verified_user
Standardful
首页chevron_right标准chevron_rightIEC 62443 (ISA/IEC 62443)
有效国际标准update 标准更新:Ongoing seriesfact_check 事实核查:2026年6月28日

IEC 62443 (ISA/IEC 62443)

工业自动化和控制系统 安全(系列标准)

apartment发布组织:国际电工委员会 (IEC)

标准简介

IEC 62443 (ISA/IEC 62443) 是由 国际电工委员会 (IEC) 发布的有效标准,常用于制造业、能源、科技、汽车、电子产品等行业,并适用于全球等市场。

本页汇总了 IEC 62443 (ISA/IEC 62443) 的官方文档、当前状态以及常见相关认证或评估机构,便于快速理解要求与落地路径。

security

Defense in Depth

Promotes a multi-layered security approach with zones and conduits, ensuring no single point of failure can compromise the entire industrial control system.

groups

Stakeholder-Based Framework

Defines distinct requirements for asset owners, system integrators, and product suppliers — ensuring security responsibilities are clear across the supply chain.

shield

Security Levels

Introduces four security levels (SL 1–4) representing increasing protection against casual, intentional, sophisticated, and state-sponsored threats respectively.

list_alt Series Structure

  • Part 1: General concepts, terminology, and models
  • Part 2: Policies, procedures, and security management system
  • Part 3: System-level security requirements and security levels
  • Part 4: Component and product development requirements
  • Zones and conduits model for network segmentation
  • Four security levels (SL 1–4) for risk-based protection
  • Secure product development lifecycle (IEC 62443-4-1)
  • Covers entire IACS lifecycle from design through decommissioning

谁需要合规?

groups

Organizations operating industrial automation and control systems — including manufacturing, energy and utilities, oil and gas, transportation, building automation, water treatment, and any sector with operational technology (OT) environments.

关键要求

1

Security Risk Assessment

Conduct a thorough risk assessment of the IACS environment. Identify threats, vulnerabilities, and consequences. Determine target security levels for each zone based on the risk assessment results.

2

Zones and Conduits

Segment the IACS network into security zones with common security requirements. Define conduits that control communications between zones. Apply appropriate security controls at zone boundaries.

3

Secure Development Lifecycle

Product suppliers must follow a secure development lifecycle (IEC 62443-4-1) including threat modeling, secure coding practices, security testing, and vulnerability management throughout the product lifecycle.

4

Security Management System

Asset owners must implement an IACS security management system covering security policies, organization, staff competence, awareness training, incident response, and business continuity planning.

5

Patch and Change Management

Establish processes for evaluating, testing, and deploying security patches to IACS components. Maintain a formal change management process to prevent unauthorized modifications to the control system.

实施路线图

1
阶段 1schedule 预计周期: 3-6 周

定义工业自动化和控制系统网络安全范围

识别 IEC 62443 覆盖的产品、服务、场所、系统、团队、司法辖区和相关方。确认责任人、边界、适用义务、文件和证据期望,范围包括IACS 安全计划、区域和通道、安全等级、风险评估、安全开发、系统集成、补丁、远程访问、监控和事件响应。

2
阶段 2schedule 预计周期: 4-10 周

评估差距并排列风险优先级

将当前实践与预期的工业自动化和控制系统网络安全方法进行比较。审查资产清单、区域模型、威胁和风险评估、访问控制、网络分段、加固、漏洞处理、备份、恢复、供应商保证和安全维护,并按法律暴露、安全影响、客户承诺、运营依赖以及审核或市场准入准备度排列差距优先级。

3
阶段 3schedule 预计周期: 8-24 周

实施控制和记录

部署所需程序、技术控制、评审关口、培训、供应商流程、报告路径和运行记录。维护IACS 资产登记册、区域图、风险评估、安全要求、安全开发记录、补丁决策、访问评审、事件日志、备份测试和供应商证据作为可追溯证据。

4
阶段 4schedule 预计周期: 持续进行

评审、审核并改进

开展内部评审、管理报告、审核、纠正措施和变更评估。当产品、服务、供应商、技术、法规、事件或相关方期望变化时刷新项目。

合规检查清单

0 / 12

checklist 范围与治理

checklist 控制与证据

checklist 监控与改进

处罚与执行

warning

No direct legal penalties — IEC 62443 is a voluntary standard. However, it is referenced by regulations such as the EU NIS2 Directive and the US NIST Cybersecurity Framework. Non-compliance can result in regulatory findings and increased liability following cyber incidents.

常见问题解答

谁需要 IEC 62443?

expand_more

IEC 62443 最适用于保护 OT 和 IACS 环境的资产所有者、系统集成商、产品供应商和服务提供商。具体范围取决于产品、服务、司法辖区、客户承诺,以及组织是否需要认证、符合性证据、监管准备或内部治理。

IEC 62443 是否可认证?

expand_more

IEC 62443 可根据采用的部分和认证方案支持产品、过程和现场评估。

实施时应先关注什么?

expand_more

先定义范围和义务,再建立当前状态差距评估。早期最重要的工作是确认责任、受影响资产或过程、风险准则、客户或法律驱动因素,以及组织必须能够提供的证据。

IEC 62443 需要哪些证据?

expand_more

有用证据包括IACS 资产登记册、区域图、风险评估、安全要求、安全开发记录、补丁决策、访问评审、事件日志、备份测试和供应商证据。证据应进行版本控制,能够追溯到责任人,并关联风险、义务、控制、决策和纠正措施。

项目应多久评审一次?

expand_more

应按计划周期评审,并在产品、服务、供应商、运行环境、事件、客户承诺或法规变化时评审。高风险领域应采用更频繁的监控和管理报告。

官方文档

查看全部

实施时间线

groups
2002年
ISA99 committee established to secure critical infrastructure
description
2007年
First standards published under ISA-62443 banner
warning
2010年
Stuxnet malware accelerates urgency; formal IEC adoption begins
check_circle
2018年
Key parts published: IEC 62443-4-1 (secure development) and 62443-4-2 (component requirements)
public
2021年
IEC recognizes 62443 as a horizontal standard across all industries
update
2024年
IEC 62443-2-1:2024 published — updated IACS security management system requirements

相关分类