
Global Quality Services provides end-to-end ISA/IEC 62443 consultancy for SBFZ locators. We cover gap analysis, OT security implementation, internal audit, and certification readiness. Our consultants work directly inside your facility.
ISA/IEC 62443 is the global standard for securing Industrial Automation and Control Systems (IACS) and Operational Technology (OT) environments. It is developed jointly by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC). It applies to manufacturers, system integrators, and component suppliers.
Who Needs ISA/IEC 62443 in Subic Bay Freeport Zone
SBFZ is managed by the Subic Bay Metropolitan Authority (SBMA) under Republic Act 7227. It covers more than 67,000 hectares across Zambales and Bataan. As of 2024, the zone hosts more than 1,800 registered entities and supports 164,400 direct jobs.
Key sectors where ISA/IEC 62443 directly applies:
- Shipbuilding and ship repair, including HD Hyundai’s Agila Subic shipyard
- Electronics and power supply manufacturing, including Sanyo Denki Philippines
- Logistics and port terminal operations
- Defense-related manufacturing and storage facilities
- Cold chain and food processing operations
- Petroleum and fuel handling infrastructure
All of these sectors operate IACS and OT environments. PLCs, SCADA systems, automated port equipment, and networked production lines are standard. Unsecured OT systems in these environments are a direct risk to production continuity and supply chain trust.
Why ISA/IEC 62443 Matters Now for SBFZ Locators
Three things are driving demand for ISA/IEC 62443 certification in SBFZ right now.
Buyer requirements are increasing.
US, South Korean, and Taiwanese buyers are the dominant foreign investors in SBFZ. All three originate from countries where OT security requirements from buyers and regulators are well established. Sanyo Denki’s P2.3 billion expansion at Subic Techno Park in 2024 is one example of the scale of Japanese industrial presence in the zone. Japanese parent companies routinely require OT security documentation from Philippine production facilities.
SBFZ is becoming a strategic defense and industrial hub.
The Agila Subic shipyard, operated by HD Hyundai Heavy Industries, reopened in September 2025. The US Marine Corps has established a logistics prepositioning site inside the zone. Defense-linked manufacturing and supply chain operations carry far higher OT security expectations than standard commercial manufacturing.
Philippine cybersecurity regulation is evolving.
The Department of Information and Communications Technology (DICT) published the National Cybersecurity Plan 2023-2028. It covers industrial and critical systems security across all sectors. The Cybercrime Investigation and Coordinating Center (CICC) enforces Republic Act 10175 across all networked organizations in the Philippines. ISA/IEC 62443 is the framework that addresses these requirements for OT environments.
What ISA/IEC 62443 Covers
The ISA/IEC 62443 series is organized into four parts:
- Part 1 (General): Core concepts, terminology, and the Zones and Conduits model
- Part 2 (Policies and Procedures): For asset owners. Covers governance, patch management, and cybersecurity management programs
- Part 3 (System): For system integrators. Covers risk assessment, security levels, and system design
- Part 4 (Component): For manufacturers. Covers technical security requirements for devices, software, and secure development
The Zones and Conduits model is central to the standard. It divides the IACS environment into security zones based on risk. It defines the communication channels, called conduits, between zones. Each zone gets a Security Level based on its required protection.
Certification Programs Available
Formal certification runs through the ISASecure program, managed by the ISA Security Compliance Institute:
- Component Security Assurance (CSA): Certifies individual IACS components such as PLCs, embedded devices, and network equipment against ISA/IEC 62443-4-2 and 4-1
- IIoT Component Security Assurance (ICSA): Enhanced certification for IIoT components with internet connectivity. Includes two assurance tiers.
- System Security Assurance (SSA): Certifies integrated control systems such as SCADA or DCS platforms against ISA/IEC 62443-3-3
- Security Development Lifecycle Assurance (SDLA): Certifies a product supplier’s development process against ISA/IEC 62443-4-1 at maturity level 3 or 4
Most SBFZ manufacturers operating as asset owners pursue program alignment under Part 2-1. This establishes a verified IACS cybersecurity management program across defined production zones.
Key Certification Requirements
These requirements apply to all SBFZ organizations pursuing ISA/IEC 62443 certification:
- Risk Assessment: Map threats, vulnerabilities, and consequences across all IACS zones and conduits. Must follow ISA/IEC 62443-3-2.
- Security Level Definition: Set Target Security Levels per zone. Verify Achieved Security Levels meet those targets.
- Zones and Conduits Design: Partition the IACS environment into security zones. Document all inter-zone communication with protective controls.
- IACS Cybersecurity Management Program: Build documented governance, policies, and assigned responsibilities aligned to ISA/IEC 62443-2-1.
- Patch Management: Create a repeatable process for identifying, testing, and applying patches. Must protect production availability.
- Supply Chain Security: Assess all third-party suppliers and service providers connecting to the IACS environment.
- Incident Response: Document OT-specific detection, containment, response, and recovery procedures.
- Lifecycle Management: Address cybersecurity from design and procurement through to decommissioning.
Steps to Get Certified at Subic Bay Freeport Zone
In Subic Bay Freeport Zone, OT security is no longer a back-office concern. Shipbuilders, electronics assemblers, power supply manufacturers, and logistics operators all run networked production and control systems. Buyers and regulators are now requiring documented, independently verified OT security from these operations.
Step 1: Scoping and Asset Inventory
Define the certification boundary. Identify all IACS assets. Map communication paths. Separate IT and OT environments clearly inside your SBFZ facility.
Step 2: Gap Analysis
Compare your existing OT security controls against the applicable ISA/IEC 62443 parts. Produce a prioritized remediation plan tied to your certification pathway.
Step 3: Zone and Conduit Mapping
Document all security zones. Assign Security Level targets from risk assessment. Design conduit controls between zones.
Step 4: Formal Risk Assessment
Conduct a structured assessment aligned to ISA/IEC 62443-3-2. Cover threat identification, vulnerability analysis, and consequence evaluation specific to your SBFZ operations.
Step 5: Program Implementation
Develop and deploy policies, technical controls, training, and organizational measures. Achieve the defined Security Levels across all zones.
Step 6: Internal Audit
Audit against the applicable ISA/IEC 62443 parts. Identify gaps. Close all non-conformances before approaching a certification body.
Step 7: Certification Assessment
Engage an accredited ISASecure certification body. Complete the formal evaluation.
Step 8: Post-Certification Maintenance
Sustain certification through monitoring, patch management, reassessments, and program updates as threats evolve.
Industries in SBFZ That Benefit from ISA/IEC 62443
Here are the industries that must file for the certification:
Shipbuilding and Ship Repair
The Agila Subic shipyard operated by HD Hyundai Heavy Industries is the anchor project in this sector. Shipbuilding uses large-scale PLC and SCADA systems for crane control, welding automation, and dry dock management. Defense-linked clients and international shipowners require verifiable OT security from their yard partners.
Electronics and Power Supply Manufacturing
Sanyo Denki Philippines manufactures uninterrupted power supplies, cooling fans, servo amplifiers, and stepping motors at Subic Techno Park. These are OT-intensive products built on OT-intensive production lines. Japanese parent company expectations for OT security compliance are among the highest in the manufacturing world.
Port Terminal and Logistics Operations
The Subic New Container Terminal handles up to 600,000 TEUs annually. Port terminal operations rely on automated crane systems, berth management software, and networked cargo handling equipment. These are IACS environments. A security incident affecting terminal control systems has immediate commercial and safety consequences.
Defense-Related Manufacturing and Storage
The US Marine Corps operates a prepositioning logistics site inside SBFZ. Defense-linked supply chain and storage operations carry strict OT security requirements from both Philippine and US partner requirements. ISA/IEC 62443 is the relevant framework.
Petroleum and Fuel Handling
Multiple petroleum distributors and fuel trading companies operate within SBFZ. Fuel storage and distribution involves automated valve control, flow metering, and tank monitoring systems. The Department of Energy (DOE) and DENR both regulate these operations. Secure control systems are part of responsible compliance.
Food Processing and Cold Chain
Cold storage and food processing locators operate temperature control and automated processing systems. The Food and Drug Administration Philippines (FDA) regulates food safety standards for these operations. Securing the automation systems behind those standards is increasingly expected by export buyers.
Philippine Regulatory Framework
SBFZ locators should track these frameworks:
- Republic Act 7227 (Bases Conversion and Development Act of 1992): Established SBFZ and the SBMA. Governs operating obligations for all SBFZ locators including standards and compliance requirements.
- Republic Act 10175 (Cybercrime Prevention Act of 2012): Applies to all Philippine organizations operating networked systems. Enforced by DICT and CICC.
- National Cybersecurity Plan 2023-2028: DICT’s national roadmap covering industrial and critical systems security.
- Data Privacy Act of 2012: Enforced by the National Privacy Commission (NPC). Applies to SBFZ locators processing personal data alongside OT systems.
- Board of Investments (BOI): BOI and SBMA are actively collaborating to promote sustainable and compliant industrial operations inside SBFZ, including energy and cybersecurity standards.
Why Choose Global Quality Services
GQS has supported certification projects across Philippine manufacturing and economic zones for 26 years. We work inside your facility. We do not apply generic IT checklists to OT environments.
Production availability is non-negotiable for SBFZ operators. Our consultants understand that. Every engagement starts from your actual plant topology, not a template.
With GQS, SBFZ locators receive:
- Scoping and asset inventory that correctly defines IACS boundaries inside your facility
- Gap analysis mapped to your pathway, whether asset owner program alignment, SSA, CSA, or ICSA
- Zones and conduit documentation and Security Level assignment using your actual plant layout
- Formal risk assessment specific to your SBFZ operations and threat environment
- Policy, procedure, and technical control development aligned to the applicable standard parts
- Internal audit against ISA/IEC 62443, not generic IT checklists
- Certification audit coordination with your chosen ISASecure-accredited body
- Post-certification support including patch management review and periodic reassessments
- Scope extension to ISO 27001, ISO 22301, or VAPT for organizations consolidating OT and IT compliance under one engagement
Contact Global Quality Services to start your ISA/IEC 62443 certification engagement in Subic Bay Freeport Zone.
Frequently Asked Questions
What is ISA/IEC 62443 and does it apply to my SBFZ business?
ISA/IEC 62443 applies to any organization that operates, integrates, or supplies IACS and OT environments. In SBFZ, that includes shipbuilders, electronics manufacturers, port terminal operators, petroleum handlers, and food processors. If your facility runs PLCs, SCADA systems, automated production lines, or networked control equipment, the standard applies to you.
Is ISA/IEC 62443 mandatory for SBFZ locators?
No Philippine law currently mandates it for all SBFZ locators. But buyer-driven requirements from US, South Korean, Taiwanese, and Japanese partners are making it a practical requirement for many sectors inside the zone. Defense-linked operations inside SBFZ face even stronger OT security expectations from their partners. Companies that wait for a legal mandate typically face it first in a supplier audit or contract clause.
How long does certification take for an SBFZ facility?
Most facilities with documented OT environments and some existing cybersecurity controls complete gap analysis through certification in six to twelve months. Facilities with limited OT documentation or those pursuing SSA or SDLA certification should plan for longer. GQS provides a detailed timeline during the initial scoping session.
What is the difference between CSA, SSA, and SDLA?
CSA certifies individual IACS components against ISA/IEC 62443-4-2 and 4-1. SSA certifies an integrated control system such as a SCADA or DCS against ISA/IEC 62443-3-3. SDLA certifies a product supplier’s development process against ISA/IEC 62443-4-1. SBFZ asset owners typically focus on program alignment under Part 2-1. Component manufacturers and OEMs pursue CSA or SDLA.
Can GQS combine ISA/IEC 62443 with ISO 27001 or other certifications?
Yes. ISO 27001 covers IT information security. ISA/IEC 62443 is built for OT environments where safety and availability come first. The two are complementary. GQS coordinates combined implementations within a single engagement. SBFZ locators holding ISO 9001, ISO 14001, or ISO 22301 can include those in the same integrated scope.