OT Security Frameworks

This post features some operational technology (OT) security frameworks and standards.

List of OT Security Frameworks and Standards

OT Security frameworks and standards that are featured on this post:

  • ISA/IEC 62443
  • NIST 800-82
  • CCI’s ICMS Guide
  • ISA-95
  • Purdue Reference Model (PRM)
  • Home office’s of Spain Guide on Security Controls on OT Systems

ISA/IEC 62443

ISA/IEC 62443, sometimes referred as ISA 62443 or IEC 62443, is an international series of standards that address cybersecurity for operational technology in automation and control systems (IACS). The standard describes both technical and process-related aspects of automation and control systems cybersecurity.

It is issued by the International Electrotechnical Commission (IEC).

It was developed over the American ANSI/ISA-99 or ISA99 and German VDI/VDE 2182.

IEC 62443-4-2 is certifiable.

You can find more information about ISA/IEC 62443 on this external link.

Please note that while ISO/IEC 27001 explains how to get a ISMS (Information Security Management System), ISA/IEC 62443 explains about a ICMS (Industrial Cybersecurity Management System).

NIST 800-82

NIST SP 800-82 or NIST 800-82 has the title “Guide to Industrial Control Systems (ICS) Security”. It is issued by the National Institute of Standards and Technology (NIST), that is an agency of the United States Department of Commerce.

The publication has been reviewed over its history. NIIST 800-82 v3 was published in September 2023.

CCI’s ICMS Guide

CCI (from the Spanish Centro de Seguridad Industrial) is a non-profit association of enterprises from Spain and Latin America that was created in march 2023.

Aiming Spanish speakers from Spain and Hispanic America, CCI in collaboration with the ISA Spain section issues the “Guía SGCI para el responsable de construir un Sistema de Gestión de la Ciberseguridad Industrial”. You can purchase it from this external link.

SGCI comes from the Spanish “Sistema de Gestión de Ciberseguridad Industrial”, that means ICMS (Industrial Cybersecurity Management System).

There is an annex called “ICMS (Industrial Cybersecurity Management System) requirements” that links controls from the guide to ISO/IEC 27002. You can download it from this external link.

According to the abstract, the controls from CCI’s guide standards are ISA/IEC 62443 controls, but personally I could not verify that.


ANSI/ISA-95, more generally known as ISA-95, is an international standard for developing an automatic interface between enterprise and control systems.

ISA-95 does not address cybersecurity, unlike IEC 62443.

It is developed by the non-profit organization International Society of Automation (ISA), formerly known as the Instrument Society of America.

ISA-95 extended the work done for Purdue Reference Model, that is also featured on this post.

You can find more information about ISA 95 on this external link.

Purdue Reference Model (PRM)

The Purdue Reference Model (PRM) or Purdue Model is a reference data flow model for Computer-Integrated Manufacturing (CIM).

It is part of Purdue Enterprise Reference Architecture (PERA). It was developed in the late 1980s and early 1990s, and because of this some professionals discuss about its timeliness. It was created at the Purdue University at Indiana, USA.

According to the sources below, PRM was adopted by ANSI/ISA99 and ISA 95.

You can find more information on this external link and this external link.

Home Office of Spain’s Guide on Security Controls on OT Systems

The Oficina de Seguridad Cibernética (OCC), that belongs to the Home Office of Spain (Ministerio de Interior), issues a guide on security controls in OT systems entitled “Guide on Security Controls on OT Systems”. You can download it from this external link., and it is available in English and Spanish.


Análisis de Riesgos Ligero de Seguridad Industrial (ARLI-SI) is developed by Spanish public organization INCIBE.

Official web

You might also be interested in…

External References

Leave a Reply

Your email address will not be published. Required fields are marked *