Global Quality Services provides end-to-end ISA/IEC 62443 consultancy for SBFZ locators. We cover gap analysis, OT security implementation, internal audit, and certification readiness. Our consultants work directly inside your facility.

ISA/IEC 62443 is the global standard for securing Industrial Automation and Control Systems (IACS) and Operational Technology (OT) environments. It is developed jointly by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC). It applies to manufacturers, system integrators, and component suppliers.

Who Needs ISA/IEC 62443 in Subic Bay Freeport Zone

SBFZ is managed by the Subic Bay Metropolitan Authority (SBMA) under Republic Act 7227. It covers more than 67,000 hectares across Zambales and Bataan. As of 2024, the zone hosts more than 1,800 registered entities and supports 164,400 direct jobs.

Key sectors where ISA/IEC 62443 directly applies:

  • Shipbuilding and ship repair, including HD Hyundai’s Agila Subic shipyard
  • Electronics and power supply manufacturing, including Sanyo Denki Philippines
  • Logistics and port terminal operations
  • Defense-related manufacturing and storage facilities
  • Cold chain and food processing operations
  • Petroleum and fuel handling infrastructure

All of these sectors operate IACS and OT environments. PLCs, SCADA systems, automated port equipment, and networked production lines are standard. Unsecured OT systems in these environments are a direct risk to production continuity and supply chain trust.

Why ISA/IEC 62443 Matters Now for SBFZ Locators

Three things are driving demand for ISA/IEC 62443 certification in SBFZ right now.

Buyer requirements are increasing.
US, South Korean, and Taiwanese buyers are the dominant foreign investors in SBFZ. All three originate from countries where OT security requirements from buyers and regulators are well established. Sanyo Denki’s P2.3 billion expansion at Subic Techno Park in 2024 is one example of the scale of Japanese industrial presence in the zone. Japanese parent companies routinely require OT security documentation from Philippine production facilities.

SBFZ is becoming a strategic defense and industrial hub.
The Agila Subic shipyard, operated by HD Hyundai Heavy Industries, reopened in September 2025. The US Marine Corps has established a logistics prepositioning site inside the zone. Defense-linked manufacturing and supply chain operations carry far higher OT security expectations than standard commercial manufacturing.

Philippine cybersecurity regulation is evolving.
The Department of Information and Communications Technology (DICT) published the National Cybersecurity Plan 2023-2028. It covers industrial and critical systems security across all sectors. The Cybercrime Investigation and Coordinating Center (CICC) enforces Republic Act 10175 across all networked organizations in the Philippines. ISA/IEC 62443 is the framework that addresses these requirements for OT environments.

What ISA/IEC 62443 Covers

The ISA/IEC 62443 series is organized into four parts:

  • Part 1 (General): Core concepts, terminology, and the Zones and Conduits model
  • Part 2 (Policies and Procedures): For asset owners. Covers governance, patch management, and cybersecurity management programs
  • Part 3 (System): For system integrators. Covers risk assessment, security levels, and system design
  • Part 4 (Component): For manufacturers. Covers technical security requirements for devices, software, and secure development

The Zones and Conduits model is central to the standard. It divides the IACS environment into security zones based on risk. It defines the communication channels, called conduits, between zones. Each zone gets a Security Level based on its required protection.

Certification Programs Available

Formal certification runs through the ISASecure program, managed by the ISA Security Compliance Institute:

  • Component Security Assurance (CSA): Certifies individual IACS components such as PLCs, embedded devices, and network equipment against ISA/IEC 62443-4-2 and 4-1
  • IIoT Component Security Assurance (ICSA): Enhanced certification for IIoT components with internet connectivity. Includes two assurance tiers.
  • System Security Assurance (SSA): Certifies integrated control systems such as SCADA or DCS platforms against ISA/IEC 62443-3-3
  • Security Development Lifecycle Assurance (SDLA): Certifies a product supplier’s development process against ISA/IEC 62443-4-1 at maturity level 3 or 4

Most SBFZ manufacturers operating as asset owners pursue program alignment under Part 2-1. This establishes a verified IACS cybersecurity management program across defined production zones.

Key Certification Requirements

These requirements apply to all SBFZ organizations pursuing ISA/IEC 62443 certification:

  • Risk Assessment: Map threats, vulnerabilities, and consequences across all IACS zones and conduits. Must follow ISA/IEC 62443-3-2.
  • Security Level Definition: Set Target Security Levels per zone. Verify Achieved Security Levels meet those targets.
  • Zones and Conduits Design: Partition the IACS environment into security zones. Document all inter-zone communication with protective controls.
  • IACS Cybersecurity Management Program: Build documented governance, policies, and assigned responsibilities aligned to ISA/IEC 62443-2-1.
  • Patch Management: Create a repeatable process for identifying, testing, and applying patches. Must protect production availability.
  • Supply Chain Security: Assess all third-party suppliers and service providers connecting to the IACS environment.
  • Incident Response: Document OT-specific detection, containment, response, and recovery procedures.
  • Lifecycle Management: Address cybersecurity from design and procurement through to decommissioning.

Steps to Get Certified at Subic Bay Freeport Zone

In Subic Bay Freeport Zone, OT security is no longer a back-office concern. Shipbuilders, electronics assemblers, power supply manufacturers, and logistics operators all run networked production and control systems. Buyers and regulators are now requiring documented, independently verified OT security from these operations.

Step 1: Scoping and Asset Inventory

Define the certification boundary. Identify all IACS assets. Map communication paths. Separate IT and OT environments clearly inside your SBFZ facility.

Step 2: Gap Analysis

Compare your existing OT security controls against the applicable ISA/IEC 62443 parts. Produce a prioritized remediation plan tied to your certification pathway.

Step 3: Zone and Conduit Mapping

Document all security zones. Assign Security Level targets from risk assessment. Design conduit controls between zones.

Step 4: Formal Risk Assessment

Conduct a structured assessment aligned to ISA/IEC 62443-3-2. Cover threat identification, vulnerability analysis, and consequence evaluation specific to your SBFZ operations.

Step 5: Program Implementation

Develop and deploy policies, technical controls, training, and organizational measures. Achieve the defined Security Levels across all zones.

Step 6: Internal Audit

Audit against the applicable ISA/IEC 62443 parts. Identify gaps. Close all non-conformances before approaching a certification body.

Step 7: Certification Assessment

Engage an accredited ISASecure certification body. Complete the formal evaluation.

Step 8: Post-Certification Maintenance

Sustain certification through monitoring, patch management, reassessments, and program updates as threats evolve.

Industries in SBFZ That Benefit from ISA/IEC 62443

Here are the industries that must file for the certification:

Shipbuilding and Ship Repair

The Agila Subic shipyard operated by HD Hyundai Heavy Industries is the anchor project in this sector. Shipbuilding uses large-scale PLC and SCADA systems for crane control, welding automation, and dry dock management. Defense-linked clients and international shipowners require verifiable OT security from their yard partners.

Electronics and Power Supply Manufacturing

Sanyo Denki Philippines manufactures uninterrupted power supplies, cooling fans, servo amplifiers, and stepping motors at Subic Techno Park. These are OT-intensive products built on OT-intensive production lines. Japanese parent company expectations for OT security compliance are among the highest in the manufacturing world.

Port Terminal and Logistics Operations

The Subic New Container Terminal handles up to 600,000 TEUs annually. Port terminal operations rely on automated crane systems, berth management software, and networked cargo handling equipment. These are IACS environments. A security incident affecting terminal control systems has immediate commercial and safety consequences.

Defense-Related Manufacturing and Storage

The US Marine Corps operates a prepositioning logistics site inside SBFZ. Defense-linked supply chain and storage operations carry strict OT security requirements from both Philippine and US partner requirements. ISA/IEC 62443 is the relevant framework.

Petroleum and Fuel Handling

Multiple petroleum distributors and fuel trading companies operate within SBFZ. Fuel storage and distribution involves automated valve control, flow metering, and tank monitoring systems. The Department of Energy (DOE) and DENR both regulate these operations. Secure control systems are part of responsible compliance.

Food Processing and Cold Chain

Cold storage and food processing locators operate temperature control and automated processing systems. The Food and Drug Administration Philippines (FDA) regulates food safety standards for these operations. Securing the automation systems behind those standards is increasingly expected by export buyers.

Philippine Regulatory Framework

SBFZ locators should track these frameworks:

Why Choose Global Quality Services

GQS has supported certification projects across Philippine manufacturing and economic zones for 26 years. We work inside your facility. We do not apply generic IT checklists to OT environments.

Production availability is non-negotiable for SBFZ operators. Our consultants understand that. Every engagement starts from your actual plant topology, not a template.

With GQS, SBFZ locators receive:

  • Scoping and asset inventory that correctly defines IACS boundaries inside your facility
  • Gap analysis mapped to your pathway, whether asset owner program alignment, SSA, CSA, or ICSA
  • Zones and conduit documentation and Security Level assignment using your actual plant layout
  • Formal risk assessment specific to your SBFZ operations and threat environment
  • Policy, procedure, and technical control development aligned to the applicable standard parts
  • Internal audit against ISA/IEC 62443, not generic IT checklists
  • Certification audit coordination with your chosen ISASecure-accredited body
  • Post-certification support including patch management review and periodic reassessments
  • Scope extension to ISO 27001, ISO 22301, or VAPT for organizations consolidating OT and IT compliance under one engagement

Contact Global Quality Services to start your ISA/IEC 62443 certification engagement in Subic Bay Freeport Zone.

Frequently Asked Questions

What is ISA/IEC 62443 and does it apply to my SBFZ business?

ISA/IEC 62443 applies to any organization that operates, integrates, or supplies IACS and OT environments. In SBFZ, that includes shipbuilders, electronics manufacturers, port terminal operators, petroleum handlers, and food processors. If your facility runs PLCs, SCADA systems, automated production lines, or networked control equipment, the standard applies to you.

Is ISA/IEC 62443 mandatory for SBFZ locators?

No Philippine law currently mandates it for all SBFZ locators. But buyer-driven requirements from US, South Korean, Taiwanese, and Japanese partners are making it a practical requirement for many sectors inside the zone. Defense-linked operations inside SBFZ face even stronger OT security expectations from their partners. Companies that wait for a legal mandate typically face it first in a supplier audit or contract clause.

How long does certification take for an SBFZ facility?

Most facilities with documented OT environments and some existing cybersecurity controls complete gap analysis through certification in six to twelve months. Facilities with limited OT documentation or those pursuing SSA or SDLA certification should plan for longer. GQS provides a detailed timeline during the initial scoping session.

What is the difference between CSA, SSA, and SDLA?

CSA certifies individual IACS components against ISA/IEC 62443-4-2 and 4-1. SSA certifies an integrated control system such as a SCADA or DCS against ISA/IEC 62443-3-3. SDLA certifies a product supplier’s development process against ISA/IEC 62443-4-1. SBFZ asset owners typically focus on program alignment under Part 2-1. Component manufacturers and OEMs pursue CSA or SDLA.

Can GQS combine ISA/IEC 62443 with ISO 27001 or other certifications?

Yes. ISO 27001 covers IT information security. ISA/IEC 62443 is built for OT environments where safety and availability come first. The two are complementary. GQS coordinates combined implementations within a single engagement. SBFZ locators holding ISO 9001, ISO 14001, or ISO 22301 can include those in the same integrated scope.