FAQ

How should system integrators document their IEC 62443 activities?

Cybersecurity and Defense Compliance

System integrators should treat IEC 62443 documentation as part of the delivered control system, not an optional add-on. The goal is to make cybersecurity activities traceable, reviewable, and maintainable over the full lifecycle, especially in brownfield, mixed-vendor environments.

Core principles for IEC 62443 documentation

  • Traceability by design: Every security requirement, design decision, and test should be traceable back to a source (standard clause, customer requirement, risk assessment) and forward to implementation and verification.
  • Lifecycle focus: Document with operations, maintenance, upgrades, and incident response in mind, not just project acceptance.
  • Brownfield reality: Explicitly identify interfaces to existing OT/IT systems, legacy devices, and compensating controls where full 62443 conformance is not feasible.
  • Change-controlled: Keep IEC 62443 documentation under the same configuration and change control as code, configurations, and drawings.
  • Evidence, not marketing: Focus on concrete artifacts (configurations, test results, risk analysis) rather than generic “compliant” statements.

Minimum documentation set for IEC 62443 activities

The exact structure will vary by organization and project scope, but integrators should normally produce and maintain at least the following.

1. Scope, context, and assumptions

  • Project security scope document describing:
    • Systems, zones, and conduits in scope vs explicitly out of scope.
    • Assumptions about the customer environment (e.g., corporate SOC, perimeter firewalls, backup regime).
    • Interfaces to existing MES/ERP/PLM/QMS/PCS and external networks.
  • Security level target (SL-T) definition for zones and conduits, aligned with customer risk appetite and applicable IEC 62443 parts.
  • Dependency matrix listing controls expected to be provided by the owner/operator vs the integrator.

2. Requirements and traceability

  • Security requirements specification that consolidates:
    • Customer cybersecurity requirements.
    • IEC 62443-derived technical requirements for the integrator’s scope.
    • Any site or sector norms (e.g., patching cadence, remote access rules).
  • Traceability matrix mapping each requirement to:
    • Design elements (architecture components, configurations).
    • Implementation artifacts (PLC/SCADA configs, firewall rules, user management).
    • Verification activities (tests, inspections, reviews).

This matrix is often where auditors and internal reviewers start. It must be kept current as designs and configurations change.

3. Architecture and design documentation

  • Network and zone/conduit diagrams that clearly show:
    • IEC 62443 zones and conduits.
    • Interfaces to plant OT, corporate IT, cloud services, and vendors.
    • Security devices and functions (firewalls, DMZs, jump hosts, VPNs, allowlists).
  • Security design description explaining:
    • How the design meets the SL-T for each zone/conduit.
    • Choice of technologies and architectures, including legacy/unsupported components.
    • Compensating controls where IEC 62443 intent is met but not the exact control.
  • Identity and access management model covering user roles, group policies, privilege separation, and account lifecycle.
  • Data flow descriptions for critical data paths (e.g., recipe downloads, batch records, quality data to MES/QMS) with security controls noted at each hop.

4. Risk assessment and threat modeling

  • Documented risk assessment aligned with IEC 62443 concepts, including:
    • Asset inventory within scope (logical and relevant physical).
    • Identified threats and vulnerabilities at zone/conduit level.
    • Likelihood and consequence evaluation tailored to the plant context.
    • Risk treatment decisions and residual risk acceptance by the owner.
  • Threat modeling artifacts (where used): data flow diagrams, misuse cases, or similar, showing how attacks could traverse conduits and what mitigations are in place.

Risk and threat documentation should show why particular controls were implemented or consciously not implemented, especially where legacy constraints exist.

5. Configuration and implementation records

  • Hardened configuration baselines for:
    • Servers, HMIs, engineering workstations.
    • Network devices (switches, firewalls, routers, wireless where applicable).
    • PLC/RTU/IPC or DCS devices where security-relevant settings exist.
  • Access control configurations documenting:
    • Roles, groups, and permissions mapping.
    • Authentication mechanisms (local accounts, domain, multi-factor if used).
    • Service accounts, credentials storage, and rotation approach.
  • Network security configurations including:
    • Firewall rule sets and rationale (what is allowed and why).
    • VPN and remote access configurations, including jump hosts and vendor access methods.
    • Segmentation/ACL configurations at key boundaries.
  • Logging and monitoring configuration describing log sources, retention, log forwarding, and alarm thresholds, plus any dependencies on the customer SOC or SIEM.

In regulated plants, these configuration records should be versioned and linked to specific software/firmware versions, since long equipment lifecycles make later reconstruction difficult.

6. Verification, testing, and validation evidence

  • Security test plan specifying what will be tested, how, and at which stage (FAT/SAT/site commissioning/maintenance windows).
  • Test procedures and results for:
    • Account management and privilege tests.
    • Network segregation and firewall rule tests.
    • Remote access and vendor access scenarios.
    • Backup/restore and recovery drills (where in scope).
  • Issue logs and defect tracking showing discovered findings, remediation actions, and retest results.
  • Validation and acceptance records that tie security verification into the broader commissioning/qualification process used at the plant.

The level of rigor and formality will depend on the plant’s validation expectations and regulatory context; integrators should align their artifacts to the owner’s existing qualification and change control processes when possible.

7. Operational and maintenance documentation

  • Security-relevant operating procedures, such as:
    • How to provision, modify, and revoke user access.
    • How and when to apply patches and firmware updates within downtime constraints.
    • Standard process for enabling/disabling remote access and jump hosts.
  • Incident response integration notes describing what logs, alerts, and events are available from the delivered system and how plant teams or SOCs should consume them.
  • Backup and recovery playbooks for critical system components, including tested restore procedures and any dependencies on owner infrastructure.
  • Known limitations and residual risks clearly documented for operations and engineering, especially where legacy constraints prevent full implementation of recommended controls.

8. Change management and lifecycle records

  • Change control records linking security-relevant changes to:
    • Change requests or work orders.
    • Updated risk assessments, if risk posture changes.
    • Re-testing or regression testing as needed.
  • Versioned baselines for:
    • Architectural diagrams and zone/conduit definitions.
    • Configuration baselines and firewall rule sets.
    • Software/firmware versions on key assets.
  • End-of-life and obsolescence notes for components that will fall out of vendor support during the expected lifecycle, including constraints on patching and potential compensating controls.

In long-lifecycle, regulated plants, full replacement strategies are often impractical due to validation and downtime. Documentation must support incremental upgrades and mixed generations of hardware and software coexisting for years.

9. Format and storage considerations

  • Use the customer’s document control where possible: Align structures and identifiers with their existing document management and configuration management systems to avoid parallel, unsynchronized repositories.
  • Machine- and human-readable formats: Where appropriate, store key configurations in both human-readable documentation and source-controlled machine formats (e.g., firewall configs) with clear cross-references.
  • Access control on documentation: Apply role-based access to sensitive details (e.g., network addressing, admin accounts) while still enabling necessary access for maintenance and audits.

10. Common failure modes to avoid

  • Producing a single “IEC 62443 compliance report” without underlying traceable evidence.
  • Documenting a generic reference architecture that does not match the actual installed configuration.
  • Neglecting to update documentation after late-stage changes during commissioning or post-startup fixes.
  • Omitting legacy systems and uncontrolled conduits because they are “out of scope,” while attackers would see no such boundary.
  • Keeping security documentation only in integrator tooling, inaccessible to the plant once the project ends.

Adapting to specific plant and regulatory contexts

The depth and formality of IEC 62443 documentation will depend on sector, regulatory expectations, and the plant’s process maturity. In highly regulated environments, system integrators should align their security documentation structure with existing qualification, validation, and change control frameworks, and expect that their artifacts will be re-used across future audits, revalidations, and incremental upgrades rather than only at initial project acceptance.

Related Blog Articles

What Aircraft Backlog Really Means: Execution Liability in Aerospace Programs

Aircraft backlog is usually celebrated as proof of demand, but in regulated aerospace manufacturing it is also a long-duration execution liability. This article breaks down the risks hidden inside large order books and shows how a connected execution layer changes how OEMs and suppliers experience backlog.

First Article Inspection (FAI) in Aerospace Manufacturing: Complete Operational Guide

A comprehensive guide to First Article Inspection in aerospace manufacturing, including AS9102 requirements, FAIR documentation, traceability, workflow execution, system integration, common failure points, and how digital platforms improve compliance in regulated production environments.

When First Article Inspection Is Required in Aerospace Manufacturing

A practical guide to AS9102 FAI triggers, including full, partial, and delta FAI decisions across aerospace production and supplier change scenarios.

Building the Business Case and Measuring ROI for Digital AS9102 FAI

Learn how to calculate the ROI of AS9102 software by tying FAI cycle time, error reduction, and audit performance to clear financial outcomes, with metrics, examples, and a practical business case framework.

Get Started

Built for Speed, Trusted by Experts

Whether you're managing 1 site or 100, Connect 981 adapts to your environment and scales with your needs—without the complexity of traditional systems.

Talk to an Aerospace Expert
Explore Solutions

product

Shopfloor OperationsSupply Chain & ProcurementMROSolutionsRequest a Demo

Resources

BlogCommunitySecurity & ComplianceAPI & IntegrationsTalk to an Aerospace Expert

About

About UsPrivacy PolicyCookie PolicyTerms of ServiceContact Us

© 2026 Connect 981. All rights reserved.

Get Started

Built for Speed, Trusted by Experts

Whether you're managing 1 site or 100, C-981 adapts to your environment and scales with your needs—without the complexity of traditional systems.

Request a Demo
Explore Solutions