EN IEC 62443 — Industrial Automation and Control Systems Cybersecurity
IEC 62443 (adopted in Europe as EN IEC 62443) is the definitive international standard series for cybersecurity of Industrial Automation and Control Systems (IACS): PLCs, SCADA systems, DCS, sensors, actuators, HMIs, and the industrial communication networks that connect them. Developed by ISA (International Society of Automation) as ISA/IEC 62443, the series has been adopted by IEC as IEC 62443 and by CENELEC as EN IEC 62443.
While standards like EN 18031 and EN 303 645 address consumer IoT and radio equipment cybersecurity, EN IEC 62443 addresses Operational Technology (OT) security — factory automation, industrial control systems, critical infrastructure, and process industries. Its complexity and multi-layered structure reflect the unique security challenges of environments where physical process control, safety, and availability are the primary concerns.
Key Facts
| Detail | Information |
|---|---|
| Full series name | IEC 62443 / EN IEC 62443 — Security for industrial automation and control systems |
| Developed by | ISA99 committee (as ISA/IEC 62443), adopted by IEC and CENELEC |
| Structure | Multi-part series (4 groups, 13+ individual standards) |
| Regulatory relevance | NIS2 Directive (for critical infrastructure operators), CRA (for devices used in industrial context), IEC 62443 increasingly referenced by sector regulators |
| Applies to | IACS components, systems, and service providers — covers asset owners, system integrators, and product suppliers |
| Certification | ISASecure certification programme (CRTL, EDSA, SSA schemes) |
The IEC 62443 Series Structure
Unlike EN 300 328 or EN 303 645 — which are single documents — IEC 62443 is a family of standards organised into four groups:
Group 1: General
Foundational concepts, terminology, and metrics applicable across all other groups.
| Standard | Title |
|---|---|
| IEC 62443-1-1 | Terminology, concepts and models |
| IEC 62443-1-2 | Master glossary of terms and abbreviations |
| IEC 62443-1-3 | System security conformance metrics |
| IEC 62443-1-4 | IACS security lifecycle and use-cases |
Group 2: Policies and Procedures (Asset Owner / Operator)
Addresses the security management and operational aspects of IACS from the perspective of the asset owner — the organisation operating the industrial system.
| Standard | Title |
|---|---|
| IEC 62443-2-1 | Requirements for an IACS security management system |
| IEC 62443-2-2 | Implementation guidance for an IACS security management system |
| IEC 62443-2-3 | Patch management in the IACS environment |
| IEC 62443-2-4 | Requirements for IACS service providers (system integrators, maintenance providers) |
Group 3: System (System Integrator)
Addresses security requirements at the system level: how an IACS should be designed, applying the Security Levels (SL) and Zones and Conduits concepts.
| Standard | Title |
|---|---|
| IEC 62443-3-2 | Security risk assessment for system design |
| IEC 62443-3-3 | System security requirements and security levels |
Group 4: Components (Product Supplier / Manufacturer)
Addresses the security requirements for individual components — hardware devices, software applications, and embedded systems used within IACS systems. This is the most relevant group for hardware manufacturers supplying components into industrial markets.
| Standard | Title |
|---|---|
| IEC 62443-4-1 | Secure product development lifecycle requirements |
| IEC 62443-4-2 | Technical security requirements for IACS components |
Security Levels (SL): The Core Framework
The concept of Security Levels (SL 1–4) is central to IEC 62443 and defines the degree of protection required against different threat actors:
| Security Level | Protection Against | Typical Application |
|---|---|---|
| SL 1 | Unintentional or coincidental violation | Basic protection against casual or accidental threats |
| SL 2 | Intentional violation using simple means | Protection against motivated intruders with limited resources |
| SL 3 | Sophisticated attack using IACS-specific knowledge | Protection against sophisticated attackers with domain expertise |
| SL 4 | State-sponsored sophisticated attack | Critical infrastructure protection against nation-state threats |
Security Levels are expressed in three forms:
- SL-T (Target) — The security level targeted by the asset owner
- SL-C (Capability) — The security level a component or system is capable of supporting
- SL-A (Achieved) — The security level actually achieved in a given installation
For hardware component manufacturers, IEC 62443-4-2 defines the technical requirements for components at each Security Level Capability (SL-C, written SLC in the rest of this page).
Zones and Conduits
IEC 62443-3-2 introduces the Zones and Conduits model for segmenting IACS networks:
- Zone: A grouping of assets with common security requirements and trust level. Each zone has a defined SL-T.
- Conduit: A communication pathway between zones. Conduits control and monitor the flow of information between zones with different security levels.
This model is the ICS/OT equivalent of network segmentation in IT security. It dictates how firewalls, data diodes, industrial DMZs, and unidirectional gateways should be deployed.
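The following Python is an added illustration, not taken from the standard or from this page's author. It checks an inventory against the model above, listing assets whose SL-C is below their zone's SL-T and flows that cross zones without a declared conduit. Zone names, assets, levels and flows are constructed, and treating conduits as directional (to represent a one-way gateway) is an assumption.

```python
"""Zone/conduit review over a constructed inventory (all names and levels are illustrative)."""

ZONE_SLT = {"enterprise": 1, "dmz": 2, "control": 3, "safety": 4}  # zone -> SL-T

ASSETS = {  # asset -> (zone, SL-C claimed by the supplier)
    "erp": ("enterprise", 1),
    "historian": ("dmz", 2),
    "eng-ws": ("control", 2),
    "plc-1": ("control", 3),
    "sis-1": ("safety", 4),
}

# Declared conduits as (source zone, destination zone). Treating a conduit as
# directional is an assumption that lets a one-way gateway be modelled.
CONDUITS = {("enterprise", "dmz"), ("dmz", "enterprise"), ("control", "dmz")}

# Constructed observed flows: (source asset, destination asset).
FLOWS = [
    ("erp", "historian"), ("plc-1", "historian"), ("eng-ws", "plc-1"),
    ("historian", "plc-1"), ("erp", "plc-1"), ("laptop-7", "sis-1"),
]


def capability_gaps(assets=ASSETS, zone_slt=ZONE_SLT):
    """Assets whose SL-C is below the SL-T of the zone they sit in."""
    return sorted(
        (name, zone, sl_c, zone_slt[zone])
        for name, (zone, sl_c) in assets.items()
        if sl_c < zone_slt[zone]
    )


def flow_findings(flows=FLOWS, assets=ASSETS, conduits=CONDUITS):
    """Flows that involve an unknown asset or cross zones without a declared conduit."""
    findings = []
    for src, dst in flows:
        if src not in assets or dst not in assets:
            findings.append((src, dst, "asset not in inventory"))
            continue
        src_zone, dst_zone = assets[src][0], assets[dst][0]
        if src_zone != dst_zone and (src_zone, dst_zone) not in conduits:
            findings.append((src, dst, f"no conduit {src_zone}->{dst_zone}"))
    return findings


if __name__ == "__main__":
    print("SL-C below SL-T:", capability_gaps())
    print("flow findings:", flow_findings())
```

A gap reported by `capability_gaps` marks where the installation's SL-A cannot be assumed to reach the zone's SL-T from component capability alone.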
IEC 62443-4-1: Secure Product Development Lifecycle
IEC 62443-4-1 is particularly relevant for hardware and software product manufacturers supplying components to IACS systems. It defines the requirements for the Security Development Lifecycle (SDL) that a manufacturer’s development processes must follow:
Core Requirement Areas
- Security Management — Documented security policy, roles and responsibilities, security training
- Specification of Security Requirements — Threat modelling, security requirements definition
- Secure by Design — Defence-in-depth, least privilege, minimise attack surface
- Secure Implementation — Secure coding standards, code review, no forbidden functions
- Security Verification and Validation — Penetration testing, fuzz testing, vulnerability scanning
- Management of Security-Related Issues — Vulnerability management and disclosure process
- Security Update Management — Patch management, update delivery capability
- Security Guidelines Documentation — Security hardening guides for integrators and operators
Certification of a manufacturer’s SDL against IEC 62443-4-1 (offered by organisations like TÜV SÜD, Exida, Bureau Veritas) demonstrates that the process by which products are developed meets industrial cybersecurity standards — equivalent to ISO 9001 quality management, but for cybersecurity.
IEC 62443-4-2: Component Technical Requirements
IEC 62443-4-2 defines the technical security capabilities that hardware and software components must support at each Security Level Capability:
| Requirement Category | Examples |
|---|---|
| Identification and Authentication | Unique component identity, strong authentication for user access, role-based access control |
| Use Control | Session locking, authorisation enforcement for all functions |
| System Integrity | Software update authentication, boot integrity verification, malware protection |
| Data Confidentiality | Encryption of data in transit and at rest where sensitive |
| Restricted Data Flow | Minimise unnecessary network connectivity, firewall capability |
| Timely Response to Events | Audit logging, event notification, log integrity protection |
| Resource Availability | DoS resistance, backup and recovery capabilities |
Hardware implications for component manufacturers:
- SLC 2+: Requires a unique, hardware-based device identity (e.g., device certificate provisioned at manufacturing, X.509 certificate stored in a TPM or secure element (SE))
- SLC 2+: Requires cryptographic authentication — hardware entropy source for key generation
- SLC 3+: Requires platform integrity verification — Secure Boot anchored to hardware root of trust
- SLC 3+: Requires non-repudiation — hardware-based signing capability
IEC 62443 and the CRA
The EU Cyber Resilience Act (CRA) explicitly recognises that products used in IACS environments may need to satisfy both CRA requirements and IEC 62443:
| Regulation | Focus | Target |
|---|---|---|
| CRA | Consumer and commercial connected products | Product manufacturers |
| IEC 62443-4-2 | Industrial component cybersecurity capabilities | Industrial hardware/software suppliers |
| NIS2 | Cybersecurity of critical infrastructure operators | Operators of essential/important entities |
For hardware manufacturers selling into both consumer/commercial and industrial markets, harmonising between CRA requirements and IEC 62443-4-2 technical requirements is increasingly important. Both require Secure Boot, hardware root of trust, vulnerability management, and software update capability — they differ primarily in the formality of documentation and depth of process requirements.
Related Terms
- CRA — EU Cyber Resilience Act; increasingly aligned with IEC 62443 for industrial products.
- NIS2 Directive — Operators of critical infrastructure subject to NIS2 must implement IACS cybersecurity; IEC 62443 is the reference standard.
- Hardware Root of Trust — Foundational hardware security capability required at IEC 62443 SLC 2+.
- Secure Boot — Required for IEC 62443-4-2 SLC 3+ component certification.
- SBOM — Software Bill of Materials; increasingly required as part of IEC 62443-4-1 vulnerability management.
- EN 18031 — Consumer/radio equipment cybersecurity counterpart to IEC 62443.
Hardware manufacturers designing components for industrial and critical infrastructure markets — industrial gateways, PLCs, SCADA peripherals, smart meters, energy management systems — increasingly face customer requirements for IEC 62443-4-1 SDL certification and IEC 62443-4-2 component capability claims.