Updated: May 28, 2026
OT cyberattacks on Indian manufacturers have moved from rare to routine. Industry reporting and CERT-In annual incident summaries indicate OT and IoT-targeted incidents have risen materially in recent years, and the convergence of IT and OT under Industry 4.0 has removed the air gap that used to protect plant floors. ISA/IEC 62443 is the international standard that defines how to secure an industrial automation and control system, and it has quietly become the de facto reference for OT cybersecurity in India. This is the roadmap for getting there in twelve to eighteen months, not three years.
ISA/IEC 62443 is the international standard family for industrial automation and control systems (IACS) cybersecurity. It was developed by the International Society of Automation as ISA-99 and adopted by IEC as the harmonised IEC 62443 series. Parts address four audiences: asset owners (the manufacturer operating the plant), product suppliers (the OEMs building the equipment), integrators (the SIs deploying it), and service providers (those running and maintaining it).
The headline parts most Indian manufacturers will touch are 62443-2-1 (establishing the IACS security programme), 62443-3-2 (risk assessment and zone design), 62443-3-3 (system security requirements) and 62443-4-x (secure development and component requirements). India's Bureau of Indian Standards has adopted the series as IS 16335, the form referenced in domestic sector guidelines. Three forces are pushing it onto Indian boardroom agendas now.
First, customer pressure. European and US buyers increasingly require IEC 62443 compliance from their Indian suppliers, particularly in automotive, pharma and aerospace.
Second, regulatory pressure. CERT-In's 2022 direction requires reporting of specified cyber incidents within six hours where the manufacturer is a body corporate, and the incident matches the categories listed. NCIIPC's Conformity Assessment Framework integrates IEC 62443 alongside ISO 27000, NIST and CIS as reference standards, and the CEA Cyber Security in Power Sector Guidelines 2021 explicitly reference IEC 62443 / IS 16335.
Third, attack pressure. Ransomware groups are now actively targeting Indian OT estates because the air gap is gone and the impact is high.
The Four Security Levels: What SL-1 to SL-4 Actually Mean
| Security Level | Threat Defended Against | Typical Indian Application |
|---|---|---|
| SL-1 | Casual or accidental misuse | Office estate adjacent to the plant; low-risk monitoring systems |
| SL-2 | Intentional violation by someone with simple means and low resources | Standard manufacturing plants for non-critical production |
| SL-3 | Intentional violation with sophisticated means and moderate resources | Pharma, automotive, semiconductor fabs, regulated process plants |
| SL-4 | Intentional violation with sophisticated means, high motivation and extended resources | Critical national infrastructure: power, water, defence, large refineries |
The security level is not chosen for the plant. It is chosen per zone. A single Indian factory typically operates at SL-2 in the general production area and SL-3 in a quality-critical or batch-record area.
A zone is a grouping of systems that share the same security requirements. A conduit is the controlled communication path between two zones. On a real plant floor: the press line is one zone, the PLC and HMI cluster running it is another, the MES taking production data is another, and the corporate ERP is another. Each zone has a security level. Each conduit has allowed protocols, allowed directions and inspection points.
The first concrete output of an IEC 62443 programme is the zone-and-conduit drawing of the plant. Not a firewall purchase, not an antivirus rollout. The drawing. Everything else flows from it.
IEC 62443-3-3 organises its system security requirements under seven foundational requirements (FRs).
FR-1 Identification and authentication control. Every human, every device, every software process touching the OT estate must be identified.
FR-2 Use control. Authorisation, role-based access and least privilege enforced on what each identity can do.
FR-3 System integrity. Protection of OT communications and stored data, including detection of unauthorised changes to PLC logic.
FR-4 Data confidentiality. Encryption of OT data at rest and in transit where sensitivity requires.
FR-5 Restricted data flow. The zone-and-conduit architecture, with inspection and allow-listing.
FR-6 Timely response to events. Logging, monitoring and the ability to detect and respond to incidents inside an OT-appropriate timeframe.
FR-7 Resource availability. Continuity of essential industrial processes, including defence against denial of service.
The Purdue Reference Model defines logical levels in a plant network. Level 0 is the physical process. Level 1 is the control logic (PLCs, RTUs). Level 2 is local supervisory control (HMIs, SCADA). Level 3 is plant operations and MES. Level 3.5 is the industrial DMZ. Level 4 is business systems. Level 5 is the enterprise WAN and internet. Most Indian plants discover during their first 62443 risk assessment that Levels 2 and 3 are heavily flat, with the HMI, MES and corporate IT systems sitting on the same broadcast domain. Fixing that, with a real industrial DMZ at Level 3.5 and proper segmentation below it, is where most of the early investment goes.
The single most common entry path into Indian OT estates is unmanaged engineer or OEM remote access. Shared accounts, persistent VPN tunnels, jump hosts with no MFA, vendor laptops connecting directly to PLCs. Every OT incident response we run starts with this list. Secure remote access (named identities via Cisco Duo, brokered access through Cisco Secure Access, time-bound sessions for OEMs, recording of every privileged session) sits in IEC 62443 under FR-1 and FR-2 and pays back faster than any other control. Get it right in the first ninety days.
The Cisco OT Stack Mapped to IEC 62443
| IEC 62443 Requirement | Cisco Capability |
|---|---|
| Asset visibility (FR-1, FR-3) | Cisco Cyber Vision, running as an embedded sensor on Cisco Industrial Ethernet rugged platforms including IE3300 10G, IE3400, IE3500 and IE9300, and on Catalyst 9300 and 9400 with the network module. Auto-discovers OT assets, maps protocols and flows. |
| Zone and conduit design (FR-5) | Cyber Vision auto-generates the zone-and-conduit map from observed traffic. Cisco ISE and Cisco Secure Firewall enforce the resulting policy. See our Cisco ISE for OT and IoT Segmentation guide for the identity-enforcement layer. |
| Identity and access (FR-1, FR-2) | Cisco ISE for OT-aware NAC, with profiling that recognises PLCs, drives and HMIs. Cisco Duo for engineer and OEM remote access with named identities and MFA. |
| Industrial DMZ (FR-5) | Cisco Secure Firewall at Level 3.5, with industrial protocol inspection (Modbus, OPC, EtherNet/IP, DNP3, IEC 61850, S7). |
| Anomaly and threat detection (FR-6) | Cyber Vision behavioural detection plus Cisco XDR for cross-domain correlation. Talos threat intelligence on OT-specific TTPs. Pair the IEC 62443 architecture with MITRE ATT&CK for ICS as the threat-tactic framework; Cyber Vision detections map directly to ATT&CK for ICS techniques. |
| Resilience (FR-7) | Cisco Industrial Ethernet ring topologies (REP, MRP) for plant-floor availability. Backup and recovery for engineering workstations. |
The practical advantage of a Cisco-led network here is that the visibility, zone discovery and enforcement layers are already integrated, which removes the integration overhead most multi-vendor stacks carry.
Dragos, Nozomi Networks, Claroty and Tenable OT are the named alternatives in the OT visibility category, with Microsoft Defender for IoT for Microsoft-heavy estates. The IEC 62443 architecture in this piece travels for any platform; Cyber Vision's distinct advantage is native embedding in Cisco Industrial Ethernet switches, which removes the SPAN-port and out-of-band-network problem most competing platforms still create.
A Twelve-to-Eighteen-Month India Roadmap with Indicative Budget
| Month | Phase | Activity | Indicative INR Range |
|---|---|---|---|
| 1 | Govern | Appoint IACS security owner and steering committee. Choose standard parts in scope. | ₹5-10 lakh |
| 2 | Discover | Deploy Cyber Vision sensors on existing IE switches. Build asset and protocol inventory. | ₹35-80 lakh |
| 3 | Risk-assess | Conduct 62443-3-2 risk assessment per process area. Declare a security level per zone. | ₹10-20 lakh |
| 4 | Design | Produce zone-and-conduit drawing. Identify conduits requiring inspection at Level 3.5. | Included in design |
| 5 | Quick wins | Disable default credentials, remove rogue Wi-Fi, patch obvious legacy exposures. | ₹10-25 lakh |
| 6 | Industrial DMZ | Stand up Level 3.5 Secure Firewall with industrial protocol inspection. | ₹40 lakh - ₹1.2 cr |
| 7-8 | Segmentation wave 1 | Apply zone enforcement to the highest-risk areas first. | ₹50 lakh - ₹1.5 cr |
| 9 | Identity and remote access | Roll out Cisco Duo. Replace shared engineering accounts with named identities. | ₹20-50 lakh |
| 10 | Detection | Tune Cyber Vision behavioural detection. Integrate to the SOC via Cisco XDR. | ₹15-40 lakh |
| 11 | Response and resilience | Update IR playbook for OT scenarios. Test backup and recovery for engineering workstations. | ₹10-25 lakh |
| 12-18 | Audit readiness and waves 2+ | Compile evidence against the seven FRs. Roll the same play to remaining zones and sites. | Per-site repeat |
Indicative total band for a single-site twelve-month programme on a mid-complexity Indian plant: ₹2 to ₹5 crore. Multi-site rollouts run the same play, one plant a quarter at materially lower marginal cost per plant. Brownfield estates with heavy multi-OEM legacy typically push into eighteen to twenty-four months.
Automotive paint shops typically target SL-3 with strict downtime tolerance. Pharma batch areas target SL-3, driven by 21 CFR Part 11 and the revised Schedule M obligations.
Semiconductor cleanrooms target SL-3 with FR-3 (system integrity) leading. Heavy-process plants (refineries, cement, steel) target SL-3 with FR-7 (resource availability) leading. Discrete manufacturing often runs SL-2 across the floor with selected SL-3 zones around quality-critical lines.
The compliance ladder is straightforward. IEC 62443 (and its Indian-Standard form IS 16335) is the engineering and architecture standard. CERT-In, NCIIPC and DPDP are the regulatory reporting and accountability obligations on top. DPDP covers personal data only, but where OT systems hold operator names, biometric access records or HR-linked logs, DPDP obligations attach. A plant built to IEC 62443 typically satisfies the operational substance of the regulatory requirements.
62443-4-1 covers secure product development for industrial component suppliers. 62443-4-2 covers component-level technical requirements. Indian manufacturers buying new automation equipment in 2026 should require both as RFP clauses. The cost of retrofitting security into a non-compliant component over a 15-year asset life is materially higher than buying a compliant component on day one.
Proactive Data Systems is a Preferred Partner under the Cisco 360 Partner Program across Networking, Security, Collaboration, Cloud & AI, and Services. We design, deploy and run OT security programmes built on Cisco Cyber Vision, Cisco Industrial Ethernet, Cisco Secure Firewall and Cisco ISE, for Indian manufacturers in automotive, pharma, FMCG and heavy engineering. Book an IEC 62443 Readiness Workshop. Two days on site at one of your plants. A documented asset inventory, a zone-and-conduit draft, a security-level recommendation per zone and a costed twelve-to-eighteen-month plan, in your hands within ten working days.
We'll get back to you shortly.
