What ISA/IEC 62443 actually is
ISA/IEC 62443 is a series of standards developed by the ISA99 Committee at the International Society of Automation, harmonised with IEC. It defines a security lifecycle for IACS, broken into four parts:
- 1.x, General, terminology, concepts, security lifecycle.
- 2.x, Policies and procedures, asset owners and service providers.
- 3.x, System, security technologies, system security requirements, security levels (SL 1 to 4).
- 4.x, Component, secure development lifecycle for product suppliers, component-level requirements.
The vocabulary that everyone needs to know is zone (a logical grouping of assets with shared security requirements) and conduit (a logical grouping of communication channels between zones). Get those two right and most of the rest follows.
The Purdue model and why it matters
The Purdue Model (PERA) is the reference architecture 62443 implicitly assumes. It segments the plant into hierarchical levels: physical process (Level 0), basic control (Level 1), supervisory control / SCADA (Level 2), site operations (Level 3), business systems (Level 4), and enterprise (Level 5). 62443 zone-and-conduit design typically maps zones to Purdue levels.
The challenge for PQC migration is that Levels 0 to 2 contain devices with 15 to 25-year lifecycles, no remote firmware update, and vendors who may no longer exist. The migration plan that works for Levels 4 to 5 (TLS upgrade) does not work for Levels 0 to 2.
Where post-quantum cryptography fits
The 62443 series does not yet specify PQC algorithms (work is in progress). Current best practice for asset owners:
- At Level 4 to 5, deploy hybrid TLS (classical + Kyber) on enterprise-to-DMZ links today. This is the easy win.
- At Level 3 (site operations), plan HSM replacement, not firmware upgrade. RSA-sized HSMs do not fit Dilithium-2 in working memory.
- At Level 2 (SCADA), target the next major refresh cycle. Specify Kyber + Dilithium support in next RFP.
- At Levels 0 to 1, expect 15+ year migration. Inventory long-lived secrets, treat them as already harvested.
For the constrained-device end of this stack, see my work on IoT PQ-EDHOC and the FIPS 203 / 204 implementation on Arduino-class targets.
Validating defenses on real testbeds
SWaT (Secure Water Treatment, Singapore University of Technology and Design) and HAI (HIL-based Augmented ICS, South Korea's National Security Research Institute) are the two most-used labelled ICS testbeds. They expose the gap between lab-clean and process-realistic anomaly detection.
My IEEE Access 2026 paper validated 8-qubit ZZFeatureMap quantum kernels on both. Results: SWaT was the easier dataset (already AUC near 0.99 for classical), HAI was the harder one (where the quantum kernel showed a statistically significant +10.8 percent AUC gain over RBF SVMs, p = 0.003). See the quantum kernels topic and the research deep-dive for detail.
What I am writing about next
The migration sequencing problem is the next long-form blog post. The summary version is in the why ICS PQC migration is 10x harder than TLS migration piece. The forthcoming post extends that into a 62443-zone-by-zone migration playbook.