History

The development of the IEC 62443 series of standards originated in 2002, when the International Society of Automation (ISA) formed the ISA99 committee to create a comprehensive framework for cybersecurity in industrial automation and control systems (IACS), responding to growing concerns over vulnerabilities in critical infrastructure.[2] This initiative aimed to fill gaps in existing IT security practices, which were inadequate for the unique operational requirements of IACS environments. Early efforts focused on defining foundational concepts, models, and risk management approaches tailored to industrial settings.

In 2007, the first key documents were published under the ISA99 and ISA-62443 banners, including ISA-TR99.00.01-2007 on security technologies and ISA-62443-1-1-2007 establishing terminology, concepts, and models.[3] Collaboration between ISA and the International Electrotechnical Commission (IEC) intensified, culminating in formal adoption as a joint IEC/ISA standard by 2010, with the inaugural IEC publication of IEC/TS 62443-1-1 in 2009.[8] The emergence of the Stuxnet malware in 2010, which demonstrated the potential for sophisticated cyberattacks on IACS, served as a pivotal catalyst, amplifying urgency and driving refinements to address targeted threats in programmable logic controllers and supervisory control systems.[9] That same year, IEC 62443-2-1 was released, specifying requirements for security programs managed by IACS asset owners.[10]

Subsequent expansions from 2013 to 2015 built on these foundations, with ANSI/ISA-62443-3-3-2013 outlining system security requirements and security levels, and ISA-TR62443-2-3-2015 providing guidance on patch and vulnerability management in operational technology environments.[2] Between 2018 and 2023, the series saw significant consolidations and updates, including ANSI/ISA-62443-4-1-2018 and ANSI/ISA-62443-4-2-2018, which detailed secure product development lifecycles and technical security requirements for IACS components.[2] In 2021, the IEC recognized the series as a horizontal standard applicable across multiple industries, enhancing its global reach. Cyber incidents such as the 2021 Colonial Pipeline ransomware attack highlighted persistent risks to supply chain operations, informing ongoing revisions by emphasizing robust incident response and resilience measures in IACS security programs.[11]

Relationship between IEC and ISA

The International Society of Automation (ISA) serves as the originating body for the IEC 62443 series through its ISA99 committee, established in 2002 to address cybersecurity needs for industrial automation and control systems (IACS) by leveraging technical expertise from industry practitioners and end-users.[2] This committee develops the core content, focusing on practical, risk-based approaches derived from real-world automation environments.[2]

The International Electrotechnical Commission (IEC) adopted the ISA99 standards for internationalization, resulting in the dual-numbered ISA/IEC 62443 series, where documents are published simultaneously under both designations (e.g., ISA-62443-x-y and IEC 62443-x-y) to ensure identical content and global applicability.[2] This process involves joint working groups, particularly under IEC Technical Committee 65 Working Group 10 (IEC TC 65 WG 10), which collaborates closely with ISA99 to review and approve contributions, harmonizing the standards for worldwide use.[12] In 2021, IEC designated the series as a horizontal standard, applicable across multiple sectors, further solidifying this partnership.[13]

Governance of the series emphasizes shared responsibilities: ISA99 leads content development and technical innovation, while IEC oversees global harmonization, publication, and alignment with broader electrotechnical norms, with all updates requiring consensus from both organizations to maintain consistency and authority.[14] This collaborative model ensures that revisions incorporate input from diverse stakeholders, including international experts, without compromising the practitioner-driven foundation.[2]

Joint efforts between ISA and IEC include co-authored technical reports, such as those providing guidance on security program establishment, and alignments with complementary standards like IEC 61508 for functional safety, where IEC 62443 addresses cybersecurity aspects to support integrated safety-security lifecycles in IACS.[2][15] These initiatives, including the establishment of the ISA Global Cybersecurity Alliance in 2019, promote adoption and interoperability across global industries.[2]

General Concepts and Models (Part 1)

The General Concepts and Models (Part 1) of the IEC 62443 series establishes the foundational elements for securing industrial automation and control systems (IACS), comprising four technical specifications and reports that define essential terminology, frameworks, and evaluation tools. These documents provide a consistent basis for the entire standard family, enabling stakeholders to apply cybersecurity principles uniformly across industrial environments. By focusing on conceptual models rather than prescriptive requirements, Part 1 supports the integration of security into IACS design, operation, and assessment processes.[16][1]

IEC/TS 62443-1-1 introduces core terminology, concepts, and models for IACS cybersecurity, serving as the basis for all subsequent standards in the series. It defines IACS as the collection of personnel, hardware, software, and services that interact to perform essential functions in industrial processes, distinguishing them from traditional IT systems due to their real-time and safety-critical nature. Key terms include cybersecurity zones, which group assets sharing common security needs to simplify protection strategies, and conduits, representing communication paths between zones. The document outlines a reference model for secure IACS architecture, depicting hierarchical layers from field devices to enterprise systems, with interfaces that emphasize segmentation and monitoring. Central to this is the defense-in-depth principle, advocating multiple overlapping safeguards—such as access controls, encryption, and intrusion detection—to address threats comprehensively, reducing the risk of single-point failures. This model promotes resilience against evolving cyber threats in operational technology environments.[8][11][17]

IEC/TR 62443-1-2 provides a master glossary that consolidates and standardizes terms and abbreviations across the IEC 62443 series, ensuring precise and consistent usage among asset owners, system integrators, and product suppliers. The glossary encompasses definitions for fundamental elements like threats (potential causes of unwanted incidents), vulnerabilities (weaknesses exploitable by threats), assets (critical components or data requiring protection), and security requirements (measures to mitigate risks). By serving as a centralized reference, it facilitates clear communication and interoperability, preventing misinterpretations that could undermine security implementations in diverse industrial settings. This technical report is regularly updated to reflect advancements in cybersecurity terminology.[4][17]

IEC 62443-1-3 specifies system security conformance metrics, offering a structured methodology to quantify and evaluate IACS cybersecurity effectiveness. These metrics derive from foundational and technical requirements in the series, categorizing them into areas such as policy enforcement, detection capabilities, and response mechanisms. For instance, maturity metrics assess program development stages from ad hoc practices to optimized, continuous improvement, while performance metrics gauge system resilience, such as the percentage of assets protected against high-impact threats. This enables organizations to measure progress objectively, benchmark against industry norms, and prioritize enhancements, with conformance levels tied to security level targets. The approach supports auditing and certification, ensuring verifiable security outcomes without prescribing specific tools.[18][19]

IEC/TR 62443-1-4 details IACS security lifecycle models and use-case scenarios, guiding the embedding of cybersecurity from inception through decommissioning. The lifecycle model encompasses phases including concept, design, implementation, operation, maintenance, and retirement, with security integrated at each stage to address evolving risks. Patch management cycles are highlighted as a critical process, involving vulnerability assessment, testing in isolated environments, staged deployment, and post-update verification to minimize operational disruptions in safety-critical systems. Use-case models illustrate applications, such as retrofitting security into legacy IACS or coordinating multi-vendor updates, demonstrating how lifecycle integration aligns with principal roles like asset owners and product suppliers. This ensures sustained security posture, complementing the reference architecture from 1-1.[20][21]

IEC TS 62443-1-5:2023 provides implementation guidance for a cybersecurity scheme, outlining a framework for developing and applying security profiles that support conformance assessment across the IEC 62443 series. It defines profiles for different stakeholder roles, enabling the specification of security requirements in a standardized manner to facilitate certification and interoperability. This technical specification aids in aligning product development, system integration, and organizational programs with the overall standards framework.[22]

Policies and Procedures (Part 2)

The IEC 62443-2 series establishes foundational policies and procedures for organizations managing industrial automation and control systems (IACS), emphasizing the development of robust security programs tailored to operational needs. These standards guide asset owners and service providers in creating governance structures, risk mitigation strategies, and operational protocols to protect against cyber threats, while accommodating legacy systems through compensating controls.[23]

IEC 62443-2-1:2024 outlines requirements for IACS asset owners to develop comprehensive security programs, focusing on governance to define organizational roles and responsibilities for cybersecurity oversight. It mandates the implementation of risk management frameworks that involve identifying assets, assessing threats, and prioritizing mitigation measures based on potential impacts to operations. Additionally, the standard requires incident response plans that detail detection, analysis, containment, eradication, recovery, and post-incident review processes to minimize disruptions and ensure resilience. The 2024 edition restructures requirements into security program elements and introduces a maturity model for ongoing evaluation and improvement of cybersecurity programs. These elements form a maturity model allowing progressive enhancement of security capabilities, independent of specific technologies. The standard also specifies procedures for establishing an IACS security program, including mandatory training and awareness initiatives to equip personnel with knowledge of cybersecurity risks and best practices. Training programs must cover topics such as threat recognition, secure operations, and compliance with policies, ensuring ongoing education through regular sessions and updates to address evolving threats. Awareness efforts extend to all staff interacting with IACS, promoting a culture of vigilance via communications, simulations, and role-specific guidance to reduce human-related vulnerabilities.[23][24]

IEC TR 62443-2-3:2015 describes requirements for patch management in the IACS environment, providing guidance for asset owners on developing and implementing effective patch management programs. It covers the patch management lifecycle, including identification, evaluation, testing, deployment, and verification of patches, while considering the unique constraints of IACS such as limited downtime tolerance and safety implications. The technical report emphasizes risk-based prioritization of patches and coordination with suppliers to ensure timely and secure updates without compromising system availability.[25]

IEC PAS 62443-2-2:2025, currently under development as of November 2025, addresses the IACS security protection scheme, providing a framework for defining and implementing protection levels across organizational assets and processes to align with risk assessments.[26]

System Security (Part 3)

The IEC 62443-3 series establishes security requirements and processes for industrial automation and control systems (IACS), emphasizing a risk-based approach to protect entire systems from cyber threats.[2] This part focuses on system-level considerations, including risk assessment methodologies and technical requirements that guide the design and implementation of secure IACS architectures.[28] By integrating threat analysis with security level targeting, the standards enable asset owners to align protections with operational risks without mandating specific technologies.[29]

IEC TR 62443-3-1:2009 provides a current assessment of various cybersecurity tools, mitigation countermeasures, and technologies applicable to IACS. It highlights technologies like firewalls for network segmentation, encryption for data protection during transmission and storage, intrusion detection systems, and access control mechanisms. These technologies are evaluated for their suitability in industrial environments, considering factors such as real-time performance, reliability, and integration with legacy systems. The technical report guides stakeholders in selecting and deploying appropriate technologies to support defense-in-depth strategies and address specific threats identified in risk assessments.[30]

IEC 62443-3-2:2020 outlines a structured process for conducting cybersecurity risk assessments for system design, primarily targeted at asset owners and end users.[28] The process begins with identifying the system under consideration (SUC), which encompasses the IACS components and their interdependencies.[28] It then involves partitioning the SUC into zones and conduits to isolate risks based on potential impact.[28] Threat modeling follows, where relevant threats to IACS are identified, such as those affecting safety-related assets, temporary devices, wireless connections, or external network access; this step considers the likelihood and potential consequences of cyber attacks.[28]

Vulnerability identification in IEC 62443-3-2 requires a detailed analysis of weaknesses within the system, drawing from known exploits, architectural flaws, and operational practices to support precise risk evaluation.[28] The assessment proceeds through initial and detailed cyber risk evaluations, quantifying risks by combining threat likelihood with vulnerability severity and asset impact.[28] Based on these evaluations, security level targets (SL-T) are determined for each zone or conduit, specifying the required protection level (from SL-0 to SL-4) to mitigate identified risks adequately.[28] The process concludes with documentation in a cybersecurity requirements specification (CRS), which records all findings, SL-T assignments, and stakeholder approvals for implementation.[28] This methodology ensures that risk assessments are repeatable, adaptable to evolving threats, and integrated into the overall IACS lifecycle.[2]

Component Security (Part 4)

The IEC 62443-4 series establishes security requirements specifically for the development and specification of Industrial Automation and Control Systems (IACS) components by product suppliers.[2] It comprises two primary standards: IEC 62443-4-1, which outlines process-oriented requirements for a secure product development lifecycle, and IEC 62443-4-2, which defines technical security capabilities for individual components.[1] These standards aim to ensure that components, such as embedded devices and software, are designed with inherent cybersecurity resilience to mitigate risks when integrated into IACS environments.[3]

IEC 62443-4-1:2018, published as ANSI/ISA-62443-4-1, specifies secure product development lifecycle requirements for suppliers to systematically address cybersecurity throughout the product creation and maintenance phases.[31] Suppliers must define and implement security requirements early in the design process, applying principles of defense-in-depth to create layered protections against threats.[31] Threat modeling is a core element, requiring ongoing identification and assessment of potential risks, including those from evolving cyber threats, to inform design decisions and prioritize mitigations.[31] Secure coding practices are mandated, with suppliers required to adopt standardized guidelines that minimize vulnerabilities, such as input validation and error handling, during software development.[31] Additional requirements include comprehensive security testing—encompassing penetration testing and vulnerability assessments—at multiple lifecycle stages, along with processes for managing identified security issues through assessment, resolution, and communication to users.[31] Suppliers are also obligated to evaluate third-party components for security risks, provide timely updates and patches with clear documentation, and maintain user guidance on secure configuration and operation.[31] This lifecycle approach ensures that security is not an afterthought but an integrated aspect of product development, tailored to the unique constraints of IACS, such as real-time operations and long-term deployment.[32]

IEC 62443-4-2:2019 delineates technical security capabilities required for IACS components, including embedded devices, network components, host components, and software.[33] It specifies requirements aligned with the seven foundational requirements (FRs) outlined in IEC TS 62443-1-1: identification and authentication control (IAC), use control (UC), system integrity (SI), data confidentiality (DC), restricted data flow (RDF), timely response to events (TRE), and resource availability (RA).[33] These capabilities are categorized by the component's security level capability index (SL-C), which ranges from SL 1 to SL 4, indicating progressively stringent protections against cyber threats; SL-C measures the inherent security of the component itself, independent of system-level targets.[33][34] For instance, at higher SL-C levels, embedded devices must implement robust authentication mechanisms, such as multi-factor controls under IAC, and enforced access restrictions via UC to prevent unauthorized operations.[34] Software components require features like cryptographic protections for DC and SI, ensuring data encryption and integrity checks, while network components must support RDF through firewall-like filtering to limit unauthorized flows.[33] TRE demands mechanisms for detecting and alerting on security events within defined timeframes, and RA includes safeguards against denial-of-service attacks, such as resource throttling.[33] Compliance with these requirements enables components to achieve certified SL-C ratings, facilitating their selection for IACS deployments that demand specific security assurances.[34] A corrigendum issued in 2022 clarified certain technical specifications without altering the core framework.[33]

Principal Roles

The IEC 62443 standards define four principal roles within the industrial automation and control systems (IACS) security ecosystem to delineate responsibilities across the lifecycle of secure system development, operation, and maintenance.[35] These roles—Asset Owner (AO), Integration Service Provider (SI), Product Supplier (PS), and Maintenance Service Provider (SM)—ensure coordinated efforts in addressing cybersecurity risks, with each role's obligations outlined in the standards' policies and procedures section.[36]

The Asset Owner (AO) holds ultimate accountability for the IACS, including its operation and the equipment it controls.[35] This role is responsible for establishing and maintaining the overall IACS security program, conducting initial and ongoing risk assessments, defining acceptable risk levels, and allocating resources for security measures.[36] The Asset Owner also approves cybersecurity requirements, system partitioning into zones and conduits, and any changes or decommissioning processes to ensure alignment with organizational policies.[37]

The Integration Service Provider (SI) focuses on the design, implementation, and integration of secure IACS solutions.[35] This role involves configuring, testing, and commissioning systems while implementing technical security controls, such as segmentation into zones and conduits, and verifying compliance with specified security levels.[35] Integration Service Providers assist Asset Owners in risk assessments and handover processes, ensuring the delivered solution meets operational and security requirements without introducing vulnerabilities.[37]

The Product Supplier (PS) is tasked with developing and supporting secure hardware and software components for IACS environments.[36] This includes adhering to secure development practices, providing comprehensive documentation on security capabilities and limitations, and delivering updates to address vulnerabilities throughout the product lifecycle.[37] Product Suppliers must ensure their components can integrate securely into broader systems, offering guidance on hardening and threat mitigation independent of specific IACS deployments.[35]

The Maintenance Service Provider (SM) supports ongoing IACS maintenance and third-party operations with a focus on security continuity.[35] Responsibilities encompass monitoring for threats and vulnerabilities, implementing change management procedures, performing secure updates, and purging sensitive data during system decommissioning.[36] Maintenance Service Providers operate under Asset Owner directives, validating their activities against established security policies to maintain system integrity and provide assured support.[37]

Security Levels

Security Levels (SL) in the IEC 62443 series represent discrete metrics of cybersecurity performance for industrial automation and control systems (IACS), zones, and conduits, quantifying the system's ability to withstand attacks based on the attacker's potential sophistication, resources, expertise, and motivation. These levels provide a framework for tailoring security measures to the specific risk profile of an IACS asset, ensuring that protection aligns with identified threats without over-engineering defenses.[38]

The standards define four primary security levels, ranging from SL 0 to SL 4, each corresponding to increasing threat capabilities:

Three variants of SL are distinguished: the target security level (SL-T), which specifies the desired protection for a zone or conduit derived from risk assessment; the achieved security level (SL-A), denoting the actual protection realized through implemented controls in a system or zone; and the capability security level (SL-C), measuring the intrinsic security potential of individual components or products.[39] SL-T guides design and procurement, while SL-A and SL-C enable verification that deployed elements meet or exceed targets.[40]

SL-A for systems is calculated by assessing compliance with system requirements (SRs) grouped under seven foundational requirements (FRs)—identification and authentication control (FR 1), use control (FR 2), system integrity (FR 3), data confidentiality (FR 4), restricted data flow (FR 5), timely response to events (FR 6), and resource availability (FR 7)—where the overall SL-A equals the minimum SL achieved across all FRs, expressed as SL-A = \min(\text{SL-FR}_1, \text{SL-FR}_2, \dots, \text{SL-FR}_7).[38] In contrast, SL-C for components is derived similarly from component requirements (CRs) and enhancements (REs) in IEC 62443-4-2, focusing on the product's design and built-in features rather than operational implementation.[40] This differentiation ensures that component capabilities (SL-C) contribute reliably to system-level achievements (SL-A), with SL-T serving as the benchmark during risk assessment.[39]

Zones and Conduits

In the IEC 62443 series of standards, a zone is defined as a logical or physical grouping of assets within an industrial automation and control system (IACS) that share common security requirements and form a trust boundary. This segmentation approach allows organizations to apply uniform security controls to assets with similar risk profiles, such as controllers, sensors, or workstations, thereby isolating potential threats and preventing lateral movement across the system.[28] Zones establish clear boundaries where security policies can be enforced, ensuring that breaches in one area do not easily propagate to others.[41]

Conduits, in contrast, refer to the secure communication paths—either logical or physical—that connect multiple zones while enforcing specific controls to manage data flow. These paths incorporate measures such as access control policies, encryption, monitoring, and filtering to protect against unauthorized access or tampering during transmission between zones.[21] For instance, a conduit might secure the link between a zone containing programmable logic controllers (PLCs) and an enterprise IT zone, using firewalls or protocol gateways to restrict traffic to only essential, authenticated exchanges.[42]

Implementation of zones and conduits involves strategic network segmentation to limit the scope of potential breaches, often starting with mapping IACS assets and identifying natural boundaries based on functionality or physical proximity.[41] Techniques include deploying firewalls, virtual local area networks (VLANs), or data diodes to create these separations, as seen in isolating PLC networks from corporate IT infrastructure to prevent malware spread from office environments.[43] This approach enhances defense-in-depth by layering protections, where each zone and conduit acts as a checkpoint that requires attackers to overcome multiple barriers.[28] Security levels from IEC 62443 are typically assigned to zones to quantify the required resilience against threats.[21]

The benefits of this model include improved incident response through contained impacts and easier compliance with regulatory requirements, as segmentation reduces the attack surface in complex IACS environments.[41] In 2025 updates to the standards, greater emphasis has been placed on micro-segmentation techniques within zones and conduits, particularly for legacy systems that integrate non-IP protocols with modern TCP/IP networks, enabling finer-grained controls without full infrastructure overhauls.[44] This evolution supports adaptive security in hybrid setups, where conduits can dynamically enforce policies based on real-time threat intelligence.[45]

Risk Assessment Process

The risk assessment process in IEC 62443 provides a structured methodology for identifying, analyzing, and mitigating cybersecurity risks within industrial automation and control systems (IACS), ensuring alignment with organizational security objectives.[46] This process, detailed primarily in IEC 62443-3-2, emphasizes a systematic approach to evaluate risks at both high-level and detailed stages, enabling asset owners to prioritize threats based on potential impacts to safety, operations, and business continuity.[28] It integrates qualitative and quantitative elements to determine appropriate security measures, reducing vulnerabilities in interconnected IACS environments.[47]

The process begins with asset identification, where critical components of the system under consideration (SuC)—such as hardware, software, networks, and processes—are inventoried to define the scope of potential risks.[48] Following this, threat and vulnerability analysis involves cataloging potential cyber threats (e.g., unauthorized access or malware injection) and associated vulnerabilities (e.g., outdated firmware or weak authentication), often scoped within defined zones to focus on high-impact areas.[46] Next, likelihood and consequence evaluation assesses the probability of threat exploitation and the severity of outcomes, using scales typically ranging from low to high for each factor.[49]

Risk scoring is commonly achieved through matrices that multiply likelihood by consequence to generate a composite risk score, facilitating prioritization based on business impact—such as financial loss or operational downtime. For instance, a risk score can be calculated as:

where likelihood and consequence are assigned numerical values (e.g., 1-5 scale), allowing for visual heat maps to highlight critical scenarios.[48] This evaluation leads to SL-T determination, where the target security level (SL-T) is established for each zone or conduit, ranging from SL-0 (no protection needed) to SL-4 (protection against advanced threats), to specify the required countermeasures.[28] Finally, residual risk treatment involves selecting and implementing mitigation strategies—such as access controls or segmentation—to address remaining risks, followed by documentation in a cybersecurity requirements specification.[46]

The process is inherently iterative, integrated into the IACS lifecycle from design through decommissioning, with regular reviews to adapt to evolving threats, including post-incident analyses to refine future assessments.[47] IEC 62443-4-1 incorporates supply chain risks by requiring evaluation of third-party components and software integrity during asset identification and threat analysis, enhancing visibility into vendor-related vulnerabilities through practices like software bill of materials (SBOM).[50] This addresses quantitative methods for supply chain scoring, such as assessing supplier threat likelihood based on historical breach data, to ensure comprehensive risk mitigation across the ecosystem.[51]

Industry Applications

In the manufacturing sector, IEC 62443 has been widely adopted to secure supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs), which are critical for automated production lines. For instance, a major automotive manufacturer implemented the standard to protect its highly automated facilities by establishing security zones and conduits through network segmentation, achieving Security Level 2 (SL 2) capabilities that mitigate risks from accidental or casual violations.[52] This approach involves dividing the plant network into isolated segments for PLC communications and SCADA monitoring, ensuring that cyber threats do not propagate across production zones.[53] Such segmentation aligns with IEC 62443-3-2 requirements for risk-based zoning, enabling manufacturers to maintain operational continuity while addressing vulnerabilities in interconnected OT environments.[38]

In the energy and oil & gas industries, IEC 62443 supports pipeline protection, particularly following high-profile incidents like the 2021 Colonial Pipeline ransomware attack, which highlighted the need for robust OT cybersecurity in remote operations. The standard's framework has been recommended for compliance with post-incident directives, such as those from the U.S. Transportation Security Administration, by applying defense-in-depth strategies to secure supervisory systems and remote access points.[54] For remote pipeline monitoring and control, SL 3 is typically required to defend against intentional, sophisticated attacks using extended resources, involving enhanced authentication, encryption, and anomaly detection for SCADA and RTU communications.[55] Operators have leveraged IEC 62443-3-3 system requirements to segment remote assets, reducing the blast radius of potential breaches and ensuring resilience in distributed oil and gas infrastructures.[56]

The water and wastewater sector utilizes IEC 62443 to enhance industrial control systems (ICS) resilience in utilities, where disruptions can impact public health and supply chains. A water utility case study demonstrated the standard's application in modernizing legacy ICS through foundational controls like access management and network segmentation, aligning with risk assessment processes to protect treatment plants from cyber threats.[52] In the European Union, utilities are increasingly adopting IEC 62443 to prepare for compliance with the Cyber Resilience Act (CRA), which imposes cybersecurity requirements starting in 2026 for critical infrastructure products, as the standard's technical requirements map closely to CRA's essential cybersecurity obligations for digital products in critical infrastructure.[57] This includes zoning SCADA systems for wastewater treatment to isolate operational technology from IT networks, thereby improving overall system integrity and regulatory adherence.[58]

As of 2025, IEC 62443's implementation has expanded globally through regulatory alignments, including Australia's adoption in July 2025 as a national standard for critical infrastructure cybersecurity and U.S. Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) updates in September 2025 that incorporate 62443 principles.[59][60]

Accredited Certification Schemes

Accreditation bodies play a crucial role in the IEC 62443 certification ecosystem by evaluating and endorsing certification bodies (CBs) to ensure their competence in assessing conformance to the standard's security requirements. Organizations such as the International Laboratory Accreditation Cooperation (ILAC) and the International Accreditation Forum (IAF) recognize national and regional accreditation bodies, which in turn accredit CBs to perform impartial evaluations of industrial automation and control systems (IACS) against IEC 62443. This framework guarantees that certified products, processes, and systems meet defined security levels (SL) through rigorous, standardized procedures.[64][65]

The certification process relies on third-party audits conducted by these accredited CBs, which operate under the requirements of ISO/IEC 17065 for bodies certifying products, processes, and services. These audits involve comprehensive assessments of an entity's adherence to IEC 62443's security lifecycle and technical specifications, including verification of SL capabilities for components, systems, and organizations. CBs must demonstrate ongoing compliance through regular surveillance and re-accreditation, ensuring the reliability and impartiality of conformance testing. For instance, laboratories supporting these audits are often accredited to ISO/IEC 17025 for testing and calibration competence.[66][65][67]

International recognition of IEC 62443 certifications is facilitated by ILAC and IAF's multi-lateral mutual recognition arrangements (MLAs), which promote cross-border validity and reduce duplication of efforts. These agreements, signed by over 100 accreditation bodies worldwide, enable certificates issued by accredited CBs in one country to be accepted globally, fostering trust in supply chains for critical infrastructure. Specific schemes, such as ISASecure, leverage this infrastructure for their assessments.[68][69]

ISASecure Program

The ISASecure program, administered by the International Society of Automation (ISA), provides third-party certification for industrial automation and control systems (IACS) to demonstrate conformance with the IEC 62443 series of cybersecurity standards. Launched in 2010, it focuses on off-the-shelf products, supplier development practices, and system integrations used in operational technology environments, helping asset owners and suppliers mitigate cybersecurity risks through verified compliance.[70]

The program comprises three primary certification components: ISASecure-SSA for system security assurance, ISASecure-CSA for component security assurance, and ISASecure-SDLA for secure development lifecycle assurance (often aligned with component security development processes). ISASecure-SSA certifies complete control systems against the requirements of IEC 62443-3-3, evaluating their ability to achieve specified security levels through integrated security functions and risk management.[66] ISASecure-CSA assesses individual components, such as embedded devices, software modules, and network elements, for their technical cybersecurity capabilities under IEC 62443-4-2, assigning Security Levels (SL 1 to SL 4) based on robustness against threats.[71] ISASecure-SDLA verifies an organization's product development lifecycle processes per IEC 62443-4-1, ensuring secure design, implementation, and maintenance practices from requirements gathering to decommissioning.[64] Approved research and testing elements are integrated through accredited laboratories that validate conformance using standardized test tools and methodologies.

Certification follows a structured process emphasizing both capability and implementation. Laboratory testing determines the Security Level Capability (SL-C) by examining inherent product features in controlled environments, while on-site audits evaluate the Security Level Achieved (SL-A) to confirm effective deployment and operational security controls. Annual re-certification is mandatory, involving surveillance audits and updates to address evolving threats or standard revisions. The program incorporates amendments, such as those to IEC 62443-4-2 Edition 2 (released in 2022), by revising certification criteria to include enhanced requirements for component resilience.[72]

By November 2025, the ISASecure program has issued over 150 certifications across its components, with 92 for CSA, 54 for SDLA, and 9 for SSA, reflecting growing adoption in sectors like manufacturing and energy. Key achievements include the issuance of the world's first SL 3 certifications under the updated standards in April 2024, demonstrating advanced cybersecurity maturity for certified systems and components.[73][74][75][76] The program's certification bodies operate under general ISO/IEC 17065 accreditation to ensure impartiality and global recognition.[77]

In June 2025, ISASecure launched the Automation and Control System Security Assurance (ACSSA) inspection and certification scheme, which assesses and certifies the cybersecurity of operational IACS at asset owner sites. Aligned with IEC 62443-2-1 and -3-2, ACSSA evaluates risk management, security policies, and implementation to achieve targeted security levels, providing a unified approach for site-level conformance in critical infrastructure.[78]

IECEE CB Scheme

The IECEE CB Scheme, part of the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components, has been extended to encompass cybersecurity certification for industrial automation and control systems (IACS) under IEC 62443-4-2, enabling mutual recognition of test reports for component-level security requirements.[79] This adaptation focuses on verifying that products meet the technical requirements (CRs) associated with the seven foundational requirements (FRs) of the standard, such as identification and authentication control and system integrity. By participating in the scheme, manufacturers can demonstrate compliance through a one-time evaluation, avoiding repetitive assessments in multiple markets.[80]

National Certification Bodies (NCBs), accredited under IECEE rules, perform the testing and issue CB Test Certificates (CBTCs) that specify the product's achieved Security Level (SL) capabilities, typically ranging from SL 1 to SL 4 based on the assessed foundational requirements.[81] These certificates are mutually accepted by all IECEE member countries, streamlining international trade for certified IACS components and reducing barriers for exporters.[82] The process involves rigorous testing of product samples against the standard's requirements, with reports detailing conformance evidence for each applicable CR.[83]

The scheme's scope is limited to hardware and software components of IACS, including embedded devices and network modules, emphasizing technical security capabilities rather than full system integration or development processes.[84] In 2025, expansions included the accreditation of additional operational technology (OT)-specific testing laboratories as NCBs, such as Applus+ Laboratories for IEC 62443-4-1 and 4-2, further broadening access to specialized cybersecurity assessments.[85] This development supports growing demand for verified secure products in critical infrastructure sectors.[86]

Updates and Amendments

In 2024, the ISA/IEC 62443 series underwent significant revisions, particularly in ANSI/ISA-62443-2-1, which establishes requirements for asset owners to develop, implement, maintain, and improve an industrial automation and control systems (IACS) security program. This update replaces the 2010 version by restructuring requirements into security program elements and introducing a maturity model to assess compliance and effectiveness in reducing cybersecurity risks to tolerable levels.[5] The changes emphasize governance and accountability, aligning with evolving threats in critical infrastructure sectors like manufacturing and energy.[24]

In 2025, ISA published ISA-TR62443-2-2-2025, providing guidance on IACS security protection schemes.[2] Emerging technology considerations, including guidance on cloud-native architectures and virtualization, have been incorporated into secure-by-default principles in parts like IEC 62443-4-1, supporting hybrid IACS deployments.[87]

Alignment with Regulations

The IEC 62443 series integrates closely with the European Union's Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, which entered into force on December 11, 2024, and imposes mandatory cybersecurity requirements on products with digital elements, including operational technology (OT) systems.[88] For OT products classified as "important" under the CRA, EN IEC 62443-4-2 provides technical requirements for secure component development, mapping directly to CRA Annex I Part I (2) essential cybersecurity requirements, such as authentication, data protection, and resilience against vulnerabilities.[89] Similarly, EN IEC 62443-3-3 addresses system-level security for OT environments, aligning with the same CRA provisions through its definition of security levels (SL 1 to SL 4), where each level's acceptance criteria for control requirements and enhancements correspond to CRA conformity assessment levels, enabling manufacturers to demonstrate compliance via risk-based security profiles tailored to specific OT assets like industrial controllers.[89] EN IEC 62443-4-1 further supports CRA Annex I Part I (1) and Part II by outlining secure product lifecycle processes, including threat modeling and vulnerability handling, which facilitate conformity declarations for OT hardware and software.[89]

In the United States, IEC 62443 aligns with NIST Special Publication 800-82 Revision 3, "Guide to Operational Technology (OT) Security," published in September 2023, which provides non-prescriptive guidance for securing industrial control systems (ICS) and references IEC 62443 as a complementary framework for establishing defense-in-depth strategies in critical infrastructure sectors like energy and manufacturing.[90] This alignment emphasizes shared principles such as network segmentation, access controls, and incident response, with IEC 62443 offering normative requirements that build on NIST's risk management recommendations for OT environments.[91] CISA's Cross-Sector Cybersecurity Performance Goals, updated in 2023, also incorporate IEC 62443 elements for ICS protection, promoting its use alongside NIST guidelines to mitigate supply chain risks and enhance resilience.[92] In 2025, ongoing harmonization efforts by CISA, in collaboration with the FBI and international partners like the UK NCSC, encourage OT operators to align practices with IEC 62443 and NIST SP 800-82 to address evolving threats, including through joint advisories on ICS vulnerabilities.[93]

IEC 62443 supports compliance with the EU's NIS2 Directive (Directive (EU) 2022/2555), which expands cybersecurity obligations for essential and important entities in sectors like transport and water supply, by providing a technical framework that maps to NIS2 Article 21 requirements on risk management, supply chain security, and incident reporting.[94] For instance, IEC 62443-2-1 sections on establishing cybersecurity management systems (e.g., 4.3.4.5 for incident response and 4.3.2.2 for supply chain risks) directly address NIS2 mandates, enabling organizations to implement holistic OT security measures while demonstrating conformity through auditable security levels.[94] This integration has driven global adoption trends, with IEC 62443 increasingly referenced in national implementations of NIS2 across EU member states, fostering standardized OT cybersecurity practices beyond Europe in regions like North America and Asia.[94]

Looking ahead, the IEC 62443 series is set for amendments addressing emerging technologies, including industrial Internet of Things (IIoT) integrations, with planned updates to EN IEC 62443-4-1 (A11:2026) and EN IEC 62443-4-2 (A11:2026) to incorporate cloud-native architectures, AI-driven threats, and virtualization in OT contexts.[89] Vertical sector profiles under EN IEC TS 62443-1-5, such as those for virtual private networks (#20) and firewalls (#36), are expected by November 2026, enhancing applicability to IIoT ecosystems through tailored risk assessments and certification pathways.[89] Further developments, including guidance on generative AI and supply chain resilience for IIoT, are anticipated between 2026 and 2028, building on ongoing ISA/IEC studies to extend the standard's scope to hybrid IT/OT environments.[95]

History

The development of the IEC 62443 series of standards originated in 2002, when the International Society of Automation (ISA) formed the ISA99 committee to create a comprehensive framework for cybersecurity in industrial automation and control systems (IACS), responding to growing concerns over vulnerabilities in critical infrastructure.[2] This initiative aimed to fill gaps in existing IT security practices, which were inadequate for the unique operational requirements of IACS environments. Early efforts focused on defining foundational concepts, models, and risk management approaches tailored to industrial settings.

In 2007, the first key documents were published under the ISA99 and ISA-62443 banners, including ISA-TR99.00.01-2007 on security technologies and ISA-62443-1-1-2007 establishing terminology, concepts, and models.[3] Collaboration between ISA and the International Electrotechnical Commission (IEC) intensified, culminating in formal adoption as a joint IEC/ISA standard by 2010, with the inaugural IEC publication of IEC/TS 62443-1-1 in 2009.[8] The emergence of the Stuxnet malware in 2010, which demonstrated the potential for sophisticated cyberattacks on IACS, served as a pivotal catalyst, amplifying urgency and driving refinements to address targeted threats in programmable logic controllers and supervisory control systems.[9] That same year, IEC 62443-2-1 was released, specifying requirements for security programs managed by IACS asset owners.[10]

Subsequent expansions from 2013 to 2015 built on these foundations, with ANSI/ISA-62443-3-3-2013 outlining system security requirements and security levels, and ISA-TR62443-2-3-2015 providing guidance on patch and vulnerability management in operational technology environments.[2] Between 2018 and 2023, the series saw significant consolidations and updates, including ANSI/ISA-62443-4-1-2018 and ANSI/ISA-62443-4-2-2018, which detailed secure product development lifecycles and technical security requirements for IACS components.[2] In 2021, the IEC recognized the series as a horizontal standard applicable across multiple industries, enhancing its global reach. Cyber incidents such as the 2021 Colonial Pipeline ransomware attack highlighted persistent risks to supply chain operations, informing ongoing revisions by emphasizing robust incident response and resilience measures in IACS security programs.[11]

Relationship between IEC and ISA

The International Society of Automation (ISA) serves as the originating body for the IEC 62443 series through its ISA99 committee, established in 2002 to address cybersecurity needs for industrial automation and control systems (IACS) by leveraging technical expertise from industry practitioners and end-users.[2] This committee develops the core content, focusing on practical, risk-based approaches derived from real-world automation environments.[2]

The International Electrotechnical Commission (IEC) adopted the ISA99 standards for internationalization, resulting in the dual-numbered ISA/IEC 62443 series, where documents are published simultaneously under both designations (e.g., ISA-62443-x-y and IEC 62443-x-y) to ensure identical content and global applicability.[2] This process involves joint working groups, particularly under IEC Technical Committee 65 Working Group 10 (IEC TC 65 WG 10), which collaborates closely with ISA99 to review and approve contributions, harmonizing the standards for worldwide use.[12] In 2021, IEC designated the series as a horizontal standard, applicable across multiple sectors, further solidifying this partnership.[13]

Governance of the series emphasizes shared responsibilities: ISA99 leads content development and technical innovation, while IEC oversees global harmonization, publication, and alignment with broader electrotechnical norms, with all updates requiring consensus from both organizations to maintain consistency and authority.[14] This collaborative model ensures that revisions incorporate input from diverse stakeholders, including international experts, without compromising the practitioner-driven foundation.[2]

Joint efforts between ISA and IEC include co-authored technical reports, such as those providing guidance on security program establishment, and alignments with complementary standards like IEC 61508 for functional safety, where IEC 62443 addresses cybersecurity aspects to support integrated safety-security lifecycles in IACS.[2][15] These initiatives, including the establishment of the ISA Global Cybersecurity Alliance in 2019, promote adoption and interoperability across global industries.[2]

General Concepts and Models (Part 1)

The General Concepts and Models (Part 1) of the IEC 62443 series establishes the foundational elements for securing industrial automation and control systems (IACS), comprising four technical specifications and reports that define essential terminology, frameworks, and evaluation tools. These documents provide a consistent basis for the entire standard family, enabling stakeholders to apply cybersecurity principles uniformly across industrial environments. By focusing on conceptual models rather than prescriptive requirements, Part 1 supports the integration of security into IACS design, operation, and assessment processes.[16][1]

IEC/TS 62443-1-1 introduces core terminology, concepts, and models for IACS cybersecurity, serving as the basis for all subsequent standards in the series. It defines IACS as the collection of personnel, hardware, software, and services that interact to perform essential functions in industrial processes, distinguishing them from traditional IT systems due to their real-time and safety-critical nature. Key terms include cybersecurity zones, which group assets sharing common security needs to simplify protection strategies, and conduits, representing communication paths between zones. The document outlines a reference model for secure IACS architecture, depicting hierarchical layers from field devices to enterprise systems, with interfaces that emphasize segmentation and monitoring. Central to this is the defense-in-depth principle, advocating multiple overlapping safeguards—such as access controls, encryption, and intrusion detection—to address threats comprehensively, reducing the risk of single-point failures. This model promotes resilience against evolving cyber threats in operational technology environments.[8][11][17]

IEC/TR 62443-1-2 provides a master glossary that consolidates and standardizes terms and abbreviations across the IEC 62443 series, ensuring precise and consistent usage among asset owners, system integrators, and product suppliers. The glossary encompasses definitions for fundamental elements like threats (potential causes of unwanted incidents), vulnerabilities (weaknesses exploitable by threats), assets (critical components or data requiring protection), and security requirements (measures to mitigate risks). By serving as a centralized reference, it facilitates clear communication and interoperability, preventing misinterpretations that could undermine security implementations in diverse industrial settings. This technical report is regularly updated to reflect advancements in cybersecurity terminology.[4][17]

IEC 62443-1-3 specifies system security conformance metrics, offering a structured methodology to quantify and evaluate IACS cybersecurity effectiveness. These metrics derive from foundational and technical requirements in the series, categorizing them into areas such as policy enforcement, detection capabilities, and response mechanisms. For instance, maturity metrics assess program development stages from ad hoc practices to optimized, continuous improvement, while performance metrics gauge system resilience, such as the percentage of assets protected against high-impact threats. This enables organizations to measure progress objectively, benchmark against industry norms, and prioritize enhancements, with conformance levels tied to security level targets. The approach supports auditing and certification, ensuring verifiable security outcomes without prescribing specific tools.[18][19]

IEC/TR 62443-1-4 details IACS security lifecycle models and use-case scenarios, guiding the embedding of cybersecurity from inception through decommissioning. The lifecycle model encompasses phases including concept, design, implementation, operation, maintenance, and retirement, with security integrated at each stage to address evolving risks. Patch management cycles are highlighted as a critical process, involving vulnerability assessment, testing in isolated environments, staged deployment, and post-update verification to minimize operational disruptions in safety-critical systems. Use-case models illustrate applications, such as retrofitting security into legacy IACS or coordinating multi-vendor updates, demonstrating how lifecycle integration aligns with principal roles like asset owners and product suppliers. This ensures sustained security posture, complementing the reference architecture from 1-1.[20][21]

IEC TS 62443-1-5:2023 provides implementation guidance for a cybersecurity scheme, outlining a framework for developing and applying security profiles that support conformance assessment across the IEC 62443 series. It defines profiles for different stakeholder roles, enabling the specification of security requirements in a standardized manner to facilitate certification and interoperability. This technical specification aids in aligning product development, system integration, and organizational programs with the overall standards framework.[22]

Policies and Procedures (Part 2)

The IEC 62443-2 series establishes foundational policies and procedures for organizations managing industrial automation and control systems (IACS), emphasizing the development of robust security programs tailored to operational needs. These standards guide asset owners and service providers in creating governance structures, risk mitigation strategies, and operational protocols to protect against cyber threats, while accommodating legacy systems through compensating controls.[23]

IEC 62443-2-1:2024 outlines requirements for IACS asset owners to develop comprehensive security programs, focusing on governance to define organizational roles and responsibilities for cybersecurity oversight. It mandates the implementation of risk management frameworks that involve identifying assets, assessing threats, and prioritizing mitigation measures based on potential impacts to operations. Additionally, the standard requires incident response plans that detail detection, analysis, containment, eradication, recovery, and post-incident review processes to minimize disruptions and ensure resilience. The 2024 edition restructures requirements into security program elements and introduces a maturity model for ongoing evaluation and improvement of cybersecurity programs. These elements form a maturity model allowing progressive enhancement of security capabilities, independent of specific technologies. The standard also specifies procedures for establishing an IACS security program, including mandatory training and awareness initiatives to equip personnel with knowledge of cybersecurity risks and best practices. Training programs must cover topics such as threat recognition, secure operations, and compliance with policies, ensuring ongoing education through regular sessions and updates to address evolving threats. Awareness efforts extend to all staff interacting with IACS, promoting a culture of vigilance via communications, simulations, and role-specific guidance to reduce human-related vulnerabilities.[23][24]

IEC TR 62443-2-3:2015 describes requirements for patch management in the IACS environment, providing guidance for asset owners on developing and implementing effective patch management programs. It covers the patch management lifecycle, including identification, evaluation, testing, deployment, and verification of patches, while considering the unique constraints of IACS such as limited downtime tolerance and safety implications. The technical report emphasizes risk-based prioritization of patches and coordination with suppliers to ensure timely and secure updates without compromising system availability.[25]

IEC PAS 62443-2-2:2025, currently under development as of November 2025, addresses the IACS security protection scheme, providing a framework for defining and implementing protection levels across organizational assets and processes to align with risk assessments.[26]

System Security (Part 3)

The IEC 62443-3 series establishes security requirements and processes for industrial automation and control systems (IACS), emphasizing a risk-based approach to protect entire systems from cyber threats.[2] This part focuses on system-level considerations, including risk assessment methodologies and technical requirements that guide the design and implementation of secure IACS architectures.[28] By integrating threat analysis with security level targeting, the standards enable asset owners to align protections with operational risks without mandating specific technologies.[29]

IEC TR 62443-3-1:2009 provides a current assessment of various cybersecurity tools, mitigation countermeasures, and technologies applicable to IACS. It highlights technologies like firewalls for network segmentation, encryption for data protection during transmission and storage, intrusion detection systems, and access control mechanisms. These technologies are evaluated for their suitability in industrial environments, considering factors such as real-time performance, reliability, and integration with legacy systems. The technical report guides stakeholders in selecting and deploying appropriate technologies to support defense-in-depth strategies and address specific threats identified in risk assessments.[30]

IEC 62443-3-2:2020 outlines a structured process for conducting cybersecurity risk assessments for system design, primarily targeted at asset owners and end users.[28] The process begins with identifying the system under consideration (SUC), which encompasses the IACS components and their interdependencies.[28] It then involves partitioning the SUC into zones and conduits to isolate risks based on potential impact.[28] Threat modeling follows, where relevant threats to IACS are identified, such as those affecting safety-related assets, temporary devices, wireless connections, or external network access; this step considers the likelihood and potential consequences of cyber attacks.[28]

Vulnerability identification in IEC 62443-3-2 requires a detailed analysis of weaknesses within the system, drawing from known exploits, architectural flaws, and operational practices to support precise risk evaluation.[28] The assessment proceeds through initial and detailed cyber risk evaluations, quantifying risks by combining threat likelihood with vulnerability severity and asset impact.[28] Based on these evaluations, security level targets (SL-T) are determined for each zone or conduit, specifying the required protection level (from SL-0 to SL-4) to mitigate identified risks adequately.[28] The process concludes with documentation in a cybersecurity requirements specification (CRS), which records all findings, SL-T assignments, and stakeholder approvals for implementation.[28] This methodology ensures that risk assessments are repeatable, adaptable to evolving threats, and integrated into the overall IACS lifecycle.[2]

Component Security (Part 4)

The IEC 62443-4 series establishes security requirements specifically for the development and specification of Industrial Automation and Control Systems (IACS) components by product suppliers.[2] It comprises two primary standards: IEC 62443-4-1, which outlines process-oriented requirements for a secure product development lifecycle, and IEC 62443-4-2, which defines technical security capabilities for individual components.[1] These standards aim to ensure that components, such as embedded devices and software, are designed with inherent cybersecurity resilience to mitigate risks when integrated into IACS environments.[3]

IEC 62443-4-1:2018, published as ANSI/ISA-62443-4-1, specifies secure product development lifecycle requirements for suppliers to systematically address cybersecurity throughout the product creation and maintenance phases.[31] Suppliers must define and implement security requirements early in the design process, applying principles of defense-in-depth to create layered protections against threats.[31] Threat modeling is a core element, requiring ongoing identification and assessment of potential risks, including those from evolving cyber threats, to inform design decisions and prioritize mitigations.[31] Secure coding practices are mandated, with suppliers required to adopt standardized guidelines that minimize vulnerabilities, such as input validation and error handling, during software development.[31] Additional requirements include comprehensive security testing—encompassing penetration testing and vulnerability assessments—at multiple lifecycle stages, along with processes for managing identified security issues through assessment, resolution, and communication to users.[31] Suppliers are also obligated to evaluate third-party components for security risks, provide timely updates and patches with clear documentation, and maintain user guidance on secure configuration and operation.[31] This lifecycle approach ensures that security is not an afterthought but an integrated aspect of product development, tailored to the unique constraints of IACS, such as real-time operations and long-term deployment.[32]

IEC 62443-4-2:2019 delineates technical security capabilities required for IACS components, including embedded devices, network components, host components, and software.[33] It specifies requirements aligned with the seven foundational requirements (FRs) outlined in IEC TS 62443-1-1: identification and authentication control (IAC), use control (UC), system integrity (SI), data confidentiality (DC), restricted data flow (RDF), timely response to events (TRE), and resource availability (RA).[33] These capabilities are categorized by the component's security level capability index (SL-C), which ranges from SL 1 to SL 4, indicating progressively stringent protections against cyber threats; SL-C measures the inherent security of the component itself, independent of system-level targets.[33][34] For instance, at higher SL-C levels, embedded devices must implement robust authentication mechanisms, such as multi-factor controls under IAC, and enforced access restrictions via UC to prevent unauthorized operations.[34] Software components require features like cryptographic protections for DC and SI, ensuring data encryption and integrity checks, while network components must support RDF through firewall-like filtering to limit unauthorized flows.[33] TRE demands mechanisms for detecting and alerting on security events within defined timeframes, and RA includes safeguards against denial-of-service attacks, such as resource throttling.[33] Compliance with these requirements enables components to achieve certified SL-C ratings, facilitating their selection for IACS deployments that demand specific security assurances.[34] A corrigendum issued in 2022 clarified certain technical specifications without altering the core framework.[33]

Principal Roles

The IEC 62443 standards define four principal roles within the industrial automation and control systems (IACS) security ecosystem to delineate responsibilities across the lifecycle of secure system development, operation, and maintenance.[35] These roles—Asset Owner (AO), Integration Service Provider (SI), Product Supplier (PS), and Maintenance Service Provider (SM)—ensure coordinated efforts in addressing cybersecurity risks, with each role's obligations outlined in the standards' policies and procedures section.[36]

The Asset Owner (AO) holds ultimate accountability for the IACS, including its operation and the equipment it controls.[35] This role is responsible for establishing and maintaining the overall IACS security program, conducting initial and ongoing risk assessments, defining acceptable risk levels, and allocating resources for security measures.[36] The Asset Owner also approves cybersecurity requirements, system partitioning into zones and conduits, and any changes or decommissioning processes to ensure alignment with organizational policies.[37]

The Integration Service Provider (SI) focuses on the design, implementation, and integration of secure IACS solutions.[35] This role involves configuring, testing, and commissioning systems while implementing technical security controls, such as segmentation into zones and conduits, and verifying compliance with specified security levels.[35] Integration Service Providers assist Asset Owners in risk assessments and handover processes, ensuring the delivered solution meets operational and security requirements without introducing vulnerabilities.[37]

The Product Supplier (PS) is tasked with developing and supporting secure hardware and software components for IACS environments.[36] This includes adhering to secure development practices, providing comprehensive documentation on security capabilities and limitations, and delivering updates to address vulnerabilities throughout the product lifecycle.[37] Product Suppliers must ensure their components can integrate securely into broader systems, offering guidance on hardening and threat mitigation independent of specific IACS deployments.[35]

The Maintenance Service Provider (SM) supports ongoing IACS maintenance and third-party operations with a focus on security continuity.[35] Responsibilities encompass monitoring for threats and vulnerabilities, implementing change management procedures, performing secure updates, and purging sensitive data during system decommissioning.[36] Maintenance Service Providers operate under Asset Owner directives, validating their activities against established security policies to maintain system integrity and provide assured support.[37]

Security Levels

Security Levels (SL) in the IEC 62443 series represent discrete metrics of cybersecurity performance for industrial automation and control systems (IACS), zones, and conduits, quantifying the system's ability to withstand attacks based on the attacker's potential sophistication, resources, expertise, and motivation. These levels provide a framework for tailoring security measures to the specific risk profile of an IACS asset, ensuring that protection aligns with identified threats without over-engineering defenses.[38]

The standards define four primary security levels, ranging from SL 0 to SL 4, each corresponding to increasing threat capabilities:

Three variants of SL are distinguished: the target security level (SL-T), which specifies the desired protection for a zone or conduit derived from risk assessment; the achieved security level (SL-A), denoting the actual protection realized through implemented controls in a system or zone; and the capability security level (SL-C), measuring the intrinsic security potential of individual components or products.[39] SL-T guides design and procurement, while SL-A and SL-C enable verification that deployed elements meet or exceed targets.[40]

SL-A for systems is calculated by assessing compliance with system requirements (SRs) grouped under seven foundational requirements (FRs)—identification and authentication control (FR 1), use control (FR 2), system integrity (FR 3), data confidentiality (FR 4), restricted data flow (FR 5), timely response to events (FR 6), and resource availability (FR 7)—where the overall SL-A equals the minimum SL achieved across all FRs, expressed as SL-A = \min(\text{SL-FR}_1, \text{SL-FR}_2, \dots, \text{SL-FR}_7).[38] In contrast, SL-C for components is derived similarly from component requirements (CRs) and enhancements (REs) in IEC 62443-4-2, focusing on the product's design and built-in features rather than operational implementation.[40] This differentiation ensures that component capabilities (SL-C) contribute reliably to system-level achievements (SL-A), with SL-T serving as the benchmark during risk assessment.[39]

Zones and Conduits

In the IEC 62443 series of standards, a zone is defined as a logical or physical grouping of assets within an industrial automation and control system (IACS) that share common security requirements and form a trust boundary. This segmentation approach allows organizations to apply uniform security controls to assets with similar risk profiles, such as controllers, sensors, or workstations, thereby isolating potential threats and preventing lateral movement across the system.[28] Zones establish clear boundaries where security policies can be enforced, ensuring that breaches in one area do not easily propagate to others.[41]

Conduits, in contrast, refer to the secure communication paths—either logical or physical—that connect multiple zones while enforcing specific controls to manage data flow. These paths incorporate measures such as access control policies, encryption, monitoring, and filtering to protect against unauthorized access or tampering during transmission between zones.[21] For instance, a conduit might secure the link between a zone containing programmable logic controllers (PLCs) and an enterprise IT zone, using firewalls or protocol gateways to restrict traffic to only essential, authenticated exchanges.[42]

Implementation of zones and conduits involves strategic network segmentation to limit the scope of potential breaches, often starting with mapping IACS assets and identifying natural boundaries based on functionality or physical proximity.[41] Techniques include deploying firewalls, virtual local area networks (VLANs), or data diodes to create these separations, as seen in isolating PLC networks from corporate IT infrastructure to prevent malware spread from office environments.[43] This approach enhances defense-in-depth by layering protections, where each zone and conduit acts as a checkpoint that requires attackers to overcome multiple barriers.[28] Security levels from IEC 62443 are typically assigned to zones to quantify the required resilience against threats.[21]

The benefits of this model include improved incident response through contained impacts and easier compliance with regulatory requirements, as segmentation reduces the attack surface in complex IACS environments.[41] In 2025 updates to the standards, greater emphasis has been placed on micro-segmentation techniques within zones and conduits, particularly for legacy systems that integrate non-IP protocols with modern TCP/IP networks, enabling finer-grained controls without full infrastructure overhauls.[44] This evolution supports adaptive security in hybrid setups, where conduits can dynamically enforce policies based on real-time threat intelligence.[45]

Risk Assessment Process

The risk assessment process in IEC 62443 provides a structured methodology for identifying, analyzing, and mitigating cybersecurity risks within industrial automation and control systems (IACS), ensuring alignment with organizational security objectives.[46] This process, detailed primarily in IEC 62443-3-2, emphasizes a systematic approach to evaluate risks at both high-level and detailed stages, enabling asset owners to prioritize threats based on potential impacts to safety, operations, and business continuity.[28] It integrates qualitative and quantitative elements to determine appropriate security measures, reducing vulnerabilities in interconnected IACS environments.[47]

The process begins with asset identification, where critical components of the system under consideration (SuC)—such as hardware, software, networks, and processes—are inventoried to define the scope of potential risks.[48] Following this, threat and vulnerability analysis involves cataloging potential cyber threats (e.g., unauthorized access or malware injection) and associated vulnerabilities (e.g., outdated firmware or weak authentication), often scoped within defined zones to focus on high-impact areas.[46] Next, likelihood and consequence evaluation assesses the probability of threat exploitation and the severity of outcomes, using scales typically ranging from low to high for each factor.[49]

Risk scoring is commonly achieved through matrices that multiply likelihood by consequence to generate a composite risk score, facilitating prioritization based on business impact—such as financial loss or operational downtime. For instance, a risk score can be calculated as:

where likelihood and consequence are assigned numerical values (e.g., 1-5 scale), allowing for visual heat maps to highlight critical scenarios.[48] This evaluation leads to SL-T determination, where the target security level (SL-T) is established for each zone or conduit, ranging from SL-0 (no protection needed) to SL-4 (protection against advanced threats), to specify the required countermeasures.[28] Finally, residual risk treatment involves selecting and implementing mitigation strategies—such as access controls or segmentation—to address remaining risks, followed by documentation in a cybersecurity requirements specification.[46]

The process is inherently iterative, integrated into the IACS lifecycle from design through decommissioning, with regular reviews to adapt to evolving threats, including post-incident analyses to refine future assessments.[47] IEC 62443-4-1 incorporates supply chain risks by requiring evaluation of third-party components and software integrity during asset identification and threat analysis, enhancing visibility into vendor-related vulnerabilities through practices like software bill of materials (SBOM).[50] This addresses quantitative methods for supply chain scoring, such as assessing supplier threat likelihood based on historical breach data, to ensure comprehensive risk mitigation across the ecosystem.[51]

Industry Applications

In the manufacturing sector, IEC 62443 has been widely adopted to secure supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs), which are critical for automated production lines. For instance, a major automotive manufacturer implemented the standard to protect its highly automated facilities by establishing security zones and conduits through network segmentation, achieving Security Level 2 (SL 2) capabilities that mitigate risks from accidental or casual violations.[52] This approach involves dividing the plant network into isolated segments for PLC communications and SCADA monitoring, ensuring that cyber threats do not propagate across production zones.[53] Such segmentation aligns with IEC 62443-3-2 requirements for risk-based zoning, enabling manufacturers to maintain operational continuity while addressing vulnerabilities in interconnected OT environments.[38]

In the energy and oil & gas industries, IEC 62443 supports pipeline protection, particularly following high-profile incidents like the 2021 Colonial Pipeline ransomware attack, which highlighted the need for robust OT cybersecurity in remote operations. The standard's framework has been recommended for compliance with post-incident directives, such as those from the U.S. Transportation Security Administration, by applying defense-in-depth strategies to secure supervisory systems and remote access points.[54] For remote pipeline monitoring and control, SL 3 is typically required to defend against intentional, sophisticated attacks using extended resources, involving enhanced authentication, encryption, and anomaly detection for SCADA and RTU communications.[55] Operators have leveraged IEC 62443-3-3 system requirements to segment remote assets, reducing the blast radius of potential breaches and ensuring resilience in distributed oil and gas infrastructures.[56]

The water and wastewater sector utilizes IEC 62443 to enhance industrial control systems (ICS) resilience in utilities, where disruptions can impact public health and supply chains. A water utility case study demonstrated the standard's application in modernizing legacy ICS through foundational controls like access management and network segmentation, aligning with risk assessment processes to protect treatment plants from cyber threats.[52] In the European Union, utilities are increasingly adopting IEC 62443 to prepare for compliance with the Cyber Resilience Act (CRA), which imposes cybersecurity requirements starting in 2026 for critical infrastructure products, as the standard's technical requirements map closely to CRA's essential cybersecurity obligations for digital products in critical infrastructure.[57] This includes zoning SCADA systems for wastewater treatment to isolate operational technology from IT networks, thereby improving overall system integrity and regulatory adherence.[58]

As of 2025, IEC 62443's implementation has expanded globally through regulatory alignments, including Australia's adoption in July 2025 as a national standard for critical infrastructure cybersecurity and U.S. Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) updates in September 2025 that incorporate 62443 principles.[59][60]

Accredited Certification Schemes

Accreditation bodies play a crucial role in the IEC 62443 certification ecosystem by evaluating and endorsing certification bodies (CBs) to ensure their competence in assessing conformance to the standard's security requirements. Organizations such as the International Laboratory Accreditation Cooperation (ILAC) and the International Accreditation Forum (IAF) recognize national and regional accreditation bodies, which in turn accredit CBs to perform impartial evaluations of industrial automation and control systems (IACS) against IEC 62443. This framework guarantees that certified products, processes, and systems meet defined security levels (SL) through rigorous, standardized procedures.[64][65]

The certification process relies on third-party audits conducted by these accredited CBs, which operate under the requirements of ISO/IEC 17065 for bodies certifying products, processes, and services. These audits involve comprehensive assessments of an entity's adherence to IEC 62443's security lifecycle and technical specifications, including verification of SL capabilities for components, systems, and organizations. CBs must demonstrate ongoing compliance through regular surveillance and re-accreditation, ensuring the reliability and impartiality of conformance testing. For instance, laboratories supporting these audits are often accredited to ISO/IEC 17025 for testing and calibration competence.[66][65][67]

International recognition of IEC 62443 certifications is facilitated by ILAC and IAF's multi-lateral mutual recognition arrangements (MLAs), which promote cross-border validity and reduce duplication of efforts. These agreements, signed by over 100 accreditation bodies worldwide, enable certificates issued by accredited CBs in one country to be accepted globally, fostering trust in supply chains for critical infrastructure. Specific schemes, such as ISASecure, leverage this infrastructure for their assessments.[68][69]

ISASecure Program

The ISASecure program, administered by the International Society of Automation (ISA), provides third-party certification for industrial automation and control systems (IACS) to demonstrate conformance with the IEC 62443 series of cybersecurity standards. Launched in 2010, it focuses on off-the-shelf products, supplier development practices, and system integrations used in operational technology environments, helping asset owners and suppliers mitigate cybersecurity risks through verified compliance.[70]

The program comprises three primary certification components: ISASecure-SSA for system security assurance, ISASecure-CSA for component security assurance, and ISASecure-SDLA for secure development lifecycle assurance (often aligned with component security development processes). ISASecure-SSA certifies complete control systems against the requirements of IEC 62443-3-3, evaluating their ability to achieve specified security levels through integrated security functions and risk management.[66] ISASecure-CSA assesses individual components, such as embedded devices, software modules, and network elements, for their technical cybersecurity capabilities under IEC 62443-4-2, assigning Security Levels (SL 1 to SL 4) based on robustness against threats.[71] ISASecure-SDLA verifies an organization's product development lifecycle processes per IEC 62443-4-1, ensuring secure design, implementation, and maintenance practices from requirements gathering to decommissioning.[64] Approved research and testing elements are integrated through accredited laboratories that validate conformance using standardized test tools and methodologies.

Certification follows a structured process emphasizing both capability and implementation. Laboratory testing determines the Security Level Capability (SL-C) by examining inherent product features in controlled environments, while on-site audits evaluate the Security Level Achieved (SL-A) to confirm effective deployment and operational security controls. Annual re-certification is mandatory, involving surveillance audits and updates to address evolving threats or standard revisions. The program incorporates amendments, such as those to IEC 62443-4-2 Edition 2 (released in 2022), by revising certification criteria to include enhanced requirements for component resilience.[72]

By November 2025, the ISASecure program has issued over 150 certifications across its components, with 92 for CSA, 54 for SDLA, and 9 for SSA, reflecting growing adoption in sectors like manufacturing and energy. Key achievements include the issuance of the world's first SL 3 certifications under the updated standards in April 2024, demonstrating advanced cybersecurity maturity for certified systems and components.[73][74][75][76] The program's certification bodies operate under general ISO/IEC 17065 accreditation to ensure impartiality and global recognition.[77]

In June 2025, ISASecure launched the Automation and Control System Security Assurance (ACSSA) inspection and certification scheme, which assesses and certifies the cybersecurity of operational IACS at asset owner sites. Aligned with IEC 62443-2-1 and -3-2, ACSSA evaluates risk management, security policies, and implementation to achieve targeted security levels, providing a unified approach for site-level conformance in critical infrastructure.[78]

IECEE CB Scheme

The IECEE CB Scheme, part of the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components, has been extended to encompass cybersecurity certification for industrial automation and control systems (IACS) under IEC 62443-4-2, enabling mutual recognition of test reports for component-level security requirements.[79] This adaptation focuses on verifying that products meet the technical requirements (CRs) associated with the seven foundational requirements (FRs) of the standard, such as identification and authentication control and system integrity. By participating in the scheme, manufacturers can demonstrate compliance through a one-time evaluation, avoiding repetitive assessments in multiple markets.[80]

National Certification Bodies (NCBs), accredited under IECEE rules, perform the testing and issue CB Test Certificates (CBTCs) that specify the product's achieved Security Level (SL) capabilities, typically ranging from SL 1 to SL 4 based on the assessed foundational requirements.[81] These certificates are mutually accepted by all IECEE member countries, streamlining international trade for certified IACS components and reducing barriers for exporters.[82] The process involves rigorous testing of product samples against the standard's requirements, with reports detailing conformance evidence for each applicable CR.[83]

The scheme's scope is limited to hardware and software components of IACS, including embedded devices and network modules, emphasizing technical security capabilities rather than full system integration or development processes.[84] In 2025, expansions included the accreditation of additional operational technology (OT)-specific testing laboratories as NCBs, such as Applus+ Laboratories for IEC 62443-4-1 and 4-2, further broadening access to specialized cybersecurity assessments.[85] This development supports growing demand for verified secure products in critical infrastructure sectors.[86]

Updates and Amendments

In 2024, the ISA/IEC 62443 series underwent significant revisions, particularly in ANSI/ISA-62443-2-1, which establishes requirements for asset owners to develop, implement, maintain, and improve an industrial automation and control systems (IACS) security program. This update replaces the 2010 version by restructuring requirements into security program elements and introducing a maturity model to assess compliance and effectiveness in reducing cybersecurity risks to tolerable levels.[5] The changes emphasize governance and accountability, aligning with evolving threats in critical infrastructure sectors like manufacturing and energy.[24]

In 2025, ISA published ISA-TR62443-2-2-2025, providing guidance on IACS security protection schemes.[2] Emerging technology considerations, including guidance on cloud-native architectures and virtualization, have been incorporated into secure-by-default principles in parts like IEC 62443-4-1, supporting hybrid IACS deployments.[87]

Alignment with Regulations

The IEC 62443 series integrates closely with the European Union's Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, which entered into force on December 11, 2024, and imposes mandatory cybersecurity requirements on products with digital elements, including operational technology (OT) systems.[88] For OT products classified as "important" under the CRA, EN IEC 62443-4-2 provides technical requirements for secure component development, mapping directly to CRA Annex I Part I (2) essential cybersecurity requirements, such as authentication, data protection, and resilience against vulnerabilities.[89] Similarly, EN IEC 62443-3-3 addresses system-level security for OT environments, aligning with the same CRA provisions through its definition of security levels (SL 1 to SL 4), where each level's acceptance criteria for control requirements and enhancements correspond to CRA conformity assessment levels, enabling manufacturers to demonstrate compliance via risk-based security profiles tailored to specific OT assets like industrial controllers.[89] EN IEC 62443-4-1 further supports CRA Annex I Part I (1) and Part II by outlining secure product lifecycle processes, including threat modeling and vulnerability handling, which facilitate conformity declarations for OT hardware and software.[89]

In the United States, IEC 62443 aligns with NIST Special Publication 800-82 Revision 3, "Guide to Operational Technology (OT) Security," published in September 2023, which provides non-prescriptive guidance for securing industrial control systems (ICS) and references IEC 62443 as a complementary framework for establishing defense-in-depth strategies in critical infrastructure sectors like energy and manufacturing.[90] This alignment emphasizes shared principles such as network segmentation, access controls, and incident response, with IEC 62443 offering normative requirements that build on NIST's risk management recommendations for OT environments.[91] CISA's Cross-Sector Cybersecurity Performance Goals, updated in 2023, also incorporate IEC 62443 elements for ICS protection, promoting its use alongside NIST guidelines to mitigate supply chain risks and enhance resilience.[92] In 2025, ongoing harmonization efforts by CISA, in collaboration with the FBI and international partners like the UK NCSC, encourage OT operators to align practices with IEC 62443 and NIST SP 800-82 to address evolving threats, including through joint advisories on ICS vulnerabilities.[93]

IEC 62443 supports compliance with the EU's NIS2 Directive (Directive (EU) 2022/2555), which expands cybersecurity obligations for essential and important entities in sectors like transport and water supply, by providing a technical framework that maps to NIS2 Article 21 requirements on risk management, supply chain security, and incident reporting.[94] For instance, IEC 62443-2-1 sections on establishing cybersecurity management systems (e.g., 4.3.4.5 for incident response and 4.3.2.2 for supply chain risks) directly address NIS2 mandates, enabling organizations to implement holistic OT security measures while demonstrating conformity through auditable security levels.[94] This integration has driven global adoption trends, with IEC 62443 increasingly referenced in national implementations of NIS2 across EU member states, fostering standardized OT cybersecurity practices beyond Europe in regions like North America and Asia.[94]

Looking ahead, the IEC 62443 series is set for amendments addressing emerging technologies, including industrial Internet of Things (IIoT) integrations, with planned updates to EN IEC 62443-4-1 (A11:2026) and EN IEC 62443-4-2 (A11:2026) to incorporate cloud-native architectures, AI-driven threats, and virtualization in OT contexts.[89] Vertical sector profiles under EN IEC TS 62443-1-5, such as those for virtual private networks (#20) and firewalls (#36), are expected by November 2026, enhancing applicability to IIoT ecosystems through tailored risk assessments and certification pathways.[89] Further developments, including guidance on generative AI and supply chain resilience for IIoT, are anticipated between 2026 and 2028, building on ongoing ISA/IEC studies to extend the standard's scope to hybrid IT/OT environments.[95]