INNOVEXUS

Access control for industrial automation. Aligned to IEC 62443. Honest about scope.

IEC 62443 is the dominant cybersecurity framework for industrial automation and control systems: manufacturing, oil and gas, water, and similar OT environments. Its access control requirements (FR 1 and FR 2 in IEC 62443-3-3, and the related provisions for service providers in IEC 62443-2-4) are where most asset owners and integrators put real engineering work. Innovexus aligns to those specific controls. We are not a full IEC 62443 compliance platform. We are the privileged access piece for the IT/OT boundary, built to produce audit-ready evidence.

§ 01 / The problem

IEC 62443 access requirements are specific.

IEC 62443-3-3 defines seven foundational requirements (FRs), including FR 1 (Identification and Authentication Control), FR 2 (Use Control) and FR 3 (System Integrity), and breaks each down into numbered system requirements (SRs). Those SRs translate to engineering requirements that most ICS environments handle inconsistently across zones, especially at the IT/OT boundary where most privileged access happens.

/ 01

Shared HMI logins everywhere.

Operator HMI stations frequently use shared accounts ("operator", "supervisor", "admin"). SR 1.1 (human user identification and authentication) and SR 1.5 (authenticator management) are unmet by default: the device cannot tell one operator from another, and nobody owns the shared password. The plant has been running this way for 15 years, and changing it during production is hard.

/ 02

Engineering workstation access is privileged but unaudited.

Engineering workstations connect to PLCs, DCS controllers, and historian databases with high-privilege credentials. There's rarely session recording, attribution beyond a Windows username, or evidence of which controller program was modified by which engineer. FR 2 (Use Control) is paper-only.

/ 03

Zonal isolation breaks during maintenance.

IEC 62443 expects zones and conduits with controlled traffic between them. In practice, vendor maintenance laptops plug directly into Level 2 networks, contractor RDP sessions span the IT/OT DMZ without consistent controls, and the "zone" structure exists on paper but not on the wire during real maintenance windows.

/ 04

Auditor evidence is manual and slow.

When the asset owner audits its integrators or the certifying body audits the asset owner, the evidence collection for "show me every privileged session into Zone 2 for the past 90 days" takes weeks. Most ICS environments don't have the centralised log infrastructure to answer the question quickly.

§ 02 / How Innovexus solves it

Brokered access at the zone boundary.

Innovexus sits on the conduit between the IT and OT zones (typically the DMZ between Levels 3 and 2 of the Purdue Reference Model). Every privileged interactive session into the OT zone passes through the per-tenant pod, which enforces hardware-rooted authentication, role-based access, full session recording and credential brokering. The output is auditable evidence against the FR 1 and FR 2 system requirements of IEC 62443-3-3.

/ 01

Conduit-level brokered access (FR 1, FR 2)

The Innovexus pod is the only authorised path from IT (Level 3 and above) into OT (Levels 0–2) for interactive privileged sessions. SR 1.1 (human user identification and authentication) is met by FIDO2 hardware-rooted login at the pod. SR 1.5 (authenticator management) is met by the vault's protection and rotation policy for OT credentials. SR 2.1 (authorization enforcement) is the role-based device discovery: engineers see, and can connect to, only the assets their role permits.

/ 02

Per-tenant pod aligns with zonal architecture

Each customer's pod is dedicated infrastructure. For ICS environments this maps onto the zone-and-conduit model: the conduit admits interactive traffic only from a defined source. The pod's outbound IP is allowlisted at the conduit firewall as the only source permitted to open interactive sessions into the OT zone, so an RDP or SSH attempt from any other IT host is stopped at the firewall rather than at the device.

/ 03

Full session recording for SR 2.8

SR 2.8 (Auditable events) requires the system to record access control events, among others, with enough detail (timestamp, source, category, type, event ID and outcome) to reconstruct what happened; SR 2.11 (Timestamps) and SR 2.12 (Non-repudiation) cover the time source and the binding of an action to an identity. Innovexus records the full session, every keystroke and every device response, signed and timestamped. This is materially stronger evidence than command-level accounting alone.
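The two evidence problems above, the audit record that has to be trustworthy and the auditor's "every privileged session into Zone 2 for the past 90 days" question from § 01, are illustrated by the following added example. It is not Innovexus code: it builds SR 2.8-style records for brokered sessions, chains them by hash and protects them with an HMAC so that editing, deleting or reordering a record is detectable, and runs the 90-day query. The key, the actors, the asset names and the timestamps are all constructed; a production broker would use an asymmetric signing key (which is what gives non-repudiation under SR 2.12) rather than the shared-secret HMAC used here to stay dependency-free.

```python
# Added example, not Innovexus code: SR 2.8-style audit records for brokered
# sessions, hash-chained and MACed so an auditor can check them for tampering,
# plus the "every privileged session into Zone 2 in the last 90 days" query.
# All data below is constructed. Standard library only.
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed evidence key. A real broker would use an asymmetric signing key
# (non-repudiation, SR 2.12); an HMAC gives tamper evidence only and is used
# here to keep the example dependency-free.
EVIDENCE_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # prev_hash of the first record in a chain


def canonical(body):
    """Stable serialisation so identical records always hash identically."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_record(prev_hash, ts, actor, credential_id, device_account,
                zone, asset, result, event_type="session_start"):
    """One audit record with the SR 2.8 fields (timestamp, source, category,
    type, identifier, outcome). `actor`/`credential_id` is the engineer's
    hardware-key identity; `device_account` is the (possibly shared) login the
    pod used on the device, so attribution survives a shared HMI account."""
    body = {
        "timestamp": ts.isoformat(),
        "category": "access_control",
        "type": event_type,
        "actor": actor,
        "credential_id": credential_id,
        "device_account": device_account,
        "zone": zone,
        "asset": asset,
        "result": result,
        "prev_hash": prev_hash,
    }
    digest = hashlib.sha256(canonical(body)).hexdigest()
    body["hash"] = digest
    body["mac"] = hmac.new(EVIDENCE_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return body


def verify_chain(records):
    """Return (ok, first_bad_index). An edited, deleted, inserted or reordered
    record breaks the chain at the first record that no longer commits to
    its predecessor or no longer matches its own hash and MAC."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k not in ("hash", "mac")}
        if body.get("prev_hash") != prev:
            return False, i
        digest = hashlib.sha256(canonical(body)).hexdigest()
        mac = hmac.new(EVIDENCE_KEY, digest.encode(), hashlib.sha256).hexdigest()
        if digest != rec.get("hash") or not hmac.compare_digest(mac, rec.get("mac", "")):
            return False, i
        prev = digest
    return True, -1


def privileged_sessions(records, zone, since_iso, until_iso):
    """The auditor's question: who opened privileged sessions into `zone`
    between two ISO-8601 timestamps. Returns the matching actors in order."""
    since, until = datetime.fromisoformat(since_iso), datetime.fromisoformat(until_iso)
    return [r["actor"] for r in records
            if r["zone"] == zone and r["type"] == "session_start"
            and since <= datetime.fromisoformat(r["timestamp"]) <= until]


def build_demo_log():
    """Constructed sample log: two brokered sessions into Zone 2 and one
    denied attempt against Zone 3 by a vendor certificate holder."""
    t0 = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
    samples = [
        (t0, "a.mensah", "fido:3f9a", "operator", "Zone 2", "HMI-01", "success"),
        (t0 + timedelta(days=10), "j.ortiz", "fido:81c2", "admin", "Zone 2", "PLC-L2-07", "success"),
        (t0 + timedelta(days=20), "vendor.kh", "cert:oem-7d", "svc_oem", "Zone 3", "HIST-DB", "denied"),
    ]
    records, prev = [], GENESIS
    for ts, actor, cred, acct, zone, asset, result in samples:
        rec = make_record(prev, ts, actor, cred, acct, zone, asset, result)
        records.append(rec)
        prev = rec["hash"]
    return records


if __name__ == "__main__":
    log = build_demo_log()
    print("chain ok:", verify_chain(log))
    print("Zone 2, Feb-May 2024:", privileged_sessions(
        log, "Zone 2", "2024-02-01T00:00:00+00:00", "2024-05-01T00:00:00+00:00"))
    log[1]["device_account"] = "svc_oem"  # someone rewrites the attribution
    print("after tamper:", verify_chain(log))
```

The point of chaining is that the records answer the auditor's question and also prove they have not been edited since they were written; with records like these collected centrally, the 90-day query is a filter, not a multi-week evidence hunt.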

/ 04

Vendor and contractor access workflows

Time-bounded vendor sessions for OEM support: the vendor authenticates at the pod with their hardware key (or an OEM-issued, time-limited certificate), is restricted to the specific assets under contract, and the session is fully recorded. The OEM never receives long-lived credentials to your OT environment.

/ 05

Asset-owner / integrator separation

IEC 62443-2-4 distinguishes asset owner and integrator responsibilities. Innovexus supports per-role attribution that maps to that distinction: integrator engineers log in with their own hardware keys, are scoped to assets they're commissioning, and the asset owner retains the audit trail when the integrator engagement ends.

§ 03 / How it works in practice

IEC 62443-aligned setup, in plain language.

Most ICS environments have brokered access running at the IT/OT conduit within 2–3 weeks. The cadence is slower than IT-only deployments because of change-window discipline and OT validation. Here's the actual sequence.

  1. 01

    Zone scoping and conduit identification

    With your ICS security architect, identify the conduits Innovexus will mediate. Typical placement: the IT/OT DMZ between Purdue Levels 3 and 2. Document which assets are in scope per zone. This documentation is itself an IEC 62443 artefact.

  2. 02

    Pod placement and firewall rules

The per-tenant pod is provisioned in your region. Its IP is allowlisted at the conduit firewall as the only authorised source of interactive remote access (IRA) from IT into OT. Existing zone segmentation, ICS-aware firewalls (Tofino (Belden), Bayshore and similar) and DPI inspection are unchanged: Innovexus is an additive control, not a replacement.

  3. 03

    Asset inventory and credential vault

    Inventory privileged assets per zone — HMIs, engineering workstations, PLCs, DCS controllers, historian databases. Credentials for those assets go into the vault. For shared HMI logins that can't be changed during production, the vault holds the current credential and rotates it during the next planned maintenance window.

  4. 04

    Hardware key enrolment

    FIDO2 hardware keys (YubiKey or equivalent) issued to all engineering personnel. Vendor and contractor access provisioned with time-bounded scoped credentials. Identity provider integration via SAML or OIDC.

  5. 05

    Phased cutover with OT validation

    Cut over one zone at a time, with OT engineers validating that brokered access does not introduce latency or compatibility issues for time-sensitive protocols. Most ICS environments run a 2–4 week parallel period before fully restricting direct access.
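Steps 2 and 5 above describe one firewall policy in two phases: the pod is the only permitted source of interactive access into OT, and during the parallel period direct access is observed before it is blocked. The following added example, which is not Innovexus or any firewall vendor's code, states that policy once, evaluates it against sample flows, and renders it as an nftables chain intended to be jumped to from the site's existing forward chain ahead of the ICS firewall rules. The addresses (pod, IT and OT ranges) and the port lists are constructed assumptions.

```python
# Added example, not Innovexus or any firewall vendor's code: the conduit
# policy for interactive remote access (IRA) from IT into OT with the pod as
# the only permitted source, evaluated against sample flows and rendered as
# nftables rules. Addresses and port lists are constructed assumptions.
import ipaddress

POD_IP = "10.3.50.10"       # assumed per-tenant pod address in the DMZ
IT_NET = "10.3.0.0/16"      # assumed Level 3+ addressing
OT_NET = "10.2.0.0/16"      # assumed Level 0-2 addressing
INTERACTIVE_PORTS = {22: "ssh", 3389: "rdp"}
PROCESS_PORTS = {502: "modbus", 44818: "ethernet-ip", 4840: "opc-ua"}


def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def evaluate(src, dst, dport, enforce=True):
    """Verdict for one flow at the IT->OT conduit.

    ALLOW            the pod opening an interactive session into OT
    DENY             the pod reaching anything other than an interactive port,
                     or (when enforcing) another IT host trying RDP/SSH into OT
    LOG_ONLY         the same direct access during the parallel period of
                     step 5: logged and counted, not yet blocked (enforce=False)
    EXISTING_POLICY  non-interactive IT->OT traffic (e.g. a historian polling
                     OPC UA); the pod is not in that data path, so the site's
                     ICS firewall rules decide
    OUT_OF_SCOPE     traffic that does not cross this conduit at all
    """
    if not in_net(dst, OT_NET) or not (src == POD_IP or in_net(src, IT_NET)):
        return "OUT_OF_SCOPE"
    if src == POD_IP:
        return "ALLOW" if dport in INTERACTIVE_PORTS else "DENY"
    if dport in INTERACTIVE_PORTS:
        return "DENY" if enforce else "LOG_ONLY"
    return "EXISTING_POLICY"


def render_nftables(enforce=True):
    """nftables chain expressing the same policy. Meant to be jumped to from
    the existing forward chain before the ICS firewall rules, so process
    protocol traffic falls through to those rules untouched. In the parallel
    period the direct-access rule logs and counts but does not drop."""
    ports = ", ".join(str(p) for p in sorted(INTERACTIVE_PORTS))
    direct_action = "counter drop" if enforce else "counter"
    return "\n".join([
        "table inet conduit {",
        "  chain ira_broker {",
        f'    ip saddr {POD_IP} ip daddr {OT_NET} tcp dport {{ {ports} }} log prefix "ira-pod " accept',
        f"    ip saddr {POD_IP} ip daddr {OT_NET} counter drop",
        f'    ip saddr {IT_NET} ip daddr {OT_NET} tcp dport {{ {ports} }} log prefix "ira-direct " {direct_action}',
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print(render_nftables(enforce=False))  # parallel period: observe first
    print(render_nftables(enforce=True))   # after OT validation: enforce
```

Rule order matters: the pod's interactive accept comes first, then a drop for anything else the pod tries to reach (the pod is an interactive broker, not a general gateway), then the rule for every other IT host. Because the chain has no default policy, Modbus, EtherNet/IP and OPC UA traffic is not touched by it at all, which is the latency property § 04's FAQ relies on.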

§ 04 / Other approaches, honestly

How this compares to other approaches.

ICS PAM has a few standard approaches. Honest read on each.

Claroty xDome / Nozomi / Dragos
Different layer (detection)

These OT security platforms address asset visibility, threat detection, and ICS-aware network monitoring. They are complementary to Innovexus, not substitutes. Most large ICS environments run one of these alongside a PAM solution. We integrate via syslog and webhook for cross-platform correlation.

CyberArk for OT
Capable, deep enterprise deployment

CyberArk has an OT-specific deployment pattern used at large industrial operators. Capability parity is real for the controls we both cover. Trade-offs: enterprise pricing, partner-led deployment over 3–6 months, organisational maturity required. Best fit at large industrial operators with dedicated OT cybersecurity teams.

Bayshore / Tofino industrial firewalls + manual logging
Network-layer control, manual evidence

ICS-aware firewalls handle the network-layer access control well. They do not address human authentication, credential rotation, or session recording. Most asset owners with these in place still need a privileged-access layer above them — Innovexus is one option for that layer.

Air-gapped manual access
Common, hard to evidence

Many ICS environments still rely on physical access control plus operational discipline rather than automated PAM tooling. Audits increasingly find this insufficient: IEC 62443 explicitly expects auditable identity and use control. Air-gapped environments still need PAM evidence. Innovexus on-prem (Professional tier and above) keeps the pod inside customer-controlled infrastructure, and fully air-gapped deployment is supported on the Enterprise tier.

§ 05 / FAQ

Common questions

Direct answers; each passage stands on its own.

01

Is Innovexus a complete IEC 62443 compliance platform?

No. IEC 62443 is a comprehensive framework covering security management (62443-2-1), patch management (62443-2-3), security technologies (62443-3-1), system security requirements (62443-3-3), and component security (62443-4-2). Innovexus aligns specifically to the access-control-related foundational requirements: FR 1 (Identification and Authentication Control) and FR 2 (Use Control) in 62443-3-3, and the access-related provisions in 62443-2-4 for service providers. For full IEC 62443 alignment you still need patch management tooling, asset inventory, network segmentation enforcement, secure development lifecycle for components, and the rest.

02

Can the per-tenant pod be deployed inside our OT environment, not Innovexus-hosted?

Yes, at the Professional tier ($499/mo) and above. On-prem deployment puts the pod inside customer-controlled infrastructure, which is required by some asset owners for the IT/OT conduit role. Operations tier ($199/mo) is cloud-only and is typically unsuitable for ICS environments where the conduit must be customer-controlled. Air-gapped deployments are supported on Enterprise tier with the hardware-rooted identity provider running on-premises rather than via cloud SAML/OIDC.

03

How does this handle real-time protocol latency for ICS?

Brokered interactive sessions typically add 5–20 ms of latency at the pod for the session protocol (SSH, RDP, console). This is acceptable for human-driven engineering and operator sessions. For real-time control protocols (Modbus, OPC, EtherNet/IP, PROFINET), Innovexus does not sit in the data path; those protocols run over the existing network segmentation, not through the pod. The pod mediates only privileged human and vendor access, and process control traffic is untouched.

04

How does Innovexus support IEC 62443-2-4 for service providers?

IEC 62443-2-4 imposes requirements on integrators and maintenance service providers (SPs). Innovexus supports the SP role with: per-engineer FIDO2 hardware authentication, time-bounded scoped credentials for specific engagements, full session recording, and audit trail handover to the asset owner at engagement end. The asset owner can review every SP session retroactively. SPs benefit because they don't carry long-lived credentials between asset owners; asset owners benefit because they retain the evidence regardless of SP staff turnover.

05

What about ICS-specific authentication (controller passwords, HMI shared logins)?

ICS environments often have credential constraints — PLC passwords with character limits, HMI shared accounts that can't be replaced during production. Innovexus accommodates this: the vault holds the current credential as-is (no character mutation), rotation cadence is configurable per asset class (some PLCs only safely accept rotation during planned maintenance, sometimes annually), and per-session attribution at the pod survives even when the device-side credential is shared. The auditable identity is the engineer's hardware key, not the device login.
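The rotation behaviour described in this answer and in step 3 of § 03 is shown in the following added example, which is not Innovexus code. It models rotation policy per asset class: a device-side length and character set that generated credentials must satisfy so the vault never has to mutate what the device holds, a maximum credential age, and a "maintenance window only" flag under which an overdue credential is held as-is until the next planned window. The asset classes, limits, window and dates are constructed assumptions, not figures from any PLC or HMI vendor.

```python
# Added example, not Innovexus code: a per-asset-class rotation policy for
# OT credentials with device-side constraints (length and character limits,
# rotation only inside planned maintenance windows). Classes and limits below
# are constructed assumptions, not figures from any vendor.
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AssetClass:
    name: str
    max_len: int            # longest credential the device accepts
    alphabet: str           # characters the device accepts
    maintenance_only: bool  # rotate only inside a planned window
    max_age_days: int       # how long a credential may stay in service


ALNUM = string.ascii_letters + string.digits
LEGACY_PLC = AssetClass("legacy_plc", 8, ALNUM, True, 365)
SHARED_HMI = AssetClass("shared_hmi", 16, ALNUM + "_-", True, 90)
ENG_WORKSTATION = AssetClass("eng_workstation", 64, ALNUM + string.punctuation, False, 30)


def fits_device(cls, secret):
    """True if the device will accept this credential unchanged. The vault
    stores exactly what the device holds; it never mutates characters."""
    return 0 < len(secret) <= cls.max_len and all(c in cls.alphabet for c in secret)


def generate_secret(cls):
    """Fresh credential using the full permitted length and only permitted
    characters, so it can be written to the device as-is."""
    return "".join(secrets.choice(cls.alphabet) for _ in range(cls.max_len))


def in_window(windows, now):
    return any(start <= now < end for start, end in windows)


def rotation_decision(cls, last_rotated, now, windows):
    """'not_due', 'hold_until_window' or 'rotate'. Holding keeps the current
    (possibly shared) device credential in the vault; session attribution
    still comes from the engineer's hardware key at the pod, not the login."""
    if now - last_rotated < timedelta(days=cls.max_age_days):
        return "not_due"
    if cls.maintenance_only and not in_window(windows, now):
        return "hold_until_window"
    return "rotate"


def demo():
    """Constructed scenario: one planned maintenance window, three assets."""
    utc = timezone.utc
    now = datetime(2024, 6, 1, 10, 0, tzinfo=utc)
    windows = [(datetime(2024, 6, 15, 2, 0, tzinfo=utc), datetime(2024, 6, 15, 6, 0, tzinfo=utc))]
    return {
        # overdue by a month, but the PLC only takes a new password in a window
        "legacy_plc": rotation_decision(LEGACY_PLC, now - timedelta(days=400), now, windows),
        # the same PLC, evaluated at the start of the window
        "legacy_plc_in_window": rotation_decision(LEGACY_PLC, now - timedelta(days=400), windows[0][0], windows),
        # shared HMI login within its 90 days: leave it alone
        "shared_hmi": rotation_decision(SHARED_HMI, now - timedelta(days=30), now, windows),
        # workstation credentials rotate any time once aged out
        "eng_workstation": rotation_decision(ENG_WORKSTATION, now - timedelta(days=45), now, windows),
    }


if __name__ == "__main__":
    for asset, decision in demo().items():
        print(f"{asset}: {decision}")
    print("plc candidate:", generate_secret(LEGACY_PLC))
```

The `hold_until_window` state is the one that matters operationally: it is the explicit, logged reason a credential is past its age limit, rather than a silent failure to rotate, and it is what an auditor should see against a PLC that only accepts a new password once a year.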

06

How is this different from Cisco Cyber Vision?

Cyber Vision is Cisco's OT visibility and threat-detection platform (it pairs with Cisco ISE for network access control), closer to Claroty/Nozomi than to Innovexus. It does asset discovery, anomaly detection, and ICS-aware monitoring on the network. Innovexus addresses privileged human and vendor access, credential lifecycle, and session evidence. The two are complementary; many ICS environments run both.

Brokered access at the IT/OT conduit. Hardware-rooted, signed, audit-ready.

FROM $199 / MO · 5-DAY FREE TRIAL

Start with your ICS security architect. We'll review the conduit architecture under NDA, scope a phased rollout, and run a 5-day trial against a representative zone before any production deployment.