Most operators do not get to pick one OT cybersecurity framework. They navigate three or four at once. The executive question is not “which one” — it is “how do these fit together into one program?”
The three frameworks at a glance
NERC CIP is a regulatory standard for the bulk electric system in North America. It is mandatory for registered entities, audited, and enforceable with civil penalties. It is the most mature OT cybersecurity regulatory regime in the world. See NERC CIP keynote.
IEC 62443 is a global, voluntary series of standards for industrial automation and control systems. It is structured around security levels, zones and conduits, and lifecycle security requirements for asset owners, integrators and product suppliers. It is the closest thing the OT world has to a common technical language. See IEC 62443 keynote.
NIST SP 800-82 Revision 3 is a federal guidance document: it applies the NIST Cybersecurity Framework (CSF) to OT and supplies an OT overlay of the SP 800-53 control catalog. It is guidance rather than regulation, but it is the de facto reference vocabulary for OT cybersecurity in the US. See NIST 800-82 keynote.
What each was designed for
NERC CIP was designed to set a baseline of cyber and physical security for the bulk electric system after a series of grid-disturbance events made it clear that voluntary controls were insufficient. The design philosophy is enforceable minimum standards across a population of registered entities.
IEC 62443 was designed by the international standards community to give industrial vendors and operators a common framework for designing, building, integrating, and operating secure industrial control systems. The design philosophy is technical specificity that can be applied across sectors and across geographies.
NIST 800-82 was designed to give US federal stakeholders and the broader US industrial community a common reference document. The design philosophy is alignment with NIST CSF 2.0 and integration with the rest of the NIST publication universe.
Where they overlap
Substantially. The requirements in NERC CIP, the security levels and foundational requirements in IEC 62443, and the practice areas in NIST 800-82 cover much of the same ground in different vocabulary. A program designed against IEC 62443 covers most of NERC CIP's technical content, though not its evidence, timing and reporting obligations; a program documented against NIST CSF 2.0 (with 800-82 as the OT overlay) covers most of IEC 62443 conceptually, though not its architectural specificity.
The overlap is not a bug. It reflects a converging consensus on what good OT cybersecurity actually looks like.
Where they diverge
NERC CIP is the most prescriptive of the three about specific control language, evidence and timelines. IEC 62443 is the most prescriptive about architecture (target security levels, zones and conduits). NIST 800-82 is the least prescriptive; its distinctive contribution is integration with the broader NIST framework and risk-management vocabulary.
For operators that fall under multiple regimes — for example, electric utilities that also operate gas pipelines — the divergences matter. The TSA pipeline directives push toward CISA CPGs and 800-82; the NERC CIP regime pushes toward CIP-specific evidence; the IEC 62443 community emphasizes the architectural backbone.
How to build one program that satisfies all three
The pattern that works for the operators I advise is structured as follows:
- Use NIST CSF 2.0 + 800-82 as the program backbone. The vocabulary is the most portable, and the audit committee already speaks it.
- Use IEC 62443 as the architecture layer. Security levels, zones and conduits, and lifecycle security give the technical structure.
- Use NERC CIP (or the relevant sector regulator) as the evidence layer. Where applicable, the CIP standards drive specific evidence and reporting expectations.
- Add the CISA Cross-Sector Cybersecurity Performance Goals as a board-level scoring system. The CPGs are the cleanest cross-sector translation and the easiest one to brief upward.
This is a layered program: vocabulary, architecture, evidence, scoring. It satisfies all three (or four, with CISA CPGs) without forcing the operator to maintain three (or four) parallel programs.
What this means for the board
The board does not need to know any of these acronyms in detail. They need to know that the program is layered, that the vocabulary is the NIST one (most boards already know it), that the architecture is built to IEC 62443 (zones, conduits and target security levels), that the evidence satisfies the relevant sector regulator, and that the score on CISA CPGs is moving in the right direction.
That is a 20-minute board briefing. The detail underneath it is the program team’s problem.