Asset owners should usually prioritize the IEC 62443 parts that establish governance, risk assessment, and high-level requirements before going deep into detailed technical controls. The exact sequence depends on your current maturity, installed base, and regulatory constraints, but a practical order for most regulated, brownfield environments is:
IEC 62443-2-1 defines the requirements for an industrial automation and control systems (IACS) cybersecurity management system. For asset owners this is usually the highest priority because it frames everything else:
Without this program layer, technical implementations are hard to sustain, difficult to audit, and often conflict with established manufacturing and validation processes.
IEC 62443-3-2 focuses on risk assessment and the definition of zones and conduits. For asset owners running mixed-vendor and legacy infrastructure, this is usually the next critical step:
Because most regulated plants cannot easily re-architect entire networks or replace legacy controllers, 3-2 helps you find realistic, high-leverage changes (for example, segmenting OEM skids or hardening remote access) rather than chasing idealized target architectures.
IEC 62443-3-3 defines system-level security requirements and security levels (SLs). Once you have a program (2-1) and risk-based zoning (3-2), 3-3 lets you:
In brownfield environments, you will rarely achieve uniform SLs across all zones. 3-3 helps document the rationale, compensating controls, and residual risk in a structured way, which is valuable for internal governance and external scrutiny.
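The following is an added worked example, not text or tooling from the original article or from the IEC 62443 standards themselves. It models the 3-2/3-3 artefacts described above as data (zones with a target security level SL-T and an assessed achieved level SL-A, and conduits between them) and runs two defender-side checks: which zones have an SL gap that is not backed by documented compensating controls and rationale, and which conduits join zones of differing SL-T without any listed control. Zone names, SL values and control names are constructed sample data, and the `Zone`/`Conduit` classes are an assumption for illustration rather than any standard-defined schema.

```python
from dataclasses import dataclass, field


@dataclass
class Zone:
    """One IEC 62443-3-2 zone with 3-3 security-level bookkeeping (assumed schema)."""
    name: str
    sl_target: int                      # SL-T: target level chosen from the risk assessment (0-4)
    sl_achieved: int                    # SL-A: level actually assessed for the installed base
    compensating_controls: list[str] = field(default_factory=list)
    rationale: str = ""                 # why the gap is accepted and what residual risk remains


@dataclass
class Conduit:
    """A communication path between two zones, with the controls applied to it."""
    name: str
    src: str
    dst: str
    controls: list[str] = field(default_factory=list)


def sl_gap_findings(zones: list[Zone]) -> list[dict]:
    """Return one finding per zone whose SL-A is below SL-T.

    'documented' is True only when both compensating controls and a rationale
    are recorded, which is the structured record 3-3 expects for a residual gap.
    """
    findings = []
    for z in sorted(zones, key=lambda z: z.name):
        if z.sl_achieved < z.sl_target:
            findings.append({
                "zone": z.name,
                "gap": z.sl_target - z.sl_achieved,
                "documented": bool(z.compensating_controls) and bool(z.rationale),
            })
    return findings


def unprotected_conduits(zones: list[Zone], conduits: list[Conduit]) -> list[str]:
    """Names of conduits that cross an SL-T boundary but list no control at all."""
    by_name = {z.name: z for z in zones}
    flagged = []
    for c in conduits:
        a, b = by_name[c.src], by_name[c.dst]
        if a.sl_target != b.sl_target and not c.controls:
            flagged.append(c.name)
    return sorted(flagged)


# Constructed sample register for a small brownfield plant (not real site data).
ZONES = [
    Zone("enterprise", sl_target=1, sl_achieved=1),
    Zone("plant-dmz", sl_target=2, sl_achieved=2),
    Zone("packaging-line", sl_target=2, sl_achieved=1,
         compensating_controls=["dedicated VLAN", "read-only historian interface"],
         rationale="legacy PLC firmware cannot be patched until the 2026 refresh"),
    Zone("oem-skid", sl_target=2, sl_achieved=1),   # gap with nothing documented
]

CONDUITS = [
    Conduit("enterprise-to-dmz", "enterprise", "plant-dmz", controls=["firewall"]),
    Conduit("dmz-to-packaging", "plant-dmz", "packaging-line", controls=["firewall", "jump host"]),
    Conduit("dmz-to-oem-skid", "plant-dmz", "oem-skid"),          # same SL-T: not flagged
    Conduit("enterprise-to-oem-skid", "enterprise", "oem-skid"),  # SL-T 1 -> 2, no control: flagged
]


if __name__ == "__main__":
    for f in sl_gap_findings(ZONES):
        state = "documented" if f["documented"] else "UNDOCUMENTED"
        print(f"zone {f['zone']}: SL gap {f['gap']} ({state})")
    for name in unprotected_conduits(ZONES, CONDUITS):
        print(f"conduit {name}: crosses SL-T boundary with no control listed")
```

Run as a script it lists the two zones with gaps (only `oem-skid` is undocumented) and the one conduit that crosses an SL-T boundary with no control. The point of keeping this as data rather than a slide deck is that the same register can be re-checked after every change-control cycle, which is what makes the 3-3 rationale auditable over time.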
After the program and system layers are in place, product-level standards become more useful for asset owners, especially in procurement and vendor management:
Trying to drive strict 4-1/4-2 conformance on an existing, heterogeneous installed base usually fails or causes significant disruption and revalidation work. These parts are most effective when applied to new projects, major retrofits, or asset refresh cycles.
Other parts in the 2.x family can be helpful, but usually after 2-1, 3-2, and 3-3 are in motion:
The practical value of these depends heavily on your outsourcing model and on how much leverage you have over suppliers and integrators.
In aerospace, pharma, medical devices, and similar sectors, aggressive “start with product conformance” or “rip-and-replace” strategies often underperform because:
Prioritizing 2-1, 3-2, and 3-3 first allows you to improve cybersecurity posture within these constraints, using zoning, network controls, procedural safeguards, and controlled change instead of wholesale system replacement.
The recommended priority (2-1, 3-2, 3-3, then 4-x) is a strong pattern, but you should still confirm it against your local context:
Whichever part you start with, integration with existing change control, validation, and documentation practices is critical. Treat 62443 adoption as an evolution of your operational and quality systems, not a parallel cybersecurity track.