IEC 62443 SL-2 controls and NIS2 obligations in 3 seconds.
IgeraIndustria gives OT/ICS Cybersecurity Specialists instant access to IEC 62443 Security Level controls, NIS2 obligations for critical infrastructure operators and MITRE ATT&CK for ICS analysis. Cross-reference five frameworks simultaneously in natural language — without opening a single PDF.
OT/ICS cybersecurity: five complex frameworks, one specialist, no time to search
The OT/ICS Cybersecurity Specialist operates across IEC 62443 (the technical standard), NIS2 (the legal obligation), MITRE ATT&CK for ICS (the threat model), the Purdue Model (the architecture reference) and ENISA guidance (the interpretation framework). Answering a single audit question may require cross-referencing all five simultaneously.
SL-2
IEC 62443 Security Level 2: the baseline target for most industrial operators, requiring protection against intentional attacks with simple means — 78 specific System Requirements in IEC 62443-3-3.
FR1-FR7
Seven Foundational Requirements in IEC 62443: Identification & Authentication, Use Control, System Integrity, Data Confidentiality, Restricted Data Flow, Timely Response, Resource Availability.
12
MITRE ATT&CK for ICS tactics, from Initial Access to Impact — including ICS-specific tactics like Inhibit Response Function that have no equivalent in the enterprise ATT&CK framework.
€10M
Maximum NIS2 fine for essential entities (or 2% of annual global turnover if higher) — plus personal management liability. The regulatory stakes have never been higher for OT security.
The OT/ICS Cybersecurity Specialist spent 3 hours last week trying to identify which IEC 62443-3-3 System Requirements apply to SL-2 for their historian server zone, then cross-reference with NIS2 art. 21 to verify compliance. IgeraIndustria answers that in under 30 seconds, with all citations included.
Instant answers to your OT/ICS cybersecurity queries
IgeraIndustria indexes IEC 62443, NIS2, MITRE ATT&CK for ICS, ENISA guidance and your internal OT security policies so every answer is grounded in the specific standard and your actual environment.
IEC 62443 Security Level controls by zone
Identify the specific IEC 62443-3-3 System Requirements (SRs) applicable to each security zone at your target Security Level. Cross-reference FR1-FR7 Foundational Requirements with the SRs for SL-1, SL-2 or SL-3 to build a complete control implementation checklist.
MITRE ATT&CK for ICS threat modelling
Map ATT&CK for ICS techniques to your OT environment. Identify which initial access techniques are relevant given your internet exposure, which lateral movement techniques are enabled by your IT-OT architecture, and which impact techniques target your specific industrial process.
NIS2 compliance gap analysis for OT
Map your current OT security controls to NIS2 art. 21 requirements. Identify gaps, prioritise remediation by risk and timeline. Generate audit-ready documentation showing NIS2 risk management measure implementation status.
OT vulnerability assessment and CVE analysis
Assess CVEs in OT context: CVSS scores require adjustment for OT (exploitability and impact differ in air-gapped, safety-critical environments). Identify vendor advisories applicable to your asset inventory, evaluate patch applicability and design compensating controls for unpatchable systems.
OT zones and conduits design (IEC 62443-3-2)
Zones and conduits methodology for OT network security design: how to define zones based on function and risk, which conduits require firewalls vs data diodes, and how to document the zone model for IEC 62443 and NIS2 compliance audits.
OT security assessment and audit preparation
Prepare for IEC 62443 conformance assessments and NIS2 national authority audits: generate control evidence checklists by security level, identify documentation gaps, and draft the system security plan (SSP) required for IEC 62443-2-4 service provider compliance.
IEC 62443 — complete coverage across all series parts
IgeraIndustria has the complete IEC 62443 series indexed: Policies & Procedures (62443-2), System (62443-3) and Component (62443-4) parts, with the Foundational Requirements and Security Level requirements cross-referenced for instant lookup.
IEC 62443-2-1 — Security management system
Requirements for establishing, operating and maintaining a security management system (CSMS) for IACS. Analogous to ISO 27001 but for OT environments. Covers security policy, risk assessment methodology, security organisation and monitoring programme.
IEC 62443-2-3 — Patch management for IACS
Comprehensive patch management framework for OT environments: asset inventory requirements, patch assessment methodology (applicability, vendor approval, risk assessment), test environment requirements, deployment procedures and documentation for unpatched systems.
IEC 62443-2-4 — Security requirements for IACS service providers
Requirements for OT system integrators and service providers (engineering companies, maintenance vendors) accessing IACS environments: access control, secure remote access, personnel security and handover security documentation.
IEC 62443-3-2 — Security risk assessment and system design
Zone and conduit design methodology: how to partition an IACS into security zones, assign target Security Levels to each zone based on risk assessment, and define conduit security requirements. The foundation for any OT network segmentation project.
IEC 62443-3-3 — System Security Requirements
The most referenced IEC 62443 document: 78 System Requirements (SRs) organised under the 7 Foundational Requirements, with requirements specified for each Security Level (SL-1 to SL-4). The core technical benchmark for OT system security.
IEC 62443-4-2 — Component Security Requirements
Security requirements for individual IACS components: PLCs, RTUs, HMIs, sensors, embedded devices. Defines Component Security Levels (CR 1.x — 7.x) that component vendors must meet. Critical for procurement security evaluation of OT equipment.
4 frameworks every OT/ICS Cybersecurity Specialist must master
IgeraIndustria indexes all four simultaneously, enabling cross-framework queries that would otherwise require hours of manual cross-referencing.
IEC 62443 — The OT security standard
The global technical standard for Industrial Automation and Control System (IACS) security. Structured in four series (General, Policies, System, Component). Introduces the zones and conduits model, Security Levels SL-1 to SL-4, and the seven Foundational Requirements (FR1: Identification & Authentication Control; FR2: Use Control; FR3: System Integrity; FR4: Data Confidentiality; FR5: Restricted Data Flow; FR6: Timely Response to Events; FR7: Resource Availability). IEC 62443-3-3 maps these FRs to 78 System Requirements at each Security Level — the actionable technical control set for OT security design and audit.
NIS2 — The legal obligation
Directive EU 2022/2555 mandates cybersecurity risk management for essential and important entities. For manufacturers and critical infrastructure operators, NIS2 art. 21 specifies ten risk management measure categories: risk analysis, incident handling, business continuity, supply chain security, network security, vulnerability management, cryptography, HR security, access control and asset management. Management bodies are personally accountable (art. 20). Fines up to €10M or 2% of global turnover. IEC 62443 is the de facto technical standard for demonstrating NIS2 OT compliance.
MITRE ATT&CK for ICS — The threat model
Documents the actual tactics, techniques and procedures (TTPs) used in real OT/ICS attacks (Industroyer/CrashOverride, TRITON/TRISIS, BlackEnergy, Stuxnet). Twelve ICS-specific tactics include ICS-unique techniques like “Modify Controller Tasking” (modifying PLC programs during execution) and “Activate Firmware Update Mode” (exploiting firmware update mechanisms). Used for threat modelling, detection engineering (building OT-specific SIEM rules), red team exercises and incident response investigation (mapping observed TTPs to the framework to identify other likely techniques).
Purdue Model / ISA-95 — The architecture reference
The hierarchical reference model for industrial control system architecture, defining six levels from field devices (L0) to enterprise (L5). The IT-OT boundary at L3/L4 is the critical security point requiring mandatory DMZ and firewall controls. Modern industrial environments increasingly deviate from the pure Purdue model (cloud connectivity, remote access, IIoT devices) — creating new security challenges. IEC 62443-3-2 provides the updated zones and conduits model that supersedes strict Purdue hierarchy while preserving its security principles.
How IgeraIndustria works for OT/ICS Cybersecurity
Five steps from uploading your OT security documentation to getting cross-framework answers in seconds.
Index your OT security documentation and standards
Upload your OT security policies, zone and conduit diagrams, asset inventory, risk assessment results and incident response plans. IgeraIndustria processes them alongside the full IEC 62443 series, NIS2, MITRE ATT&CK for ICS and ENISA guidance in under 24 hours.
Connect to your OT security team
Embed in your security team portal or operate as a standalone secure internal tool. Air-gap-friendly deployment options available for environments with strict network separation. Role-based access for different team members.
OT security team queries in natural language
“What are the IEC 62443-3-3 SL-2 requirements for the historian server zone?”, “Which MITRE ATT&CK for ICS techniques are most likely given our OPC-UA historian has internet connectivity?”, “What NIS2 documentation do we need for the competent authority audit?”
IgeraIndustria searches across all indexed frameworks simultaneously
Searches your internal OT documentation first, then cross-references IEC 62443, NIS2, MITRE ATT&CK for ICS and ENISA guidance. Automatically surfaces relevant requirements across multiple frameworks when answering a single question.
Answer with standard citations, control requirements and implementation guidance
The response cites the specific IEC 62443 SR, NIS2 article and MITRE ATT&CK technique ID. Provides the specific control requirements for the applicable Security Level and implementation guidance for your specific OT environment and asset types.
IgeraIndustria in action — IEC 62443-3-3 SL-2 controls
A query about IEC 62443-3-3 SL-2 security controls resolved in under 3 seconds, with FR1-FR7 Foundational Requirements and specific SL-2 System Requirements cited.
OT/ICS Cybersecurity Specialist
What are the IEC 62443-3-3 SL-2 security controls I need to implement? Give me the Foundational Requirements with the specific SL-2 requirements.
IgeraIndustria
IEC 62443-3-3:2013 — Security Level 2 System Requirements
FR1 — Identification & Authentication Control (SL-2):
- • SR 1.1: Human user identification and authentication — MFA required at SL-2
- • SR 1.2: Software process and device identification — unique IDs for all devices
- • SR 1.3: Account management — disable default accounts, enforce password policy
FR5 — Restricted Data Flow (SL-2):
- • SR 5.1: Network segmentation — zones and conduits with access control at each conduit
- • SR 5.2: Zone boundary protection — firewalls or data diodes at zone boundaries
- • SR 5.4: Application partitioning — separate safety from control functions
⚠️ SL-2 adds 34 additional requirements vs SL-1 across FR1-FR7. Full list available — ask for specific FR for detailed SR breakdown.
✓ IEC 62443-3-3:2013 FR1 SR 1.1-1.3, FR5 SR 5.1-5.4 · Confidence: 99.6%
500
employees, energy operator
0
OT incidents in 24 months post IEC 62443
NIS2
compliant — readiness assessment passed
We are a critical infrastructure energy operator with 500 employees and a complex OT environment with assets ranging from 2003 to 2024. Our OT/ICS Cybersecurity Specialist used IgeraIndustria to cross-reference IEC 62443-3-3 SL-2 requirements against our zone architecture and identify the gaps. What previously took weeks of manual work across five frameworks now takes days. We implemented IEC 62443 SL-2 controls across all zones, passed our NIS2 readiness assessment, and have had zero OT security incidents in 24 months since deployment.
*Representative testimonial based on real customer results
Frequently asked questions — OT/ICS Cybersecurity
What are the key differences between IT and OT cybersecurity?
IT and OT cybersecurity share some principles but diverge fundamentally in priorities, constraints and threat models. In IT, the CIA triad (Confidentiality, Integrity, Availability) is typically applied in that order. In OT, availability and safety come first — a SCADA system that goes offline can halt production or create a physical safety hazard. Key differences: (1) Patching: IT systems can be patched regularly with brief downtime; OT systems may run for months or years without maintenance windows, and vendor approval is required before patching. (2) Legacy systems: OT environments frequently contain equipment from the 1990s and 2000s running unsupported operating systems (Windows XP, Windows CE) that cannot be patched. (3) Protocols: OT uses industrial protocols (Modbus, DNP3, Profibus, OPC-UA) not designed with security in mind. (4) Air gaps: historically OT was isolated; IT-OT convergence has eliminated most air gaps, dramatically expanding the attack surface. (5) Impact of attacks: an OT cyberattack can cause physical damage, environmental incidents, safety hazards and production losses measured in millions per day.
What are the IEC 62443 Security Levels (SL)?
IEC 62443 defines four Security Levels that describe the capability of a threat actor and the corresponding countermeasures required: SL-1 (protection against unintentional or accidental violations — human error, casual browsing); SL-2 (protection against intentional violation using simple means with low resources — script kiddies, opportunistic attackers); SL-3 (protection against intentional violation using sophisticated means with moderate resources — organised criminal groups, nation-state-adjacent); SL-4 (protection against state-sponsored actors with extensive resources targeting critical infrastructure). Most industrial operators must achieve SL-2 as the baseline, with critical infrastructure operators targeting SL-2 or SL-3 depending on the zone. IEC 62443-3-3 maps the seven Foundational Requirements (FR1-FR7) to specific System Requirements (SR) for each Security Level, providing the actionable technical controls for each SL.
What are the NIS2 obligations for manufacturing operators?
NIS2 Directive (EU 2022/2555) expanded its scope significantly compared to NIS1, bringing manufacturing companies with revenue over €10M or 50+ employees in certain sub-sectors into scope as “important entities” (and some as “essential entities”). Key obligations for manufacturers: (1) Cybersecurity risk management measures (art. 21): policies on risk analysis, incident handling, business continuity, supply chain security, network security, vulnerability management, cryptography and multi-factor authentication; (2) Incident reporting (art. 23): 24h early warning, 72h full notification, monthly updates for significant incidents; (3) Management body accountability (art. 20): management must approve security measures and can be held personally liable for non-compliance; (4) Fines (art. 34): up to €7M or 1.4% of annual global turnover for important entities, up to €10M or 2% for essential entities. NIS2 was required to be transposed into national law by October 2024.
What is MITRE ATT&CK for ICS and how is it used in OT security?
MITRE ATT&CK for ICS is a knowledge base of adversary tactics, techniques and procedures (TTPs) specifically observed in attacks on Industrial Control Systems. It covers 12 tactics: Initial Access (spear phishing, exploiting internet-facing systems, supply chain compromise), Execution, Persistence (modifying PLC programs, implanting backdoors in firmware), Privilege Escalation, Evasion (masquerading as legitimate OT traffic), Discovery (scanning for OT assets), Lateral Movement (moving from IT to OT network), Collection (historian data theft), Command and Control, Inhibit Response Function (disabling safety systems — the most dangerous ICS tactic), Impair Process Control (modifying setpoints, falsifying sensor readings) and Impact (denial of control, damage to equipment, loss of safety). In practice, OT security teams use ATT&CK for ICS for: threat modelling (which techniques are most likely given our environment?), detection engineering (what logs and alerts would detect technique X?), incident response (what other techniques should we look for after detecting technique Y?), and red team exercises.
How does the Purdue Model apply to OT network segmentation?
The Purdue Model (also called the Purdue Reference Model for CIM — Computer Integrated Manufacturing) defines a hierarchical architecture for industrial control systems: Level 0 (field devices: sensors, actuators, motors), Level 1 (basic control: PLCs, RTUs, DCS), Level 2 (supervisory control: SCADA, HMIs, engineering workstations), Level 3 (site operations: site-level SCADA, historian, batch management), Level 4 (site business: ERP, MES, site IT), Level 5 (enterprise: corporate IT, cloud). Security best practice derived from the Purdue Model requires strict control of traffic flows between levels — particularly between Level 3 and Level 4 (the IT-OT boundary, where a DMZ is mandatory) and no direct connectivity between Level 0-2 and Level 4-5. IEC 62443 formalises this as “zones and conduits”: security zones are groups of assets with similar security requirements, and conduits are the controlled communication paths between zones. NIS2 art. 21(2)(e) mandates network segmentation as a required risk management measure.
What does an OT incident response plan need to cover?
An OT incident response plan must address several aspects that differ from IT incident response: (1) Detection: OT monitoring tools (passive network monitoring to avoid disrupting control traffic), anomaly detection on industrial protocols (Modbus, DNP3, OPC-UA), integration with safety system alarms; (2) Triage and classification: criteria for declaring an OT incident significant under NIS2 art. 23, decision tree for OT-IT isolation (when to disconnect the OT network from IT to prevent lateral movement); (3) Evidence collection: how to capture OT forensic evidence (PLC logs, historian data, network captures) without disrupting production — a fundamental difference from IT forensics where systems can be taken offline; (4) Containment: isolating affected PLCs or network segments while maintaining production safety (safety systems must remain operational); (5) NIS2 notification: 24h early warning content, 72h full notification structure, ongoing updates; (6) Recovery: restoring from OT-specific backups, verifying PLC program integrity, testing before reconnection; (7) Post-incident: root cause analysis, ATT&CK for ICS technique mapping, lessons learned and control improvements.
IgeraIndustria plans — OT/ICS Cybersecurity
No lock-in. Cancel anytime.
Starter
For OT/ICS security teams needing instant access to IEC 62443 and NIS2 requirements for a single-site industrial environment.
- IEC 62443 series pre-indexed
- NIS2 Directive pre-indexed
- Security Level control queries
- 1,000 queries/month
- OT security team widget
- Email support
Professional
For NIS2-scope operators needing full OT security framework coverage: IEC 62443 + NIS2 + MITRE ATT&CK for ICS + ENISA + internal OT documentation.
- IEC 62443 + NIS2 + ATT&CK ICS + ENISA
- Upload internal OT security documentation
- Zone and conduit compliance queries
- 5,000 queries/month
- NIS2 audit preparation checklists
- Priority support
Enterprise
For critical infrastructure operators with complex multi-site OT environments, multiple NIS2 entities and advanced IEC 62443 SL-3 requirements.
- Multi-site and multi-entity
- Full framework library + internal docs
- IEC 62443 SL-3 control mapping
- Unlimited queries
- SLA 99.9% uptime
- Dedicated OT security customer success
IEC 62443, NIS2 and ATT&CK for ICS in one place. Start today.
- Free 14-day trial — no credit card required
- Full IEC 62443 series + NIS2 + MITRE ATT&CK for ICS pre-indexed from day 1
- Upload your OT security documentation for cross-framework queries
- NIS2 audit-ready compliance checklists by risk management measure
