BLOG

Author
Denrich Sananda

Date
18-05-2026

Industrial Cybersecurity

NIST CSF vs IEC 62443: Which Framework Should OT Security Teams Follow?

Every OT security team eventually hits the same question: NIST CSF or IEC 62443? Experienced OT security practitioners almost always give the same answer: both, but for different purposes.

The problem is that most organizations treating this as an either-or choice end up with a compliance posture that looks strong on paper but leaves critical technical gaps in their actual defenses. The NIST Cybersecurity Framework is widely required by government agencies, regulators, and enterprise security programs. IEC 62443 is the international technical standard designed specifically for industrial automation and control systems.

According to a 2024 SANS OT/ICS survey, 67% of OT security practitioners reported that their organization references NIST CSF for governance purposes while separately referencing IEC 62443 for technical controls. Understanding where each framework starts and stops is the first step to using them effectively together.


What NIST CSF Covers

The National Institute of Standards and Technology Cybersecurity Framework was first published in 2014 and updated to version 2.0 in February 2024. CSF 2.0 is organized around six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Each function contains categories and subcategories that define security outcomes.

NIST CSF is intentionally framework-agnostic. It describes what security outcomes an organization should achieve, not how to achieve them. This makes it flexible enough to apply across IT, OT, cloud, and hybrid environments, but it also means it provides limited technical guidance for specific OT environments. NIST CSF will tell you that you should "protect" your industrial network. It will not tell you how to configure firewall rules between Purdue Model zones or how to implement Security Levels in an IEC 62443 zone and conduit architecture.

CSF 2.0 explicitly references OT environments through mappings to other standards, including IEC 62443, NERC CIP, and NIST SP 800-82. These mappings are useful for compliance reporting but do not substitute for OT-specific technical implementation guidance.

NIST CSF Strengths for OT Programs

  • Widely recognized by regulators, cyber insurers, and enterprise security leadership
  • Provides a common language for reporting OT security posture to non-technical stakeholders
  • The new Govern function in CSF 2.0 explicitly addresses supply chain and third-party risk, which is directly relevant to OT vendor management
  • Maps to multiple sector-specific frameworks, including NERC CIP and TSA Pipeline Security Directives, simplifying multi-framework compliance reporting

NIST CSF Limitations for OT

  • Does not provide control-system-specific technical guidance
  • Outcomes are defined at a high level: "anomalies and events are detected" does not tell you how to implement passive monitoring on a Level 1 control network
  • No formal certification pathway: NIST CSF compliance cannot be independently audited or certified by a third party


What IEC 62443 Covers

IEC 62443 is a series of standards developed by ISA (the International Society of Automation) and adopted by the International Electrotechnical Commission. Unlike NIST CSF, IEC 62443 is designed specifically for industrial automation and control systems. It provides technically prescriptive guidance for system owners, integrators, and component manufacturers.

The IEC 62443 series is organized into four parts:

Part   | Series    | Who It Applies To          | What It Covers
-------|-----------|----------------------------|----------------------------------------------------------------------------
Part 1 | 62443-1-x | All stakeholders           | General concepts, terminology, and security lifecycle definitions
Part 2 | 62443-2-x | Asset owners and operators | Patch management, security program requirements, and implementation guidance
Part 3 | 62443-3-x | System integrators         | System security requirements, Security Levels, and zone and conduit design
Part 4 | 62443-4-x | Component manufacturers    | Product security requirements and secure development lifecycle

Security Levels in IEC 62443

IEC 62443 introduces Security Levels (SL) to define the capability of a system to withstand a defined class of attacker. Security Levels range from SL 1 (protection against casual or unintentional violations) to SL 4 (protection against nation-state-level attacks using sophisticated means).

For most industrial operators in manufacturing, pharmaceuticals, and utilities, SL 2 is the baseline target: protection against intentional violation using low to moderate sophistication. Organizations in critical infrastructure sectors such as power, water, and oil and gas typically target SL 2 to SL 3, depending on the process criticality of each zone.

Zone and Conduit Architecture

One of IEC 62443's most practically useful contributions is its zone and conduit model. A zone is a group of assets sharing common security requirements. A conduit is a controlled communication path between zones. This model maps directly to network segmentation design and provides a structured method for applying different security controls to different parts of the industrial network based on the process criticality and risk of each zone.
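The zone and conduit model becomes concrete when it is written down as data and checked against what the network actually carries. The following Python example is added here and is not code from the original post or from ISA/IEC; the zone names, address ranges, Security Level targets and flow records are constructed sample values. It models three zones with increasing SL targets, the conduits permitted between them, and then classifies observed flows: traffic between zones with no defined conduit or on a port the conduit does not permit is a segmentation gap, and a conduit into a higher-SL zone without an enforcing filter is flagged separately.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Zone:
    name: str
    target_sl: int               # IEC 62443-3-3 Security Level target (SL 1 to SL 4) for the zone
    networks: tuple[str, ...]    # address ranges assigned to the zone (constructed sample values)


@dataclass(frozen=True)
class Conduit:
    src: str                                 # zone the traffic originates in
    dst: str                                 # zone the traffic enters
    allowed: frozenset[tuple[str, int]]      # (protocol, port) pairs the conduit permits
    filtered: bool                           # True when a stateful firewall enforces the conduit


# Constructed three-zone model: the target SL rises as traffic moves toward the process.
ZONES = (
    Zone("enterprise", 1, ("10.10.0.0/16",)),
    Zone("industrial-dmz", 2, ("10.20.0.0/24",)),
    Zone("control", 3, ("10.30.0.0/24",)),
)

# Constructed conduits: enterprise clients reach the DMZ over HTTPS, a DMZ host polls
# controllers over Modbus/TCP, and the control zone pushes historian data back to the DMZ.
CONDUITS = (
    Conduit("enterprise", "industrial-dmz", frozenset({("tcp", 443)}), filtered=True),
    Conduit("industrial-dmz", "control", frozenset({("tcp", 502)}), filtered=False),
    Conduit("control", "industrial-dmz", frozenset({("tcp", 443)}), filtered=True),
)


def zone_of(ip: str, zones=ZONES) -> Optional[Zone]:
    """Return the zone whose address ranges contain ip, or None if it is unassigned."""
    addr = ip_address(ip)
    for zone in zones:
        if any(addr in ip_network(net) for net in zone.networks):
            return zone
    return None


def evaluate_flow(src_ip: str, dst_ip: str, proto: str, port: int,
                  zones=ZONES, conduits=CONDUITS) -> str:
    """Classify one observed flow against the zone and conduit model."""
    src, dst = zone_of(src_ip, zones), zone_of(dst_ip, zones)
    if src is None or dst is None:
        return "unknown-zone"            # asset missing from the inventory: fix the model first
    if src.name == dst.name:
        return "intra-zone"              # conduits govern traffic between zones only
    for conduit in conduits:
        if conduit.src == src.name and conduit.dst == dst.name:
            return "allowed" if (proto, port) in conduit.allowed else "port-not-permitted"
    return "no-conduit"                  # zone pair has no defined path: a segmentation gap


def conduit_findings(zones=ZONES, conduits=CONDUITS) -> list[str]:
    """Flag conduits that enter a higher-SL zone without an enforcing filter."""
    by_name = {zone.name: zone for zone in zones}
    findings = []
    for conduit in conduits:
        src_sl, dst_sl = by_name[conduit.src].target_sl, by_name[conduit.dst].target_sl
        if dst_sl > src_sl and not conduit.filtered:
            findings.append(f"{conduit.src}->{conduit.dst}: enters an SL {dst_sl} zone "
                            f"from an SL {src_sl} zone without filtering")
    return findings


# Constructed flow records (src, dst, protocol, port) as a flow collector might export them.
SAMPLE_FLOWS = (
    ("10.10.5.20", "10.20.0.10", "tcp", 443),
    ("10.10.5.20", "10.30.0.15", "tcp", 502),
    ("10.20.0.10", "10.30.0.15", "tcp", 502),
    ("10.20.0.10", "10.30.0.15", "tcp", 22),
    ("10.30.0.15", "10.30.0.16", "tcp", 502),
    ("192.168.1.1", "10.30.0.15", "udp", 161),
)


def audit_flows(flows=SAMPLE_FLOWS, zones=ZONES, conduits=CONDUITS) -> dict:
    """Map each flow record to its verdict; anything but 'allowed' or 'intra-zone' needs review."""
    return {flow: evaluate_flow(*flow, zones, conduits) for flow in flows}


if __name__ == "__main__":
    for flow, verdict in audit_flows().items():
        print(f"{flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {verdict}")
    for finding in conduit_findings():
        print("finding:", finding)
```

Run against a real flow export, the "no-conduit" and "unknown-zone" verdicts are the ones worth chasing first: the first is traffic the architecture never authorized, the second is an asset the inventory does not know about, and both undermine any Security Level claim made for the zone.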


NIST CSF vs IEC 62443: Direct Comparison

Criteria               | NIST CSF 2.0                                     | IEC 62443
-----------------------|--------------------------------------------------|---------------------------------------------------------------
Origin                 | NIST (US Government)                             | ISA and IEC (International)
Primary Scope          | IT and OT (technology-agnostic)                  | Industrial automation and control systems only
Approach               | Outcome-based: defines what to achieve           | Prescriptive: defines how to achieve it
Technical Depth        | Low to medium                                    | High
Certification          | No formal certification pathway                  | Third-party certification available (TÜV, BSI)
Adoption               | Widely required in North America                 | Required or preferred in the EU, APAC, and Latin America
OT-Specific Guidance   | Limited; relies on mappings to other standards   | Comprehensive; designed specifically for OT
Supply Chain Coverage  | CSF 2.0 adds supply chain categories             | 62443-2-4 covers service provider security requirements
Regulatory Recognition | NERC CIP, TSA, HIPAA, FedRAMP, federal contracts | NIS 2 Directive (EU); mandated in several national regulations

When to Use NIST CSF vs IEC 62443

Use NIST CSF When:

  • Reporting security posture to executive leadership, boards, or regulators who are familiar with CSF language
  • Building a cross-functional security program that spans both IT and OT environments
  • Responding to requirements from cyber insurance underwriters, federal contracts, or US regulatory agencies
  • Mapping OT security controls to enterprise risk management frameworks

Use IEC 62443 When:

  • Designing or assessing the technical security architecture of an industrial control system
  • Defining security requirements for new OT deployments or for system integrators performing work in your facility
  • Conducting a Security Level assessment to understand the defensive capability of your OT zones
  • Responding to requirements from European regulators under NIS 2, or from customers in sectors where IEC 62443 is contractually required
  • Procuring OT components: IEC 62443-4 compliance by a vendor is a meaningful and independently verifiable security differentiator


How NIST CSF and IEC 62443 Work Together

The practical answer to the "which framework?" question is to use NIST CSF as the governance and reporting layer, and IEC 62443 as the technical implementation layer.

NIST CSF's Protect function maps directly to IEC 62443's zone and conduit architecture, patch management requirements, and access control standards. NIST CSF's Detect function maps to IEC 62443's requirements for security monitoring in industrial networks. An organization that implements IEC 62443 at the technical level and reports against NIST CSF at the governance level satisfies both frameworks simultaneously.

This layered approach is explicitly acknowledged in NIST CSF 2.0's informative references, which cite IEC 62443 series documents across multiple framework categories.

A Practical Alignment Approach

Organizations beginning or maturing their OT security program should:

  1. Use NIST CSF to assess current state maturity across the Govern, Identify, Protect, Detect, Respond, and Recover functions
  2. Use IEC 62443-2-1 to define the security management system requirements that will close the identified gaps
  3. Apply IEC 62443-3-3 Security Levels to define technical target states for each OT zone
  4. Report progress against NIST CSF tiers for executive and regulatory audiences
  5. Reference IEC 62443-4 certification requirements when evaluating new OT components or external service providers


Which One Should You Start With?

If your organization is under regulatory pressure from US agencies, insurers, or enterprise security governance, start with NIST CSF. It provides the common language and reporting structure that your stakeholders expect. Build toward IEC 62443 implementation as your technical OT security program matures.

If your organization is evaluating OT system integrators, designing a new control system, or operating in a sector where IEC 62443 is contractually or regulatorily required, start with IEC 62443.

In most cases, the most effective starting point is a gap assessment that maps current controls against both frameworks simultaneously. This surfaces the technical gaps that IEC 62443 reveals alongside the governance gaps that NIST CSF reveals, giving the OT security program a complete picture of where to invest first.
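The five-step alignment approach above and the dual-framework gap assessment described here both come down to one data flow: assess each zone against IEC 62443 requirements at its target Security Level, then roll the result up into NIST CSF function language for reporting. The Python example below is added here and is not code from the original post, NIST or ISA/IEC. The CSF 2.0 subcategory IDs and IEC 62443 document and SR numbers are real identifiers, but the pairings in CROSSWALK are this example's simplification for illustration, not the official informative references that CSF 2.0 publishes (which are what an actual report should cite); the zone targets and assessment evidence are constructed.

```python
from collections import defaultdict

# Illustrative crosswalk from NIST CSF 2.0 subcategories to IEC 62443 requirements.
# Identifiers are real; the pairings are an assumption made for this example, not the
# official CSF 2.0 informative references.
CROSSWALK = {
    "PR.AA-01": ("62443-3-3 SR 1.1", "Human user identification and authentication"),
    "PR.IR-01": ("62443-3-3 SR 5.1", "Network segmentation"),
    "PR.PS-02": ("62443-2-3", "Patch management in the IACS environment"),
    "DE.CM-01": ("62443-3-3 SR 6.2", "Continuous monitoring"),
}

# Constructed target states: the IEC 62443-3-3 Security Level each zone must reach (step 3).
ZONE_TARGETS = {"industrial-dmz": 2, "control": 3}

# Constructed assessment evidence: per zone, the requirements verified as implemented and the
# SL at which they were verified. A requirement absent from a zone's map is not implemented.
IMPLEMENTED = {
    "industrial-dmz": {"62443-3-3 SR 1.1": 2, "62443-3-3 SR 5.1": 2,
                       "62443-2-3": 2, "62443-3-3 SR 6.2": 2},
    "control": {"62443-3-3 SR 1.1": 3, "62443-3-3 SR 5.1": 2, "62443-2-3": 1},
}


def technical_gaps(zone_targets=ZONE_TARGETS, implemented=IMPLEMENTED,
                   crosswalk=CROSSWALK) -> dict:
    """IEC 62443 view: per zone, requirements missing or verified below the zone's target SL."""
    gaps = {}
    for zone, target in zone_targets.items():
        achieved_by_req = implemented.get(zone, {})
        gaps[zone] = [
            (iec_id, achieved_by_req.get(iec_id, 0), target)
            for iec_id, _title in crosswalk.values()
            if achieved_by_req.get(iec_id, 0) < target
        ]
    return gaps


def governance_rollup(zone_targets=ZONE_TARGETS, implemented=IMPLEMENTED,
                      crosswalk=CROSSWALK) -> dict:
    """NIST CSF view: per function, share of mapped outcomes met at target SL across all zones."""
    met, total = defaultdict(int), defaultdict(int)
    for csf_id, (iec_id, _title) in crosswalk.items():
        function = csf_id.split(".")[0]          # "PR.AA-01" -> "PR" (Protect)
        for zone, target in zone_targets.items():
            total[function] += 1
            if implemented.get(zone, {}).get(iec_id, 0) >= target:
                met[function] += 1
    return {function: met[function] / total[function] for function in total}


def report(zone_targets=ZONE_TARGETS, implemented=IMPLEMENTED,
           crosswalk=CROSSWALK) -> list[str]:
    """One set of findings, rendered for both audiences (steps 4 and 2 of the approach)."""
    lines = []
    for function, share in sorted(governance_rollup(zone_targets, implemented, crosswalk).items()):
        lines.append(f"CSF {function}: {share:.0%} of mapped outcomes at target SL")
    for zone, gaps in technical_gaps(zone_targets, implemented, crosswalk).items():
        for iec_id, achieved, target in gaps:
            lines.append(f"{zone}: {iec_id} at SL {achieved}, target SL {target}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The same evidence feeds both outputs, which is the point of the layered approach: the executive line "Protect: 67% of mapped outcomes at target" and the engineering line "control: 62443-3-3 SR 6.2 at SL 0, target SL 3" are two views of one assessment, so neither audience is reporting against a separate, unreconciled control set.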


Frequently Asked Questions

Is NIST CSF 2.0 required by law?

NIST CSF is not legally mandated for private sector organizations in the US, but it is referenced in a growing number of regulatory frameworks and government procurement requirements. Federal agencies are required to align with NIST standards under executive orders. Many sector-specific regulations, such as NERC CIP and the HIPAA Security Rule, reference NIST guidance, effectively making CSF alignment a practical compliance requirement even where it is not explicitly mandated.

Does IEC 62443 certification apply to a whole facility or to individual products?

Both. IEC 62443 Part 4 certification (62443-4-1 and 62443-4-2) applies to individual OT products and components and is obtained by the manufacturer. IEC 62443 Part 2 and Part 3 certifications apply to the security management system and the system design of an industrial installation, and are obtained by the asset owner or system integrator. They operate at different scopes and can coexist.

How does IEC 62443 relate to IEC 61511 for functional safety?

IEC 62443 covers cybersecurity for industrial control systems. IEC 61511 covers functional safety for safety instrumented systems. The two standards have a documented relationship: IEC 62443-2-1 requires security controls that protect the integrity of safety systems. A safety instrumented system that is compromised by a cyberattack can fail to perform its safety function. The intersection of these two standards is a specific competency area for OT security practitioners working in process industries.

If we are NERC CIP compliant, do we also need IEC 62443?

NERC CIP and IEC 62443 cover different scopes. NERC CIP is a compliance framework specific to Bulk Electric System assets in North America and focuses on what controls are required to maintain compliance. IEC 62443 is a technical standard that defines how to design and operate secure industrial control systems. NERC CIP compliance does not guarantee IEC 62443 alignment, and many utilities reference both: NERC CIP for regulatory compliance and IEC 62443 for technical implementation depth.