Skip to main content
> IEC 62443

IEC 62443 Industrial Automation and Control Systems Security

International standard for securing industrial control systems and operational technology

Established: 2007 (evolved from ISA/IEC 62443) Last Updated: Ongoing (multiple parts updated 2018-2024; IEC 62443-2-1 revised August 2024) Scope: Industrial Automation and Control Systems (IACS)
SL 0-4
Security Levels

What is IEC 62443 and who uses it?

IEC 62443 is a multi-part international standard series for the cybersecurity of industrial automation and control systems (IACS), developed jointly by ISA and IEC. Where IT security frameworks focus on data confidentiality, IEC 62443 is built around the OT priority order: safety first, availability second, integrity third. The series covers asset owners, system integrators, and product vendors. Its core concepts are security zones and conduits (segmenting OT networks and controlling traffic between segments) and Security Levels (SL 1-4) that match protection requirements to threat sophistication. Key parts include 2-1 (security program for asset owners, revised as [IEC 62443-2-1:2024](https://webstore.iec.ch/en/publication/62883) in August 2024), 3-3 (system security requirements and security levels), 4-1 (secure product development), and 4-2 (component requirements). Manufacturers, energy utilities, water systems, and other critical infrastructure operators use it globally.

// What is IEC 62443?

IEC 62443 is a multi-part series of standards addressing cybersecurity for industrial automation and control systems (IACS). Developed jointly with ISA (ISA/IEC 62443), it provides a systematic approach to securing operational technology environments including SCADA systems, distributed control systems, and programmable logic controllers.

Unlike IT-focused frameworks, IEC 62443 is designed specifically for OT environments where safety, availability, and reliability come first. The standards address security throughout the system lifecycle: from product development to system integration to operations and maintenance.

The framework uses Security Levels (SL 0-4) to define required protection based on threat sophistication, enabling organizations to match security investments to actual risk. Compliance is increasingly required in regulated industries and by critical infrastructure operators worldwide.

// Inside the Regulation

IEC 62443 comprises multiple parts organized into four main groups: General concepts, Policies and Procedures, System-level requirements, and Component-level requirements.

1

General Concepts (62443-1-x)

Foundation documents defining terminology, concepts, and security models.

62443-1-1: Terminology and Concepts

Establishes common vocabulary and foundational concepts for IACS security.

62443-1-2: Master Glossary

Complete definitions for terms used throughout the standard series.

62443-1-3: System Security Conformance Metrics

Quantitative metrics for measuring security conformance and effectiveness.

2

Policies and Procedures (62443-2-x)

Requirements for security management programs and processes.

62443-2-1: Security Program Requirements

Establishing and maintaining an IACS security management system including policies, procedures, and practices.

62443-2-2: IACS Security Program Ratings

Protection levels and maturity model for security program assessment.

62443-2-3: Patch Management

Requirements for patch management in IACS environments where traditional IT patching may be impractical.

62443-2-4: Security Requirements for IACS Service Providers

Security requirements for integrators, maintenance providers, and other service providers.

3

System Level (62443-3-x)

Requirements for secure system architecture and design.

62443-3-2: Security Risk Assessment

Methodology for assessing cybersecurity risk to IACS, identifying zones and conduits.

62443-3-3: System Security Requirements and Security Levels

Defines Security Levels (SL 1-4) and specific requirements for each level covering access control, use control, data integrity, confidentiality, and more.

4

Component Level (62443-4-x)

Requirements for secure product development and component security.

62443-4-1: Product Development Requirements

Secure development lifecycle requirements for IACS products including security by design.

62443-4-2: Technical Security Requirements for Components

Security capabilities required in IACS components at each Security Level.

Note: Security Levels in IEC 62443 range from SL 0 (no specific requirements) to SL 4 (protection against sophisticated attacks with extended resources). Most industrial applications require SL 2 (protection against intentional violation using simple means) or SL 3 (protection against sophisticated attacks).

// Who Must Comply

  • 1 Critical infrastructure operators with industrial control systems
  • 2 Manufacturing facilities with automated production
  • 3 Oil and gas companies with pipeline SCADA systems
  • 4 Electric utilities with grid control systems
  • 5 Water and wastewater treatment facilities
  • 6 Chemical and pharmaceutical manufacturers
  • 7 IACS product vendors and system integrators

// Key Requirements

Zone and Conduit Model

Segment OT environments into security zones with controlled communication conduits

Security Levels

Assign and implement appropriate Security Levels (SL 1-4) based on risk assessment

Access Control

Implement role-based access control for all IACS components and functions

Use Control

Restrict and monitor use of IACS components to authorized purposes

System Integrity

Ensure integrity of IACS components, data, and software through validation and monitoring

Incident Response

Maintain IACS-specific incident response capabilities including OT recovery procedures

// Enforcement & Penalties

IEC 62443 is a voluntary international standard without direct enforcement penalties. However, compliance is increasingly required by regulation, contract, or insurance. Failure to meet industry-standard security practices creates significant liability exposure.

Examples:

  • Regulatory citations where IEC 62443 is referenced (NERC CIP, FDA, etc.)
  • Contract disputes with customers requiring IEC 62443 compliance
  • Insurance claim denials where industry standards weren't met
  • Civil liability following OT security incidents affecting safety

// Cyber Insurance Impact

Industrial and OT cyber insurance policies increasingly reference IEC 62443 as the expected standard of care. Policies may require evidence of zone/conduit implementation, Security Level achievement, and ongoing compliance. Premium discounts may be available for certified compliance.

// How Breach Craft Helps

We help organizations achieve IEC 62443 compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of IEC 62443.

// Common Questions

What are IEC 62443 security levels?

Security Levels (SL 0-4) define how much protection an IACS zone or component must provide against increasingly capable attackers. SL 0 means no specific requirements. SL 1 protects against casual or unintentional violations. SL 2 (the most common target for industrial facilities) protects against intentional attacks using simple, low-cost means. SL 3 protects against sophisticated attackers with moderate resources. SL 4 is reserved for systems that must resist state-level or highly resourced attacks. Organizations first establish a Target Security Level (SL-T) through risk assessment, then verify that implemented controls reach that level (SL-A, achieved). The gap between the two drives the remediation roadmap.

What are zones and conduits in IEC 62443?

Zones are logical or physical groupings of IACS assets that share the same security requirements. A conduit is the communication path between zones, including the controls governing what traffic can cross. The zone-and-conduit model requires asset owners to map their OT environment, assign each zone a Security Level target, and then verify that conduit controls (firewalls, data diodes, encrypted tunnels) enforce the boundary between zones of different levels. This is the primary OT network segmentation concept in IEC 62443-3-2 (security risk assessment) and 3-3 (system security requirements).

How does IEC 62443 relate to NIST CSF and NERC CIP?

The NIST Cybersecurity Framework (CSF) is IT-centric and sector-agnostic; IEC 62443 is OT-specific and goes deeper on industrial control system requirements. The two complement each other and NIST has published mappings between them. NERC CIP applies exclusively to the bulk electric system in North America and carries regulatory enforcement; IEC 62443 is a voluntary international standard with no direct penalties but is increasingly cited in contracts, insurance policies, and sector-specific regulations (including FDA guidance on medical device cybersecurity). Organizations in regulated industries often use IEC 62443 to demonstrate the security baseline that NERC CIP or FDA guidance points toward.

Is IEC 62443 compliance mandatory?

IEC 62443 itself is a voluntary international standard with no enforcement body or direct penalties. In practice, it is increasingly treated as required by other means. Customers in energy, defense, and critical infrastructure supply chains write IEC 62443 compliance into contracts. Regulators reference it: the EU's NIS2 Directive names it as a recognized standard for OT security. Cyber insurers use it as a benchmark for OT coverage decisions. The August 2024 revision of IEC 62443-2-1:2024 updated the asset owner security program requirements for the first time since 2010, and auditors are starting to test against the new edition.

// Industries That Need IEC 62443

These industries commonly require IEC 62443 compliance as part of their regulatory obligations.

Guide last reviewed: June 16, 2026

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873