Security profiles tailor the horizontal ISA/IEC 62443 series to a specific industry, application or environment. The scheme for drafting those profiles is defined in ISA/IEC TS 62443-1-5. Completed profiles are intended to be published as subparts of the ISA/IEC 62443-5 series.
Few Part 5 profile documents are fully published yet. This page orients you to how the scheme works, what a profile may and may not do, who benefits, and an Electric Energy OT example still in progress.
Reference: ISA/IEC TS 62443-1-5 — Scheme for IEC 62443 security profiles
Related:
IACS Cybersecurity Roles
|
IEC 62443-1-1 Clause 5.10 – Security Levels
|
IEC 62443-2-1 Security Program
|
IEC 62443-2-4 Service Providers
|
IEC 62443-3-3 Foundational Requirements
|
IEC 62443-4-1
|
IEC 62443-4-2
ISA/IEC TS 62443-1-5 sets out a framework for developing cybersecurity profiles in the 62443 family. It defines the steps to produce a profile and what a finished profile must contain, so different sectors create profiles with a common structure rather than inventing one-off formats. The result is simpler, more repeatable implementation aligned to sector risk.
Profiles written to that scheme are published under Part 5 (62443-5-x). They guide stakeholders to adopt a defined set of series requirements, reuse standard terminology (including roles), and interpret those requirements for a particular vertical or application area.
ISA/IEC 62443 is intentionally broad so it can apply across many industries. Different sectors still face different threats, risk tolerance, regulation, operational constraints, safety priorities and critical-infrastructure dependencies — for example electric utilities, oil and gas, water treatment, manufacturing, mining, transport, pharma, or food and beverage.
Without a shared sector profile, every organisation reinvents how to apply the series. A profile gives a common implementation approach for that industry: which requirements apply, which are mandatory or optional, which are not applicable, and how wording should be read in that environment.
A security profile is a structured document that defines how ISA/IEC 62443 should be implemented in a particular domain. It does not replace the series. It:
In short: a practical vertical guide built from the horizontal standards — for example mapping 62443 into electric energy OT systems.
| Classification | Meaning |
|---|---|
| Mandatory | Must be implemented for the profile’s intended environment. |
| Optional | Implemented where appropriate based on risk. |
| Not applicable | Excluded because it does not fit the target environment — every exclusion needs a technical justification. |
| Horizontal standards | Vertical profiles |
|---|---|
| Broad requirements that apply across many industries (for example ISA/IEC 62443, ISO/IEC 27001). They define generic cybersecurity expectations, terminology, concepts and roles. | Industry-specific applications of those standards (for example electric energy, water, mining, oil and gas, manufacturing). They explain how the horizontal rules apply in that sector. |
Profiles must follow the scheme so sectors do not quietly invent divergent requirements:
| Standard | Role when referenced by a profile |
|---|---|
| ISA/IEC 62443-2-1 | Security Program requirements for asset owners |
| ISA/IEC 62443-2-4 | Security program requirements for IACS service providers |
| ISA/IEC 62443-3-3 | System security requirements and security levels |
| ISA/IEC 62443-4-1 | Secure product development lifecycle |
| ISA/IEC 62443-4-2 | Technical security requirements for components |
A profile selects only the requirements relevant to its intended industry or application.
The TS 62443-1-5 scheme typically unfolds as:
| Stakeholder | Typical gains |
|---|---|
| Asset owners | Easier implementation, shared expectations, less one-off interpretation, clearer procurement language. |
| Product suppliers | Clearer customer cybersecurity expectations, more consistent product-target requirements, less customer-by-customer variation. |
| Integrators / service providers | Common practices, better interoperability, fewer project-specific reinterpretations of the series. |
Across an industry that also means less interpretation drift, better alignment with operational risk, and more repeatable assessment — without every site rewriting 62443 from scratch.
One of the first major profile-oriented efforts involves the US Department of Energy (DOE) with ISA99 Working Group 14 (WG14). A working group of government, industry and nonprofit representatives (mandated under Sec. 5726 of the 2020 NDAA) began building a defence-in-depth Reference Architecture (RA) for electric energy OT. ISA contributed; WG14 continues the work.
Design intent includes:
From the Electric Energy OT RA, more detailed domain profiles can be derived — for example substation, generation, distributed energy resources (DER), transmission, distribution, and operation / network control centres. The RA is a common foundation: grid operators share a coherent protection-level story; suppliers see which 62443-derived expectations that sector will ask for; procurement and interoperability get simpler.