River Caudle
OT / ICS security · field research & frameworks

Method · 6 steps · IEC 62443

The SECURE Method

IEC 62443 simplified for industrial networks.

Most industrial cybersecurity frameworks are written by people who have never had to keep a plant running. The SECURE Method is not. It is a six-step program. Segment, Establish, Control, Update, Respond, Evaluate. That takes the IEC 62443 standard and turns it into a sequence an operator can actually follow without breaking production.

Making industrial cybersecurity standards actually usable in the real world.

River Caudle · Riverman · OT/ICS Security Practice

S

Step 01

Segment your networks

IEC 62443-3-2 · Zones & Conduits

What it means

  • Separate networks by risk and function
  • The IT/OT boundary is the minimum requirement
  • Isolate safety systems always
  • Document what can't be segmented and why

Practical implementation

  • Create functional zones. Production, safety, maintenance
  • Use VLANs and firewalls to enforce boundaries
  • Separate critical systems from convenience systems
  • Map data flows between zones and control them
"If everything is on one network, one breach kills everything."
E

Step 02

Establish security levels

IEC 62443-3-3 · Security Level Targets

What it means

  • SL-1 · protection from accidents and human error
  • SL-2 · protection from basic attacks and malware
  • SL-3 · protection from sophisticated, targeted attacks
  • SL-4 · protection from nation-state-level threats

Reality check

  • Most facilities need SL-2 for production, SL-3 for safety systems
  • SL-4 is for nuclear plants and critical infrastructure
  • Don't over-engineer security that breaks operations
  • Start with SL-1 and build up based on actual threats
"Match protection to actual risk, not imaginary threats."
C

Step 03

Control access

IEC 62443 · FR1 · Access Control

What it means

  • Physical security: locks, badges, cameras where they matter
  • Role-based access: operator, engineer, admin with clear boundaries
  • Emergency override: when security can't prevent operations
  • Regular audits: who has access to what, and why

Practical approach

  • Lock network cabinets like you lock control rooms
  • Use existing plant badge systems for network access
  • Create emergency procedures that bypass security safely
  • Audit permissions quarterly, not annually
"The best access control is the one people actually follow."
U

Step 04

Update responsibly

IEC 62443-2-3 · Patch Management

What it means

  • Risk-based schedule: critical security patches fast, everything else planned
  • Test before production: use dev systems or offline testing
  • Document exceptions: what can't be patched and why
  • Compensating controls: extra protection for unpatched systems

Industrial reality

  • Some systems can't be patched during production
  • Test patches on non-critical systems first
  • Use network segmentation to protect unpatchable systems
  • Schedule updates during planned maintenance windows
"Patch management that breaks production isn't security. It's sabotage."
R

Step 05

Respond to incidents

IEC 62443-2-1 · Incident Response

What it means

  • Priority order: safety > production > evidence preservation
  • OT-specific procedures: don't assume IT incident response works
  • Defined response team: operations leads, IT supports
  • Practice scenarios: tabletop exercises with real constraints

Response framework

  • Immediate: stop the threat, maintain safe operations
  • Short-term: isolate affected systems, restore production
  • Long-term: investigate, improve defenses, document lessons
  • Continuous: update procedures based on what you learned
"In OT, safety trumps everything. Including perfect forensics."
E

Step 06

Evaluate continuously

IEC 62443-2-1 · Cybersecurity Management

What it means

  • Monthly health checks: are your defenses still working?
  • Quarterly assessments: what changed, what's broken?
  • Annual program review: strategic evaluation and planning
  • Continuous improvement: fix what's broken, improve what works

Evaluation cycle

  • Daily: monitor alerts and system health
  • Weekly: review security events and false positives
  • Monthly: check access permissions and system updates
  • Quarterly: assess threats and update procedures
  • Annually: strategic review and budget planning
"Security isn't a project. It's an ongoing operational requirement."

§ Implementation Roadmap

Twelve months. Four phases. Built to be followed.

SECURE is a sequence. The phases that follow are how the steps actually land in an operating environment.

Phase 01 Months 1 – 3

Foundation

Focus · Segment & Establish

  • Complete network inventory and mapping
  • Implement basic IT/OT segmentation
  • Define security levels for each zone

Success metric · Clear network boundaries that people understand

Phase 02 Months 4 – 6

Access Control

Focus · Control & Update

  • Deploy role-based access controls
  • Establish patch management procedures
  • Lock down physical access points

Success metric · Only authorized people can access critical systems

Phase 03 Months 7 – 9

Operations

Focus · Respond & Evaluate

  • Create incident response procedures
  • Deploy monitoring and alerting
  • Conduct first tabletop exercise

Success metric · The team knows what to do when something goes wrong

Phase 04 Months 10 +

Maturity

Focus · Continuous improvement

  • Regular security assessments
  • Advanced threat detection
  • Automated response capabilities

Success metric · Security that improves operations instead of hindering them

§ SECURE vs. Traditional IT

Where the model differs from enterprise security.

OT is not late-model IT. It is a different discipline. The SECURE Method is built on that distinction; here it is, line by line.

Aspect Traditional IT SECURE Method
Priority Confidentiality first Availability first
Patching Patch immediately Test, then patch during maintenance
Access Role-based complexity Function-based simplicity
Monitoring Log everything Monitor what matters to operations
Response Preserve evidence Stop the threat, maintain safety
Compliance Checkbox security Risk-based implementation

§ Common Implementation Mistakes

What doesn't work, and what does.

What doesn't work

  • Copying IT security policies directly to OT
  • Implementing security that requires constant IT support
  • Choosing tools based on features instead of operational fit
  • Assuming all OT systems can be patched like IT systems

What does work

  • Security policies written by operations, for operations
  • Simple, reliable security that plant personnel can maintain
  • Tools that integrate with existing operational procedures
  • Risk-based security that matches actual threats

§ Success Metrics

How you know it's working.

Technical metrics

  • Segmentation: clear network boundaries with documented exceptions
  • Access control: regular audits with prompt cleanup
  • Patch management: defined process with measurable compliance
  • Incident response: mean time to containment under 15 minutes

Operational metrics

  • Production impact: security incidents causing zero unplanned downtime
  • User adoption: procedures followed without workarounds
  • Cost effectiveness: security investment showing measurable ROI
  • Continuous improvement: regular updates based on lessons learned

"The best industrial cybersecurity is the kind that makes operations more reliable, not less."

River Caudle · river@riverman.io · Houston, Texas