verified_user
Standardful
首頁chevron_right標準chevron_rightIEC 62443 (ISA/IEC 62443)
現行有效國際標準update 標準更新:Ongoing seriesfact_check 事實核查:2026年6月28日

IEC 62443 (ISA/IEC 62443)

工業自動化和控制系統 安全(系列標準)

apartment發布組織:國際電工委員會 (IEC)

標準簡介

IEC 62443 (ISA/IEC 62443) 是由 國際電工委員會 (IEC) 發布的現行有效標準,常用於製造業、能源、科技、汽車、電子產品等產業,並適用於全球等市場。

本頁整理了 IEC 62443 (ISA/IEC 62443) 的官方文件、目前狀態以及常見相關認證或評估機構,便於快速理解要求與落地路徑。

security

Defense in Depth

Promotes a multi-layered security approach with zones and conduits, ensuring no single point of failure can compromise the entire industrial control system.

groups

Stakeholder-Based Framework

Defines distinct requirements for asset owners, system integrators, and product suppliers — ensuring security responsibilities are clear across the supply chain.

shield

Security Levels

Introduces four security levels (SL 1–4) representing increasing protection against casual, intentional, sophisticated, and state-sponsored threats respectively.

list_alt Series Structure

  • Part 1: General concepts, terminology, and models
  • Part 2: Policies, procedures, and security management system
  • Part 3: System-level security requirements and security levels
  • Part 4: Component and product development requirements
  • Zones and conduits model for network segmentation
  • Four security levels (SL 1–4) for risk-based protection
  • Secure product development lifecycle (IEC 62443-4-1)
  • Covers entire IACS lifecycle from design through decommissioning

誰需要合規?

groups

Organizations operating industrial automation and control systems — including manufacturing, energy and utilities, oil and gas, transportation, building automation, water treatment, and any sector with operational technology (OT) environments.

關鍵要求

1

Security Risk Assessment

Conduct a thorough risk assessment of the IACS environment. Identify threats, vulnerabilities, and consequences. Determine target security levels for each zone based on the risk assessment results.

2

Zones and Conduits

Segment the IACS network into security zones with common security requirements. Define conduits that control communications between zones. Apply appropriate security controls at zone boundaries.

3

Secure Development Lifecycle

Product suppliers must follow a secure development lifecycle (IEC 62443-4-1) including threat modeling, secure coding practices, security testing, and vulnerability management throughout the product lifecycle.

4

Security Management System

Asset owners must implement an IACS security management system covering security policies, organization, staff competence, awareness training, incident response, and business continuity planning.

5

Patch and Change Management

Establish processes for evaluating, testing, and deploying security patches to IACS components. Maintain a formal change management process to prevent unauthorized modifications to the control system.

實施路線圖

1
階段 1schedule 預計週期: 3-6 周

定義工業自動化和控制系統網絡安全範圍

識別 IEC 62443 覆蓋的產品、服務、場所、系統、團隊、司法轄區和相關方。確認責任人、邊界、適用義務、文件和證據期望,範圍包括IACS 安全計劃、區域和通道、安全等級、風險評估、安全開發、系統集成、補丁、遠程訪問、監控和事件響應。

2
階段 2schedule 預計週期: 4-10 周

評估差距並排列風險優先級

將當前實踐與預期的工業自動化和控制系統網絡安全方法進行比較。審查資產清單、區域模型、威脅和風險評估、訪問控制、網絡分段、加固、漏洞處理、備份、恢復、供應商保證和安全維護,並按法律暴露、安全影響、客戶承諾、運營依賴以及審覈或市場準入準備度排列差距優先級。

3
階段 3schedule 預計週期: 8-24 周

實施控制和記錄

部署所需程序、技術控制、評審關口、培訓、供應商流程、報告路徑和運行記錄。維護IACS 資產登記冊、區域圖、風險評估、安全要求、安全開發記錄、補丁決策、訪問評審、事件日誌、備份測試和供應商證據作爲可追溯證據。

4
階段 4schedule 預計週期: 持續進行

評審、審覈並改進

開展內部評審、管理報告、審覈、糾正措施和變更評估。當產品、服務、供應商、技術、法規、事件或相關方期望變化時刷新項目。

合規檢查清單

0 / 12

checklist 範圍與治理

checklist 控制與證據

checklist 監控與改進

處罰與執行

warning

No direct legal penalties — IEC 62443 is a voluntary standard. However, it is referenced by regulations such as the EU NIS2 Directive and the US NIST Cybersecurity Framework. Non-compliance can result in regulatory findings and increased liability following cyber incidents.

常見問題解答

誰需要 IEC 62443?

expand_more

IEC 62443 最適用於保護 OT 和 IACS 環境的資產所有者、系統集成商、產品供應商和服務提供商。具體範圍取決於產品、服務、司法轄區、客戶承諾,以及組織是否需要認證、符合性證據、監管準備或內部治理。

IEC 62443 是否可認證?

expand_more

IEC 62443 可根據採用的部分和認證方案支持產品、過程和現場評估。

實施時應先關注什麼?

expand_more

先定義範圍和義務,再建立當前狀態差距評估。早期最重要的工作是確認責任、受影響資產或過程、風險準則、客戶或法律驅動因素,以及組織必須能夠提供的證據。

IEC 62443 需要哪些證據?

expand_more

有用證據包括IACS 資產登記冊、區域圖、風險評估、安全要求、安全開發記錄、補丁決策、訪問評審、事件日誌、備份測試和供應商證據。證據應進行版本控制,能夠追溯到責任人,並關聯風險、義務、控制、決策和糾正措施。

項目應多久評審一次?

expand_more

應按計劃週期評審,並在產品、服務、供應商、運行環境、事件、客戶承諾或法規變化時評審。高風險領域應採用更頻繁的監控和管理報告。

官方文件

查看全部

實施時間線

groups
2002年
ISA99 committee established to secure critical infrastructure
description
2007年
First standards published under ISA-62443 banner
warning
2010年
Stuxnet malware accelerates urgency; formal IEC adoption begins
check_circle
2018年
Key parts published: IEC 62443-4-1 (secure development) and 62443-4-2 (component requirements)
public
2021年
IEC recognizes 62443 as a horizontal standard across all industries
update
2024年
IEC 62443-2-1:2024 published — updated IACS security management system requirements

相關分類