If you’re trying to secure Operational Technology (OT) and Industrial Control Systems (ICS), these three references answer three different questions:
- NIST SP 800-82 = How to secure ICS technically (architecture patterns, hardening, monitoring, remote access, patching constraints, and operational security controls).
- IEC 62443 = How to design, build, operate, and certify OT security across the lifecycle (roles, requirements engineering, security levels, zones/conduits, product & system requirements, and certification readiness).
- NIS2 = What the law requires organizations to do (governance, risk management measures, incident reporting, supply chain expectations, and accountability—especially for EU in-scope entities).
Best practice: Use NIS2 to define minimum legal outcomes, implement an IEC 62443 lifecycle program to make security repeatable and auditable, and apply NIST SP 800-82 for concrete ICS hardening and operational guidance.
Why these three are compared (and why they’re not interchangeable)
Most organizations don’t struggle because they lack “a framework.” They struggle because they apply the wrong type of guidance to the wrong problem:
- A plant engineer asks: “How do I secure PLC networks without breaking availability?”
That’s a technical architecture + operations question → NIST SP 800-82 shines. - A CISO asks: “How do we standardize OT security across sites, vendors, and integrators and prove it?”
That’s a lifecycle program + requirements + assurance question → IEC 62443. - A board member asks: “What do we legally have to do, and what happens if we don’t?”
That’s regulatory compliance and governance → NIS2.
Think in terms of three layers
- Law / governance layer: sets minimum obligations and accountability → NIS2
- Engineering lifecycle layer: makes security repeatable and certifiable → IEC 62443
- Technical controls layer: makes security work in real ICS environments → NIST SP 800-82
If you treat NIS2 as a technical hardening guide, you’ll be lost. If you treat NIST 800-82 as a certification program, you’ll have gaps. If you treat IEC 62443 as “a checklist,” you’ll miss the engineering intent.
Quick comparison table: NIST 800-82 vs IEC 62443 vs NIS2
| Dimension | NIST SP 800-82 | IEC 62443 | NIS2 Directive |
|---|---|---|---|
| Core purpose | Practical ICS security technical guidance | OT security lifecycle requirements + assurance + certification alignment | Legal obligations for cybersecurity risk management + incident reporting |
| Best for | Operators, OT/ICS engineers, security architects | Asset owners, system integrators, product vendors, auditors | Executives, CISOs, compliance, legal, risk |
| Primary output | Reference architectures, control guidance, operational practices | Requirements sets, roles/responsibilities, security levels, certification-ready artifacts | Policies, governance evidence, reporting processes, supplier controls |
| Scope | ICS/OT environments (SCADA, DCS, PLCs, etc.) | Components, systems, and organizations in industrial automation/control | In-scope EU entities and their network/information systems |
| “How-to” depth | High (technical) | High (requirements + lifecycle), varies by part | Medium (outcomes and governance), not a hardening manual |
| Certification | Not a certification standard | Commonly used for certification approaches in OT ecosystems | Not a certification standard (compliance assessed legally/regulatorily) |
| Geographic influence | Global (widely referenced) | Global (industry standard) | EU-wide (implemented via national law) |
| What it answers | “How do we secure ICS technically?” | “How do we design/build/operate OT security and prove it?” | “What must we do under law, and how fast must we report incidents?” |
Deep dive: NIST SP 800-82 — securing ICS technically
NIST SP 800-82 is widely used because it respects the reality of OT:
- Availability and safety dominate.
- Patch cycles are constrained.
- Vendor certification and legacy systems are common.
- Protocols may be insecure by design.
- Monitoring and change control must be careful and often passive.
What NIST SP 800-82 is best at
- ICS architecture patterns
- Separation of enterprise IT and OT networks
- Use of an industrial DMZ (IDMZ)
- Carefully controlled conduits (traffic paths) between zones
- Hardening guidance that won’t break the plant
- Secure configurations for hosts used in control environments
- Reduce attack surface while preserving deterministic operations
- Remote access done safely
- Vendor remote access as a high-risk path
- Strong authentication, session recording, and jump hosts
- Monitoring and incident response tailored to OT
- Passive network monitoring, baselining
- OT-aware triage and containment strategies
- Bridging IT security controls into OT constraints
- Applying security control families with OT nuance (identity, logging, segmentation, vulnerability management, etc.)
Key technical areas to implement (NIST 800-82 style)
1) Asset inventory that includes “invisible OT”
In OT, inventory is more than listing Windows hosts. You need:
- PLCs, RTUs, safety controllers, HMIs
- Engineering workstations
- Historians and OT servers
- Network gear (industrial switches, serial gateways)
- IIoT gateways and protocol converters
- Remote access appliances, modem paths, vendor tunnels
Practical tip: prioritize communications mapping (who talks to whom, on what protocol/port) because segmentation depends on it.
2) Network segmentation and an industrial DMZ
A strong baseline architecture is:
- Enterprise zone (IT)
- Industrial DMZ (IDMZ)
- OT zones (control networks segmented by process/cell/area)
- Safety zone (often isolated and tightly controlled)
Segmentation goals:
- Prevent malware in IT from laterally moving to PLC networks
- Limit blast radius in OT by process cell
- Enforce strict OT-to-IT data flows (e.g., historian replication outward)
Operational reality: segmentation must reflect process dependencies. If you segment “by org chart,” you’ll break operations.
3) Secure remote access (employees + vendors)
A defensible OT remote access pattern typically includes:
- VPN or ZTNA terminating in the IDMZ (not directly in the control zone)
- A jump server (bastion) with MFA
- Least privilege and time-bounded access (JIT)
- Session recording and command logging
- Strong vendor governance: named accounts, approvals, and monitoring
Anti-pattern: direct vendor VPN into the controls network, shared credentials, or unmanaged remote tools.
4) Vulnerability and patch management with compensating controls
OT patching is constrained, so you must build compensating controls:
- Network controls (allowlisting, segmentation)
- Application allowlisting on Windows HMIs/servers
- Portable media controls (USB scanning kiosks, restricted usage)
- Virtual patching where feasible (IPS rules carefully deployed)
- Maintenance windows aligned with production schedules
Your vulnerability program should distinguish:
- Vulnerabilities that are exploitable in your topology
- Vulnerabilities that are mitigated by segmentation
- Vulnerabilities that require vendor approval to patch
5) Logging and monitoring that’s OT-safe
OT environments often need:
- Passive network sensors (SPAN/TAP)
- Protocol-aware detection (industrial protocols)
- Baselines for “normal” traffic and commands
- Alerting tuned to operational reality
Critical: monitoring must not introduce latency or packet loss in real-time control segments.
6) Incident response for ICS
ICS response differs from IT:
- “Reimage and restore” may be impossible mid-production.
- Containment may require process shutdown decisions.
- Safety and engineering teams must be integrated into the IR plan.
Build playbooks for:
- Ransomware in the enterprise with risk of OT spread
- Unauthorized logic changes
- Historian compromise and data integrity issues
- Remote access credential theft
Deep dive: IEC 62443 — OT security by design, operations, and certification
IEC 62443 is the most comprehensive OT security standard family for industrial automation and control systems because it’s built to cover:
- Asset owners/operators (how to run a secure program)
- System integrators (how to design and implement secure systems)
- Product suppliers (how to build secure components)
- Assurance/certification concepts (how to prove requirements are met)
The mental model: lifecycle + zones and conduits + security levels
IEC 62443 pushes organizations away from “bolt-on security” and toward:
- Requirements-driven engineering
- Security built into procurement and design
- Operational governance and continuous improvement
- Consistent segmentation via zones and conduits
- “Right level of security” via Security Levels (SLs)
The most practical IEC 62443 concepts
1) Zones and conduits (design language everyone can share)
- A zone groups assets with similar security needs (e.g., “Packaging Cell,” “Utilities,” “Safety Instrumented System interface”).
- A conduit is a controlled communications path between zones.
This is powerful because it becomes a shared artifact between:
- Engineering
- Operations
- Cybersecurity
- Integrators
- Vendors
2) Security Levels (SL1–SL4) to set realistic targets
Security levels help you state intent like:
- “This zone must resist casual or coincidental violations” (lower SL)
- “This zone must resist intentional violation with sophisticated means” (higher SL)
Even if you don’t formalize SLs everywhere, the thinking helps prevent two common errors:
- Overspending on low-criticality zones
- Under-protecting high-consequence process areas
3) Foundational Requirements (FRs) to structure controls
IEC 62443 commonly groups requirements into foundational areas such as:
- Identification and Authentication Control
- Use Control (authorization)
- System Integrity
- Data Confidentiality
- Restricted Data Flow
- Timely Response to Events
- Resource Availability
This gives you a clean way to turn “secure the plant” into an auditable requirements set.
Where IEC 62443 adds value beyond NIST 800-82
A) Procurement and supplier requirements
IEC 62443 is especially effective for:
- Writing RFP security requirements
- Specifying secure remote support capabilities
- Defining evidence you expect from vendors (secure development practices, vulnerability handling, patch processes)
B) Secure system integration
If you build or модерnize lines/plants, IEC 62443 is ideal for:
- Security requirements engineering
- FAT/SAT security testing
- Acceptance criteria and documentation handover
- Maintaining a security case across the lifecycle
C) Product and component security
For vendors and product teams, IEC 62443 is a roadmap for:
- Secure by design practices
- Patch/vulnerability disclosure processes
- Security testing and maintenance expectations
Certification and assurance: what it means in practice
While IEC 62443 itself is a standard family (and certification schemes may vary by program/region), it is commonly used as the basis for:
- Demonstrating that a system meets stated security requirements
- Differentiating vendors and integrators in the OT market
- Creating audit-ready evidence (policies, designs, test results, lifecycle procedures)
For asset owners, the big win is repeatability: once you standardize “how we design and operate OT securely,” scaling across sites becomes manageable.
Deep dive: NIS2 — legal requirements and accountability
NIS2 is different because it’s not trying to teach you how to configure an industrial firewall. It’s trying to ensure organizations achieve minimum cybersecurity hygiene and governance outcomes, including:
- Accountability at management level
- Risk management measures
- Incident reporting within mandated timelines
- Business continuity and crisis management expectations
- Supply chain and supplier security considerations
Who should care about NIS2 (especially in OT)?
If your organization is:
- An operator in critical or important sectors (often including energy, transport, health, digital infrastructure, manufacturing and more depending on national implementation), and/or
- Operating in the EU or providing certain services there,
…then NIS2 likely drives board-level requirements that cascade down into OT security expectations, because OT incidents can impact service continuity and safety.
NIS2’s practical impact on OT/ICS programs
1) Governance becomes mandatory, not optional
NIS2 pushes organizations to demonstrate:
- Clear ownership and accountability
- Policies approved and enforced
- Training and awareness for relevant staff (including operational teams)
- Measurable risk management
For OT, this often forces a long-overdue decision: who owns OT security—and how IT and Engineering share responsibility.
2) Incident reporting timelines force better detection and triage
NIS2 incident reporting expectations (as implemented in national law) typically require organizations to:
- Detect and assess incidents quickly
- Provide initial notifications within relatively short timeframes
- Maintain documentation and reporting discipline
OT implication: you need monitoring and IR workflows that can answer, fast:
- Is production impacted?
- Is safety impacted?
- Is it contained to IT, or has it crossed into OT?
- Which sites, lines, or zones are affected?
3) Supply chain security becomes non-negotiable
OT supply chains are complex:
- OEMs
- System integrators
- Managed service providers
- Remote support vendors
- Firmware and software dependencies
NIS2 increases pressure to formalize:
- Supplier due diligence
- Contractual security requirements
- Access control for vendors
- Vulnerability and patch coordination expectations
Important note (compliance reality)
NIS2 is an EU directive implemented via national laws. Details (scope thresholds, enforcement posture, reporting portals, and guidance) can vary by country. Treat NIS2 as the obligation, and then align your program to the applicable national implementation and regulator guidance.
(This article is informational and not legal advice.)
How to combine them into one OT security program (practical roadmap)
Here’s a workable approach used by mature organizations: NIS2 defines “what outcomes are required,” IEC 62443 defines “how to structure and assure the OT security lifecycle,” and NIST 800-82 defines “how to implement technical controls safely in ICS.”
Step 1: Start with scope and consequences (NIS2-driven)
- Identify if you’re an in-scope entity and which services are regulated.
- Define critical services and the OT assets that support them.
- Establish governance: OT security owner(s), risk acceptance authority, escalation paths.
Deliverables:
- Scope statement (services, sites, OT domains)
- Roles and responsibilities (RACI)
- Risk register seeded with OT-specific scenarios
Step 2: Build an OT security baseline architecture (IEC 62443 + NIST 800-82)
- Create zones and conduits diagrams (IEC 62443 concept)
- Implement segmentation and IDMZ (NIST 800-82 style)
- Define standard remote access patterns, logging, and endpoint hardening baselines
Deliverables:
- Zones/conduits design package
- Standard “site reference architecture”
- Remote access standard + vendor access policy
Step 3: Turn architecture into requirements (IEC 62443 strength)
- Define security requirements for:
- New projects (capex)
- Retrofits (brownfield)
- Vendors and integrators
- Set target security levels by zone (where practical)
Deliverables:
- OT security requirements catalog
- Procurement language and RFP templates
- FAT/SAT security test checklists
Step 4: Implement controls with OT-safe tactics (NIST 800-82 strength)
- Passive monitoring first where possible
- Carefully staged patching + compensating controls
- Controlled portable media
- Application allowlisting for Windows-based HMIs/servers
- Backup/restore tested for OT workloads (including engineering workstation projects)
Deliverables:
- Hardening baselines
- Patch/vulnerability management procedure tailored to OT
- OT backup and recovery playbooks
Step 5: Prepare incident response and reporting (NIS2 outcome + OT reality)
- Define incident severity categories that map to regulatory reporting thresholds
- Build OT-specific playbooks (ransomware, unauthorized logic changes, remote access compromise)
- Train on cross-functional drills (IT + OT + safety + legal + comms)
Deliverables:
- OT incident response plan
- Reporting workflow and evidence retention checklist
- Tabletop exercise schedule and results
Step 6: Measure, audit, and continuously improve (IEC 62443 program mindset)
- Internal audits of key controls
- Supplier assessments
- Lessons learned after incidents and exercises
- Roadmap updates based on changing threat and operational needs
Deliverables:
- KPI dashboard
- Audit reports and remediation plans
- Updated risk posture per site/zone
Control mapping: NIS2 outcomes → IEC 62443 requirements → NIST 800-82 implementation
This mapping is intentionally practical: it shows how to translate “legal obligations” into “engineering requirements” and then into “technical action.”
| NIS2 outcome area | IEC 62443 program translation | NIST 800-82 implementation examples |
|---|---|---|
| Risk management measures | Define OT security program requirements; formal risk assessments per zone | Asset inventory; threat modeling; segmentation plan; vulnerability triage with OT constraints |
| Incident handling & reporting | OT IR roles, playbooks, evidence requirements | OT-safe monitoring; centralized logging where feasible; jump host session logs; incident containment procedures |
| Business continuity & crisis mgmt | Availability requirements, recovery objectives, tested procedures | Offline backups; tested restore of HMIs/historians; “gold images” for OT endpoints; spare parts strategy |
| Supply chain security | Procurement requirements, vendor lifecycle expectations | Vendor access controls; signed firmware policies; third-party remote access through IDMZ; supplier risk scoring |
| Policies & access control | Roles, least privilege, authentication requirements by zone | MFA on remote access; unique accounts; engineering workstation privilege separation; firewall rules by conduit |
| Security testing and assurance | FAT/SAT security tests; acceptance criteria; periodic assessments | Network segmentation validation; restore tests; vulnerability scanning in safe windows; passive discovery tools |
Reference architectures: segmentation, remote access, and monitoring
Below are three “golden patterns” that align well with the intent of IEC 62443 zones/conduits and the practical guidance of NIST SP 800-82, while supporting NIS2 governance outcomes.
1) Segmentation pattern: Enterprise → IDMZ → OT zones
Goal: Prevent threats in enterprise IT from directly reaching OT control networks and limit lateral movement inside OT.
Core components:
- Industrial DMZ (IDMZ) with tightly controlled services:
- Patch management relay (when needed)
- Historian replication endpoints
- Remote access jump hosts
- Update repositories (curated)
- Firewalls enforcing allowlist rules between:
- IT ↔ IDMZ
- IDMZ ↔ OT zones
- OT zones segmented by process area/cell where feasible
Evidence you should be able to produce:
- Zone/conduit diagrams
- Firewall rule review records
- “Allowed flows” documentation and approvals
2) Remote access pattern: vendor access without “keys to the kingdom”
Goal: Enable maintenance and support while controlling risk.
Recommended features:
- MFA and named accounts (no shared vendor logins)
- Approval workflow (change ticket / maintenance window)
- Jump host in IDMZ (no direct inbound to OT zone)
- Session recording and logs retained
- Time-boxed access and rapid revocation
Evidence:
- Remote access policy
- Access logs + session records
- Vendor agreements requiring security behavior
3) Monitoring pattern: passive-first OT detection
Goal: Improve detection without disrupting deterministic control traffic.
Recommended approach:
- Passive network sensors (TAP/SPAN)
- OT protocol decoding where possible
- Baselining for normal operations
- Alert triage that involves OT engineers
Evidence:
- Alert handling runbooks
- Tuning history (showing maturity, not just noise)
- Incident metrics (MTTD/MTTR adapted to OT)
Common pitfalls and how to avoid them
Pitfall 1: Treating NIS2 like a technical checklist
What happens: You comply on paper but remain operationally vulnerable.
Fix: Use NIS2 to define governance and outcomes; implement technical depth via NIST 800-82 and engineering rigor via IEC 62443.
Pitfall 2: “Flat OT network” persists because segmentation is hard
What happens: One compromise spreads across lines and sites.
Fix: Start with a pragmatic segmentation plan:
- isolate remote access first,
- create an IDMZ,
- then segment by highest consequence zones.
Pitfall 3: Vendor remote access becomes the hidden backdoor
What happens: Third-party compromise becomes your incident.
Fix: Standardize a single remote access pattern with MFA, jump hosts, approvals, and logging—then enforce it contractually.
Pitfall 4: Patch management is abandoned entirely in OT
What happens: Known vulnerabilities accumulate until a major incident occurs.
Fix: Implement OT-appropriate vulnerability management:
- risk-based triage,
- compensating controls,
- scheduled maintenance windows,
- vendor coordination.
Pitfall 5: No one can answer “what changed?” in the control environment
What happens: Troubleshooting and incident response fail.
Fix: Implement change management that includes:
- network changes,
- firewall rules,
- PLC logic changes,
- engineering workstation project changes.
KPIs and evidence: what auditors and leadership will ask for
If you need to satisfy executives, regulators, customers, or internal audit, track metrics that demonstrate outcomes—especially those aligned with NIS2 expectations.
Suggested OT security KPIs
- Asset coverage: % of OT assets inventoried (and classified by criticality)
- Segmentation progress: % of sites using IDMZ; % of OT networks zoned
- Remote access control: % of vendor access using MFA + jump host; % sessions recorded
- Vulnerability management: # of critical OT vulnerabilities past due, with documented compensating controls
- Backup readiness: % of critical OT servers with tested restores in last 90/180 days
- Detection and response: OT MTTD/MTTR; # of confirmed incidents; exercise outcomes
- Supplier posture: % of critical suppliers assessed; contract clauses adopted
Evidence pack (what “good” looks like)
- OT security policy set + governance minutes
- Architecture diagrams (zones/conduits) and firewall rule reviews
- IR plan + incident reporting workflow + tabletop results
- Vendor remote access logs, approvals, and session records
- Patch/vulnerability triage records with risk decisions
- Backup/restore test reports
FAQs
Is NIST SP 800-82 a replacement for IEC 62443?
No. NIST SP 800-82 is strongest as technical and operational guidance for ICS environments. IEC 62443 is a lifecycle requirements and assurance framework that is especially powerful for standardizing OT security across projects, vendors, and sites.
Do we “need” IEC 62443 certification to be secure?
Not strictly—but IEC 62443-oriented practices often make programs more consistent, auditable, and scalable. Certification (where pursued) can also help with customer requirements and supplier governance.
Does NIS2 tell me exactly how to segment my OT network?
Not in technical detail. NIS2 is about required risk management outcomes and reporting. Use IEC 62443 to design segmentation via zones/conduits and NIST 800-82 for practical architecture patterns like IDMZ and OT-safe monitoring.
If we follow IEC 62443 and NIST 800-82, are we automatically compliant with NIS2?
Not automatically. You still need NIS2-aligned governance, reporting workflows, management accountability, and evidence mapped to your country’s implementing law. But strong IEC 62443 + NIST 800-82 execution usually makes NIS2 compliance much easier.
Which should I start with if I have limited budget?
Start with:
- Remote access control (especially vendors)
- Network segmentation + IDMZ
- Asset inventory + monitoring
- Incident response + reporting workflow
Then formalize lifecycle requirements (IEC 62443) and compliance evidence (NIS2).
Conclusion: choosing the right “north star” for your OT environment
Use this simple decision rule:
- If you need to harden ICS and operate securely day-to-day, lean on NIST SP 800-82.
- If you need to design, build, standardize, and certify OT security across lifecycle and suppliers, adopt IEC 62443.
- If you need to meet legal requirements and prove governance, reporting, and accountability, align with NIS2 (and your national implementation).
The most resilient OT programs don’t pick one—they stack them:
NIS2 defines the required outcomes, IEC 62443 makes the program engineering-grade and auditable, and NIST 800-82 makes the technical implementation safe and practical for real ICS environments.
