IEC 62443 (ISA/IEC 62443)
Industrial automation and control systems — Security
Standard Introduction
IEC 62443 (ISA/IEC 62443) is an active standard published by International Electrotechnical Commission (IEC). It is commonly used across Manufacturing, Energy, Technology, Automotive, Electronics and applies in Global.
Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with IEC 62443 (ISA/IEC 62443).
Defense in Depth
Promotes a multi-layered security approach with zones and conduits, ensuring no single point of failure can compromise the entire industrial control system.
Stakeholder-Based Framework
Defines distinct requirements for asset owners, system integrators, and product suppliers — ensuring security responsibilities are clear across the supply chain.
Security Levels
Introduces four security levels (SL 1–4) representing increasing protection against casual, intentional, sophisticated, and state-sponsored threats respectively.
list_alt Series Structure
- Part 1: General concepts, terminology, and models
- Part 2: Policies, procedures, and security management system
- Part 3: System-level security requirements and security levels
- Part 4: Component and product development requirements
- Zones and conduits model for network segmentation
- Four security levels (SL 1–4) for risk-based protection
- Secure product development lifecycle (IEC 62443-4-1)
- Covers entire IACS lifecycle from design through decommissioning
Who Needs to Comply?
Organizations operating industrial automation and control systems — including manufacturing, energy and utilities, oil and gas, transportation, building automation, water treatment, and any sector with operational technology (OT) environments.
Key Requirements
Security Risk Assessment
Conduct a thorough risk assessment of the IACS environment. Identify threats, vulnerabilities, and consequences. Determine target security levels for each zone based on the risk assessment results.
Zones and Conduits
Segment the IACS network into security zones with common security requirements. Define conduits that control communications between zones. Apply appropriate security controls at zone boundaries.
Secure Development Lifecycle
Product suppliers must follow a secure development lifecycle (IEC 62443-4-1) including threat modeling, secure coding practices, security testing, and vulnerability management throughout the product lifecycle.
Security Management System
Asset owners must implement an IACS security management system covering security policies, organization, staff competence, awareness training, incident response, and business continuity planning.
Patch and Change Management
Establish processes for evaluating, testing, and deploying security patches to IACS components. Maintain a formal change management process to prevent unauthorized modifications to the control system.
Implementation Roadmap
Define industrial automation and control system cybersecurity scope
Identify the products, services, sites, systems, teams, jurisdictions, and stakeholders covered by IEC 62443. Confirm owners, boundaries, applicable obligations, documentation, and evidence expectations for IACS security programs, zones and conduits, security levels, risk assessment, secure development, system integration, patching, remote access, monitoring, and incident response.
Assess gaps and prioritize risks
Compare current practices with the expected industrial automation and control system cybersecurity approach. Review asset inventory, zone models, threat and risk assessment, access control, network segmentation, hardening, vulnerability handling, backup, recovery, supplier assurance, and security maintenance, then prioritize gaps by legal exposure, safety impact, customer commitments, operational dependency, and audit or market-access readiness.
Implement controls and records
Deploy the required procedures, technical controls, review gates, training, supplier workflows, reporting paths, and operational records. Maintain IACS asset registers, zone diagrams, risk assessments, security requirements, secure development records, patch decisions, access reviews, incident logs, backup tests, and supplier evidence as traceable evidence.
Review, audit, and improve
Run internal reviews, management reporting, audits, corrective actions, and change assessments. Refresh the program when products, services, suppliers, technology, regulations, incidents, or stakeholder expectations change.
Compliance Checklist
checklist Scope and governance
checklist Controls and evidence
checklist Monitoring and improvement
Penalties & Enforcement
No direct legal penalties — IEC 62443 is a voluntary standard. However, it is referenced by regulations such as the EU NIS2 Directive and the US NIST Cybersecurity Framework. Non-compliance can result in regulatory findings and increased liability following cyber incidents.
Frequently Asked Questions
Who needs IEC 62443?
expand_more
IEC 62443 is most relevant to asset owners, system integrators, product suppliers, and service providers securing OT and IACS environments. The exact scope depends on products, services, jurisdictions, customer commitments, and whether the organization needs certification, conformity evidence, regulatory readiness, or internal governance.
Is IEC 62443 certifiable?
expand_more
IEC 62443 can support product, process, and site assessments depending on the part used and the certification scheme.
What should the implementation focus on first?
expand_more
Start by defining scope and obligations, then build a current-state gap assessment. The most important early work is to confirm ownership, affected assets or processes, risk criteria, customer or legal drivers, and the evidence the organization must be able to produce.
What evidence is useful for IEC 62443?
expand_more
Useful evidence includes IACS asset registers, zone diagrams, risk assessments, security requirements, secure development records, patch decisions, access reviews, incident logs, backup tests, and supplier evidence. The evidence should be version-controlled, attributable to owners, and linked to risks, obligations, controls, decisions, and corrective actions.
How often should the program be reviewed?
expand_more
Review it at planned intervals and whenever products, services, suppliers, operating environments, incidents, customer commitments, or regulations change. High-risk domains should use more frequent monitoring and management reporting.
Official Documentation
Official PDF for IEC 62443 (ISA/IEC 62443)
Official publication or summary for IEC 62443 (ISA/IEC 62443)
Official online resource
International Electrotechnical Commission (IEC) guidance and reference material
Implementation toolkit
Templates, guidance, or companion resources for IEC 62443 (ISA/IEC 62443)