← Home

IEC 62443-5 Security Profiles

Security profiles tailor the horizontal ISA/IEC 62443 series to a specific industry, application or environment. The scheme for drafting those profiles is defined in ISA/IEC TS 62443-1-5. Completed profiles are intended to be published as subparts of the ISA/IEC 62443-5 series.

Few Part 5 profile documents are fully published yet. This page orients you to how the scheme works, what a profile may and may not do, who benefits, and an Electric Energy OT example still in progress.

Teaching note: Content paraphrases ISA training material and TS 62443-1-5 themes for learning. Always refer to the published technical specification (and any eventual Part 5 profile) for normative wording.

Reference: ISA/IEC TS 62443-1-5 — Scheme for IEC 62443 security profiles
Related: IACS Cybersecurity Roles | IEC 62443-1-1 Clause 5.10 – Security Levels | IEC 62443-2-1 Security Program | IEC 62443-2-4 Service Providers | IEC 62443-3-3 Foundational Requirements | IEC 62443-4-1 | IEC 62443-4-2

IEC 62443 Standards used by IEC 62443 Security Profiles
Figure – Security profiles use the ISA/IEC 62443 standards. Per TS 62443-1-5 they take a subset of existing requirements, map them to a context, and must not add or rewrite series requirements.

Learning objectives


IEC TS 62443-1-5 — the scheme

ISA/IEC TS 62443-1-5 sets out a framework for developing cybersecurity profiles in the 62443 family. It defines the steps to produce a profile and what a finished profile must contain, so different sectors create profiles with a common structure rather than inventing one-off formats. The result is simpler, more repeatable implementation aligned to sector risk.

Profiles written to that scheme are published under Part 5 (62443-5-x). They guide stakeholders to adopt a defined set of series requirements, reuse standard terminology (including roles), and interpret those requirements for a particular vertical or application area.


Why profiles are needed

ISA/IEC 62443 is intentionally broad so it can apply across many industries. Different sectors still face different threats, risk tolerance, regulation, operational constraints, safety priorities and critical-infrastructure dependencies — for example electric utilities, oil and gas, water treatment, manufacturing, mining, transport, pharma, or food and beverage.

Without a shared sector profile, every organisation reinvents how to apply the series. A profile gives a common implementation approach for that industry: which requirements apply, which are mandatory or optional, which are not applicable, and how wording should be read in that environment.


What a security profile is

A security profile is a structured document that defines how ISA/IEC 62443 should be implemented in a particular domain. It does not replace the series. It:

In short: a practical vertical guide built from the horizontal standards — for example mapping 62443 into electric energy OT systems.

Requirement classification

Classification Meaning
Mandatory Must be implemented for the profile’s intended environment.
Optional Implemented where appropriate based on risk.
Not applicable Excluded because it does not fit the target environment — every exclusion needs a technical justification.

Horizontal vs vertical

Horizontal standards Vertical profiles
Broad requirements that apply across many industries (for example ISA/IEC 62443, ISO/IEC 27001). They define generic cybersecurity expectations, terminology, concepts and roles. Industry-specific applications of those standards (for example electric energy, water, mining, oil and gas, manufacturing). They explain how the horizontal rules apply in that sector.

Scheme constraints — what profiles may and may not do

Profiles must follow the scheme so sectors do not quietly invent divergent requirements:

Standard Role when referenced by a profile
ISA/IEC 62443-2-1 Security Program requirements for asset owners
ISA/IEC 62443-2-4 Security program requirements for IACS service providers
ISA/IEC 62443-3-3 System security requirements and security levels
ISA/IEC 62443-4-1 Secure product development lifecycle
ISA/IEC 62443-4-2 Technical security requirements for components

A profile selects only the requirements relevant to its intended industry or application.


Profile development process

The TS 62443-1-5 scheme typically unfolds as:

  1. Identify the target industry or application.
  2. Determine applicable ISA/IEC 62443 standards.
  3. Select relevant requirements.
  4. Identify requirements that are excluded.
  5. Justify all exclusions.
  6. Add sector-specific interpretation where necessary.
  7. Publish the profile using the standardised format (Part 5).

Who benefits

Stakeholder Typical gains
Asset owners Easier implementation, shared expectations, less one-off interpretation, clearer procurement language.
Product suppliers Clearer customer cybersecurity expectations, more consistent product-target requirements, less customer-by-customer variation.
Integrators / service providers Common practices, better interoperability, fewer project-specific reinterpretations of the series.

Across an industry that also means less interpretation drift, better alignment with operational risk, and more repeatable assessment — without every site rewriting 62443 from scratch.


Example in progress — Electric Energy OT

One of the first major profile-oriented efforts involves the US Department of Energy (DOE) with ISA99 Working Group 14 (WG14). A working group of government, industry and nonprofit representatives (mandated under Sec. 5726 of the 2020 NDAA) began building a defence-in-depth Reference Architecture (RA) for electric energy OT. ISA contributed; WG14 continues the work.

Design intent includes:

From the Electric Energy OT RA, more detailed domain profiles can be derived — for example substation, generation, distributed energy resources (DER), transmission, distribution, and operation / network control centres. The RA is a common foundation: grid operators share a coherent protection-level story; suppliers see which 62443-derived expectations that sector will ask for; procurement and interoperability get simpler.

Work in progress: The RA and substation figure below illustrate direction of travel. They are not a published ISA/IEC 62443-5 profile. Confirm status with ISA99 WG14 / DOE materials before using them in contracts or conformity claims.
Reference architecture for electric energy OT / substation profile
Figure – Example Electric Energy OT / substation reference architecture (DOE / ISA99 WG14 work in progress): Purdue-style levels, DMZs, typical devices, functions, security features and participating parties from process (Level 0) through enterprise and public/cloud (Levels 4–5).

Key takeaways


Standards references