Understanding common myths surrounding the ISA/IEC 62443 cybersecurity standard can help put chemical manufacturers on a path to safer, more resilient operations

Picture a petrochemical plant running steady in the dead of night — pipes humming, reactors holding pressure, safety systems standing watch over exothermic reactions that could release toxic clouds or trigger runaway events if anything were to go wrong. Then a digital intruder slips in, not through the property fence, but through the vendor’s or integrator’s remote access to the engineering workstation or application server. This remote access may have been understood to be “just for diagnostics purposes.”
Safety systems start to blink. Pressures climb. Critical alarms that should be screaming are suddenly suppressed or inhibited, then buried in an overwhelming alarm flood. What should have been another routine shift suddenly edges toward potential disaster.
This is not a movie script. In 2017, the TRITON (or TRISIS) malware hit a petrochemical facility in Saudi Arabia and went straight for the Schneider Electric Triconex safety instrumented system (SIS). The attackers — later tied by agents within the U.S. Treasury Department to a Russian government research institute — reverse-engineered the proprietary TriStation protocol, exploited a zero-day vulnerability, and tried to reprogram the very controllers that keep explosions and toxic releases from happening. Only a coding slip that tripped the SIS into safe shutdown saved the day.
Years earlier, the Stuxnet computer virus — part of the U.S.-Israeli covert cyber-sabotage campaign known as Operation Olympic Games — had already shown the world that cyber payloads could physically destroy industrial equipment. In chemical manufacturing — where the materials are hazardous, the processes are continuous, and the consequences are measured in lives, environmental impact and multi-million-dollar restarts — cybersecurity stopped being an “IT thing” a long time ago. Cybersecurity is process safety, plain and simple.
Yet myths about how to protect these environments refuse to die. These myths are damaging because they slow down real progress and keep creating dangerous gaps between the cybersecurity team and the personnel who actually run the units day after day. ISA/IEC 62443, the leading international series of standards for industrial automation and control system cybersecurity, was written precisely for this world. Developed by the International Society of Automation’s (ISA; Durham, N.C.; www.isa.org) ISA 99 committee as an American National Standards Institute (ANSI; Washington, D.C.; www.ansi.org) product, and later adopted by the International Electrotechnical Commission (IEC; Geneva, Switzerland; www.iec.ch), the standard provides a risk-based, practical framework that respects equipment lifecycles ranging from 20 to more than 30 years and real-time demands, and clearly acknowledges the fact that a cybersecurity incident here can cause physical harm on a scale most IT professionals never have to consider (Figure 1).

FIGURE 1. ISA/IEC 62443 is a risk-based cybersecurity standard that acknowledges the fact that cyberincidents can cause real physical harm in process facilities (this diagram comes from the International Society of Automation Industrial Cybersecurity Course IC32, animation by M. Ayala)
I’ve been applying these standards — or their early drafts — since the ISA technical report that came out in 2004, well before the first published version of ISA/IEC 62443 in October 2007. That means two decades of working them out in the field at plant sites, mentoring teams through the real developments we’ve faced as industry and technology have shifted. And for the past decade, I’ve been teaching the standards in classrooms around the world, tailoring the material to the specific challenges each group of students brings from their own facilities. The myths discussed here are the ones I still hear on almost every assessment I perform. This article aims to clear them up once and for all.
Digital opportunities and perils
Digital tools have sharpened what chemical manufacturers have already been doing — real-time optimization of distillation columns, predictive maintenance on rotating equipment, tighter supply-chain visibility for raw materials and finished products. But every new connection widens the potential cyberattack surface. Ransomware has already frozen chemical production lines for days. Espionage crews chase proprietary formulations that represent years of research and development investment. Manufacturing, especially of chemicals, sits near the top of every threat list year after year.
The outdated idea that chemical process plants are somehow isolated is gone. Plant data historians talk to corporate networks. Vendors dial in remotely. Wireless instruments and portable media move data in and out. A breach here doesn’t just result in stolen files — it means a risk of tampering with a controller to turn a stable reaction into something far worse, perhaps even forcing the plant to initiate an emergency shutdown that takes a week to safely restart.
That’s why the ISA/IEC 62443 series matters. It’s modular and risk-based, built to be adopted in phases, the same way process safety programs have been built over the years. ISA/IEC 62443-1-1 lays out the core concepts and models that hold the whole series together. ISA/IEC 62443-2-1 spells out the asset-owner security program (especially useful now with the 2024 maturity model); 62443-3-2 offers practical steps for security risk assessment and for designing the zones and conduits that are actually needed on the plant floor; 62443-3-3 defines the system security requirements and the four security levels for scaling to real threats; and 62443-2-4 makes sure service providers and integrators are held to the same standard, so the whole supply chain pulls its weight. The recent updates, outlined in the bullet points here, make it even more user-friendly.
• ANSI/ISA-62443-2-1-2024 (January 2025) refreshed the asset-owner security program requirements for the first time since 2009. It added a maturity model for incremental progress, cleaned out overlap with IT-centric standards and reorganized everything into clear security program elements.
• ISA-TR62443-2-2-2025 (December 2025) delivers practical day-to-day guidance on security operations and maintenance.
Far from being an academic exercise, this standard series is a roadmap written for the plant floor by people who understand that a controller reboot is not just an IT ticket — it can affect product quality, environmental compliance and the safety of everyone on shift.
Dispelling the myths
The following are not harmless old stories. Adhering to them creates complacency in an industry where one missed layer can cascade into a very bad day, a near-miss or worse (Table 1).

Myth 1: “Our control networks are air-gapped — we’re safe.” I wish this were still true. The idea of an “air-gap” in which operational technology (OT) computer networks are physically isolated from unsecure networks persists. Modern plants have dozens of connections — historian replication, vendor diagnostics, wireless instruments, USB/portable media transfers. The malware TRITON didn’t “jump” the gap between IT and OT systems; it pivoted laterally from an engineering workstation that sat on both sides. In my assessments, I routinely find hidden pathways that even the most experienced automation teams had forgotten about.
ISA/IEC 62443’s zones-and-conduits model (Part 3-2) assumes those connections exist. It forces users of the standard to map every asset and every pathway, then put safety systems, business IT, wireless devices and temporary laptops in separate zones with controlled boundaries. Believing that a plant’s network is air-gapped just means the plant operators are flying blind.
Myth 2: “Proprietary protocols and firewalls make us bulletproof.” Obscurity is not security. TRITON’s authors reverse-engineered the undocumented TriStation protocol. Stuxnet did the same with Siemens S7. Firewalls are useful, but they stop at the perimeter. Phishing, insiders, compromised vendor laptops and supply-chain attacks walk right past them. I’ve seen a single undocumented cellular modem located in the field bypass what everyone thought was an impenetrable perimeter, and a single infected vendor portable drive infect an entire control system.
The ISA/IEC 62443 series of standards answers with defense-in-depth — seven foundational requirements across four security levels (Part 3-3). No single technology carries the whole security load.
Myth 3: “Our safety instrumented systems handle cyber threats too.” Safety instrumented systems (SIS), governed by ISA/IEC 61511 — the functional safety standard that grew out of the ISA 84 working group and is further supported by technical report ISA-TR84.00.09 on cybersecurity related to the safety lifecycle — are built for equipment failures and operator errors, not for intelligent adversaries who study the exact configuration of a unit. TRITON went straight for the SIS because that’s the last line of defense. I’ve sat in process hazards analysis (PHA) review meetings where teams realized too late that their safety layer was sharing the same network as the basic process control system (BPCS, or distributed control system (DCS)).
ISA/IEC 62443 treats cyber and process safety as complementary, but distinct. It puts safety systems in their own dedicated zones and provides additional rigor beyond ISA/IEC 61511 requirements. Conflating the two creates a single point of failure.
Myth 4: “Cybersecurity is the IT department’s problem.” This myth is particularly upsetting, and I hear it constantly. The people who truly own the cybersecurity risk are the automation engineers, instrument technicians, process engineers, operators and plant leaders. Patching a controller means understanding what a reboot does to the reaction. Segmenting networks requires knowing which control loops communicate with each other.
The 2024 update to ISA/IEC 62443 Part 2-1 makes it clear: this is the asset owner’s responsibility, and the risk assessment (Part 3-2) demands cross-functional input. Insider threats — which are implicated in 20–40% of manufacturing breaches — can’t be fixed with firewalls alone.
Myth 5: “Standards are too complex and burdensome.” Most chemical engineers already are well-versed in the Occupational Safety and Health Administration’s (OSHA; Washington, D.C.; www.osha.gov) Process Safety Management (PSM) requirements, the Environmental Protection Agency’s (EPA; Washington, D.C.; www.epa.gov) Risk Management Program (RMP), ISA/IEC 61511, and layer-of-protection analysis (LOPA). ISA/IEC 62443 is an extension of that same mindset — consequence-based, layered, continuous improvement.
Finally, there is a common gripe about the standard’s complexity — “It’s too much, with hundreds of pages, endless rules.” This usually stems from partial reads or outdated views. A bit of hands-on ISA cyber training often changes that perspective quickly. Standard users don’t swallow the whole series on day one. Start with risk assessment and zone mapping, then scale controls to actual threats using the four security levels. The new maturity model lets plant personnel begin with the plant’s current situation and climb from there. Legacy systems are addressed. Compensating measures (data diodes, application control, allow-listing/whitelisting, enhanced monitoring) are explicitly allowed. The 2024 update even removed redundant ISO 27001 overlap. The standard series is leaner than it used to be, and I can attest that plants can implement it without adding any new capital projects.
Myths cause damage
When these myths linger, the damage shows up in three places: process safety, reliability and regulatory readiness (Table 2).

An attacker who manipulates BPCS readings while the SIS sits in the same unsegmented network can collapse every protection layer at once. TRITON showed exactly that path. The human and financial cost of even a near-miss in the chemical process industries (CPI) can be staggering.
Ransomware on input-output (I/O) tag servers, a human-machine interface (HMI) or a data historian doesn’t just slow production — it can stop operations entirely, and in continuous chemical processes, the restart can take days. Legacy systems (15- to over 30-year lifecycles) are the norm. ISA/IEC 62443 gives practical ways to manage them without a full rip-and-replace. One prolonged outage can easily result in millions of dollars in lost production, plus the ripple effects through customers who depend on the intermediates produced in these processes.
The Chemical Facility Anti-Terrorism Standards (CFATS) expired in July 2023, but the pressure hasn’t gone away. NIS2, reinterpretations of OSHA PSM and EPA RMP and global regulators increasingly point to ISA/IEC 62443 as the consensus standard. Building a plant cybersecurity program on it keeps that facility ready, no matter which rule lands next. It also demonstrates to auditors and company leadership that the organization understands process safety and cybersecurity to be two sides of the same coin.
Defenses for real operations
Cybersecurity is a process safety enabler, not a tax. Here’s a four-step path that the author has used successfully with chemical sites around the world (Table 3).

Step 1: Map the environment and assess risk. Define the full system under consideration — every asset, every overlooked connection. Pull in automation engineers, instrument technicians, process engineers, safety professionals, IT personnel and operations staff. Use your existing PHA and LOPA data; don’t reinvent the wheel. Consequence categories should be safety, environmental, operational and regulatory — similar to what is likely already being done. In practice, I always ask teams to walk the unit and physically verify what’s connected; paper diagrams rarely tell the whole story.
As a tip for chemical-manufacturing operations, consider that existing PHA and LOPA studies already contain the exact consequence data that are needed for ISA/IEC 62443 cybersecurity risk assessments. The standard’s consequence-based approach fits seamlessly with the hazard analysis work chemical engineers already perform every day. Don’t start from scratch – build on what is already in place.
Step 2: Segment wisely — zones, conduits and security levels. Put safety systems in their own zone, separate from BPCS. Keep enterprise IT out with a proper DMZ. DMZ refers to a “demilitarized zone,” an analogy to a secure buffer between internal and external networks. Treat vendor remote access and wireless devices as controlled conduits. Assign target security levels based on real risk — SIS usually needs the highest; a historian may not. The Purdue model (ISA-95) is a great starting scaffold; ISA/IEC 62443 simply adds the security lens. I’ve found that starting zone mapping with the most hazardous reaction or storage areas yields the largest degree of risk reduction quickly.
Step 3: Layer controls and build the culture. Implement the seven foundational requirements scaled to each zone’s target level. Eliminate shared passwords, enforce least privilege and multi-factor authentication (MFA), deploy application whitelisting, use deny-all/permit-by-exception rules and monitor with OT-aware tools. For legacy gear, compensating measures work.
Bake cybersecurity into the processes a plant already owns: add a security impact check to management of change (MOC), include cybersecurity scenarios in operator drills, require Software Bills of Materials (SBOMs) from suppliers. On one recent project, we added a simple “cyber what-if” question to every MOC form, and it caught several risky vendor changes before they reached the plant floor.
Step 4: Monitor, measure and adapt. Track meaningful KPIs — mean time to detect/respond, zone coverage, patch/compensation status, MOC review completion. Reassess when the plant changes or threats shift. Align audits with your PSM/RMP cadence. Use the 2024 maturity model honestly; it’s a ladder, not a club. The plants that treat this as a living program, reviewed quarterly with the same discipline as their safety metrics, are the ones that stay ahead.
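The zone-and-conduit mapping described under Myth 1, Myth 3 and Step 2, together with the deny-all/permit-by-exception rule from Step 3, can be checked mechanically once assets and flows are inventoried. The following Python is an added example, not part of the original article or of ISA/IEC 62443; the asset names, zone names, ports and flows are constructed sample data.

```python
from collections import deque
# Constructed sample inventory: asset -> zones its network interfaces sit in.
ASSETS = {
    "sis-controller": {"sis"},
    "bpcs-controller": {"bpcs"},
    "eng-workstation": {"sis", "bpcs"},  # dual-homed: sits on both sides
    "historian": {"dmz"},
    "erp-server": {"enterprise"},
    "vendor-laptop": {"vendor"},
}
# Constructed conduit allow-list: (source zone, destination zone, port).
CONDUITS = {
    ("bpcs", "dmz", 443),
    ("dmz", "enterprise", 443),
    ("vendor", "bpcs", 3389),  # vendor remote access "for diagnostics"
}
# Constructed observed flows: (source asset, destination asset, port).
FLOWS = [
    ("bpcs-controller", "historian", 443),
    ("historian", "erp-server", 443),
    ("vendor-laptop", "eng-workstation", 3389),
    ("erp-server", "bpcs-controller", 502),
    ("eng-workstation", "sis-controller", 4000),
]

def bridging_assets(assets):
    """Assets with interfaces in more than one zone (uncontrolled bridges)."""
    return sorted(name for name, zones in assets.items() if len(zones) > 1)

def flow_violations(assets, conduits, flows):
    """Deny-all/permit-by-exception: cross-zone flows with no matching conduit."""
    findings = []
    for src, dst, port in flows:
        src_zones, dst_zones = assets[src], assets[dst]
        if src_zones & dst_zones:
            continue  # both ends share a zone, so no boundary is crossed
        if not any((s, d, port) in conduits for s in src_zones for d in dst_zones):
            findings.append((src, dst, port))
    return findings

def zones_reaching(target, assets, conduits):
    """Zones with a path into `target` through conduits or bridging assets."""
    inbound = {}  # zone -> zones that can send traffic into it
    for s, d, _port in conduits:
        inbound.setdefault(d, set()).add(s)
    for zones in assets.values():
        for z in zones:
            inbound.setdefault(z, set()).update(zones - {z})
    seen, queue = set(), deque([target])
    while queue:
        for prev in inbound.get(queue.popleft(), ()):
            if prev != target and prev not in seen:
                seen.add(prev)
                queue.append(prev)
    return sorted(seen)

if __name__ == "__main__":
    print(bridging_assets(ASSETS), flow_violations(ASSETS, CONDUITS, FLOWS),
          zones_reaching("sis", ASSETS, CONDUITS))
```

On this data the SIS zone has no conduit defined at all, yet it is reachable from the vendor zone, because the permitted vendor conduit ends in a zone that the dual-homed engineering workstation shares with the SIS.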
Stewards of a critical industry
Chemical products from this industry sector feed the world, protect the water, build devices and keep patients alive. Most people never think about that supply chain until it breaks. Fertilizers that grow the food on our tables, polymers in the medical devices that save lives, specialty gases that keep semiconductor fabs running, water-treatment chemicals that keep communities healthy — all of it flows from the plants operated by CPI companies.
That makes every one of us a steward of something irreplaceable. In an era of escalating threats, stewardship means facing the truth: air gaps are illusions, firewalls are not fortresses, safety systems are not cyber shields, and this responsibility belongs to all of us.
ISA/IEC 62443 provides the shared language and practical tools that are already familiar and understood — consequence analysis, layers of protection, continuous improvement. The 2024–2025 standard updates have made the standard even more accessible for the real-world plants that are operated every day.
The future doesn’t require perfection on day one. It asks for steady, honest progress — starting where the risk is highest, building defenses that fit our operations and sustaining the program with the same discipline routinely brought to process safety. CPI professionals owe it to the communities that surround our facilities, to colleagues on shift, and to the global supply chain that depends on their products.
The process safety and industrial cybersecurity lifecycles are very well aligned — analyze and assess; design and implement; operate and maintain. Let’s get to work.
Edited by Scott Jenkins
Author
Marco Ayala (Email: marayala@absconsulting.com) is an ISA Fellow, bringing three decades of expertise in designing, implementing and maintaining process instrumentation, automation systems, safety systems and process-control networks. Ayala drives innovation by developing robust strategies to secure critical systems, ensuring resilience and alignment with national security priorities. With more than two decades dedicated to industrial cybersecurity, he has spearheaded initiatives to safeguard the oil-and-gas (upstream, midstream, downstream), maritime port, offshore facilities and chemical sectors. His leadership supports federal, state and local entities in securing private-sector critical infrastructure. A 22-year senior member of the ISA, Ayala is a certified ISA/IEC 62443 cybersecurity instructor and an active volunteer. He serves as Chair of Threat Intelligence and Cybersecurity for the AMSC Gulf of Mexico/America (GOM/GOA) cybersecurity committee, a sworn role with the U.S. Coast Guard overseeing the Outer Continental Shelf (OCS). Since 2014, he has been an InfraGard member and currently holds the position of President for the Houston Members Alliance. He is also technical director, Cybersecurity Center of Excellence, Global Energy, Oil & Gas, Chemicals and Specialty Gases.