IEC 62443 explained - standards for secure control systems

Discover the IEC 62443 series for industrial cybersecurity, including key concepts, structure and certification for secure automation systems.

Structure of IEC 62443

The following image shows the structure and layout of the IEC 62443 standard for the security of industrial communication networks.

The standard is divided into six main categories:

  1. General
  2. Policies & procedures
  3. System
  4. Component
  5. Profiles
  6. Evaluation

Each category contains several subitems that cover different aspects of network and system security.

The series therefore covers a wide range of topics, from terminology and risk assessment to technical security requirements, and provides a comprehensive framework for securing industrial automation and control systems (IACS).

Status of the individual parts of IEC 62443

The elements marked in red in the image form the foundation of the current standard. They cover essential areas, from basic concepts and terminology to specific technical requirements and evaluation methods. These published standards give companies and organizations concrete guidance and requirements for implementing and maintaining secure industrial automation and control systems.

The elements marked in orange in the image represent future extensions and adjustments to the standard. They show how IEC 62443 is being further developed to account for new technologies, threats and best practices in the field of industrial automation and control systems (IACS).

Existing published standards

IEC 62443 already comprises a number of established and published standards that provide a robust framework for the security of industrial communication networks.

| Standard | Title | Description |
| --- | --- | --- |
| IEC TS 62443-1-1 (Edition 1, 2009) | Industrial communication networks - Network and system security - Part 1-1: Terminology, concepts and models | Defines terminology, concepts and models for security in industrial automation and control systems (IACS). |
| IEC TS 62443-1-5 (Edition 1, 2023) | Security for industrial automation and control systems - Part 1-5: Scheme for IEC 62443 security profiles | IEC 62443-1-5 establishes a scheme for creating cybersecurity profiles within the IEC 62443 series. These profiles define specific cybersecurity requirements tailored to particular industries or application areas. They simplify the use of standardized terminology and ensure consistent interpretation of cybersecurity measures across different industries. |
| **IEC 62443-2-1 (Edition 2, 2024)** | Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS asset owners | Defines the elements necessary to establish an information security management system (ISMS) for IACS. This second edition replaces the first edition from 2010 and includes technical revisions such as restructuring requirements, avoiding duplication of an ISMS and defining a maturity model to assess the requirements. |
| IEC TR 62443-2-3 (Edition 1, 2015) | Security for industrial automation and control systems - Part 2-3: Patch management in the IACS environment | Describes requirements for the patch management program of asset owners and IACS product suppliers. |
| IEC 62443-2-4 (Edition 2, 2023) | Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers | Specifies comprehensive requirements for the security-related processes that IACS service providers can offer asset owners during integration and maintenance of an automation solution. |
| IEC TR 62443-3-1 (Edition 1, 2009) | Industrial communication networks - Network and system security - Part 3-1: Security technologies for industrial automation and control systems | Provides a current assessment of various cybersecurity tools and technologies for industrial automation and control systems. |
| IEC 62443-3-2 (Edition 1, 2020) | Security for industrial automation and control systems - Part 3-2: Security risk assessment for system design | Establishes requirements for defining a System Under Consideration (SUC), assessing risks and setting target security levels for zones and conduits. |
| IEC 62443-3-3 (Edition 1, 2013) | Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels | Provides detailed technical requirements for system security that are linked to the seven foundational requirements. |
| IEC 62443-4-1 (Edition 1, 2018) | Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements | Defines process requirements for the secure development of products used in industrial automation and control systems. More information on this standard is available in our article “Cybersecurity from the start - IEC 62443-4-1 explained”. |
| IEC 62443-4-2 (Edition 1, 2019) | Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components | Provides detailed technical security requirements for IACS components that are linked to the seven foundational requirements. |
| IEC TS 62443-6-1 (Edition 1, 2024) | Security for industrial automation and control systems - Part 6-1: Security evaluation methodology for IEC 62443-2-4 | Specifies the evaluation methodology to support repeatable and reproducible assessment results against the requirements of IEC 62443-2-4. |

Standards under development or revision

IEC 62443 is in continuous development and improvement to keep pace with the ever-changing requirements of industrial cybersecurity. Below we look at parts of the standard that are currently in progress or planned.

| Standard | Title | Description |
| --- | --- | --- |
| IEC 62443-2-2 (new) | IACS Security Program Ratings | IEC 62443-2-2 introduces the Security Program Rating (SPR) to make the security status of industrial automation and control systems (IACS) measurable and to harmonize the requirements of the various parts of the standard. The aim is to provide a uniform structure and categorization of security requirements. This is achieved by introducing nine security objectives that replace the previous foundational requirements. In the long term, all parts of IEC 62443 are intended to be structured around these objectives to enable a consistent maturity assessment. |
| IEC 62443-5-x (new) | Profiles for IEC 62443 | IEC 62443-5-x refers to specific subsections of the IEC 62443-5-x series that integrate the cybersecurity profiles defined in IEC 62443-1-5. These subsections describe detailed cybersecurity requirements relevant to specific industries or application areas. They provide a structured approach to implementing cybersecurity measures based on the standardized profiles according to IEC 62443-1-5. |
| IEC TS 62443-6-2 (new) | Security evaluation methodology for IEC 62443 - Part 4-2: Technical security requirements for IACS Components | This technical specification focuses on the evaluation methodology for the technical security requirements of IACS components according to Part 4-2. |

Key concepts of IEC 62443

IEC 62443 is built on a set of fundamental concepts that form the backbone for securing industrial automation and control systems (IACS). These concepts run through all parts of the standard and provide a holistic approach to addressing cybersecurity challenges in industrial environments. They include aspects such as risk management, defense in depth, zones and conduits, and the lifecycle approach to security.

By understanding and applying these core concepts, organizations can develop a robust security architecture that effectively addresses both current and future threats. In this section we examine these essential concepts in more detail and explain their significance for the practical implementation of IEC 62443.

Division into roles

In industrial automation and control according to IEC 62443, different roles are central to the secure and efficient operation of systems. These roles include the asset owner, the maintenance provider, the integration service provider and the product supplier, whose responsibilities can be clearly defined. Each of these roles contributes to ensuring that systems not only meet current technical requirements but are also future-proof and resilient to disruptions.

Asset owner

The asset owner is responsible for operating the IACS environment. They are accountable for the efficient and secure operation of the system according to defined policies and procedures. This role also includes managing the system lifecycle and monitoring maintenance and integration activities to ensure continuous operation.

Maintenance service provider

This provider is responsible for the ongoing maintenance of the IACS. This includes regular inspections, updates and repairs as required to maintain the integrity and performance of the system. The maintenance provider must follow the specific policies and procedures for system maintenance.

Integration service provider

The integration service provider designs and implements new systems or upgrades for existing systems within the IACS environment. They are responsible for commissioning and validating these systems and must ensure that they meet all operational requirements and standards.

Product supplier

The product supplier develops and supports the components that make up the control systems, including software applications, embedded devices, network devices and host systems. They must ensure that their products can be effectively integrated into the IACS environment and supported throughout their lifecycle.

Coverage of the entire lifecycle

IEC 62443 takes into account the entire lifecycle of an industrial automation and control system (IACS), from development through integration to operation.

Roles and responsibilities according to IEC 62443

This comprehensive approach ensures that cybersecurity aspects are considered in all phases of the IACS lifecycle, from product development and system integration to long-term operation and maintenance.

Defense in depth

The defense in depth concept plays a key role in the IEC 62443 series by promoting comprehensive protection of industrial control systems against various threats. This approach recognizes that it is often not sufficient to achieve security goals with a single protective measure. Instead, the standard recommends implementing multiple overlapping security measures simultaneously. It therefore requires the establishment of security mechanisms at different levels of the network architecture, including physical security, network security, host security and application security, to address specific vulnerabilities and provide additional protection if one outer layer is breached.

For example, intrusion detection systems can be used to detect a firewall breach and trigger additional protective measures. If certain security requirements cannot be met by a component on its own, IEC 62443 requires that appropriate compensating measures be documented for the component. This ensures that security requirements are met when integrating the component into a larger system.

Maturity levels and security levels

IEC 62443 defines two important concepts for assessing industrial automation and control systems (IACS): maturity levels and security levels.

Maturity levels assess the quality of processes at product manufacturers and range from ML 1 to ML 4:

| Level | Name | Definition |
| --- | --- | --- |
| ML 1 | Initial | The manufacturer typically carries out product development ad hoc and often without sufficient documentation. This can affect project continuity and process repeatability. |
| ML 2 | Managed | The manufacturer is able to control product development according to documented policies and to demonstrate that personnel are qualified to carry out the process. However, the experience to implement all written policies in product development is lacking. |
| ML 3 | Defined / Practiced | The manufacturer's processes are demonstrably consistent and reproducible within the organization. The processes have been successfully executed and verifiable evidence is available. |
| ML 4 | Continuous improvement | Manufacturers use appropriate metrics (KPIs) to monitor effectiveness and performance and to demonstrate continuous improvement. |

Security levels (SL) assess resistance to threats and range from SL 0 to SL 4:

| Level | Definition |
| --- | --- |
| SL 0 | Security level 0 is implicitly set and means that no security requirements or protections are necessary. |
| SL 1 | Protection against casual or accidental violation. |
| SL 2 | Protection against a deliberate violation with simple means and low effort, general skills and low motivation. |
| SL 3 | Protection against a deliberate violation with sophisticated means and moderate effort, IACS-specific skills and moderate motivation. |
| SL 4 | Protection against a deliberate violation with highly advanced means and significant effort, IACS-specific skills and high motivation. |

IEC 62443 certifications

IEC 62443 certifications provide a structured approach to ensuring cybersecurity in industrial automation and control systems (IACS). They cover various areas such as organizational processes, systems and components. Certification helps companies improve cybersecurity, minimize risks and strengthen their reputation.

There are different certification schemes, including schemes from accredited testing and certification bodies such as the TÜVs, ISASecure and the IECEE CB-Scheme. Each scheme has specific focus areas and requirements. The certification process typically includes document reviews and on-site audits, followed by regular surveillance.

For detailed information on the different certification options and their significance, see our in-depth article IEC 62443 certifications.

IEC 62443 training

To help companies implement the standard, specialized IEC 62443 training courses are available. These provide the knowledge needed to implement the standard and secure industrial control systems. The training covers various aspects, from basics to advanced topics. More details about available training offerings and their contents can be found in our detailed article “Overview of IEC 62443 trainings”.

Frequently asked questions about IEC 62443

What is the difference between IEC 62443-4-2 and IEC 62443-4-1?

IEC 62443-4-1 and IEC 62443-4-2 complement each other but focus on different aspects of cybersecurity in industrial automation and control systems (IACS).

IEC 62443-4-1 focuses on the secure development process and the entire product lifecycle. It defines requirements for processes, methods and techniques for the secure development of IACS products. This includes aspects such as security management, specification of security requirements, secure design and implementation, verification and validation, defect management, patch management and product end-of-life.

By contrast, IEC 62443-4-2 specifies technical security requirements for IACS components. It divides components into four categories: embedded devices, network components, host systems and software applications. The standard also defines common component security constraints (CCSC) that apply to all conformant products. One of these constraints (CCSC 4) explicitly requires a development process compliant with IEC 62443-4-1.

Thus, the two standards complement each other: IEC 62443-4-1 governs the process of secure development, while IEC 62443-4-2 defines the concrete technical security features a product must have.

What is the difference between ISASecure and IEC 62443?

ISASecure and IEC 62443 are closely related but distinct: IEC 62443 is an international series of standards that defines requirements and processes for IT security in industrial automation. ISASecure, on the other hand, is a concrete certification program developed by the ISA Security Compliance Institute (ISCI). It is based on the requirements of IEC 62443 but goes beyond them in some areas.

ISASecure defines specific testing procedures and criteria by which certification bodies can assess the conformity of products and systems with the IEC 62443 standards. ISASecure is therefore comparable to the testing programs of individual certifiers such as the TÜVs.

Should it be ISA 62443 or IEC 62443?

The question of the correct designation - ISA 62443 or IEC 62443 - reflects the international collaboration and development history of this series of standards.

The International Society of Automation (ISA) from the USA played a central role in developing these standards. It works closely with the International Electrotechnical Commission (IEC), which is responsible for international standardization in electrical engineering and electronics.

The designation ISA/IEC 62443 is particularly common in the Anglo-American region and emphasizes the contribution of both organizations. It corresponds in full to the German notation DIN EN IEC 62443-4-1 VDE 0802-4-1, where DIN stands for the German Institute for Standardization, EN for European Standard and VDE for the Association for Electrical, Electronic & Information Technologies.

Internationally, however, the short form IEC 62443 has become established. This designation is used in most countries and in global industry because the IEC acts as the overarching international standardization organization. Using IEC 62443 ensures a uniform reference and recognition of the standards worldwide, regardless of national or regional particularities.

What is the relationship between ISO 27001 and IEC 62443?

ISO 27001 and IEC 62443 complement each other regarding information security but have different focuses and application areas.

ISO 27001 is a standard for an information security management system (ISMS) and focuses primarily on the operational aspects of information security in organizations of all kinds.

IEC 62443, by contrast, is specifically aimed at cybersecurity in industrial automation and control systems (IACS) and covers various roles in the lifecycle of these systems.

IEC 62443-2-1 (Edition 2) extends the principles of ISO 27001 for the specific context of operating automation solutions.

Manufacturers and system integrators can use ISO 27001 alongside standards such as IEC 62443-4-1 (for secure product development) and IEC 62443-2-4 (for system integration) to secure their development environments and ensure comprehensive information security management.

What is the relationship between IEC 62443-3-3 and IEC 62443-4-2? Which do I need?

IEC 62443-3-3 and IEC 62443-4-2 are closely linked but address different levels of cybersecurity in industrial automation and control systems.

IEC 62443-3-3 defines security requirements at the system level and specifies which security functions an IACS as a whole must meet. It provides an overarching framework for system security.

IEC 62443-4-2, on the other hand, specifies these requirements at the component level. It sets out detailed security requirements for different types of IACS components such as embedded devices, network components, host systems and software applications.

Which standard you need depends on your specific use case. If you are designing or evaluating an entire IACS, IEC 62443-3-3 may be more relevant. If you are developing or selecting individual components, IEC 62443-4-2 provides the more detailed specifications.

In many cases it makes sense to consider both standards, as they complement each other and enable a comprehensive security assessment. In practice the distinction is often fluid because IEC 62443-4-2 makes the requirements of IEC 62443-3-3 concrete at the component level, enabling a more detailed implementation of system requirements.

Support for implementing IEC 62443

IEC 62443 is the central international standard for cybersecurity in industrial automation. It places comprehensive requirements on organizations, processes and technical systems and has therefore become a binding basis for many companies, especially in the context of increasing regulation.

Secuvi supports companies in implementing these requirements in a practical and goal-oriented manner - both as part of internal improvements and in preparation for possible certification. Our team understands the challenges associated with introducing IEC 62443 and helps find suitable solutions for organization, development and technology.

If you are wondering how to implement IEC 62443 concretely in your company, we can assist you with experience, technical expertise and pragmatic advice.

More about this at: secuvi.com