Standardful

Current international standard in force. Last updated: Ongoing series

IEC 62443 (ISA/IEC 62443)

Industrial automation and control systems security (series of standards)

Publishing organization: International Electrotechnical Commission (IEC)

Standard overview

IEC 62443 (ISA/IEC 62443) is a standard in force published by the International Electrotechnical Commission (IEC). It is commonly applied in manufacturing, energy, technology, automotive, electronics and other industries, and is used in markets worldwide.

This page compiles the official documents for IEC 62443 (ISA/IEC 62443), its current status, and the certification and assessment bodies commonly associated with it, to give a quick understanding of its requirements and the path to implementation.


Defense in Depth

Promotes a multi-layered security approach with zones and conduits, ensuring no single point of failure can compromise the entire industrial control system.


Stakeholder-Based Framework

Defines distinct requirements for asset owners, system integrators, and product suppliers — ensuring security responsibilities are clear across the supply chain.


Security Levels

Introduces four security levels (SL 1–4) representing increasing protection against casual, intentional, sophisticated, and state-sponsored threats respectively.

Series Structure

  • Part 1: General concepts, terminology, and models
  • Part 2: Policies, procedures, and security management system
  • Part 3: System-level security requirements and security levels
  • Part 4: Component and product development requirements
  • Zones and conduits model for network segmentation
  • Four security levels (SL 1–4) for risk-based protection
  • Secure product development lifecycle (IEC 62443-4-1)
  • Covers entire IACS lifecycle from design through decommissioning

Who Needs to Comply?


Organizations operating industrial automation and control systems — including manufacturing, energy and utilities, oil and gas, transportation, building automation, water treatment, and any sector with operational technology (OT) environments.

Key Requirements

1. Security Risk Assessment

Conduct a thorough risk assessment of the IACS environment. Identify threats, vulnerabilities, and consequences. Determine target security levels for each zone based on the risk assessment results.

2. Zones and Conduits

Segment the IACS network into security zones with common security requirements. Define conduits that control communications between zones. Apply appropriate security controls at zone boundaries.

3. Secure Development Lifecycle

Product suppliers must follow a secure development lifecycle (IEC 62443-4-1) including threat modeling, secure coding practices, security testing, and vulnerability management throughout the product lifecycle.

4. Security Management System

Asset owners must implement an IACS security management system covering security policies, organization, staff competence, awareness training, incident response, and business continuity planning.

5. Patch and Change Management

Establish processes for evaluating, testing, and deploying security patches to IACS components. Maintain a formal change management process to prevent unauthorized modifications to the control system.

Penalties & Enforcement

No direct legal penalties apply, because IEC 62443 is a voluntary standard. However, it is referenced by regulations and frameworks such as the EU NIS2 Directive and the US NIST Cybersecurity Framework. Non-compliance can result in regulatory findings and increased liability following cyber incidents.

Implementation timeline

  • 2002: ISA99 committee established to secure critical infrastructure
  • 2007: First standards published under the ISA-62443 banner
  • 2010: Stuxnet malware accelerates urgency; formal IEC adoption begins
  • 2018: Key parts published: IEC 62443-4-1 (secure development) and 62443-4-2 (component requirements)
  • 2021: IEC recognizes 62443 as a horizontal standard across all industries
  • 2024: IEC 62443-2-1:2024 published, with updated IACS security management system requirements