also – membership in the ISA is less than the cost of two or three volumes of the standards, and ISA members get free access to ISA and IEC 62443 standards.

In a nutshell, implementing the standard to secure an ICS site means implementing a security program, described in 62443-2-1. To do so, a risk assessment would be carried out and any changes to the network and security design would be made, based on 62443-3-2. Based on the assessment results and design that exists, that site’s cyber defenses would be categorized into one of five levels, described in the 3-3 document. The level selected determines the degree of requirements needed to complete implementation of the security program, so secure the site to what you have determined is an acceptable level. The higher the security level, the greater the strength of the applied protection. The five levels are summarized in Table 1: IEC/ISA 62443-3-3 Security Levels.

Table 1: IEC/ISA 62443-3-3 Security Levels

Effectively, 62443 lays out a roadmap to engineer cyber security defenses, and to iterate between risk assessments and system design until an acceptable level of protection is deployed. IEC 62443 security levels are all defined based on the type of threat – the most capable adversary that the system is designed to defend against. This worst-case attacker is further defined in terms of their means, resources, skills and motivation. While this all sounds great, selecting the appropriate security level is confusing, and it is unfortunately too easy to select the wrong security level as the target level for an automation system or site.

Would you like to speak with one of our IEC 62443 experts?  >> Click Here >>

IEC 62443 Part 3-3: Picking The Right Security Levels

Choosing a security level (SL) target is difficult in the current version of IEC 62443 Part 3-3, because in most of the 62443 series of documents, security levels are described in terms of the characteristics of the perceived adversary, and not in terms of the worst-case consequences of compromise.

In a bit more detail, IEC 62443-1-1 states that a target security level should be assigned to every network zone based on a “… consideration of the likelihood and consequences of security of a zone or conduit being compromised.” The problem is that 62443-3-3 (repeatedly) describes security levels as in Table (1) – in terms of the capabilities of the adversaries the zone must be protected against, not in terms of consequence severity. This is not entirely wrong – it is reasonable for example to look at a safety system designed to prevent an environmental catastrophe and say that this safety system deserves the highest degree of protection – SL4. The problem is that many practitioners forget this one paragraph in 1-1 and look at 3-3, where security levels are repeatedly defined in terms of the capabilities of the adversary.

IEC 62443 section 3-3 was released over a decade ago, in 2013. Back then, risk assessments based on the profile of an attacker alone were understood to be a robust method. This might make sense if you are trying to protect the information in your network, where denying access to the information systems would use the most sophisticated defenses to make it very difficult for the attacker. With industrial systems and critical infrastructure, protecting operations is key. Here the goal is to keep operations running safely, continuously, and reliably. The updated way to look at operational cyber risk is to consider that every CPU, at any level of the control system, could be compromised to mis-operate. Then consider what systems and processes pose a health and safety, or operational reliability risk, with consequences too dangerous or costly for the business or operations team to accept. It is important that the process be protected from harm, and not be solely concerned about who or what type of threat would cause that harm.

Take the example of a small-batch distillery, renowned for their gin made from locally sourced ingredients. Being in the mountains, seasons are short and only one batch is produced per year. Any spoilage of the batch by any threat actor could bring unacceptable harm to the business, including bankruptcy. Tampering of the safety instrumented systems on the still could cause a fire, release of steam, or product. But since a very small number of staff generally stay out of the plant, have a regimented safety program, and stay safe behind a sealed door and tempered glass during operations, the greatest concern is losing their precious gin. They are mostly concerned about their local competition and the rise in the threat of criminal ransomware groups, more than they are about sophisticated ‘nation-state’ attackers.

Contrast the gin distillery to the example of a 600 MW natural gas-fed power plant. Here, mis-operation could cause not only loss of power to thousands of downstream customers, but loss of extremely long lead-time assets such as turbines, power lines, transformers and more. Further, the health and safety consequences of out-of-control rotating equipment, electric arcs, would be completely unacceptable. In some cases, a loss of 600 MW can be absorbed by the electric grid with enough excess capacity, but during times of peak demand could instead cause widespread outages over large geographical regions. The ensuing chaos on such a scale significantly endangers the public. Whether an attack is made by an unsophisticated adversary just poking around (a ‘script-kiddie’), or a highly motivated and well-resourced attacker (a ‘nation state’ group) does not really matter. The power company is expected, and mandated by regulations, to prepare their defenses accordingly. A higher security level and stronger security program should be chosen to protect a power plant than for a distillery, because of the nature of the consequences, not because of the nature of the expected adversary.

Into The Future with IEC 62443

The point is that consequences determine the security level, not the nature of the threat or the adversary. A risk assessment asking the wrong questions could lead to a naively applied security level and program. It’s good to know that the ISA is aware of this fact. About a year ago, on the Industrial Security Podcast Episode #73, Eric Cosman, chair of the ISA99 committee which authors the series of standards, mentioned that a revision to 62443 Part 3-3  is in the works, and that security levels were being re-evaluated in light of issues like this that have come up in the course of using the standards this last decade.

It might sound like IEC 62443 has fatal flaws. Far from it. Last year, Alex Nicoll, co-chair of the ISA99 committee, appeared on the Industrial Security Podcast Episode #79. In it, he expressed the committee’s goal to keep up with industry changes, and the understanding that change is occurring quickly in not only automation and control, but in cyber security as well. The committee has largely achieved its goal of creating a general, widely-applicable and accepted framework for improving security in the industrial and critical infrastructure space.  He re-affirmed concerns around Security Levels and Risk Assessments, while also mentioning that new technologies like containerization, virtualization, edge devices and the cloud need to be incorporated. Alex mentioned that the strength of the standard is that it is made up of volunteers and depends on input from those with experience to ensure standard is relevant and applicable to a wide range of businesses. Applying principles is key, as fundamentals haven’t changed in 20-30 years and requires collaborative input and effort from asset owners, operators, integrators, and suppliers.

In short, the series of standards is useful and valuable. Issues have been identified with the series, and are being addressed in new versions of the standard.

Speak with one of our 62443 experts  >> Contact us>>

The post The Essential Guide To ISA IEC 62443 appeared first on Waterfall Security Solutions.