ISA/IEC 62443-1-5 provides a standardised scheme for creating cybersecurity profiles that
tailor the ISA/IEC 62443 requirements to specific industries, sectors, technologies, or application
domains. Rather than creating new cybersecurity requirements, security profiles define how existing
ISA/IEC 62443 requirements should be applied in a particular operational context.
Figure – Overview of the IEC 62443-1-5 security profile scheme: tailoring horizontal ISA/IEC 62443
requirements into vertical, industry-specific implementation guidance.
Learning Objectives
Understand the purpose of ISA/IEC 62443-1-5 and security profiles.
Explain how security profiles tailor horizontal ISA/IEC 62443 requirements for specific industries.
Recognise the profile development process and requirement classification approach.
Distinguish between horizontal standards and vertical security profiles.
Identify the benefits of security profiles for asset owners, suppliers and integrators.
The objective of ISA/IEC 62443-1-5 is to ensure profiles are created consistently, making
implementation simpler, more repeatable, and better aligned with sector-specific risks.
Future cybersecurity profiles developed using this methodology are published within the
ISA/IEC 62443-5 series.
Purpose of Security Profiles
Security profiles bridge the gap between generic ISA/IEC 62443 requirements and industry-specific
cybersecurity needs. They help organisations determine:
Which requirements apply.
Which requirements are mandatory.
Which are optional.
Which are not applicable.
How requirements should be interpreted for their environment.
Instead of every organisation independently deciding how to apply ISA/IEC 62443, a security profile
provides a common implementation approach for an entire industry.
Why Security Profiles are Needed
The ISA/IEC 62443 standards are intentionally broad so they can be applied across many industries.
Different sectors have different:
Threats.
Risk tolerance.
Regulatory obligations.
Operational requirements.
Safety considerations.
Critical infrastructure dependencies.
Examples include:
Electric utilities.
Oil & Gas.
Water treatment.
Manufacturing.
Mining.
Transportation.
Pharmaceutical.
Food & Beverage.
Security profiles tailor the horizontal ISA/IEC 62443 framework into vertical-specific guidance.
What is a Security Profile?
A security profile is a structured document that defines how ISA/IEC 62443 should be implemented within
a particular domain. It does not replace ISA/IEC 62443.
Instead, it:
Selects applicable requirements.
Prioritises requirements.
Clarifies implementation.
Documents exclusions.
Provides sector-specific interpretation.
Defines consistent security expectations.
The result is a practical implementation guide for a specific industry.
Benefits
Security profiles improve consistency across an industry by:
Reducing interpretation differences.
Simplifying implementation.
Aligning cybersecurity with operational risk.
Improving interoperability.
Supporting consistent procurement requirements.
Helping vendors understand customer expectations.
Increasing implementation efficiency.
Supporting repeatable compliance assessments.
Security Profile Framework
ISA/IEC 62443-1-5 defines a common framework for developing cybersecurity profiles. Every profile should:
Follow a consistent structure.
Reference applicable ISA/IEC 62443 standards.
Clearly identify included requirements.
Justify excluded requirements.
Avoid unnecessary modification of existing requirements.
Maintain consistency with the ISA/IEC 62443 terminology and concepts.
This ensures profiles produced by different industries remain compatible.
Standards That May Be Referenced
A cybersecurity profile may reference one or more existing ISA/IEC 62443 standards, including:
Standard
Purpose
ISA/IEC 62443-2-1
IACS Security Program Requirements for Asset Owners
ISA/IEC 62443-2-4
Security Requirements for IACS Service Providers
ISA/IEC 62443-3-3
System Security Requirements and Security Levels
ISA/IEC 62443-4-1
Secure Product Development Lifecycle Requirements
ISA/IEC 62443-4-2
Technical Security Requirements for Components
A profile selects only the requirements relevant to its intended industry or application.
Profile Development Process
The scheme defined in ISA/IEC 62443-1-5 includes:
Identify the target industry or application.
Determine applicable ISA/IEC 62443 standards.
Select relevant requirements.
Identify requirements that are excluded.
Justify all exclusions.
Add sector-specific interpretation where necessary.
Publish the profile using the standardised format.
Tailoring Requirements
A security profile typically classifies requirements as:
Mandatory
Must be implemented.
Optional
Implemented where appropriate based on risk.
Not Applicable
Excluded because they do not apply to the target environment.
Every exclusion should be technically justified.
Horizontal vs Vertical Standards
Horizontal Standards
Broad standards that apply across many industries. Examples:
ISA/IEC 62443.
ISO/IEC 27001.
They define generic cybersecurity requirements.
Vertical Profiles
Industry-specific implementations of those standards. Examples:
Electric Energy.
Water Utilities.
Mining.
Oil & Gas.
Manufacturing.
They explain how the horizontal standard should be applied within that sector.
Industry Benefits
For Asset Owners
Easier implementation.
Consistent security expectations.
Reduced interpretation effort.
Improved procurement requirements.
For Product Suppliers
Clear understanding of customer cybersecurity expectations.
Consistent product development requirements.
Reduced variation between customers.
For Integrators and Service Providers
Common implementation practices.
Improved interoperability.
Reduced project-specific interpretation.
Example — Electric Energy OT Reference Architecture
One of the first major profile development efforts is being undertaken by the
US Department of Energy (DOE) together with ISA99 Working Group 14 (WG14).
The goal is to create a cybersecurity reference architecture for the electric energy sector.
Objectives include:
Electric energy sector focus.
Defence-in-depth architecture.
Information-centric security.
Technology-neutral design.
Support future technologies.
Consistent cybersecurity across the electricity industry.
Electric Energy OT Reference Architecture
The Reference Architecture serves as a common foundation from which more detailed profiles can be derived.
Potential derived profiles include:
Substations.
Power generation.
Distributed Energy Resources (DER).
Transmission.
Distribution.
Operations / Network Control Centres.
This creates a consistent security baseline across the electrical industry.