Manufacturing is the most cyberattacked industry for the fourth consecutive year. Half of OT organizations fell victim to breaches in 2025. Nation-state actors are targeting exposed OT assets and supply chains. And the cost is staggering — a single cyber incident that jumps from office systems to the plant floor can stall production, erode safety margins, and destroy customer trust. Yet most greenfield factories still treat cybersecurity as a post-construction bolt-on — a firewall added after the network is built, an antivirus installed after systems are commissioned. That approach failed in brownfield. It will fail faster in greenfield, where every system is connected from day one by design. IEC 62443 is the global standard built specifically for OT cybersecurity — zones, conduits, security levels, and lifecycle management designed for the realities of pumps, PLCs, and production lines that can't tolerate downtime. This guide shows how to embed IEC 62443 compliance into your greenfield factory architecture from blueprint to commissioning. Book a consultation to assess your OT security architecture.
Why Greenfield Factories Need Security by Design
Brownfield factories inherited insecurity — legacy PLCs with no authentication, flat networks with no segmentation, and decades of "air gap" assumptions that are no longer valid. Greenfield factories have a unique opportunity to build security in from the start — but they also face a unique risk: everything is connected from commissioning day one. There's no gradual digitization. The UNS, edge computing, AI models, digital twins, and agentic systems are all live simultaneously. If the security architecture isn't designed before the network is built, you're building a $200M target.
IT/OT Convergence Increases Exposure
Every UNS topic, every MQTT message, every OPC UA connection between IT and OT systems is a potential attack path. Convergence enables AI and optimization — but without segmentation, it also enables lateral movement from a phishing email to a PLC.
Retrofit Security Costs 3-5x More
Adding segmentation, monitoring, and access controls after construction requires network redesign, downtime for implementation, and compromises that weaken the final architecture. Designing security into the blueprint costs a fraction and delivers stronger protection.
Compliance Is Becoming Mandatory
IEC 62443 compliance is increasingly required in government contracts, defense supply chains (CMMC), EU critical infrastructure (NIS2), and enterprise customer requirements. Building compliant from day one avoids costly retrofits when contracts demand proof.
Agentic AI Needs Secure Data Foundations
Agentic AI systems that autonomously adjust production, schedule maintenance, and optimize energy rely on trusted data. If an attacker can manipulate sensor data or inject false signals, autonomous systems will make decisions based on lies — with physical consequences.
Building a greenfield factory and concerned about OT security? Book a free security architecture review — we'll assess your IT/OT convergence plan and identify compliance gaps before construction begins.
IEC 62443: The Framework Built for OT
Unlike IT frameworks (ISO 27001, NIST CSF) that were adapted for OT, IEC 62443 was designed from the ground up for industrial environments — where uptime is non-negotiable, equipment runs for decades, and a security patch can crash a production line. The framework addresses four categories of stakeholders: general concepts, policies/procedures (asset owners), system-level security (integrators), and component-level security (product developers).
| IEC 62443 Part | Focus | Who It Applies To | Greenfield Relevance |
|---|---|---|---|
| Part 1 (General) | Terms, concepts, reference models (zones, conduits, security levels) | All stakeholders | Foundation — defines your security vocabulary and architecture model |
| Part 2 (Policies) | Cybersecurity management programs, patch management, service provider requirements | Asset owners, service providers | Governance — your security policies, procedures, and vendor requirements |
| Part 3 (System) | Risk assessment, system design, zone/conduit segmentation, security technologies | System integrators | Architecture — the zone/conduit model, network segmentation, access control |
| Part 4 (Component) | Secure development lifecycle, component technical requirements | Product developers | Procurement — require IEC 62443-4-1/4-2 from equipment vendors |
Security Levels: Matching Protection to Risk
IEC 62443 defines four security levels (SL-1 through SL-4) that determine the sophistication of protection required for each zone. Not every system needs SL-4. Most industrial systems target SL-2 or SL-3 based on risk assessment. The greenfield advantage: you can design each zone to its target security level from the start — no compensating controls for inherited weaknesses.
Casual / Accidental
Protection against unintentional misuse. Basic access controls. Appropriate for non-critical monitoring systems and administrative functions.
Low-Skill Intentional
Defense against attackers with low resources and general skills. Authentication, role-based access, basic encryption. Target for most production floor systems.
Skilled / Moderate Resources
Defense against skilled attackers with moderate resources. Multi-factor authentication, encrypted communications, continuous monitoring. Target for safety systems and critical infrastructure.
Sophisticated / Well-Funded
Defense against nation-state level threats. Advanced encryption, hardware security modules, physical isolation where required. Target for defense, energy, and critical national infrastructure.
The 7 Foundational Requirements
IEC 62443 defines seven foundational requirements (FR) that form the technical backbone of OT security. Every zone and system must implement these at the appropriate security level. For greenfield projects, these requirements should be specified during factory design and verified during commissioning.
Every user, device, and software process identified and authenticated before IACS access. SIM-based auth for 5G devices. Certificate-based for OPC UA. No anonymous access.
Role-based access control (RBAC). Authenticated users only get privileges needed for their function. Principle of least privilege enforced across IT and OT.
Systems protected from unauthorized modification. Firmware integrity verification. Configuration change management. Secure boot for edge devices and PLCs.
Sensitive data protected in transit and at rest. TLS 1.3 for all network communication. Encrypted storage for recipes, IP, and production data.
Network segmented into zones with controlled conduits. Data flows only through defined paths. This is where zone/conduit architecture is specified.
Security events detected, logged, and responded to promptly. SIEM integration. Automated alerting. Incident response procedures defined and tested.
Systems remain available despite attack attempts. DDoS protection. Redundancy for critical systems. Graceful degradation for non-critical functions.
Greenfield Implementation: Phase-by-Phase
| Greenfield Phase | Security Activity | IEC 62443 Alignment | Key Deliverable |
|---|---|---|---|
| Factory Design (Step 3) | Define zones, conduits, target security levels per zone. Design network segmentation topology. Specify data diode/firewall placement. | Part 3-2 (Risk Assessment), Part 3-3 (System Security Requirements) | Zone/conduit architecture diagram with SL targets |
| Procurement (Step 4) | Require IEC 62443-4-1 (secure development) and 4-2 (component security) compliance from all equipment vendors. Specify OPC UA with certificates. | Part 4-1, Part 4-2 | Security requirements in equipment specifications |
| Construction (Step 5) | Install segmented network infrastructure. Deploy firewalls, data diodes, and monitoring infrastructure. Configure network slicing for 5G. | Part 3-3 (System Security) | Physical network infrastructure with segmentation |
| Installation (Step 6) | Configure device authentication. Deploy endpoint protection. Enable encrypted communications. Configure SIEM data collection. | Part 2-4 (Service Provider Requirements) | All devices authenticated and monitored |
| Commissioning (Step 7-8) | Security validation testing: penetration testing, zone boundary verification, access control testing, incident response drill. | Part 2-1 (Security Program) | Security commissioning report |
| Operations (Step 10+) | Continuous monitoring, patch management, periodic risk reassessment, threat intelligence integration, security awareness training. | Part 2-1, Part 2-3 (Patch Management) | Ongoing security operations program |
Need help mapping IEC 62443 requirements to your greenfield design? Schedule a security architecture review — we'll define your zone/conduit model, assign security levels, and build the compliance roadmap.
Zero Trust for the Factory Floor
Zero Trust is no longer just a boardroom discussion for manufacturing — it's becoming the operational model that satisfies IEC 62443, NIST CSF, NIS2, and CMMC simultaneously. The core principle: never trust, always verify. Every device, user, and data flow is authenticated, authorized, and continuously monitored — regardless of whether it's inside or outside the network perimeter.
Build Security In — Don't Bolt It On
iFactory implements IEC 62443 zones, zero-trust segmentation, and continuous threat monitoring from blueprint to commissioning — so your greenfield factory is secure from day one.
Frequently Asked Questions
Manufacturing Is the #1 Cyberattack Target. Your Greenfield Doesn't Have to Be.
IEC 62443 compliance, zero-trust segmentation, and continuous monitoring — designed into the blueprint, not bolted on after the breach.
