
IACS Cybersecurity: why industrial OT systems demand a dedicated approach

19 May 2026 · FreelancePM · 5 min read

IACS cybersecurity is no longer a niche topic for plant engineers — it is a board-level concern for every industrial organisation in Belgium and beyond. Industrial Automation and Control Systems (IACS) sit at the heart of production lines, water treatment, energy distribution and pharmaceutical batch control. When they fail, products do not ship, regulators get involved, and safety incidents are one human error away.

Yet too many organisations still treat their operational technology (OT) network as "just another part of IT". It is not. Below we explain why industrial cybersecurity demands a dedicated approach, how the IEC 62443 framework structures that approach, and what a pragmatic implementation looks like for a Flemish industrial SME.

Why IACS is fundamentally different from IT security

Classic IT security optimises for the CIA triad: Confidentiality, Integrity, Availability — in that order. In an industrial control environment the order flips. Availability and safety come first; a PLC that reboots in the middle of a batch can ruin a million euros of product or injure an operator.

The technology stack is also different. You are dealing with:

  • Decade-old SCADA systems running unsupported Windows versions
  • PLCs from Siemens, Rockwell or Schneider that cannot be patched on a Tuesday night
  • Serial buses, Modbus, Profinet — protocols designed without authentication
  • Vendors who void warranties the moment you install an EDR agent

This is the world of ICS security, and it is governed by IEC 62443 — not ISO 27001 alone.

The IEC 62443 framework in plain language

IEC 62443 is a multi-part standard published by the IEC and ISA. It splits responsibilities across three roles:

  • Asset owners — the plant operator who runs the production
  • System integrators — those who design and commission the control system
  • Product suppliers — the OEMs building PLCs, HMIs and engineering software

The most useful part for project managers is IEC 62443-3-3, which defines seven Foundational Requirements (FR) and the concept of Security Levels (SL). SLs run from SL1 (protection against casual or coincidental violation) to SL4 (protection against intentional violation using sophisticated means with extended resources). Most Flemish manufacturing sites realistically target SL2.

Security zones and conduits: the core design pattern

The single most important concept in IACS cybersecurity is zones and conduits. You segment the plant into logical zones — each zone groups assets with the same security requirements — and you define conduits as the only permitted communication paths between zones.

A typical Purdue-model segmentation looks like:

  • Level 0–1 — physical process, sensors, actuators, PLCs
  • Level 2 — local SCADA / HMI
  • Level 3 — site manufacturing operations, historians, batch servers
  • Level 3.5 — industrial DMZ, the only bridge to enterprise IT
  • Level 4–5 — enterprise IT and cloud

Each conduit between these zones gets its own risk assessment, firewall rules, monitoring and review cycle. Done well, this single design choice eliminates 70–80% of realistic attack paths.

Need help designing your zones and conduits?

RGI bv guides Flemish industrial SMEs through IEC 62443 implementations and IACS security assessments — pragmatic, vendor-neutral, no jargon.


Top 5 risks for production environments

1. Legacy SCADA and unsupported Windows

Windows XP, Windows 7 and Server 2008 still run critical HMIs across Flanders. Patching is often impossible without vendor recertification. Compensating controls (network isolation, application allow-listing, virtual patching) are mandatory, not optional.

2. IT/OT convergence done badly

Flat networks where the office laptops can ping the PLCs are still the rule, not the exception. A single phishing click in finance can become a production stop. This is exactly why segmentation and an industrial DMZ are the first technical wins of any IEC 62443 programme.

3. Ransomware reaching the PLC layer

Modern ransomware crews specifically search for engineering workstations and SCADA servers. They know plant downtime is paid faster than encrypted finance shares. Backups of engineering projects, recipes and PLC programs — stored offline — are now non-negotiable.

4. Supply-chain risk via integrators and vendors

The remote-maintenance VPN your panel builder set up in 2014 is still active. The USB stick your service technician brings is connected to twelve other plants. OT security must extend to every contract and every remote access path.

5. NIS2 for essential and important entities

Belgium has transposed NIS2 via the CCB. Manufacturing, food production, chemicals, pharmaceuticals, energy and water are explicitly in scope. Boards now carry personal liability for cyber risk management. IEC 62443 is the de-facto control framework auditors will look for.

Why an IACS implementation is not "just another ISMS"

If you have led an ISO 27001 project before, you already know 60% of what is needed. The remaining 40% is what makes industrial cybersecurity hard:

  • Production-stop risk. Every change touches OEE. A firewall rule deployed at the wrong moment can stop a packaging line. Change windows are negotiated in weeks, not in days.
  • Vendor coordination. Siemens, Rockwell, Schneider, ABB — every OEM has its own hardening guide, its own patch policy, its own warranty conditions. Implementations are multi-vendor by definition.
  • Safety interlocks. Cybersecurity measures must never compromise functional safety (SIL ratings, ATEX zones). Joint risk assessments with HSE are mandatory.
  • Operator acceptance. If your two-factor authentication adds 30 seconds to a shift handover, operators will share badges. Usability is a security control.

Practical steps for a Flemish industrial SME

  1. Asset inventory. You cannot protect what you have not mapped. Passive discovery (Claroty, Nozomi, Armis) is preferred over active scans that may crash legacy devices.
  2. Risk-based zoning. Workshop with production and engineering to draw the Purdue model on the actual plant.
  3. Conduit hardening. Industrial DMZ, deny-by-default firewall rules, jump servers for remote vendors.
  4. Monitoring. An OT-aware sensor that understands Modbus and S7, not a generic IT SIEM.
  5. Backup and recovery. Tested restore of PLC programs and SCADA images — at least annually.
  6. Governance. Document policies, train operators, run tabletop exercises with the production manager, not only the IT team.
  7. NIS2 reporting. Define the 24h / 72h / 1-month CCB notification path before you need it.
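To make the zones-and-conduits design and the deny-by-default conduit hardening in step 3 concrete, here is an added example (not code from the original post or from RGI) that evaluates observed network flows against a Purdue-level conduit allow-list. The zone map, the allow-list and the sample flows are constructed for illustration; the enterprise-to-site path is only allowed via the industrial DMZ, and any flow not explicitly listed is reported as a violation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zone map: address prefix -> Purdue level (output of the zoning workshop).
ZONES = {
    "10.0.1.": "L1",     # PLCs
    "10.0.2.": "L2",     # local SCADA / HMI
    "10.0.3.": "L3",     # site operations, historian
    "10.0.35.": "L3.5",  # industrial DMZ
    "10.1.": "L4",       # enterprise IT
}

# Conduit allow-list: (src_zone, dst_zone) -> permitted (proto, port) pairs.
# Anything absent is denied. Note there is no direct L4 -> L3 conduit:
# enterprise traffic must terminate in the DMZ first.
CONDUITS = {
    ("L2", "L1"): {("tcp", 502), ("tcp", 102)},  # Modbus/TCP and S7comm from HMIs only
    ("L3", "L2"): {("tcp", 502)},                # historian polling the SCADA layer
    ("L3.5", "L3"): {("tcp", 443)},              # DMZ relay into site operations
    ("L4", "L3.5"): {("tcp", 443)},              # enterprise reaches the DMZ only
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything unmapped is treated as untrusted."""
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "unknown"

def check_flow(flow: Flow) -> Optional[str]:
    """Return None if the flow rides an allowed conduit, else why it is denied."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return f"no conduit {src_zone} -> {dst_zone} (deny-by-default)"
    if (flow.proto, flow.port) not in allowed:
        return f"{flow.proto}/{flow.port} not permitted on conduit {src_zone} -> {dst_zone}"
    return None

def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every (flow, reason) pair that violates the conduit policy."""
    return [(f, r) for f in flows if (r := check_flow(f)) is not None]

# Constructed sample flows, e.g. exported from a firewall or passive OT sensor.
SAMPLE_FLOWS = [
    Flow("10.0.2.10", "10.0.1.5", "tcp", 502),    # HMI polling a PLC: allowed
    Flow("10.1.20.7", "10.0.1.5", "tcp", 502),    # office laptop reaching a PLC: denied
    Flow("10.1.20.7", "10.0.3.8", "tcp", 443),    # enterprise skipping the DMZ: denied
    Flow("10.0.2.10", "10.0.1.5", "tcp", 3389),   # RDP on the HMI->PLC conduit: denied
    Flow("10.0.35.2", "10.0.3.8", "tcp", 443),    # DMZ relay into site ops: allowed
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.port}: {reason}")
```

Run against real flow exports, the list of violations is the backlog for conduit hardening and, once the rules are deployed, the alert feed for the OT monitoring step.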

None of this is exotic technology. It is project management discipline applied to an environment where the cost of getting it wrong is measured in pallets and people, not in spreadsheets.

Ready to start your IEC 62443 journey?

RGI bv supports Flemish industrial SMEs with IEC 62443 implementations and IACS security assessments. Pragmatic, hands-on, no marketing fluff.


FreelancePM delivers experienced project management for IEC 62443, NIS2 and ISO 27001 programmes across Belgium.
