OT Compliance Alignment Guide

TAC for NERC CIP and IEC 62443

How TAC delivers the technical access control, authentication, monitoring, and audit requirements of NERC CIP and IEC 62443 — for the systems that command your OT environment.

Note: This guide describes how TAC’s technical capabilities map to NERC CIP and IEC 62443 controls for the systems and access paths into your OT environment — HMIs, SCADA servers, engineering workstations, historians, and remote-access tools. Full compliance with either framework requires an end-to-end OT security program including organizational policies, asset inventory, change management, training, and physical security outside the scope of any access control platform. TAC addresses the electronic access control, authentication, monitoring, and audit layer; not the program, asset management, or physical security layers.

Why access control sits at the center of both frameworks

NERC CIP and IEC 62443 use different language and address different industries, but both frameworks reach the same conclusion about OT security: the most consequential controls are at the boundary between IT and OT, not on the OT devices themselves. NERC CIP-005 calls it the Electronic Security Perimeter. IEC 62443 calls it zones and conduits. The principle is identical — define the boundary, control what crosses it, log every crossing.

Both frameworks also expect strong authentication and access management for the humans and systems that reach OT — engineers, vendors, contractors, IT administrators. NERC CIP-007 specifies system security management including account and password controls. IEC 62443 requires identification, authentication, and use control across every level. These are access control problems, not endpoint problems.

TAC is purpose-built for this layer. It sits in the IT/OT DMZ, enforces identity-, posture-, and policy-based access to every system that commands your OT environment, and produces the audit evidence both frameworks expect — without requiring any change to the OT devices themselves.

NERC CIP

Standard Mapping

TAC delivers the technical controls behind CIP-005 (Electronic Security Perimeter) and CIP-007 (System Security Management), with supporting evidence for CIP-004 access management and CIP-010 configuration change monitoring.

Electronic Security Perimeter

CIP-005 — Primary Coverage

| Requirement | How TAC Delivers |
| --- | --- |
| R1 — Electronic Security Perimeter | TAC sits in the IT/OT DMZ as a single-port encrypted reverse proxy, defining and enforcing the ESP boundary. All inbound access to systems inside the OT zone passes through TAC. Other inbound ports are closed. |
| R1.5 — Inbound and outbound access permissions | Per-user, per-system, per-protocol policy enforcement at the proxy. Least-privilege access is defined and applied to every connection to OT-adjacent systems. |
| R2 — Interactive Remote Access | All interactive remote access to OT-adjacent systems is brokered through TAC. The Intermediate System role required by CIP-005 R2 is fulfilled by TAC’s reverse proxy without requiring a separate jump server. |
| R2.1 — Encryption of remote access | All TAC-brokered sessions are encrypted end-to-end on the single TAC port. No unencrypted remote-access paths into the ESP remain after TAC deployment. |
| R2.2 — Multi-factor authentication for remote access | FIDO2, hardware tokens, SafeLogin MFA, push notifications, OTP, and SMS are supported. MFA is enforced on every remote-access session, including vendor and contractor access. |
| R3 — Vendor remote access | Vendor sessions are time-bounded, scoped to specific systems, identity-verified through federation or TAC-managed credentials, and individually logged. Disabling vendor access is immediate and complete. |

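The CIP-005 rows above describe what an Intermediate System has to decide on every inbound request. The following is an added example written for this guide, not TAC’s own code: a small policy-decision point whose rule schema, field names, users and systems are all constructed assumptions. It enforces MFA on every interactive session (R2.2), least privilege per user, system and protocol (R1.5), a time-bounded window for a vendor group (R3), and writes an attributed audit record for every decision, allowed or denied.

```python
"""Policy-decision point for a brokered IT/OT boundary (added example).

Illustrative code written for this guide, not TAC's own code; the rule
schema, field names, systems and users are assumptions constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class Rule:
    principal: str                  # user name or group, e.g. "vendor:acme"
    system: str                     # target system inside the ESP
    protocols: frozenset[str]       # protocols this principal may use to it
    not_before: datetime | None = None   # start of approved window (vendors)
    not_after: datetime | None = None    # end of approved window (vendors)


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset[str]
    system: str
    protocol: str
    mfa_verified: bool
    at: datetime


AUDIT_LOG: list[str] = []   # JSON lines, as a SIEM export would carry them


def decide(rules: list[Rule], req: Request) -> tuple[bool, str]:
    """Evaluate one request and append an attributed audit record."""
    allowed, reason = False, "no rule grants this user access to this system"
    if not req.mfa_verified:
        reason = "MFA not completed"          # CIP-005 R2.2: no exception
    else:
        for rule in rules:
            if rule.principal != req.user and rule.principal not in req.groups:
                continue
            if rule.system != req.system:
                continue
            if req.protocol not in rule.protocols:
                reason = f"protocol {req.protocol} not permitted on {req.system}"
                continue
            if (rule.not_before is not None and req.at < rule.not_before) or (
                rule.not_after is not None and req.at > rule.not_after
            ):
                reason = "outside approved access window"
                continue
            allowed, reason = True, f"matched rule {rule.principal}->{rule.system}"
            break
    AUDIT_LOG.append(json.dumps({
        "ts": req.at.isoformat(), "user": req.user, "system": req.system,
        "protocol": req.protocol, "mfa": req.mfa_verified,
        "decision": "allow" if allowed else "deny", "reason": reason,
    }))
    return allowed, reason


def _utc(hour: int, minute: int = 0) -> datetime:
    return datetime(2024, 6, 1, hour, minute, tzinfo=timezone.utc)


# Constructed rule set: one engineering group, one vendor with a day window.
RULES = [
    Rule("eng-ops", "hmi-01", frozenset({"rdp"})),
    Rule("eng-ops", "historian-01", frozenset({"https"})),
    Rule("vendor:acme", "eng-ws-01", frozenset({"rdp"}),
         not_before=_utc(8), not_after=_utc(17)),
]

# Constructed requests covering allow, wrong protocol, expired window, no MFA.
REQUESTS = [
    Request("alice", frozenset({"eng-ops"}), "hmi-01", "rdp", True, _utc(10)),
    Request("alice", frozenset({"eng-ops"}), "hmi-01", "ssh", True, _utc(10, 5)),
    Request("bob", frozenset({"vendor:acme"}), "eng-ws-01", "rdp", True, _utc(19)),
    Request("bob", frozenset({"vendor:acme"}), "eng-ws-01", "rdp", False, _utc(9)),
    Request("alice", frozenset({"eng-ops"}), "historian-01", "https", True, _utc(11)),
]


def run_samples() -> list[tuple[bool, str]]:
    """Evaluate the constructed requests; returns one decision per request."""
    AUDIT_LOG.clear()
    return [decide(RULES, r) for r in REQUESTS]


if __name__ == "__main__":
    for req, (ok, why) in zip(REQUESTS, run_samples()):
        print(f"{req.user:6} {req.system:13} {req.protocol:6} -> "
              f"{'ALLOW' if ok else 'DENY '} ({why})")
```

The point a reviewer would check is that denial is the default: a request is only allowed when some rule matches the principal, system, protocol and window together, and the audit line records the same reason the user was shown, so the log can be replayed against the rule set during an audit.
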
System Security Management

CIP-007 — Primary Coverage

| Requirement | How TAC Delivers |
| --- | --- |
| R1 — Ports and services | By centralizing remote access through one encrypted port, TAC reduces inbound exposure across all OT-adjacent systems. Unused ports and services on the ESP boundary close as a natural byproduct of TAC deployment. |
| R4 — Security event monitoring | Every authentication attempt, allow/deny decision, session establishment, and policy enforcement event is logged with full attribution. Logs are exportable to a SIEM for retention and correlation per CIP-007 R4 requirements. |
| R5 — System access control | Individual user accounts are authenticated against your IdP. Shared accounts are not required. Account inventory, removal of unnecessary accounts, and password policies are enforced through the upstream identity source TAC consumes. |
| R5.6 — Authentication failure response | Failed authentication attempts are logged and rate-limited at the proxy. Configurable lockout policies prevent brute-force credential attacks against OT-adjacent systems. |

Personnel and Access Management

CIP-004 — Supporting Coverage

| Requirement | How TAC Delivers |
| --- | --- |
| R4 — Access management program | TAC enforces the access decisions made by your access management program: who can reach which OT-adjacent systems, from what devices, at what times. Quarterly reviews are supported by the TAC audit log. |
| R5 — Access revocation | Disabling a user at the upstream IdP immediately revokes that user’s TAC sessions and prevents future access. The CIP-004 R5 same-day revocation timeline is met by default. |

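Two rows above describe behaviour at the broker rather than at the IdP: the CIP-007 R5.6 lockout on repeated authentication failure and the CIP-004 R5 revocation of live sessions when a user is disabled upstream. The following is an added example written for this guide, not TAC’s code; the thresholds, event names and in-memory state are assumptions. It counts failures per account over a sliding window and locks the account past a threshold, logging each failure, and on a disable event from the identity source it tears down that user’s sessions at once and blocks new ones, so revocation does not wait for a session or token to expire.

```python
"""Lockout on repeated authentication failure and identity-driven revocation.

Added example written for this guide, not TAC's code. Thresholds, event
names and the in-memory state are assumptions constructed here.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

FAIL_THRESHOLD = 5                      # failures in window that trigger lockout
FAIL_WINDOW = timedelta(minutes=15)     # sliding window for counting failures
LOCKOUT_DURATION = timedelta(minutes=30)


class Broker:
    def __init__(self, enabled_users: set[str]):
        self.enabled = set(enabled_users)          # mirror of IdP account state
        self.failures = defaultdict(deque)         # user -> failure timestamps
        self.locked_until: dict[str, datetime] = {}
        self.sessions: dict[str, tuple[str, str]] = {}   # id -> (user, system)
        self.events: list[dict] = []               # audit trail, SIEM-bound
        self._seq = 0

    def _log(self, event: str, user: str, when: datetime, **fields) -> None:
        self.events.append({"ts": when.isoformat(), "event": event,
                            "user": user, **fields})

    def authenticate(self, user: str, password_ok: bool, mfa_ok: bool,
                     system: str, now: datetime) -> str | None:
        """Return a session id on success, None on any denial."""
        if user not in self.enabled:
            self._log("deny", user, now, reason="account disabled at IdP")
            return None
        until = self.locked_until.get(user)
        if until is not None and now < until:
            self._log("deny", user, now, reason="locked out", until=until.isoformat())
            return None
        window = self.failures[user]
        while window and now - window[0] > FAIL_WINDOW:   # drop stale failures
            window.popleft()
        if not (password_ok and mfa_ok):
            window.append(now)
            self._log("auth_failure", user, now, failures_in_window=len(window))
            if len(window) >= FAIL_THRESHOLD:
                self.locked_until[user] = now + LOCKOUT_DURATION
                self._log("lockout", user, now,
                          until=self.locked_until[user].isoformat())
            return None
        window.clear()                                     # success resets the count
        self._seq += 1
        sid = f"s{self._seq}"
        self.sessions[sid] = (user, system)
        self._log("session_start", user, now, session=sid, system=system)
        return sid

    def idp_user_disabled(self, user: str, now: datetime) -> list[str]:
        """Handle a deprovisioning event: revoke live sessions, block new ones."""
        self.enabled.discard(user)
        revoked = [sid for sid, (u, _) in self.sessions.items() if u == user]
        for sid in revoked:
            del self.sessions[sid]
            self._log("session_revoked", user, now, session=sid,
                      reason="disabled at IdP")
        return revoked


def demo() -> dict:
    """Drive the broker through constructed events; returns the outcomes."""
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    b = Broker({"alice", "contractor1"})
    # five bad passwords one minute apart -> lockout on the fifth
    for i in range(5):
        b.authenticate("contractor1", False, True, "hmi-01", t0 + timedelta(minutes=i))
    during = b.authenticate("contractor1", True, True, "hmi-01", t0 + timedelta(minutes=6))
    after = b.authenticate("contractor1", True, True, "hmi-01", t0 + timedelta(minutes=40))
    alice = b.authenticate("alice", True, True, "historian-01", t0 + timedelta(minutes=10))
    revoked = b.idp_user_disabled("alice", t0 + timedelta(minutes=20))
    alice_again = b.authenticate("alice", True, True, "historian-01",
                                 t0 + timedelta(minutes=21))
    return {
        "locked_during": during is None,
        "allowed_after": after is not None,
        "alice_session": alice,
        "revoked": revoked,
        "alice_blocked_after_disable": alice_again is None,
        "lockout_events": sum(1 for e in b.events if e["event"] == "lockout"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The lockout fires inside the broker, before any credential is forwarded to the OT-adjacent system, which is what keeps a password-guessing burst from ever reaching the HMI or engineering workstation; the revocation path depends on the broker receiving the IdP disable event promptly, so the latency between the two events is the figure to keep in the audit log.
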
Out of Scope

CIP-002, CIP-003, CIP-006, CIP-009, CIP-010, CIP-011, CIP-013, CIP-014

These standards cover BES Cyber System categorization, security management controls, physical security, recovery planning, configuration change management, information protection, supply chain risk management, and physical protection of control centers. These are program-level, physical, and organizational activities outside the scope of an access control platform. TAC produces audit evidence (session logs, access changes, configuration of the ESP boundary) that supports recordkeeping for several of these standards.

IEC 62443

Foundational Requirements Mapping

TAC supports the foundational requirements (FRs) of IEC 62443-3-3 most relevant to access control, authentication, monitoring, and remote access for industrial systems.

Identification, Authentication, and Use Control

FR 1 & FR 2 — Primary Coverage

| Requirement | How TAC Delivers |
| --- | --- |
| SR 1.1 — Human user identification and authentication | Every human user is authenticated through your upstream IdP before reaching any system inside the OT zone. No shared accounts. Every session is tied to a verified identity. |
| SR 1.2 — Software process and device identification | Non-human identities (service accounts, software, devices) are authenticated through certificates, OAuth, or service mesh identity systems before reaching OT-adjacent systems. |
| SR 1.5 — Authenticator management | TAC consumes authenticators from the upstream IdP; lifecycle management remains in your identity source of truth. TAC can issue session-scoped tokens with no portability outside the proxy. |
| SR 1.7 — Strength of password-based authentication | MFA is enforced on every session regardless of upstream password strength. Multiple factor options are available, including FIDO2, hardware tokens, push, and OTP. |
| SR 2.1 — Authorization enforcement | Per-user, per-system, per-protocol policy decisions are enforced at the proxy on every request. Authorization is not just an initial check but is continuously evaluated throughout the session. |
| SR 2.4 — Mobile code | TAC’s reverse proxy inspects requests at the application layer and can enforce policy on the content of traffic, not just the source and destination. |

System Integrity and Timely Response to Events

FR 3 & FR 6 — Primary Coverage

| Requirement | How TAC Delivers |
| --- | --- |
| SR 3.1 — Communication integrity | All TAC-brokered sessions are TLS-encrypted, protecting against tampering and eavesdropping on the access path to OT-adjacent systems. |
| SR 6.1 — Audit log accessibility | Comprehensive audit log accessible through the TAC console and exportable to SIEM. Every authentication, authorization, and session event is recorded with full attribution. |
| SR 6.2 — Continuous monitoring | Continuous evaluation of identity, posture, and policy throughout every session. Compliance lapses or anomalies trigger real-time session revocation. |

Restricted Data Flow and Resource Availability

FR 5 & FR 7 — Supporting Coverage

| Requirement | How TAC Delivers |
| --- | --- |
| SR 5.1 — Network segmentation | TAC enforces the conduit between IT zones and OT zones. The IT/OT DMZ becomes a defined boundary with one inbound port and policy-based access control rather than a flat network. |
| SR 5.2 — Zone boundary protection | TAC inspects, authenticates, and authorizes every request crossing the IT-to-OT zone boundary. Unauthorized traffic is dropped at the proxy. |
| SR 7.6 — Network and security configurations | Network access configuration for OT-adjacent systems is centralized in the TAC policy engine, simplifying change management and configuration review. |

Out of Scope

FR 4 — Data Confidentiality (at rest)

FR 4 addresses data confidentiality at rest within OT systems — including encryption of stored process data, configuration files, and historical records. This is a function of the OT applications and storage themselves, not of the access control layer. TAC protects data in transit on the access path but does not address data confidentiality on OT systems directly.

One platform. Two frameworks. Same evidence.

NERC CIP and IEC 62443 use different vocabulary and apply to different industries, but the technical evidence they require for access control, authentication, and monitoring is largely the same. A registered entity preparing for a NERC CIP audit and a manufacturer pursuing IEC 62443 certification are looking at the same questions: who reached which systems, with what authentication, under what policy, and what was logged.

TAC produces this evidence as a natural byproduct of operation. The same audit log that demonstrates CIP-005 ESP enforcement also demonstrates IEC 62443 SR 5.2 zone boundary protection. The same authentication records that satisfy CIP-007 R5 also satisfy IEC 62443 SR 1.1. The same revocation timeline that satisfies CIP-004 R5 also supports IEC 62443 lifecycle requirements.
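The claim that one audit stream serves both frameworks is easiest to see when the evidence is actually derived from it. The following is an added example written for this guide, not TAC’s code: the JSON-lines log format and the six sample events are constructed here, and the control pairings follow the ones this guide draws between its two tables. It reads the stream once and produces the findings an auditor asks about under either framework: interactive sessions started without MFA (CIP-005 R2.2 / SR 1.7), denied boundary crossings (CIP-005 R1 / SR 5.2), seconds between an IdP disable and session revocation (CIP-004 R5 / the IEC 62443 lifecycle requirements the guide pairs it with), and whether every event carries a user attribution (CIP-007 R4 / SR 6.1).

```python
"""Derive NERC CIP and IEC 62443 evidence from one audit stream (added example).

Written for this guide, not TAC's code; the log format, the sample lines and
the control pairings are constructed here following the guide's own tables.
"""
import json
from datetime import datetime

# Constructed sample export: one revoked session, one denied crossing, one
# session that started without MFA (the finding an auditor would flag).
SAMPLE_LOG = """\
{"ts":"2024-06-01T10:00:00+00:00","event":"session_start","user":"alice","system":"hmi-01","protocol":"rdp","mfa":true,"session":"s1"}
{"ts":"2024-06-01T10:05:12+00:00","event":"deny","user":"bob","system":"eng-ws-01","protocol":"rdp","reason":"outside approved access window"}
{"ts":"2024-06-01T10:07:00+00:00","event":"session_start","user":"carol","system":"historian-01","protocol":"https","mfa":true,"session":"s2"}
{"ts":"2024-06-01T11:00:00+00:00","event":"idp_user_disabled","user":"alice"}
{"ts":"2024-06-01T11:00:02+00:00","event":"session_revoked","user":"alice","session":"s1","reason":"disabled at IdP"}
{"ts":"2024-06-01T11:30:00+00:00","event":"session_start","user":"dave","system":"hmi-02","protocol":"vnc","mfa":false,"session":"s3"}
"""

# Which control each finding is evidence for in each framework (assumed
# pairings, taken from the guide's mapping tables).
CONTROL_MAP = {
    "sessions_without_mfa": {"NERC CIP": "CIP-005 R2.2", "IEC 62443": "SR 1.7"},
    "denied_crossings":     {"NERC CIP": "CIP-005 R1",   "IEC 62443": "SR 5.2"},
    "revocation_latency_s": {"NERC CIP": "CIP-004 R5",   "IEC 62443": "lifecycle requirements"},
    "attributed_events":    {"NERC CIP": "CIP-007 R4",   "IEC 62443": "SR 6.1"},
}


def parse(lines: str) -> list:
    """Parse JSON lines, skipping blank lines."""
    return [json.loads(l) for l in lines.splitlines() if l.strip()]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def evidence(lines: str) -> dict:
    """Compute the findings for both frameworks from one pass over the log."""
    events = parse(lines)
    sessions = [e for e in events if e["event"] == "session_start"]
    no_mfa = sorted(e["session"] for e in sessions if not e.get("mfa"))
    denied = sum(1 for e in events if e["event"] == "deny")
    # Revocation latency: time from the IdP disable event to each revocation
    # of that user's sessions; report the slowest one per user.
    disabled_at = {e["user"]: _ts(e) for e in events if e["event"] == "idp_user_disabled"}
    latency = {}
    for e in events:
        if e["event"] == "session_revoked" and e["user"] in disabled_at:
            delta = (_ts(e) - disabled_at[e["user"]]).total_seconds()
            latency[e["user"]] = max(latency.get(e["user"], 0.0), delta)
    unattributed = sum(1 for e in events if not e.get("user"))
    return {
        "sessions_total": len(sessions),
        "sessions_without_mfa": no_mfa,
        "denied_crossings": denied,
        "revocation_latency_s": latency,
        "attributed_events": len(events) - unattributed,
        "unattributed_events": unattributed,
        "controls": CONTROL_MAP,
    }


if __name__ == "__main__":
    for key, value in evidence(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real export, the same three numbers would be pasted into a CIP-005/CIP-007 evidence package and an IEC 62443 SR 1.7/SR 5.2/SR 6.1 package; the session that started without MFA is the kind of exception that should be zero, and the revocation latency is the figure that substantiates the same-day claim.
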

For organizations preparing for either audit — or both — this matters operationally. You aren’t running two separate compliance programs for OT access. You’re running one.

Preparing for a NERC CIP or IEC 62443 Audit?

Our team can walk through your OT access architecture and show how TAC delivers the technical access control, authentication, and audit evidence requirements of NERC CIP and IEC 62443.
