NERC CIP vs ISA/IEC 62443: Which Standard Applies to Your Oil & Gas Facility?
Oil and gas operators face a compliance question that other industrial sectors rarely have to answer: which cybersecurity standard actually applies to us? NERC CIP is widely known in the energy sector, but it was written for the electric grid. ISA/IEC 62443 applies to industrial automation and control systems broadly - but it is not mandatory in the same way NERC CIP is for bulk electric system operators.
The confusion is understandable. Oil and gas infrastructure sits at the intersection of multiple regulatory environments. Pipeline operators answer to TSA. Offshore platforms have separate safety regulations. Refineries fall under EPA and OSHA for process safety, not cybersecurity. And the question of which OT cybersecurity framework to adopt - and why - does not have a single clean answer that applies across the sector.
This post provides that answer for oil and gas operators. It explains what NERC CIP actually covers and where it applies to your operations, what ISA/IEC 62443 requires and why it is relevant even when it is not mandatory, and how the two frameworks complement each other for operators who need both compliance coverage and genuine security depth.
Only 33% of oil and gas operators have a formal OT cybersecurity framework in place, despite the sector being the third most targeted for OT cyberattacks globally in 2024. The majority of upstream and midstream operators are relying on IT security policies and vendor recommendations rather than a structured OT security standard. Source: Claroty Global State of CPS Security Report, 2024
1. Understanding NERC CIP: What It Covers and What It Does Not
NERC CIP - the North American Electric Reliability Corporation Critical Infrastructure Protection standards - is a mandatory cybersecurity framework enforced by NERC and its Regional Entities under FERC oversight. It applies specifically to owners and operators of Bulk Electric System (BES) assets: generation above the BES thresholds (a single unit above 20 MVA, or a plant above 75 MVA aggregate), transmission elements operated at 100 kV and above, and the control centers that operate them.
1.1 Where NERC CIP Applies in Oil & Gas
For oil and gas operators, NERC CIP is directly applicable in one primary scenario: when the operator owns or operates electric generation or transmission assets that meet the BES definition. This most commonly applies to:
- Operators with onsite generation above BES thresholds: LNG facilities, refineries, and large upstream operators with cogeneration plants that export power to the grid may be registered BES entities.
- Operators whose natural gas pipelines supply fuel to generation facilities: NERC CIP does not apply to the pipeline itself. The generation facility is subject to CIP-013 supply chain risk management, but CIP-013 covers the procurement of BES cyber system hardware, software and vendor services, not fuel supply. A pipeline operator is pulled into that scope only if it also provides OT equipment, software, or remote access to the plant's BES cyber systems - which may create indirect, contract-driven obligations rather than a direct NERC requirement.
- Midstream operators with FERC-jurisdictional electric assets: Some midstream operators own electric facilities that meet the BES definition - generation above the thresholds, or transmission elements at 100 kV and above that are not load-only radial taps - and may therefore trigger BES registration. Simply consuming grid power for electric-drive compression does not; the registration question turns on owning BES-defined generation or transmission elements.
If your oil and gas operations do not include any BES-registered assets, NERC CIP does not directly apply. But this does not mean it is irrelevant. TSA Security Directives for pipeline operators - issued in 2021 and updated since - reference controls that align closely with NERC CIP requirements, including MFA for remote access, network segmentation, and OT security monitoring. TSA compliance is not NERC CIP compliance, but the operational controls required by both are largely the same.
1.2 What NERC CIP Requires - The Standards Most Relevant to OT Operations
For operators who are subject to NERC CIP, the standards with the most direct OT operational impact are:
| Standard | Requirement | OT Operational Impact |
|---|---|---|
| CIP-002 | Categorize all BES cyber systems by impact level: High, Medium, Low | Requires complete OT asset inventory and impact classification - the foundation all other standards build on |
| CIP-005 | Define and protect Electronic Security Perimeters around BES cyber systems | Mandates IT/OT network segmentation at the control center and substation level - directly applicable to SCADA environments |
| CIP-007 | Manage ports and services, apply patches, implement malicious code prevention, monitor security events | Patch management and security event monitoring obligations for all BES cyber systems within scope |
| CIP-010 | Baseline configurations, change management, and vulnerability assessments | Requires documented baseline configurations (OS/firmware, installed software, open ports, applied patches) kept current within 30 days of a change, plus periodic vulnerability assessments (at least every 15 calendar months, with an active assessment every 36 months for High impact systems) |
| CIP-013 | Supply chain risk management for ICS hardware, software, and services | Requires vendor security assessments and software integrity verification - applies to OT vendors and ICS software suppliers |
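As an added example (not code from the original article, and not a NERC-issued tool), here is the CIP-010 R1 baseline comparison a practitioner would script for one in-scope host: the baseline holds the R1 Part 1.1 elements (OS/firmware, commercial and open-source software, custom software, logical network accessible ports, applied security patches) and is diffed against observed state parsed from `ss -lntu` and `dpkg-query -W` output. The host name, package versions, the command output and the patch identifiers are all constructed.

```python
"""Added example: CIP-010 R1 baseline drift check for one in-scope OT host.
The baseline, the observed command output and the patch identifiers are
constructed; this is not a tool from the original article or from NERC."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """The CIP-010 R1 Part 1.1 baseline elements for one BES cyber asset."""
    asset: str
    os: str                 # operating system / firmware, including version
    software: dict          # commercial, open-source and custom software -> version
    ports: frozenset        # logical network accessible ports, e.g. "tcp/20000"
    patches: frozenset      # security patches applied (constructed identifiers)


def parse_ss(text: str) -> set:
    """Parse `ss -lntu` style output into {"tcp/22", "udp/161", ...}.

    Column 0 is the socket type, column 4 the local address:port; the port is
    taken after the last colon so an IPv6 '[::]:22' entry parses too.
    """
    ports = set()
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 5:
            continue
        ports.add(f"{cols[0]}/{cols[4].rsplit(':', 1)[1]}")
    return ports


def parse_dpkg(text: str) -> dict:
    """Parse `dpkg-query -W` output (name<TAB>version per line) into a dict."""
    packages = {}
    for line in text.splitlines():
        if "\t" in line:
            name, version = line.split("\t", 1)
            packages[name.strip()] = version.strip()
    return packages


def baseline_deviations(baseline: Baseline, observed_os: str, observed_sw: dict,
                        observed_ports: set, observed_patches: set) -> list:
    """Return (category, detail) tuples for every difference from the baseline.

    An unbaselined listening port is reported as 'port_added'; it is also a
    CIP-007 R1 (ports and services) finding, not only a CIP-010 R1 deviation.
    """
    deviations = []
    if observed_os != baseline.os:
        deviations.append(("os", f"{baseline.os} -> {observed_os}"))
    for name in sorted(set(baseline.software) | set(observed_sw)):
        expected, actual = baseline.software.get(name), observed_sw.get(name)
        if expected is None:
            deviations.append(("software_added", f"{name} {actual}"))
        elif actual is None:
            deviations.append(("software_removed", f"{name} {expected}"))
        elif expected != actual:
            deviations.append(("software_changed", f"{name} {expected} -> {actual}"))
    for port in sorted(observed_ports - baseline.ports):
        deviations.append(("port_added", port))
    for port in sorted(baseline.ports - observed_ports):
        deviations.append(("port_removed", port))
    for patch in sorted(baseline.patches - observed_patches):
        deviations.append(("patch_missing", patch))
    return deviations


# --- constructed sample data (hypothetical host, versions and patch IDs) -----
BASELINE = Baseline(
    asset="cc-scada-01",
    os="Ubuntu 22.04.4 LTS",
    software={"scada-server": "7.3.1", "openssh-server": "8.9p1-3ubuntu0.6",
              "ntp": "4.2.8p15-1"},
    ports=frozenset({"tcp/22", "tcp/20000", "udp/123"}),
    patches=frozenset({"PATCH-2024-02-A", "PATCH-2024-02-B"}),
)
OBSERVED_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:20000      0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
"""
OBSERVED_DPKG = ("scada-server\t7.3.1\nopenssh-server\t8.9p1-3ubuntu0.10\n"
                 "ntp\t4.2.8p15-1\ntelnetd\t0.17-44build1\n")
OBSERVED_OS = "Ubuntu 22.04.4 LTS"
OBSERVED_PATCHES = {"PATCH-2024-02-A"}


def run_sample() -> list:
    """Diff the constructed observed state against the constructed baseline."""
    return baseline_deviations(BASELINE, OBSERVED_OS, parse_dpkg(OBSERVED_DPKG),
                               parse_ss(OBSERVED_SS), OBSERVED_PATCHES)


if __name__ == "__main__":
    for category, detail in run_sample():
        print(f"{BASELINE.asset}: {category}: {detail}")
```

On the sample the script reports an SSH package that was patched without a baseline update, a telnet daemon that appeared on tcp/23, an SNMP listener on udp/161, a missing NTP listener and one patch that the baseline says was applied but is not. Run it against output captured during the 30-day window CIP-010 R1 Part 1.3 allows for updating the baseline after a change; every `port_added` entry needs either a CIP-007 R1 justification or a disable action, and the comparison only has value if the baseline itself is maintained, which is the part most programs neglect.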
2. Understanding ISA/IEC 62443: The OT Security Standard Built for Industrial Operations
ISA/IEC 62443 is a multi-part standard developed by the International Society of Automation and adopted by the International Electrotechnical Commission. Unlike NERC CIP, it was designed from the ground up for industrial automation and control systems - which means it accounts for the operational constraints, legacy equipment, and process continuity requirements that make OT environments different from IT.
The standard covers the full lifecycle of industrial control system security, from governance and policy (Series 2) through system architecture (Series 3) to individual component security requirements (Series 4). It applies to any industrial sector operating IACS - including oil and gas, manufacturing, energy, chemicals, and water.
2.1 The ISA/IEC 62443 Concepts Most Relevant to Oil & Gas
Security Zones and Conduits
IEC 62443 does not discard the Purdue reference model - the standard's own reference architecture still uses its levels - but it does not make the physical hierarchy the unit of protection. Instead it partitions the system into zones and conduits. A security zone is a logical grouping of assets with similar security requirements and a common security policy. A conduit is the controlled communication pathway between zones. For upstream oil and gas operators with geographically distributed assets - wellheads, compressor stations, gathering systems, and central SCADA servers - the zones and conduits model is more practical than a strict Purdue layering because zone membership is decided by consequence and security requirements, not by where the asset sits in the physical network topology.
A wellhead RTU cluster, a compressor station, and a field technician remote access portal can each be defined as separate zones with different security requirements, even though they communicate over the same physical network infrastructure. Conduit controls define what traffic is permitted between those zones and under what conditions.
Security Levels (SL1 to SL4)
IEC 62443 assigns Security Levels to zones based on the threat actor capability the zone must be able to resist. For oil and gas operators, the practical application is:
| Security Level | Threat Actor Capability | Applicable Oil & Gas Zones |
|---|---|---|
| SL 1 | Casual or coincidental violation - no specific ICS knowledge or intent | Administrative zones, low-consequence monitoring assets |
| SL 2 | Intentional attack using simple means, low resources, generic skills and low motivation - commodity IT attack tools | Field site networks, gathering system SCADA, historian servers - baseline for all operational zones |
| SL 3 | Intentional attack using sophisticated means, moderate resources, ICS-specific skills and moderate motivation | Pipeline transmission SCADA, control room systems, high-consequence process control zones |
| SL 4 | Intentional attack using sophisticated means, extended resources, ICS-specific skills and high motivation - typically state-level actors | Safety Instrumented Systems at highest-consequence facilities - rarely required in commercial oil and gas |
Lifecycle Security
IEC 62443 requires security to be designed into systems from procurement through decommissioning - not bolted on after deployment. For oil and gas operators acquiring new SCADA platforms, upgrading RTU infrastructure, or selecting ICS software vendors, IEC 62443 provides a structured way to specify security requirements in procurement contracts. Requiring IEC 62443-4-2 component compliance from new OT equipment suppliers is one of the most effective long-term controls available, because it improves baseline device security without requiring replacement of the existing installed base.
3. NERC CIP vs ISA/IEC 62443: A Direct Comparison for Oil & Gas Operators
| Factor | NERC CIP | ISA/IEC 62443 |
|---|---|---|
| Mandatory or voluntary? | Mandatory for BES registered entities in North America | Voluntary standard - but referenced in TSA pipeline security guidance, treated as the OT reference standard in NIS2 implementation guidance, and written into many procurement contracts |
| Scope | Bulk Electric System cyber systems only | All industrial automation and control systems across all sectors |
| Enforced by | NERC Regional Entities, with penalties of up to $1 million per day per violation | No direct enforcement authority - referenced by regulators who have enforcement authority |
| Architecture model | Electronic Security Perimeters (ESPs) - Purdue-style boundaries | Zones and conduits - flexible, risk-based, not constrained by network topology |
| Security classification | Impact levels: High, Medium, Low based on consequence to the grid | Security Levels SL1-SL4 based on threat actor capability |
| Lifecycle coverage | Controls-focused - what you must have in place now | Full lifecycle - design, implementation, operation, and decommissioning |
| Best application in oil and gas | Compliance baseline for operators with BES assets; TSA alignment for pipeline operators | Technical security architecture and program depth for all OT environments regardless of regulatory obligation |
The key insight from this comparison is that NERC CIP and ISA/IEC 62443 are not alternatives. They serve different purposes and operate at different levels of specificity. NERC CIP tells you what controls you must be able to demonstrate in an audit. IEC 62443 tells you how to design a security architecture that makes those controls effective and extensible.
An oil and gas operator subject to NERC CIP who implements only the minimum controls required for compliance will have a program optimized for audit performance. An operator who uses IEC 62443 to design the underlying architecture - defining security zones, assigning Security Levels, specifying conduit controls - will have a program that is both compliant and genuinely defensible against the threat actors targeting this sector.
4. Which Standard Applies to Each Part of Your Oil & Gas Operations
4.1 Upstream Operations (Exploration and Production)
NERC CIP does not apply to upstream E&P operations unless the operator has BES-registered generation assets. TSA Security Directives apply to designated pipeline operators - which may include gathering systems connected to interstate transmission pipelines depending on TSA designation. ISA/IEC 62443 applies to all OT environments regardless of regulatory status and provides the most practical framework for securing wellhead RTUs, field SCADA systems, and upstream control infrastructure.
Priority framework for upstream operators: IEC 62443 for architecture and controls design; TSA Security Directives for compliance if designated; voluntary alignment with NIST SP 800-82 for government-referenced security guidance.
4.2 Midstream Operations (Gathering, Processing, Transportation)
TSA Security Directives apply to designated critical pipeline owners and operators. Midstream operators with electric compression assets may have NERC CIP obligations. IEC 62443 provides the technical depth for SCADA security, remote site protection, and compressor station access control that neither TSA Directives nor NERC CIP prescribe at the architecture level.
Priority framework for midstream operators: TSA Security Directives for mandatory compliance; IEC 62443 for technical architecture; NERC CIP if BES assets are present.
4.3 Downstream Operations (Refining, Petrochemicals, LNG)
Downstream refinery and petrochemical operations are not subject to NERC CIP or TSA Pipeline Directives for their process operations. Process safety regulations under OSHA PSM and EPA RMP apply to facilities with covered chemicals above threshold quantities, but these are process safety frameworks, not OT cybersecurity frameworks. ISA/IEC 62443 is the primary OT security standard for downstream refining and petrochemical operations. Refineries with onsite power generation that exports to the grid may have NERC CIP obligations for those specific assets.
Priority framework for downstream operators: IEC 62443 for OT security architecture; NIST CSF for governance and program maturity; NERC CIP only if BES generation assets are present.
5. Implementing Both Standards Together: A Practical Starting Point
For operators who need to address both NERC CIP compliance and IEC 62443-aligned security architecture, the implementation sequence matters. Attempting both simultaneously without a structured approach typically results in a compliance program that satisfies audit requirements but does not improve the underlying security posture.
5.1 Start with Asset Inventory and Categorization
Both NERC CIP and IEC 62443 begin with knowing what you have. CIP-002 requires categorization of BES cyber systems by impact level. IEC 62443 requires definition of security zones based on asset function and consequence. These exercises are not identical, but they are complementary: a thorough asset inventory conducted for CIP-002 purposes provides the input data needed to define IEC 62443 security zones.
Conducting a combined asset inventory and categorization exercise - rather than two separate efforts - reduces duplication and produces a more complete picture of the OT environment than either framework produces alone.
5.2 Map NERC CIP Electronic Security Perimeters to IEC 62443 Zones and Conduits
NERC CIP Electronic Security Perimeters (ESPs) define protected boundaries around BES cyber systems. IEC 62443 security zones serve the same conceptual function but are more granular and flexible. Mapping your existing ESP boundaries to IEC 62443 zones is typically straightforward: each ESP becomes one or more IEC 62443 zones, and the firewall rules controlling ESP boundaries become the starting point for conduit definitions.
The zones and conduits mapping will usually reveal conduits that are not documented in the ESP firewall rules - vendor remote access pathways, historian data flows, and IT/OT connections that were established outside the formal change management process. These undocumented conduits are both NERC CIP findings and IEC 62443 gaps.
5.3 Assign Security Levels Based on Consequence Analysis
Once zones are defined, assign IEC 62443 Security Levels based on the consequence of a compromise and the threat actor capability you need to defend against. For NERC CIP-regulated assets, the impact level (High, Medium, Low) maps approximately to Security Level requirements: High impact systems should target SL3, Medium impact SL2, Low impact SL1 as a minimum.
For non-NERC CIP assets in the same facility - process control systems, gathering network SCADA, and field infrastructure - apply the Security Level framework independently based on operational consequence. The Safety Instrumented System is always the highest-priority zone regardless of its NERC CIP status.
5.4 Use IEC 62443 to Specify Controls Beyond the NERC CIP Minimum
NERC CIP specifies what controls must be in place. IEC 62443 specifies what those controls must accomplish technically. For example, CIP-005 requires an Electronic Security Perimeter with controlled external routable connectivity. IEC 62443-3-3 states what the conduit enforcing that boundary must do at a given target Security Level: zone boundary protection with protocol-aware filtering (SR 5.2), communication integrity and confidentiality (SR 3.1 and SR 4.1), and identification and authentication of the connecting devices and software processes (SR 1.2) - requirements whose enhancements scale with SL, and which CIP-005 does not prescribe at that level of technical detail.
Using IEC 62443 technical requirements to define the implementation standard for NERC CIP controls produces a compliance program that is both auditable and technically defensible.
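The four steps in this section, worked through in one script as an added example (not code from the original article, and not an official NERC or ISA tool): a combined inventory (5.1) is grouped into zones, each zone keeps the ESP it was carved from (5.2), the target SL is the higher of the CIP-002-derived minimum proposed in 5.3 and the consequence-based level, declared conduits are seeded from the ESP firewall rules, and a firewall log excerpt is checked for cross-zone flows that no conduit documents. A second check reports declared conduits that lack the controls required by the destination zone's SL (5.4). The asset names, addresses, log lines and the per-SL control policy are constructed assumptions; the mapping of High/Medium/Low to SL3/SL2/SL1 is the one proposed above.

```python
"""Added example: IEC 62443 zones and conduits built from a NERC CIP asset
inventory, with target Security Levels and a firewall-log check for undocumented
conduits. Names, addresses, log lines and the per-SL policy are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# 5.3: CIP-002 impact rating -> minimum target SL (None: not a BES cyber system).
CIP_IMPACT_TO_MIN_SL = {"High": 3, "Medium": 2, "Low": 1, None: 1}
# 5.4: what a conduit INTO a zone must provide at each target SL. Assumed policy,
# loosely after IEC 62443-3-3 SR 1.2 (auth), SR 3.1/4.1 (integrity/confidentiality), SR 5.2.
REQUIRED_CONTROLS = {1: set(), 2: {"authenticated"},
                     3: {"authenticated", "encrypted", "app_filtered"},
                     4: {"authenticated", "encrypted", "app_filtered"}}


@dataclass(frozen=True)
class Zone:
    name: str
    esp: str | None          # NERC CIP ESP the zone was carved from, if any (5.2)
    cip_impact: str | None   # CIP-002 rating; None for non-BES assets
    consequence_sl: int      # SL justified by operational consequence alone
    assets: tuple            # ((asset name, IP), ...) from the combined inventory (5.1)

    def target_sl(self) -> int:
        return max(CIP_IMPACT_TO_MIN_SL[self.cip_impact], self.consequence_sl)


@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    protocol: str                # "tcp/20000", as written in the firewall log
    encrypted: bool = False      # tunnel or TLS on the wire
    authenticated: bool = False  # device/service auth at the conduit (VPN head-end for legacy RTUs)
    app_filtered: bool = False   # protocol-aware (DNP3/Modbus) filtering at the boundary


ZONES = [
    Zone("control-room", "ESP-CC", "High", 2, (("cc-scada-01", "10.10.0.11"), ("cc-eng-ws", "10.10.0.20"))),
    Zone("ot-dmz", None, None, 2, (("cc-hist-01", "10.10.5.5"),)),
    Zone("comp-sta-07", None, None, 2, (("cs07-plc", "10.20.7.10"),)),
    Zone("wellhead-12", None, None, 2, (("wh12-rtu", "10.30.12.2"),)),
    Zone("sis-refinery", None, None, 3, (("sis-01", "10.40.0.3"),)),
    Zone("it-corp", None, None, 1, (("vendor-jump", "192.168.50.9"), ("erp-01", "192.168.10.4"))),
]
CONDUITS = [  # declared conduits, seeded from the ESP firewall rule set (5.2)
    Conduit("control-room", "comp-sta-07", "tcp/20000", True, True, True),
    Conduit("control-room", "wellhead-12", "tcp/20000", authenticated=True),
    Conduit("control-room", "ot-dmz", "tcp/5450", encrypted=True, authenticated=True),
    Conduit("it-corp", "control-room", "tcp/443", encrypted=True),  # vendor remote access
]
SAMPLE_LOG = """\
2024-05-02T10:15:01Z permit 10.10.0.11 -> 10.20.7.10 tcp/20000
2024-05-02T10:15:03Z permit 10.10.0.11 -> 10.30.12.2 tcp/20000
2024-05-02T10:16:10Z permit 192.168.50.9 -> 10.10.0.11 tcp/443
2024-05-02T10:17:44Z permit 10.10.0.20 -> 10.10.0.11 tcp/445
2024-05-02T10:18:02Z permit 192.168.10.4 -> 10.10.5.5 tcp/5450
2024-05-02T10:19:30Z permit 10.10.0.11 -> 10.40.0.3 tcp/502
2024-05-02T10:20:00Z permit 10.99.9.9 -> 10.20.7.10 tcp/22
""".splitlines()  # constructed firewall log excerpt
LOG_LINE = re.compile(r"\S+ permit (\S+) -> (\S+) (\S+)")


def zone_of(ip: str) -> str | None:
    """Zone of an inventoried address; None if the address is not in the inventory."""
    return next((z.name for z in ZONES if any(a_ip == ip for _, a_ip in z.assets)), None)


def undocumented_flows(log_lines) -> list:
    """Cross-zone flows in the log with no declared conduit. Addresses missing from
    the inventory are reported as 'unknown:<ip>' (a CIP-002 / 5.1 gap as well)."""
    declared = {(c.src, c.dst, c.protocol) for c in CONDUITS}
    found = set()
    for line in log_lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        src, dst, proto = match.groups()
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone is not None and src_zone == dst_zone:
            continue                      # intra-zone traffic is not a conduit
        key = (src_zone or f"unknown:{src}", dst_zone or f"unknown:{dst}", proto)
        if key not in declared:
            found.add(key)
    return sorted(found)


def conduit_gaps() -> dict:
    """Declared conduits lacking the controls required by the destination zone's SL."""
    zones = {z.name: z for z in ZONES}
    gaps = {}
    for c in CONDUITS:
        sl = zones[c.dst].target_sl()
        present = {k for k in ("encrypted", "authenticated", "app_filtered") if getattr(c, k)}
        if REQUIRED_CONTROLS[sl] - present:
            gaps[(c.src, c.dst, c.protocol)] = (sl, sorted(REQUIRED_CONTROLS[sl] - present))
    return gaps


if __name__ == "__main__":
    print(undocumented_flows(SAMPLE_LOG))
    print(conduit_gaps())
```

On the sample the first check surfaces exactly the three kinds of finding described in 5.2: an ERP host in the corporate zone writing straight to the historian, a control room host talking Modbus to the safety system with no declared conduit, and an address that is not in the inventory at all. The second check flags the vendor remote access conduit: it is encrypted, which is enough for a corporate or SL2 zone, but the control room inherits SL3 from its High impact rating, so the conduit also needs device authentication and application-layer filtering - the gap that a CIP-005 audit would not raise but an IEC 62443 design review would. Replace the constructed tables with the real inventory and firewall export; the logic does not change.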
Bottom Line
NERC CIP and ISA/IEC 62443 are not competing frameworks. They address different aspects of the same security challenge: NERC CIP defines the regulatory compliance obligation; IEC 62443 defines the technical architecture and controls that make compliance meaningful. Oil and gas operators who implement only one of these frameworks will have either a compliance program without security depth, or a security architecture without regulatory coverage. The most defensible OT security programs in this sector use both.
Frequently Asked Questions
Is ISA/IEC 62443 mandatory for oil and gas operators in the US?
Not directly. ISA/IEC 62443 is a voluntary standard with no federal enforcement authority in the US oil and gas sector. However, it is referenced in TSA pipeline security guidance as a recognized framework for OT security, and it is increasingly required by customer contracts and supply chain agreements - particularly for operators supplying LNG to European buyers, where EU NIS2 obligations flow down through contracts and the implementation guidance for the Directive treats IEC 62443 as the reference standard for OT. Treating IEC 62443 as mandatory is a defensible and increasingly expected position for operators seeking to demonstrate security maturity to regulators, insurers, and customers.
We are a pipeline operator subject to TSA Security Directives. Do we also need to follow NERC CIP?
Only if you own or operate Bulk Electric System assets that meet the BES registration threshold. TSA Security Directives and NERC CIP are separate regulatory frameworks enforced by different agencies. TSA Directives apply to designated critical pipeline operators. NERC CIP applies to registered BES entities. An operator can be subject to one, both, or neither depending on the assets they own and operate. If you are uncertain whether your operations include BES assets, your legal and regulatory counsel should confirm your registration status with your NERC Regional Entity.
How does IEC 62443 apply to remotely operated wellheads and gathering infrastructure?
The zones and conduits model in IEC 62443 is specifically designed to handle geographically distributed assets communicating over public or shared networks - which is exactly the architecture of most upstream gathering and production operations. Each remote wellhead cluster or compressor station is defined as a separate security zone with a Security Level based on the consequence of its compromise. Conduits between those zones and the central SCADA environment are controlled by encrypted communication tunnels, application-layer filtering, and certificate-based device authentication where the field device supports it. For legacy RTUs that cannot support modern authentication, compensating controls are applied at the conduit level rather than the device level.
What is the difference between TSA Pipeline Security Directives and NERC CIP for OT security?
TSA Security Directives apply to designated critical pipeline owners and operators and focus on pipeline operations including oil, gas, and hazardous liquids transmission. They mandate specific operational controls: MFA for remote access, network segmentation between IT and OT, OT security monitoring, and incident reporting to CISA. NERC CIP applies to Bulk Electric System registered entities and focuses on electric reliability. Both frameworks mandate many of the same underlying controls, but they differ in scope, enforcement mechanism, penalty structure, and the specific asset classes they cover. An operator subject to both frameworks can satisfy many requirements simultaneously through a unified OT security program, but separate compliance documentation is required for each regulatory authority.