Learn everything about IEC 62443 certifications: benefits, arguments for certification, costs, procedures, requirements and schemes. This article explains the available programs and the typical certification process.
Reasons for an IEC 62443 certification
A certification without a regulatory requirement is primarily a marketing and sales instrument that companies can use to differentiate themselves from competitors and for promotional purposes.
In certain industries (e.g., the rail industry), many operators of automation systems are starting to require certified suppliers, components and systems. In these cases, a certification enables market access.
Moreover, implementing and complying with the requirements of internationally recognized standards, and verifying that compliance through certification, helps minimize many cybersecurity risks.
The individual reasons for certification vary widely and often depend on a company’s specific circumstances. The following is a selection of additional points in favor of certification.
Improve cybersecurity
- Meet security requirements: IEC 62443 defines specific security requirements for different areas, from organizational processes to technical components. Certification confirms that these requirements are met.
- Minimize cybersecurity risks: By implementing the security measures specified in the standard, companies can identify and remediate potential vulnerabilities before they can be exploited.
- Continuous improvement: Certification promotes a culture of continuous improvement in security processes and technologies.
Improve reputation, trust and credibility
- Attract and retain customers: An IEC 62443 certification signals to customers that a company adheres to high security standards, which can strengthen customer retention and acquisition.
- Brand reputation: An IEC 62443 certification enhances brand reputation and demonstrates that the company can operate securely and reliably.
- Global recognition: Companies certified to IEC 62443 enjoy worldwide recognition for their security standards, facilitating market access in different regions.
- Market advantage: Certified companies can differentiate themselves from competitors and strengthen their market position.
Avoid legal and financial consequences
- Regulatory compliance: An IEC 62443 certification helps companies meet the requirements of the Cyber Resilience Act and other regulatory frameworks. This can protect companies from legal consequences and heavy fines.
- Legal protection: By fulfilling IEC 62443 requirements, many aspects of the Cyber Resilience Act and other regulatory requirements are implemented, helping companies avoid legal consequences and potential fines.
- Financial protection: Avoid costs resulting from security incidents, including data loss, production outages and reputational damage.
The different IEC 62443 certification programs
There are a variety of certification programs (certification schemes) for IEC 62443. The IEC 62443 series itself does not define specific certification programs but provides a framework that testing organizations can use to develop their own programs. These programs align with the different parts of IEC 62443.
Proprietary certification programs from certification bodies
Various testing organizations such as the TÜVs in Germany have developed their own IEC 62443 certification programs and had them accredited. These programs each offer their own certifications for the individual parts of the IEC 62443 standards and demonstrate that companies and products meet the standard requirements.
Some of the best-known testing and certification organizations include the following:
- TÜV Nord (https://www.tuev-nord.de/de/unternehmen/zertifizierung/produktzertifizierung/funktionale-sicherheit/sicherheit-fuer-die-industrie-40/zertifizierung-nach-iec-62443/)
- TÜV Rheinland (https://www.tuv.com/germany/de/iec-62443-zertifizierung.html)
- TÜV SÜD (https://www.tuvsud.com/de-de/dienstleistungen/produktpruefung-und-produktzertifizierung/zertifizierung-nach-iec62443)
- Bureau Veritas (https://www.bureauveritas.de/unsere-services/iec-62443-zertifizierung-bureau-veritas)
- UL (https://www.ul.com/services/isaiec-62443-services)
These organizations are typically accredited and therefore subject to strict quality controls that ensure the integrity and reliability of the certifications.
ISASecure certification
ISASecure (https://isasecure.org/) is a certification program developed by the ISA Security Compliance Institute (ISCI) and is based on IEC 62443. ISASecure’s main goals are to reduce security risks and increase trust in industrial automation systems through rigorous testing and certification procedures.
ISASecure certifications are recognized worldwide and provide an additional level of security and trust for companies and their customers. The certifications are designed to demonstrate compliance with the relevant parts of the IEC 62443 standards:
- Component Security Assurance (CSA): This certification is based on IEC 62443-4-2 and assesses the security of components used in industrial automation and control systems.
- System Security Assurance (SSA): This certification is based on IEC 62443-3-3 and focuses on the security of complete automation systems. It ensures that the entire system, including all components and communication paths, meets IEC 62443 requirements.
- Security Development Lifecycle Assurance (SDLA): This certification is based on IEC 62443-4-1 and audits the security-related processes and practices manufacturers apply when developing automation products. The goal is to ensure that security considerations are taken into account throughout the development lifecycle.
By testing against the IEC 62443 requirements, ISASecure ensures that products and systems are robust against cyberattacks and that security risks are minimized.
IECEE CB Scheme
The IECEE CB Scheme (https://www.iecee.org/who-we-are/cb-scheme) is an international system for mutual recognition of test reports and certificates for electrical devices and components. Its aim is to facilitate international trade by simplifying national certification and approval.
An Industrial Cyber Security Program has been developed for the CB Scheme (https://www.iecee.org/dyn/www/f?p=107:558:::::P558_DOCUMENT_FILE_ID:3146912). This program provides a framework to be assessed against IEC 62443 and to obtain an IECEE conformity certificate for industrial cyber security capabilities.
IEC 62443 supplies the requirements and processes as well as the technical capabilities. Based on the Industrial Cyber Security Program, the applicant’s capabilities are then assessed.
Within the Industrial Cyber Security Program, the security capabilities of an applicant are evaluated - capabilities they use for the development, integration and/or maintenance of certain products or solutions.
By integrating IEC 62443 into the established CB Scheme, a globally recognized assessment and certification of industrial cyber security capabilities is enabled.
Comparison of IEC 62443 certification programs
| Certification subject | IECEE CB-Scheme | ISASecure | TÜV SÜD Mark |
|---|---|---|---|
| Management system for operation <br>(IEC 62443-2-1 / ISO 27001) | No | No 2) | Yes |
| Integration processes <br>(IEC 62443-2-4) | Yes | No 2) | Yes |
| Reference architectures / blueprints <br>(IEC 62443-2-4 & -3-3) | Yes 1) | No 2) | Yes |
| Development processes <br>(IEC 62443-4-1) | Yes | Yes <br>(ISASecure SDLA) | Yes |
| (Control) systems <br>(IEC 62443-4-1 & -3-3) | Yes 1) | Yes <br>(ISASecure SSA) | Yes |
| Products / components <br>(IEC 62443-4-1 & -4-2) | Yes | Yes <br>(ISASecure CSA) | Yes |
1) Both standards can be certified individually, but combining them with processes is not mandatory.
2) ISASecure currently does not offer certifications of operation or of integration and maintenance processes. Under the name ISASecure IACSSA (https://isasecure.org/isasecure-isa/iec-62443-site-assessment-acssa-program-industry-perspectives-updates) a certification program for operators and the automation and control systems used there is currently being designed, which will consolidate requirements from various IEC 62443 parts.
Possible IEC 62443 certifications
The commonly offered certifications can be grouped according to the underlying parts of the standard. Depending on the certification program, there are interdependencies (e.g., most programs require conformity with IEC 62443-4-1 for an IEC 62443-4-2 certification).
Each certification within the IEC 62443 series has specific requirements and objectives:
Management systems for OT (IEC 62443-2-1)
- Focus on implementing a comprehensive information security management system (ISMS) for industrial automation and control systems (IACS).
- Assessment of an organization’s ability to establish and maintain an effective ISMS.
- Review of risk management processes and security policies.
- This certification is particularly relevant for operators of IACS and organizations that manage critical infrastructures.

Integration and maintenance processes (IEC 62443-2-4)
- Focus on organizational security processes.
- Examination of the implementation and maintenance of security management systems.
- This certification is aimed at organizations that design, develop, implement and maintain industrial automation and control systems (IACS).
- It assesses the organization’s security processes and practices, including patch management, configuration management and incident response.
- Particularly relevant for system integrators and service providers in industrial automation.

Systems and reference architectures (IEC 62443-3-3)
- Assessment of systems against security requirements.
- Consideration of the whole system, including the integration of security measures.
- This certification targets complete systems and checks whether they meet the security requirements.
- It is especially relevant for operators when selecting secure automation solutions.
- Consideration of aspects such as zoning, conduits and system hardening.

Development processes (IEC 62443-4-1)
- Covers the development process of security-relevant components.
- Evaluates security practices throughout the product lifecycle, including design, development, testing and maintenance.
- Focus on integrating security aspects into the software development process (secure development lifecycle).
- Review of practices such as threat modeling, secure design, secure coding and vulnerability management.
- Particularly relevant for manufacturers of IACS components and software.

Components (IEC 62443-4-2)
- Evaluates the security features of individual components.
- This certification is aimed at individual components such as controllers, network devices and software.
- It assesses whether components meet specific security requirements, including features like authentication, encryption and logging.
- Differentiation between types of components: software applications, embedded devices, host devices and network devices.
- Particularly relevant for manufacturers of IACS components and end users selecting secure products.
Meaning of the individual IEC 62443 certifications
There is often uncertainty about what each certification actually states. For better understanding, it helps to compare the concrete certification statements of the individual certifications.
Certification statements are declarations that confirm conformity with the specific requirements of the IEC 62443 standards. Their precise meanings can typically be derived from the certification programs, but they often differ in detail.
A simplified overview of what each certification means can be found in the following table:
| Certification subject | Standards | Simplified meaning |
|---|---|---|
| Development process | IEC 62443-4-1 with Maturity Level 2 | “we can develop securely” <br>The company is capable of developing secure components and systems. |
| Development process | IEC 62443-4-1 with Maturity Level 3 or 4 | “we develop securely” <br>The company develops components / systems securely. |
| Component / product | IEC 62443-4-2 <br>(requires IEC 62443-4-1 at Maturity Level 3 or 4) | “our product is secure / was developed securely” <br>The component was developed securely and provides certain security functions. |
| System | IEC 62443-3-3 with IEC 62443-4-1 at Maturity Level 3 or 4 | “our system is secure / was developed securely” <br>The system was designed securely and provides certain security functions. |
| System | IEC 62443-3-3 (without process) | “our system has security features” <br>The system provides certain security functions. |
| Integration processes | IEC 62443-2-4 with Maturity Level 2 | “we can integrate securely” <br>The company can integrate / maintain automation solutions securely. |
| Integration processes | IEC 62443-2-4 with Maturity Level 3 or 4 | “we integrate securely” <br>The company integrates / maintains automation solutions securely. |
| Reference architectures | IEC 62443-2-4 with IEC 62443-3-3 | “our solution is secure and we can integrate it securely” <br>The system provides certain security functions and the company can securely integrate / build it. |
| Management system | IEC 62443-2-1 | “we manage our security risks” <br>The organization has appropriate responsibilities and processes to manage security risks in OT. |
For process certifications, care should be taken to ensure that all departments and locations involved in service delivery (e.g., development, integration) are within the scope of the certification.
In particular, certifications of security functions (i.e., IEC 62443-3-3 and IEC 62443-4-2) without a connection to processes (e.g., IEC 62443-4-1 or IEC 62443-2-4) are limited in what they actually attest. Without verification of the processes, these certificates only confirm that certain security functions exist - not, as is often mistakenly assumed, that the product is secure or that the functions are sensibly implemented.
The IEC 62443 certification process
The course of an IEC 62443 certification is a multi-stage process that typically begins with an inquiry or an order from the interested company. This is followed by a comprehensive preparation phase, which usually includes a pre-assessment or pre-audit to determine the company’s current status and whether it is ready for the various certification levels (ML 2, ML 3).
Based on the results of this analysis, certifications according to IEC 62443-4-1 for ML 2 or ML 3 can be pursued. If the company does not yet meet the requirements, necessary policies and processes are defined and implemented. This is done either in-house or with the support of suitable consultants. An essential component is also the examination of product conformity to ensure the product meets the requirements. If necessary, additional security features must be implemented before certification can take place.
The actual certification process typically consists of a document review followed by an on-site audit. Based on these assessments, a detailed report is prepared and submitted to the responsible certification body, which then decides whether to issue the certificate. Upon successful certification, an official certificate and a comprehensive report are issued.
The following image illustrates the path to product certification according to IEC 62443-4-1 and IEC 62443-4-2.
Overview of the path to product certification according to IEC 62443
To maintain the validity of the certification, regular surveillance audits take place as part of the recertification cycle. This structured process ensures continuous compliance with security standards and promotes ongoing improvement of cybersecurity in industrial automation and control systems.
The role of surveillance in IEC 62443 certifications
After a certification is granted, it is crucial that the certified organization or the certified system continues to meet the requirements. Regular surveillance audits are carried out for this purpose.
The frequency of these checks varies depending on the certification program, but surveillance audits typically take place annually during the validity period of the certificate. When this period expires, the certificate is renewed or extended, which requires a full re-certification.
As part of these regular checks, the certifier ensures that the implemented security measures continue to be in place and effective. This guarantees continuous compliance with IEC 62443 standards and the maintenance of a high security level.
Costs of an IEC 62443 certification
The costs of an IEC 62443 certification vary significantly and depend on a variety of factors. The most important influencing factors include the specific standards to be certified, the chosen certification program (such as TÜV, ISASecure or CB-Scheme), the targeted maturity level of the processes, and the size and complexity of the company or product to be certified. Company structure, especially the number of sites and employees, also plays a role, as does the complexity of the development processes - for example, whether they are globally distributed or local at one site. The type of product or system to be certified also significantly affects costs: a simple sensor requires less effort than a complex distributed control system (DCS) or SCADA system. Optional certifier services such as workshops or pre-assessments can further increase the total costs.
Based on experience, rough cost estimates can be made:
- For process certifications (i.e., IEC 62443-4-1 or IEC 62443-2-4) at Maturity Level 2, costs can range between €15,000 and €35,000. For higher maturity levels (3 or 4), costs increase accordingly, although the effort is lower if an ML 2 certification already exists.
- Product certifications to IEC 62443-4-2, based on an already certified IEC 62443-4-1 process, typically range from €25,000 to €50,000.
- For certification of a system or blueprint to IEC 62443-2-4 or -3-3, expect costs between €30,000 and €50,000.
It is important to understand that these figures are only rough estimates and can vary significantly in individual cases.
In addition to the initial certification costs, there are further costs for annual surveillances and re-certifications in subsequent years while the certificate remains valid. The costs depend heavily on the certification program used, the scope of the certificate (e.g., sites), the certificate validity period and the certifier. In practice, these costs range from a few thousand euros per year for simple surveillances up to nearly the full amount of the initial certification.
If you are pursuing an IEC 62443 certification and are unsure about expected costs, required budgets or the selection of an appropriate certifier, we will gladly help you with our experience.
Certified companies, products and systems
Transparency around issued certifications varies significantly between different certification programs and testing organizations. Both testing organizations and certificate holders often consider information about issued certifications to be competitively sensitive and therefore frequently publish results (i.e., certificates) only to a limited extent.
Nevertheless, most testing companies provide a way to verify individual certificates, typically via an online interface or database.
The following resources are available for certificate verification:
- TÜV SÜD: https://www.tuvsud.com/de-de/dienstleistungen/produktpruefung-und-produktzertifizierung/zertifikatsdatenbank
- TÜV Rheinland: https://www.certipedia.com/?locale=de
When using these databases, it is necessary to search for the specific standard (e.g., IEC 62443-4-1).
Certificates under the CB Scheme can be viewed in the IECEE database: https://certificates.iecee.org/#/search
ISASecure provides an overview of their certificates sorted by certificate types (SDLA, CSA and SSA): https://isasecure.org/end-users/iec-62443-4-1-certified-development-organizations
These resources allow interested parties to verify the validity and authenticity of certifications and to obtain information about certified companies, products and systems. It is advisable, for specific inquiries or doubts, to contact the certification bodies or the certified companies directly to obtain more detailed information.
Frequently asked questions (FAQ) about IEC 62443 certifications
What role do the TÜVs play in certifications?
The various TÜV organizations (TÜV SÜD, TÜV Rheinland, TÜV Nord, SGS TÜV-Saar, TÜV Hessen, TÜV Thüringen, TÜV Austria) play a central role in the certification process for IEC 62443. Although they compete with each other, they share the renowned brand “TÜV” (Technischer Überwachungsverein). As independent testing and certification organizations, they are responsible for verifying and confirming compliance of the process or product to be certified with IEC 62443 requirements.
Each TÜV organization develops its own certification programs, which are accredited by accreditation bodies such as the German Accreditation Body (DAkkS). This ensures the competence and independence of the testing organizations. Some TÜVs have also obtained recognitions from specialized organizations such as ISASecure or the IECEE. These recognitions enable them to issue certificates under specific programs, increasing international recognition and comparability of the certifications.
The TÜVs not only provide the actual certification but often also offer accompanying services such as training, pre-audits or consultancy to prepare for certification. Their role thus ranges from neutral assessment to supportive guidance of companies throughout the certification process, while preserving the independence and integrity of the audit.
Why do some certificates have security levels and others do not?
The question of security levels in IEC 62443 certificates is complex and reflects the different application areas and intents of the various parts of the standard. Security levels indicate resistance to threats and primarily relate to systems. Therefore, certifications to IEC 62443-3-3, which pertains to the system level, usually specify a security level.
For product certifications under IEC 62443-4-2, the situation is more nuanced. Blanket security levels for individual components can distort the actual intent of IEC 62443, because the security of a complete system is not determined solely by the security properties of individual components. The standard allows missing component-level security requirements to be compensated by so-called compensating countermeasures at the system level.
Nevertheless, product management and marketing often desire easily comparable levels for their components, similar to Safety Integrity Levels (SIL) in functional safety. Although such levels are not directly provided for in IEC 62443-4-2, many test houses offer the option to state a security level for a component if all applicable requirements for a certain level have been met.
This practice is controversial because it may oversimplify system security complexity. However, it can serve as an orientation aid for users to estimate a component’s potential suitability for a system with certain security requirements. It is important to emphasize that any such component security level must always be considered in the context of the entire system and does not guarantee the security of the end product.
Is certification with maturity level 1 possible?
Certification at Maturity Level 1 (ML 1) is not possible within the scope of IEC 62443 and also not meaningful. ML 1 describes a state in which product development is ad hoc and lacks adequate documentation. At this stage, structured, repeatable processes - which are essential for certification - are absent. Development workflows and decisions at ML 1 are not documented in a way that external certifiers can objectively review and assess.
Certifications generally start at ML 2, where defined and documented processes exist that enable consistent application of security practices. ML 2 ensures that basic management practices are established and that processes are performed in a planned, traceable and repeatable manner. This forms the minimum prerequisite for a credible and meaningful certification in the context of IEC 62443.
How can IEC 62443 certificates be compared?
Comparing IEC 62443 certificates from different certifiers and programs is complex and requires a careful analysis of the underlying details. Without additional explanations and documentation, certificates are often not directly comparable.
To perform a sound assessment, it is essential to request and review all available annexes, appendices and, where applicable, the test reports underlying the certifications. It is crucial that the certified scope (scope of application) is clearly defined and visible.
Equally important is a detailed overview of which specific requirements have been met at which level. Only when both the scope and the fulfilled Foundational Requirements or Component Requirements are known can a meaningful comparison between certificates be made.
If these essential pieces of information are missing, the seriousness of the certificate or the certifier should be questioned. Transparent and detailed evidence of fulfilled requirements is an indicator of the quality and trustworthiness of the certification process.
Which certification program (ISASecure, TÜV, CB-Scheme) do I need?
The choice of the appropriate certification program depends on various factors, especially the target market and the specific industry.
In Europe and large parts of Asia, the various TÜV certificates enjoy the highest acceptance and recognition. They are widely known and regarded as a quality standard in many industries.
The CB Scheme has a certain acceptance and recognition in Asia but is less common in Europe. It can be useful if a product is intended for several Asian markets, as it facilitates mutual recognition of test results between participating countries.
ISASecure has established itself primarily in the process industry, driven in particular by the oil and gas industry, which was instrumental in ISASecure’s development and implementation. If your company mainly operates in this sector or serves customers in the process industry, ISASecure might be the preferred choice.
Ultimately, the decision for a certification program should be based on a careful analysis of target market requirements, specific industry standards and long-term business goals. In some cases, a combination of different programs may also make sense to achieve broad market coverage and acceptance.
Support for IEC 62443 certification
IEC 62443 not only provides a framework for cybersecurity in industrial automation - it is also the basis for formal certifications of processes, components and systems. Preparing for such a certification requires technical understanding, organizational clarity and a structured approach.
Secuvi supports companies in implementing the relevant parts of the standard - in particular IEC 62443-4-1 for secure development processes as well as IEC 62443-4-2 or IEC 62443-3-3 for products and systems. This includes analyzing existing structures, introducing appropriate security measures and accompanying the entire certification process - including documentation, communication with testing bodies and audit preparation.
If you are pursuing an IEC 62443 certification or preparing to go down that path, we can support you with experience and a practice-oriented approach.
More information: secuvi.com