IEC 62443 is written around industrial automation and control systems (IACS), not around specific aerospace products. In practice, most networked shopfloor systems that influence production, test, or validation of aerospace hardware will be in scope to some degree, but the exact boundary must be defined by your own risk assessment, architecture, and classification of OT vs IT.

Core shopfloor systems typically in scope

These are usually considered part of the IACS environment and are directly in scope for IEC 62443 controls and risk assessments:

  • Machine and process controllers
    • CNC controllers, PLCs, motion controllers, robotic controllers
    • Special-process controllers (heat treat, shot peen, plating, coating, bonding, autoclaves)
    • Test stand controllers (structural, environmental, NDT, engine and component test rigs)
  • Supervisory and control applications
    • SCADA and HMI systems for cells, lines, utilities, and special processes
    • Distributed control systems where used in aerospace manufacturing or test facilities
    • SCADA for facility systems that directly affect product quality or safety (compressed air, process gases, clean rooms, critical HVAC for curing, etc.)
  • Data collection and historian platforms
    • Process data historians (time-series historians logging parameters used as quality evidence)
    • Machine data collection gateways and IIoT platforms when they connect to OT devices
    • Custom data loggers integrated with test stands or special-process equipment
  • Shopfloor integration middleware
    • OPC servers and protocol converters (Modbus, Profibus/Profinet, EtherNet/IP, MTConnect, etc.)
    • Edge gateways and data diodes that bridge OT networks to enterprise IT or cloud
    • Custom integration services that read/write parameters or recipes to controllers
  • OT network and security infrastructure
    • Layer 2/3 switches and routers dedicated to production and test networks
    • Industrial firewalls and zones/conduits used to segment cells, lines, and labs
    • Remote access solutions for vendors and maintenance (VPNs, jump hosts, secure access tools)
    • Network monitoring specific to OT (passive asset discovery, anomaly detection)
  • Engineering workstations and servers tied to control
    • PLC/CNC programming workstations and maintenance laptops
    • Recipe management servers that push parameters to special-process equipment
    • Configuration servers used to deploy control logic or device firmware

Enterprise systems that are often partially in scope

These systems are usually treated as IT, but interfaces that directly influence control or product realization can fall into IEC 62443 scope as conduits or supporting components:

  • MES and electronic traveler systems
    • When MES writes recipes, setpoints, or work instructions directly into controllers or HMIs
    • When MES is a required path for traceability or process enforcement linked to OT
  • Quality and test data systems
    • SPC systems that pull raw data directly from machines or testers
    • Test data management platforms that control or sequence automated test stands
  • PLM and NC/CAM flows
    • PLM or DNC systems that distribute NC programs to CNCs and robots
    • CAM workstations and DNC servers that are dual-homed between IT and OT zones
  • ERP and scheduling
    • Typically treated as IT, but interfaces that directly release work or recipes into OT environments may be treated as conduits with specific IEC 62443 controls.

Test, lab, and ground-support systems

In aerospace, many critical systems are not on the main production line but still fall into scope because they influence airworthiness or regulatory evidence:

  • Environmental test chambers and vibration rigs with networked controllers
  • Engine, APU, and propulsion test cells with integrated control and data acquisition
  • Ground support equipment with networked controls (fuel, hydraulics, avionics test benches)
  • Calibration stands for instruments and sensors when network-connected

Where these systems are integrated into qualification or certification evidence chains, their integrity is usually treated as an IACS concern in risk assessments aligned to IEC 62443.

What is commonly out of scope or only indirectly in scope

Some shopfloor-adjacent systems are usually outside strict IACS scope but may still be relevant as part of overall cybersecurity and business continuity:

  • General office IT on the shopfloor
    • Standard office PCs, email, and file servers that are not connected to control networks
    • Collaboration tools used for production coordination but not tied to control logic
  • Standalone tools with no connectivity
    • Isolated measurement devices or manual gauges with no network interfaces
    • Truly air-gapped legacy machines without digital control or data transfer
  • Facilities systems that do not affect product or safety
    • Office HVAC, non-critical lighting, and general building management systems that do not affect special processes, test environments, or worker safety beyond normal building operation.

Even when formally out of IACS scope, these systems can still represent pathways into OT zones if network segmentation is weak, so they should be considered in architecture and zoning decisions.

Brownfield aerospace realities

In aerospace plants, IEC 62443 scoping is constrained by long-lived equipment, vendor diversity, and extensive validation obligations:

  • Many legacy CNCs, test stands, and special-process tools cannot be easily patched or reconfigured without requalification risk.
  • “Rip-and-replace” of MES, SCADA, or network infrastructure is rarely feasible due to downtime, recertification, and integration complexity.
  • Scope decisions often start from existing OT zones and conduits, then incrementally harden the most critical cells and lines.
  • Vendor remote access, multi-generation equipment, and partial documentation frequently limit how fully IEC 62443 controls can be applied without a staged remediation plan.

As a result, plants typically prioritize high-criticality areas (flight hardware, engines, critical structures, special processes) and apply IEC 62443 principles first to the systems and interfaces that directly impact those products.

How to define scope in your environment

IEC 62443 does not give a fixed aerospace-specific list of systems. Scoping should be based on:

  • A current OT asset inventory and network architecture diagram for production, test, and labs
  • Risk assessments that consider safety, product quality, regulatory evidence, and operational continuity
  • Zone and conduit definitions that distinguish OT, IT, and boundary systems
  • Existing controls, vendor constraints, and what changes can realistically be validated and deployed

In practice, any networked system that can change, execute, or undermine manufacturing or test processes for regulated aerospace hardware is a candidate for IEC 62443 scope, with the depth of controls tailored to its role and risk.
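The scoping inputs above can be checked mechanically once an inventory and link list exist. The following is an added example, not part of the original page or of IEC 62443: it sorts assets into the page's three tiers and flags formally out-of-scope assets that still have a route into an OT zone that bypasses every boundary device, for instance via a dual-homed DNC server. The asset names, the zone labels, the `writes_to_ot` attribute and the topology are constructed assumptions, and boundary devices are assumed to enforce their conduit rules.

```python
from collections import deque

# Constructed inventory and topology for illustration only (not from the page).
ASSETS = {
    "cnc-cell-3":   {"zone": "OT"},
    "ot-firewall":  {"zone": "BOUNDARY"},
    "dnc-server":   {"zone": "IT", "writes_to_ot": True},
    "mes-app":      {"zone": "IT", "writes_to_ot": True},
    "it-switch":    {"zone": "IT"},
    "office-pc-17": {"zone": "IT"},
    "office-bms":   {"zone": "IT"},
    "manual-gauge": {"zone": "NONE"},   # no network interface, no links
}
LINKS = [
    ("cnc-cell-3", "ot-firewall"),
    ("ot-firewall", "mes-app"),
    ("dnc-server", "cnc-cell-3"),   # dual-homed: second NIC directly in the OT zone
    ("dnc-server", "it-switch"),
    ("office-pc-17", "it-switch"),
    ("office-bms", "ot-firewall"),
]

def neighbours(name):
    """Assets directly linked to `name` (links are undirected)."""
    return [b if a == name else a for a, b in LINKS if name in (a, b)]

def unfiltered_path_to_ot(start):
    """BFS that never forwards through a BOUNDARY asset; returns the path or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        for nxt in neighbours(path[-1]):
            if nxt in seen or ASSETS[nxt]["zone"] == "BOUNDARY":
                continue
            if ASSETS[nxt]["zone"] == "OT":
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

def classify(name):
    """Map an asset to one of the scoping tiers used on this page."""
    asset = ASSETS[name]
    if asset["zone"] in ("OT", "BOUNDARY"):
        return "in scope"
    if asset.get("writes_to_ot"):
        return "partial: conduit"
    if unfiltered_path_to_ot(name):
        return "out of scope, but pathway into OT"
    return "out of scope"
```

Running `classify` over every key in `ASSETS` gives a first-pass scope list; any returned path from `unfiltered_path_to_ot` is a segmentation gap to review in the zone and conduit design.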
