IEC 62443 (ISA/IEC 62443)
Industrial automation and control systems — Security
Standard Introduction
IEC 62443 (ISA/IEC 62443) is an active standard published by the International Electrotechnical Commission (IEC) and developed jointly with the ISA99 committee of the International Society of Automation (ISA). It is commonly used across manufacturing, energy, technology, automotive and electronics, and applies globally.
Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with IEC 62443 (ISA/IEC 62443).
Defense in Depth
Promotes a multi-layered security approach built on zones and conduits, so that compromise of a single device, network segment or control does not hand an attacker the entire industrial control system.
Stakeholder-Based Framework
Defines distinct requirements for asset owners, system integrators, and product suppliers — ensuring security responsibilities are clear across the supply chain.
Security Levels
Introduces four security levels (SL 1–4). SL 1 protects against casual or coincidental violation; SL 2 against intentional violation using simple means, low resources and generic skills; SL 3 against sophisticated means with moderate resources and IACS-specific skills; SL 4 against sophisticated means with extended resources, IACS-specific skills and high motivation. Levels are expressed as target (SL-T), capability (SL-C) and achieved (SL-A) values, and in IEC 62443-3-3 as a vector across seven foundational requirements rather than a single number.
Series Structure
- Part 1: General concepts, terminology and models (62443-1-1 terminology, concepts and models; 62443-1-2 master glossary)
- Part 2: Policies, procedures and security management (62443-2-1 security program requirements for asset owners; 62443-2-3 patch management; 62443-2-4 security program requirements for service providers)
- Part 3: System-level security requirements and security levels (62443-3-2 security risk assessment for system design; 62443-3-3 system security requirements and security levels)
- Part 4: Component and product development requirements (62443-4-1 secure product development lifecycle; 62443-4-2 technical security requirements for IACS components)
- Zones and conduits model for network segmentation
- Four security levels (SL 1–4) for risk-based protection
- Secure product development lifecycle (IEC 62443-4-1)
- Covers entire IACS lifecycle from design through decommissioning
Who Needs to Comply?
Organizations operating industrial automation and control systems — including manufacturing, energy and utilities, oil and gas, transportation, building automation, water treatment, and any sector with operational technology (OT) environments.
Key Requirements
Security Risk Assessment
Conduct a security risk assessment of the IACS environment (IEC 62443-3-2): identify threats, vulnerabilities and consequences, partition the system under consideration into zones and conduits, and assign each zone and conduit a target security level (SL-T) justified by the assessed risk rather than chosen uniformly across the plant.
Zones and Conduits
Segment the IACS network into security zones, each grouping assets with common security requirements and a common SL-T. Define conduits, the grouped communication channels between zones, and restrict each conduit to the protocols and directions the process actually needs. Enforce the boundary with controls appropriate to the zone's target level (for example firewalls, unidirectional gateways or protocol-aware filtering), and treat any inter-zone traffic that is not covered by a defined conduit as a finding to be resolved.
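As an added worked example (not text or code from the standard or from this page), the following Python script models the zone/conduit partition and per-zone target levels described in the two requirements above and checks two things a practitioner wants out of the assessment: whether any asset's claimed capability level (SL-C) falls short of its zone's SL-T on any foundational requirement, and whether observed traffic crosses a zone boundary without a defined conduit or with a protocol the conduit does not permit. The seven-FR order and the `{a b c d e f g}` vector notation follow IEC 62443-3-3; the zone names, assets, conduit allow-list and observed flows are constructed sample data, and the gap logic is this example's own simplification of the standard's assessment process.

```python
"""Zone/conduit and security-level consistency check.

Added illustration; not code from IEC, ISA or the page. The asset inventory,
zone targets, conduit allow-list and observed flows below are constructed
sample data. The FR order and the {a b c d e f g} vector notation follow
IEC 62443-3-3; the check logic itself is this example's own simplification.
"""
import re

# Seven foundational requirements in IEC 62443-3-3 order (FR 1..FR 7).
FR = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")


def parse_sl_vector(text):
    """Parse a 62443-3-3 style vector such as 'SL-T(Control) = {3 3 3 2 3 2 3}'."""
    m = re.search(r"\{([^}]*)\}", text)
    if not m:
        raise ValueError(f"no {{...}} vector in {text!r}")
    values = tuple(int(v) for v in m.group(1).split())
    if len(values) != len(FR) or any(not 0 <= v <= 4 for v in values):
        raise ValueError(f"expected {len(FR)} levels in 0..4, got {text!r}")
    return values


# Constructed data: zone -> SL-T vector.
ZONE_SL_T = {
    "Enterprise": parse_sl_vector("{1 1 1 1 1 1 1}"),
    "DMZ":        parse_sl_vector("{2 2 2 2 2 2 2}"),
    "Control":    parse_sl_vector("{3 3 3 2 3 2 3}"),
    "Safety":     parse_sl_vector("{3 3 3 2 3 3 3}"),
}

# Constructed data: asset -> (zone, SL-C vector claimed by the supplier).
ASSETS = {
    "erp":       ("Enterprise", parse_sl_vector("{1 1 1 1 1 1 1}")),
    "historian": ("DMZ",        parse_sl_vector("{2 2 2 2 2 2 2}")),
    "eng-ws":    ("Control",    parse_sl_vector("{2 2 3 2 3 2 3}")),  # IAC/UC below zone SL-T
    "plc-1":     ("Control",    parse_sl_vector("{3 3 3 2 3 2 3}")),
    "sis-1":     ("Safety",     parse_sl_vector("{3 3 3 2 3 3 3}")),
}

# Constructed data: conduits are directional (initiating zone -> target zone)
# and list the (protocol, port) pairs permitted on that conduit.
CONDUITS = {
    ("Enterprise", "DMZ"):  {("tcp", 443)},   # HTTPS to the historian only
    ("DMZ", "Control"):     {("tcp", 4840)},  # OPC UA; no direct Enterprise -> Control conduit
    ("Control", "Safety"):  {("tcp", 502)},   # Modbus/TCP status reads
}

# Constructed observed flows: (src asset, dst asset, protocol, dst port).
FLOWS = [
    ("erp", "historian", "tcp", 443),
    ("historian", "plc-1", "tcp", 4840),
    ("erp", "plc-1", "tcp", 502),     # bypasses the DMZ: no conduit exists
    ("eng-ws", "plc-1", "tcp", 502),  # intra-zone, no conduit needed
    ("plc-1", "sis-1", "tcp", 502),
    ("plc-1", "sis-1", "tcp", 22),    # conduit exists, but SSH is not permitted on it
]


def sl_gaps(assets=ASSETS, zone_sl_t=ZONE_SL_T):
    """Per asset, the FRs where its SL-C is below the SL-T of the zone it sits in."""
    gaps = {}
    for name, (zone, sl_c) in assets.items():
        short = {fr: (c, t) for fr, c, t in zip(FR, sl_c, zone_sl_t[zone]) if c < t}
        if short:
            gaps[name] = short
    return gaps


def conduit_violations(flows=FLOWS, assets=ASSETS, conduits=CONDUITS):
    """Inter-zone flows with no conduit, or not permitted on the conduit that exists."""
    findings = []
    for src, dst, proto, port in flows:
        zs, zd = assets[src][0], assets[dst][0]
        if zs == zd:
            continue  # traffic inside one zone is governed by the zone, not a conduit
        if (zs, zd) not in conduits:
            findings.append((src, dst, proto, port, f"no conduit {zs} -> {zd}"))
        elif (proto, port) not in conduits[(zs, zd)]:
            findings.append((src, dst, proto, port, f"{proto}/{port} not permitted on {zs} -> {zd}"))
    return findings


if __name__ == "__main__":
    for asset, short in sl_gaps().items():
        for fr, (c, t) in short.items():
            print(f"SL gap: {asset} {fr} SL-C={c} < SL-T={t}")
    for src, dst, proto, port, why in conduit_violations():
        print(f"conduit violation: {src} -> {dst} {proto}/{port}: {why}")
```

On the sample data the script reports the engineering workstation as below target on IAC and UC, the direct ERP-to-PLC flow as having no conduit, and SSH on the Control-to-Safety conduit as not permitted. In practice the flows would come from firewall logs or a span-port capture and the SL-C vectors from supplier documentation or 62443-4-2 certificates; the point of running it regularly is that the zone model on paper tends to drift from what the network actually carries.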
Secure Development Lifecycle
Product suppliers must follow a secure development lifecycle (IEC 62443-4-1) whose practices cover security management, specification of security requirements, secure design, secure implementation, security verification and validation testing, management of security-related issues, security update management, and security guidelines for users, applied throughout the product lifecycle.
Security Management System
Asset owners must implement an IACS security program (IEC 62443-2-1) covering security policies, organization and responsibilities, staff competence, awareness training, incident response, and business continuity planning.
Patch and Change Management
Establish processes (IEC 62443-2-3) for evaluating, testing and deploying security patches to IACS components; test on a representative or non-production system before rollout, since a patch that disrupts a controller has safety and availability consequences. Maintain a formal change management process so that no modification to the control system goes unauthorized or unrecorded.
Penalties & Enforcement
No direct legal penalties: IEC 62443 is a voluntary standard. However, the NIST Cybersecurity Framework lists ISA/IEC 62443 among its informative references, NIST SP 800-82 (the OT security guide) draws on it, and national implementations of and guidance under the EU NIS2 Directive point operators of essential entities toward it. Non-compliance can therefore surface as regulatory findings and increased liability following a cyber incident.
Official Documentation
The individual parts of IEC 62443 are published by the International Electrotechnical Commission (IEC) and, as ISA/IEC 62443, by the International Society of Automation (ISA); the full text is obtained from those bodies. Implementation templates and companion guidance are offered by ISA and by the certification bodies that assess against the standard.