At a gap analysis of a chemical enterprise last year, we found a Triconex SIS (Safety Instrumented System) controller connected to the corporate network through an unmanaged switch. No firewall, no VLAN, no traffic recording in the SIEM. In the asset register this connection did not exist. The company formally "complied" with its internal security policy, but the policy had been written for the IT infrastructure and knew nothing about the industrial network. This is the typical starting point of an OT security program: the gap between paper compliance and the real state of segmentation. Two frameworks, IEC 62443 and NIST SP 800-82 Rev.3, close this gap if you use them together. NIST sets the program frame and the risk management, IEC 62443 fills it with engineering requirements: zones, conduits, Security Levels, specific Foundational Requirements. What follows is the practical implementation sequence: from passive asset discovery to preparing the evidence base for an OT security maturity assessment.
How the protection of industrial control systems is different from IT
The difference between IT and OT is not the scale of the network but the priorities and the physical constraints. In IT the CIA triad is ordered the familiar way: Confidentiality -> Integrity -> Availability. In OT the priority is reversed: Availability -> Integrity -> Confidentiality, and above all of them sits a category that simply does not exist in the IT domain: safety, the physical safety of people, equipment and the environment.
In practice this shows up as constraints that make standard IT tools inapplicable.
You cannot scan the network with active tools. A routine nmap -sV across an OT segment can knock a PLC over. Siemens S7-300 series controllers can go into STOP on receiving a non-standard TCP packet on port 102 (ISO-TSAP). Legacy RTUs on Modbus RTU/ASCII can hang on any unrecognized request. NIST SP 800-82 Rev.3 (Section 6.2.1) explicitly warns against active scanning in a live ICS environment without validation by the vendor.
EDR cannot be installed on HMIs and EWSs. Windows-based HMIs (Siemens WinCC, Wonderware InTouch, Ignition) run on specific OS builds, often with no way to install a third-party agent. On PLCs and RTUs there is physically nowhere to put an agent: there is no general-purpose OS.
The protocols have no authentication. Modbus TCP is a binary protocol with no built-in check of the source. Sending FC6 (Write Single Register) or FC16 (Write Multiple Registers) to port 502 changes process setpoints without any authorization. DNP3 in its basic configuration is no different. An attacker inside the OT network segment sees all traffic and can inject control commands; this is the attack mechanics of INDUSTROYER2 (2022, the Ukrainian power grid) and of the PIPEDREAM/INCONTROLLER framework aimed at Schneider Electric and OMRON controllers. The TRITON/TRISIS attack (2017) targeted SIS controllers, the layer responsible for the physical safety of people.
The baseline is stable and anomalies are critical. In an IT network hundreds of new connections per minute are normal. In an OT segment the set of communication pairs is stable for months: the HMI polls the PLC with Modbus FC3 (Read Holding Registers) every 500 ms, the Historian pulls data from the SCADA server on a fixed schedule. A new IP or a new function code (e.g. FC8, Diagnostics) is an anomaly that would drown in noise in an IT SIEM but in the OT context requires immediate analysis.
Two frameworks, one OT security program
A typical mistake is to run two parallel workstreams: one "on NIST", the other "on IEC". This doubles the budget and confuses site staff. The correct bundle: NIST SP 800-82 Rev.3 + CSF 2.0 as the program skeleton, IEC 62443 as the engineering specification. NIST SP 800-82 Rev.3 (published September 2023) expressly recommends ISA/IEC 62443-2-1 as a suitable IACS cybersecurity program standard. The six functions of CSF 2.0 (Govern, Identify, Protect, Detect, Respond, Recover) set the life cycle; IEC 62443 fills each function with OT-specific engineering content.
What changed in Rev.3 compared to Rev.2 (2015): full alignment with CSF 2.0 including Govern, extended coverage of IIoT and cloud-connected OT, an updated threat picture that accounts for ICS-specific malware (TRITON, INDUSTROYER2, PIPEDREAM), and explicit cross-references between the SP 800-82 controls and SP 800-53 Rev.5.
Security Levels, Zones and Conduits in IEC 62443
A zone is a logical grouping of assets with the same security requirements. A conduit is a controlled communication channel between zones. For oil and gas infrastructure, following IEC 62443-3-2 (Section 4.3), the typical defense-in-depth OT architecture looks like this:
• Safety zone (SIS/ESD): minimum SL 3, isolated through a hardware data diode (outbound only)
• Basic Process Control (DCS): SL 2, communication with Supervisory through a firewall conduit
• Supervisory zone (SCADA/Historian): SL 2, communication with Enterprise through a dedicated DMZ with application-layer inspection
• Enterprise/IT: direct connection to OT zones is prohibited
No zone has a direct connection that skips a level. If your current architecture lets ransomware from an enterprise laptop reach a Rockwell ControlLogix without crossing a single firewall, industrial network segmentation is not implemented, whatever the documents say.
Control Mapping: From SP 800-53 to FR1–FR7
IEC 62443-3-3 defines seven Foundational Requirements (FR) and 51 System Requirements (SR). NIST SP 800-82 Rev.3 (Section 5) refers to the SP 800-53 Rev.5 controls with OT overlays. The mapping between them is a working tool for day-to-day IEC 62443 implementation. When an OT vendor declares that MFA is "impossible" on a legacy HMI, IEC 62443-2-1:2024 expressly allows compensating controls: a jump host with MFA, session recording, time-limited access windows. The key thing is to document the compensating control, the residual risk and the justification of why native implementation is impossible. That document becomes an audit artifact both for IEC 62443 and for an inspection against FSTEC Order No. 31.
Building an OT security program step by step
Step 1 - Passive Asset Discovery
You cannot protect what is not in the inventory (CSF 2.0, ID.AM-01). The gap between "documented assets" and "actually connected devices" at industrial sites is 30-50%; in our experience this is a stable figure. Method: SPAN port on the OT switches plus a passive tool that understands ICS protocols (Claroty, Dragos, Nozomi Networks, or open-source Zeek with parsers for Modbus/DNP3/S7comm/EtherNet/IP).
Prerequisites for passive asset discovery:
• SPAN/mirror port on each L2 OT segment
• Collection server: minimum 16 GB RAM, 1 TB of storage for 30 days of PCAP
• No active probes in the OT VLAN: strictly passive capture
• Access to existing network diagrams and firewall configs for verification
The result is a complete asset register with device type, vendor, model, firmware version, protocols and communication patterns. This is the basis for the Zone & Conduit model of IEC 62443-3-2 (Section 4.2).
Step 2 - Zones, Conduits and Target SL Assignment
A frequent mistake is to draw the Zone & Conduit model as a network diagram. It is not a network exercise; it is a risk classification that determines the selection of controls. The sequence:
1. Consequence analysis. Work with the safety engineers. The HAZOP documentation contains the severity assessment for each process node. Map it: what happens if an attacker tampers with this PLC? Loss of containment? Environmental release? Line stoppage?
2. Grouping of assets into zones by common cybersecurity requirements, consequences of compromise and operational function.
3. Documentation of the conduits. For each communication channel between zones: protocol, direction of data flow, protection mechanism (firewall rule, data diode, VPN).
4. Assignment of a Target Security Level (SL-T) to each zone based on the threat scenarios and consequence severity.
Everything is packaged into the Cybersecurity Requirements Specification (CRS) of IEC 62443-3-2, the key audit artifact, which at the same time covers Section 4 of NIST SP 800-82.
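As an added illustration of the zone architecture above and of Step 2 (example code written for this page, not code from the article, from any IEC 62443 document or from a vendor tool), the following Python models a small conduit register of the kind that goes into the CRS and runs the two checks the text demands: no conduit may skip a level of the defense-in-depth stack, and every observed flow must be covered by a documented conduit. The zone names, SL-T values, ports, sample conduits and observed flows are constructed assumptions; each conduit is directional (it names the zone allowed to initiate), so a channel used in both directions is documented as two conduits, and the SIS data diode is one-way by nature.

```python
"""Zone & conduit model check (added example, not code from the article or IEC 62443).

Assumptions: the five-level defence-in-depth stack from the text, constructed zone
names and SL-T values, constructed conduits and observed flows. Each conduit is
directional: it names the zone allowed to initiate; a bidirectional channel is
documented as two conduits. The data diode is one-way by nature.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

LEVELS = ["enterprise", "dmz", "supervisory", "bpcs", "safety"]  # outermost first


@dataclass(frozen=True)
class Zone:
    name: str
    level: str   # one of LEVELS
    sl_t: int    # target security level (SL-T) from the consequence analysis


@dataclass(frozen=True)
class Conduit:
    src: str      # zone allowed to initiate the connection
    dst: str      # responding zone
    proto: str
    port: int
    control: str  # documented protection mechanism (firewall rule, data diode, VPN)


@dataclass(frozen=True)
class Flow:
    """An observed connection: initiating zone -> responding zone."""
    src: str
    dst: str
    proto: str
    port: int


def conduit_violations(zones: dict[str, Zone], conduits: list[Conduit]) -> list[str]:
    """Conduits that connect non-adjacent levels, i.e. bypass an intermediate zone."""
    problems = []
    for c in conduits:
        gap = abs(LEVELS.index(zones[c.src].level) - LEVELS.index(zones[c.dst].level))
        if gap > 1:
            problems.append(f"{c.src}->{c.dst} ({c.proto}/{c.port}) skips {gap - 1} level(s)")
    return problems


def matching_conduit(flow: Flow, conduits: list[Conduit]) -> Optional[Conduit]:
    """The documented conduit that covers this flow, or None if nothing allows it."""
    for c in conduits:
        if (c.src, c.dst, c.proto, c.port) == (flow.src, flow.dst, flow.proto, flow.port):
            return c
    return None


def unauthorized_flows(flows: list[Flow], conduits: list[Conduit]) -> list[Flow]:
    """Observed flows with no documented conduit: a segmentation gap to close or a CRS omission."""
    return [f for f in flows if matching_conduit(f, conduits) is None]


# Constructed sample model: SL-T per the architecture in the text, SL 1 assumed for the office network.
ZONES = {z.name: z for z in [
    Zone("enterprise", "enterprise", 1),
    Zone("ot-dmz", "dmz", 2),
    Zone("supervisory", "supervisory", 2),   # SCADA / Historian
    Zone("bpcs", "bpcs", 2),                 # DCS / PLCs
    Zone("safety", "safety", 3),             # SIS / ESD
]}
CONDUITS = [
    Conduit("enterprise", "ot-dmz", "tcp", 443, "firewall with application-layer inspection"),
    Conduit("ot-dmz", "supervisory", "tcp", 4840, "firewall rule: OPC UA to the Historian only"),
    Conduit("supervisory", "bpcs", "tcp", 502, "firewall rule: Modbus from HMI/EWS only"),
    Conduit("safety", "bpcs", "tcp", 502, "hardware data diode, outbound from the SIS only"),
]
OBSERVED = [
    Flow("supervisory", "bpcs", "tcp", 502),  # HMI polling a PLC: covered
    Flow("enterprise", "bpcs", "tcp", 502),   # office laptop straight to a PLC: no conduit
    Flow("bpcs", "safety", "tcp", 502),       # write attempt into the SIS: wrong direction for the diode
    Flow("safety", "bpcs", "tcp", 502),       # SIS status out to the DCS: covered
]
# A conduit added "temporarily" for a vendor: enterprise straight to the PLCs skips two levels.
VENDOR_CONDUIT = Conduit("enterprise", "bpcs", "tcp", 44818, "site-to-site VPN")

if __name__ == "__main__":
    print("documented model:", conduit_violations(ZONES, CONDUITS) or "no level-skipping conduits")
    print("with vendor conduit:", conduit_violations(ZONES, CONDUITS + [VENDOR_CONDUIT]))
    for f in unauthorized_flows(OBSERVED, CONDUITS):
        print(f"no conduit covers {f.src}->{f.dst} {f.proto}/{f.port}")
```

In practice the OBSERVED list is fed from the Step 1 communication pairs, each pair mapped to its zone, so the same check turns the passive inventory into a list of undocumented paths to close before the architecture can honestly be called segmented.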
Step 3 - Compensating Controls for Legacy
The reality of OT/ICS/SCADA protection: equipment lifespans of 15-25 years. On site there are PLCs with Windows CE, HMIs on Windows XP Embedded, RTUs without TLS. IEC 62443-2-1:2024 (the August 2024 edition) explicitly addresses legacy systems, allowing compensating measures instead of native capabilities. The documentation format for each compensating control:
1. Requirement (e.g. FR1: Identification and Authentication Control)
2. Reason native implementation is impossible (WinCC 6.2 SP3 supports only a shared account)
3. Compensating control (jump host with MFA + session recording + time-limited access window)
4. Residual risk and acceptance level
5. Asset owner's signature
This document is the difference between "we have legacy, nothing can be done" and "we have legacy with a residual risk documented per IEC 62443-2-1". For CII facilities under Russian jurisdiction (Federal Law 187-FZ and FSTEC Order No. 31) this documentation is also needed for domestic regulatory compliance: the FSTEC protection profile for industrial firewalls requires EAL4 (OUD4) certification, while the Zone/Conduit model and the compensating controls map directly onto the requirements of Order No. 31.
OT security maturity assessment: preparing the evidence base
IEC 62443-2-1:2024 restructured the asset owner requirements into Security Program Elements (SPE) and introduced a formal maturity model. A maturity assessment is not a "yes/no" questionnaire but a comparison of the current state against a target for each SPE, visualized as a heat map.
The SPE heat map is the communication tool with management. Each element is rated "fully implemented", "partially implemented" or "not implemented". The result is a one-page strengths/gaps map tied to the consequence severity of the corresponding zones. It justifies every line of the budget request.
Detection in the OT environment: monitoring without disrupting the process
The detection strategy rests on two principles: passive collection and protocol-aware analysis. No tool that polls actively has any business being inside the control zone.
Passive monitoring of ICS protocols. Zeek with parsers for Modbus, DNP3, EtherNet/IP, PROFINET, or commercial solutions (Claroty, Dragos), attach to the SPAN port and parse traffic down to the function-code level. Example Suricata rule (the modbus app-layer parser must be enabled in suricata.yaml; $OT_PLC_NET and $OT_ENG_HOSTS are address groups you define there, the second listing the HMI/EWS hosts that are allowed to write):
Code:
# FC16 write to the PLC network from any host that is not an authorized HMI/EWS
alert modbus !$OT_ENG_HOSTS any -> $OT_PLC_NET 502 (msg:"MODBUS Write Multiple Regs (FC16) from unauthorized source"; flow:to_server,established; modbus: function 16; sid:3000001; rev:1;)
Correlation rules for the SIEM. OT alerts in isolation from IT context are useless. Basic correlation rules for industrial cybersecurity:
• New MAC address in the OT segment + no record in the inventory = P1
• VPN connection to the OT jump host outside working hours + Modbus FC5/FC6/FC16 (write commands) = P1
• Change of a PLC firmware fingerprint without a change-management record = P2
• A new function code (FC8 Diagnostics, FC43 Read Device Identification) from an existing host = P2
The baseline is built over 2-4 weeks of passive observation: all communication pairs, protocols, function codes and their frequencies are recorded. Once the baseline is frozen, any deviation is an alert. This is the baseline of network operations and expected data flows that CSF 1.1 called DE.AE-1; in CSF 2.0 that subcategory was withdrawn and folded into ID.AM-03 (authorized network communication and data flows).
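Worked example for Step 1 and for the baseline-and-deviation logic above, serving both passages (written for this page; it is not code from the article, from Zeek, Suricata or any vendor product). The script parses Modbus/TCP frames down to the function code, builds an asset register and a communication baseline from a learning window, then applies the P1/P2 rules from the list above to a second batch of traffic, including the out-of-hours write rule. All traffic, addresses, unit IDs, register addresses and the 08:00-17:59 working window are constructed assumptions.

```python
"""Passive Modbus/TCP inventory and baseline detection (added example, not from the article).

Assumptions: all frames, IPs and timestamps below are constructed; unit ID 1; an
08:00-17:59 working window; the P1/P2 priorities follow the correlation rules above.
"""
from collections import defaultdict
from datetime import datetime
import struct

WRITE_FCS = {5, 6, 15, 16}   # function codes that change coils or registers
WORK_HOURS = range(8, 18)    # assumed window in which setpoint writes are expected


def decode_modbus_tcp(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header and the PDU function code.

    There is no authentication field anywhere in this frame: whoever can reach
    port 502 can issue any function code. Raises ValueError on a malformed frame.
    """
    if len(payload) < 8:
        raise ValueError("short frame")
    tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:   # length covers unit id + PDU
        raise ValueError("bad MBAP header")
    rec = {"tid": tid, "unit": unit, "fc": payload[7] & 0x7F, "exception": bool(payload[7] & 0x80)}
    if rec["fc"] in (3, 16) and len(payload) >= 12:    # start address, quantity
        rec["start"], rec["count"] = struct.unpack(">HH", payload[8:12])
    return rec


def frame(fc: int, data: bytes, unit: int = 1, tid: int = 1) -> bytes:
    """Build a request frame; used here only to construct sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def fc3(start, count):  return frame(3, struct.pack(">HH", start, count))
def fc8(sub=0):         return frame(8, struct.pack(">HH", sub, 0))
def fc43():             return frame(43, bytes([0x0E, 0x01, 0x00]))  # MEI 0x0E, basic device id
def fc16(start, values):
    body = struct.pack(">HHB", start, len(values), 2 * len(values))
    return frame(16, body + b"".join(struct.pack(">H", v) for v in values))


def build_baseline(traffic):
    """traffic: list of (iso_timestamp, src_ip, dst_ip, payload) client->server requests."""
    base = {"hosts": set(), "pairs": defaultdict(set), "servers": defaultdict(set)}
    for _ts, src, dst, payload in traffic:
        rec = decode_modbus_tcp(payload)
        base["hosts"].update((src, dst))
        base["pairs"][(src, dst, rec["unit"])].add(rec["fc"])   # function codes seen per pair
        base["servers"][dst].add(rec["unit"])
    return base


def asset_register(base) -> dict:
    """Step 1 output: each host, its Modbus role and the unit IDs it answers for."""
    return {h: {"role": "modbus_server" if h in base["servers"] else "modbus_client",
                "units": sorted(base["servers"].get(h, ()))}
            for h in sorted(base["hosts"])}


def detect(traffic, base) -> list:
    """Apply the inventory, new-pair, new-function-code and out-of-hours-write rules."""
    alerts = []
    for ts, src, dst, payload in traffic:
        rec = decode_modbus_tcp(payload)
        key, fc = (src, dst, rec["unit"]), f"FC{rec['fc']}"
        if src not in base["hosts"]:
            alerts.append(("P1", f"host {src} not in inventory", fc))
        elif key not in base["pairs"]:
            alerts.append(("P1", f"new communication pair {src}->{dst} unit {rec['unit']}", fc))
        elif rec["fc"] not in base["pairs"][key]:
            alerts.append(("P2", f"new function code from known host {src}", fc))
        if rec["fc"] in WRITE_FCS and datetime.fromisoformat(ts).hour not in WORK_HOURS:
            alerts.append(("P1", f"write command outside working hours from {src}", fc))
    return alerts


HMI, EWS, PLC, LAPTOP = "10.10.20.10", "10.10.20.11", "10.10.20.50", "10.10.20.77"
LEARNING = [   # constructed learning window: HMI polls FC3, EWS writes a setpoint by day
    ("2024-03-04T08:00:00", HMI, PLC, fc3(0, 10)),
    ("2024-03-04T08:00:01", HMI, PLC, fc3(0, 10)),
    ("2024-03-04T10:00:00", EWS, PLC, fc16(100, [250])),
]
LIVE = [       # constructed traffic after the baseline is frozen
    ("2024-03-11T09:00:00", HMI, PLC, fc3(0, 10)),           # normal poll: no alert
    ("2024-03-11T09:20:00", LAPTOP, PLC, fc43()),            # unknown host fingerprinting the PLC
    ("2024-03-11T09:25:00", HMI, PLC, fc8()),                # known host, new function code
    ("2024-03-11T02:14:00", LAPTOP, PLC, fc16(100, [900])),  # unknown host writing at night
]
BASELINE = build_baseline(LEARNING)
ALERTS = detect(LIVE, BASELINE)

if __name__ == "__main__":
    for host, info in asset_register(BASELINE).items():
        print(host, info)
    for priority, what, fc in ALERTS:
        print(priority, what, fc)
```

Run stand-alone it prints the three-host register and four alerts; on a real SPAN feed the same decode_modbus_tcp/detect functions would consume the TCP payloads on port 502 from a PCAP or a Zeek connection log, with the learning window set to the 2-4 weeks described above.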
Scenario: compromising OT through an engineering workstation
Let's walk through an attack mapped to MITRE ATT&CK, typical of industrial environments and not requiring APT-level resources. The laptop is an IT host, so the first steps carry Enterprise ATT&CK technique IDs; the ATT&CK for ICS equivalents are given alongside.
Monday, 09:15. An instrumentation and control (I&C) engineer plugs a laptop into the OT segment to update a logic project. The laptop is corporate, with access to e-mail. Two weeks earlier the engineer opened a phishing attachment; an implant is running on the machine.
09:20. The malware notices a new network interface. Network Service Discovery (T1046, Discovery; ICS: T0846 Remote System Discovery): subnet scan of 10.10.20.0/24, probing ports 502 (Modbus TCP), 102 (S7comm), 44818 (EtherNet/IP).
09:22. Connection to the HMI using Default Accounts (T1078.001, Initial Access; ICS: T0812 Default Credentials): the shared WinCCAdmin account with a password unchanged since commissioning.
09:25. Network Sniffing (T1040, Credential Access/Discovery; ICS: T0842): interception of Modbus traffic: function codes, register addresses, current setpoints.
09:30. New values are written into the PLC holding registers via Modbus FC16 (ICS: T0836 Modify Parameter): the pressure setpoint in the reactor loop changes.
The scenario needs no state resources: a single compromised legitimate host and missing segmentation are enough. The Zone & Conduit model and access control (FR1 + FR2 per IEC 62443-3-3) break the kill chain at the lateral-movement phase: the engineering laptop must not have a direct route to the PLC that bypasses the jump host.