IEC 62443 does not provide AS9100 certification and it does not guarantee positive outcomes with aviation authorities. It is a cybersecurity standard for industrial automation and control systems, not a quality management or aviation regulatory standard. However, a well-implemented IEC 62443 program can support AS9100 and aviation authority audits in several indirect but concrete ways.
Where IEC 62443 can help AS9100 audits
AS9100:2016 requires evidence-based risk management, configuration control, and protection of production systems and data. IEC 62443 can help you demonstrate:
- Structured risk management for OT/ICS: Threat and risk assessments, security levels, and zone/conduit models can be mapped to AS9100 requirements on risk-based thinking and operational risk control, especially for manufacturing systems that affect product conformity.
- Configuration management of production assets: IEC 62443 practices around hardening, patching, account management, and backup/restore can be used as objective evidence that critical manufacturing equipment and supporting IT/OT systems are controlled and protected.
- Change control and validation impact assessments: A security program aligned to IEC 62443 usually creates clearer inventories, dependencies, and criticality rankings. That can support AS9100 change control by making it easier to show that changes to OT/ICS are identified, assessed for risk, and verified/validated before use.
- Business continuity for production systems: Backup, recovery, and incident handling practices required in a mature 62443 implementation can strengthen your demonstration of contingency planning and risk mitigation for loss of data or systems that impact quality or delivery.
- Supplier and outsourced process control: If key suppliers or special process providers operate your tooling, test rigs, or data services, 62443-based requirements can be incorporated into supplier controls. That supports AS9100 clauses on external provider control, as long as the requirements and monitoring are documented.
In practice, auditors often look favorably on a recognized framework like IEC 62443 because it shows you are not treating OT security as ad hoc. But they will still test how it is implemented and whether it ties into your QMS.
Where IEC 62443 does not help (or is irrelevant)
- No substitute for a QMS: IEC 62443 does not address many core AS9100 areas such as design & development, configuration management of product, FAI/PPAP, nonconformance and CAPA, or customer-specific requirements. You cannot claim AS9100 conformity by pointing to 62443.
- Does not remove the need for process validation: Even if a control is recommended by IEC 62443 (for example, application whitelisting on test equipment), you still must validate any change that can affect product quality or compliance and maintain full traceability under your QMS.
- Does not guarantee audit outcomes: Auditors and aviation authorities focus on whether your documented processes are followed, controlled, and effective. Misaligned or partially implemented 62443 controls can actually raise concerns if the gap between policy and practice is large.
How IEC 62443 can support aviation authority expectations
Aviation authorities (e.g., FAA, EASA, national authorities) are primarily interested in product safety, airworthiness, and continued operational safety. For manufacturing operations, they care that:
- Production and test systems that affect airworthiness-related characteristics are controlled and reliable.
- Data that supports design, manufacturing, and continued airworthiness is complete, accurate, and preserved.
- Changes to systems that can affect product conformity or safety are identified, assessed, and controlled.
IEC 62443 can support these expectations when it is:
- Linked to product and process risk: You identify which OT/ICS assets can affect airworthiness-related features and prioritize 62443 controls accordingly. This mapping is key if you want to use 62443 evidence in an audit or regulatory conversation.
- Integrated into existing QMS and SMS processes: Cybersecurity-related risks, incidents, and changes are routed through existing risk, change, CAPA, and safety management system workflows, not handled in a disconnected “IT-only” channel.
- Under formal document and configuration control: Policies, network diagrams, zone/conduit models, and security requirements are version-controlled, reviewed, and approved in the same disciplined way as other controlled documents.
A regulator or delegated oversight team may not ask for IEC 62443 by name, but they can use its artifacts (asset inventories, risk assessments, control matrices, incident records) as corroborating evidence that risks to critical manufacturing systems and data are being actively managed.
Brownfield reality and implementation tradeoffs
In aerospace manufacturing, OT environments are typically brownfield and highly heterogeneous: legacy CNC and special process equipment, multiple MES generations, custom test stands, and tightly validated integrations. This strongly shapes how useful IEC 62443 is in practice.
- Full 62443 “from scratch” is rarely feasible: Re-architecting the entire OT network or replacing legacy systems purely to meet 62443 objectives usually collides with validation cost, extended downtime, and recertification risk. This is often unjustifiable for qualified equipment with long remaining lifecycles.
- Incremental, risk-based adoption works better: Most plants start by using 62443 concepts (asset inventory, zoning, hardened configurations, monitored remote access) around the most critical or exposed systems, then extend coverage over time as maintenance windows and re-validation opportunities arise.
- Coexistence with existing MES/ERP/QMS: IEC 62443 does not replace your existing systems. Instead, controls (for example, authentication, logging, backup) must be layered around them and integrated into existing change control, deviation, and CAPA processes. Misalignment between security changes and QMS workflows is a common failure mode.
- Evidence management overhead: To be useful in AS9100 or authority audits, 62443 controls must produce durable, traceable evidence (logs, approvals, test results, exceptions). This increases documentation and coordination demands across OT, IT, quality, and engineering.
Practical ways to use IEC 62443 as supporting evidence
If you already follow IEC 62443 in your OT environment, you can leverage it to strengthen AS9100 and aviation authority audits by:
- Referencing your OT/ICS cybersecurity policy and zone/conduit model as objective evidence under risk management and infrastructure control clauses.
- Showing that change requests for OT systems (patches, configuration changes, new remote access methods) are evaluated for security impact and processed through the same formal change control as other production changes.
- Providing asset inventories and criticality rankings that link OT systems to specific product lines, special processes, or airworthiness-relevant functions.
- Demonstrating that backup, recovery, and incident response exercises for key OT systems are planned, executed, and documented, and that lessons learned feed CAPA processes.
All of this depends on actual implementation quality. A paper-only or partially implemented 62443 program will not help and can create audit risk once auditors start sampling records and interviewing staff.
Summary
IEC 62443 is not an AS9100 or aviation regulatory standard and does not guarantee certification or specific audit outcomes. It can, however, provide a structured framework for protecting OT/ICS in a way that aligns with AS9100 and aviation authority expectations around risk management, system control, and data integrity. In brownfield aerospace environments, the most effective use of IEC 62443 is incremental and tightly integrated into existing QMS, validation, and change control practices, with realistic expectations about what can be changed on legacy equipment.