← Home

Security Profiles (IEC 62443-1-5)

ISA/IEC 62443-1-5 provides a standardised scheme for creating cybersecurity profiles that tailor the ISA/IEC 62443 requirements to specific industries, sectors, technologies, or application domains. Rather than creating new cybersecurity requirements, security profiles define how existing ISA/IEC 62443 requirements should be applied in a particular operational context.

IEC 62443 Security Profiles
Figure – Overview of the IEC 62443-1-5 security profile scheme: tailoring horizontal ISA/IEC 62443 requirements into vertical, industry-specific implementation guidance.

Learning Objectives

Refer to: ISA/IEC 62443-1-5
Refer to: IEC 62443 Security Levels
Refer to: IEC 62443 Developing Secure Products and Systems


Overview

The objective of ISA/IEC 62443-1-5 is to ensure profiles are created consistently, making implementation simpler, more repeatable, and better aligned with sector-specific risks.

Future cybersecurity profiles developed using this methodology are published within the ISA/IEC 62443-5 series.


Purpose of Security Profiles

Security profiles bridge the gap between generic ISA/IEC 62443 requirements and industry-specific cybersecurity needs. They help organisations determine:

Instead of every organisation independently deciding how to apply ISA/IEC 62443, a security profile provides a common implementation approach for an entire industry.


Why Security Profiles are Needed

The ISA/IEC 62443 standards are intentionally broad so they can be applied across many industries. Different sectors have different:

Examples include:

Security profiles tailor the horizontal ISA/IEC 62443 framework into vertical-specific guidance.


What is a Security Profile?

A security profile is a structured document that defines how ISA/IEC 62443 should be implemented within a particular domain. It does not replace ISA/IEC 62443.

Instead, it:

The result is a practical implementation guide for a specific industry.


Benefits

Security profiles improve consistency across an industry by:


Security Profile Framework

ISA/IEC 62443-1-5 defines a common framework for developing cybersecurity profiles. Every profile should:

This ensures profiles produced by different industries remain compatible.


Standards That May Be Referenced

A cybersecurity profile may reference one or more existing ISA/IEC 62443 standards, including:

Standard Purpose
ISA/IEC 62443-2-1 IACS Security Program Requirements for Asset Owners
ISA/IEC 62443-2-4 Security Requirements for IACS Service Providers
ISA/IEC 62443-3-3 System Security Requirements and Security Levels
ISA/IEC 62443-4-1 Secure Product Development Lifecycle Requirements
ISA/IEC 62443-4-2 Technical Security Requirements for Components

A profile selects only the requirements relevant to its intended industry or application.


Profile Development Process

The scheme defined in ISA/IEC 62443-1-5 includes:

  1. Identify the target industry or application.
  2. Determine applicable ISA/IEC 62443 standards.
  3. Select relevant requirements.
  4. Identify requirements that are excluded.
  5. Justify all exclusions.
  6. Add sector-specific interpretation where necessary.
  7. Publish the profile using the standardised format.

Tailoring Requirements

A security profile typically classifies requirements as:

Mandatory

Must be implemented.

Optional

Implemented where appropriate based on risk.

Not Applicable

Excluded because they do not apply to the target environment.

Every exclusion should be technically justified.


Horizontal vs Vertical Standards

Horizontal Standards

Broad standards that apply across many industries. Examples:

They define generic cybersecurity requirements.

Vertical Profiles

Industry-specific implementations of those standards. Examples:

They explain how the horizontal standard should be applied within that sector.


Industry Benefits

For Asset Owners

For Product Suppliers

For Integrators and Service Providers


Example — Electric Energy OT Reference Architecture

One of the first major profile development efforts is being undertaken by the US Department of Energy (DOE) together with ISA99 Working Group 14 (WG14). The goal is to create a cybersecurity reference architecture for the electric energy sector.

Objectives include:

Electric Energy OT Reference Architecture

The Reference Architecture serves as a common foundation from which more detailed profiles can be derived. Potential derived profiles include:

This creates a consistent security baseline across the electrical industry.

Why the Reference Architecture Matters

Benefits include:


Relationship to the ISA/IEC 62443 Series

ISA/IEC 62443 Standards
        │
        ▼
62443-1-5 Profile Scheme
        │
        ▼
Industry Security Profile
        │
        ▼
Select Applicable Requirements
        │
        ▼
Tailored Implementation
        │
        ▼
Consistent Sector-wide Cybersecurity

Key Principles


Key Takeaways


Standards References