IEC 62443 is a series of international standards that tell you how to secure industrial automation and control systems (IACS) from cyber threats. It covers everything — from the words you use to describe security, to how you build a security program, to the specific technical requirements your systems must meet.
The standard was created by ISA (the International Society of Automation) through its ISA99 committee, starting in 2002. The International Electrotechnical Commission (IEC) adopted it for global use. Today it is published as ISA/IEC 62443 in the United States and IEC 62443 internationally.
In 2021, the IEC approved IEC 62443 as a “horizontal standard.” That means it applies across all industries, not just one sector. It is now used in more than 20 industries — from oil and gas to building automation to medical devices.
Why it matters: CISA recommends IEC 62443 for protecting operational technology environments. The EU’s NIS2 directive aligns with it. The United Nations endorsed it. If you work in industrial cybersecurity, this is the standard you need to know.
Table of Contents
Who Is IEC 62443 For?
IEC 62443 is not a single document for a single audience. It assigns clear responsibilities to four groups of stakeholders. Each group has dedicated parts of the standard that apply to them:
| Stakeholder | Role | Relevant Parts |
|---|---|---|
| Asset Owners | Organizations that own and operate industrial systems (factories, plants, utilities) | 62443-2-1, 62443-2-4, 62443-3-2 |
| System Integrators | Companies that design, build, and commission control systems | 62443-2-4, 62443-3-2, 62443-3-3 |
| Product Suppliers | Manufacturers of components like PLCs, DCS, HMIs, and network equipment | 62443-4-1, 62443-4-2 |
| Service Providers | Companies that maintain, patch, or remotely access industrial systems | 62443-2-4 |
This shared responsibility model is a founding principle of IEC 62443. No single party can secure an industrial system alone. The asset owner needs secure products from suppliers. The integrator needs to design the system correctly. The service provider needs to maintain it safely. Each role has defined requirements.
How IEC 62443 Is Organized: The Four Categories
The standard is split into four numbered categories. Each category groups related documents together:
Category 1 — General (IEC 62443-1-x)
These documents lay the foundation. They define the terms, concepts, and models used throughout the entire series.
IEC TS 62443-1-1: Terminology, Concepts and Models This is where you start. It defines what terms like “security zone,” “conduit,” “defense in depth,” and “foundational requirements” mean. It explains the security context model — how threats, vulnerabilities, risks, assets, and countermeasures relate to each other. It also defines the seven foundational requirements that form the backbone of the entire series.
Key concepts introduced in 62443-1-1:
- The CIA priority is reversed for industrial systems — availability comes first, then integrity, then confidentiality. This is the opposite of traditional IT security.
- Security is not a project with a start and end date. It is a continuous process. Organizations that treat it as a one-time project see their security level decline over time.
- The standard defines a cybersecurity management system (CSMS) approach that sustains security gains and keeps risk at an acceptable level.
Other Part 1 documents:
- IEC 62443-1-2 — Master glossary of terms and abbreviations
- IEC 62443-1-3 — Quantitative security compliance metrics
- IEC 62443-1-4 — IACS security lifecycle and use cases
- IEC 62443-1-5 — Cybersecurity profiles (industry-specific requirements)
- IEC 62443-1-6 — Applying 62443 to the Industrial Internet of Things (under development)
Category 2 — Policies and Procedures (IEC 62443-2-x)
These documents tell asset owners and service providers how to manage security at an organizational level.
IEC 62443-2-1: Establishing an IACS Security Program This is the playbook for building a cybersecurity management system (CSMS). It covers three main categories:
- Risk assessment — identifying your assets, classifying them, and assessing the threats and vulnerabilities they face. This includes building the business rationale for why security spending is justified.
- Addressing risk — creating security policies, building awareness, selecting countermeasures, and implementing them. This covers personnel security, physical security, network segmentation, access control, and incident response.
- Monitoring and improving — checking that your CSMS is working, conducting audits, and making continuous improvements.
The standard emphasizes that cybersecurity must integrate IT and OT teams. Historically, these groups operated separately and did not understand each other’s requirements. Successful programs bring both skill sets together along with process safety and physical security personnel.
IEC TR 62443-2-3: Patch Management in the IACS Environment Patching industrial systems is not like patching office computers. You cannot just push updates automatically. This technical report defines a structured process for exchanging patch information between product suppliers and asset owners. It covers how suppliers should package and communicate patch details, and how asset owners should evaluate, test, and deploy patches safely.
IEC 62443-2-4: Security Program Requirements for IACS Service Providers This part sets requirements for any company that provides integration or maintenance services for industrial systems. It covers what security capabilities a service provider must offer during the design, installation, commissioning, and ongoing maintenance of a control system. If you hire a system integrator or a maintenance contractor, this is the standard that defines what you should expect from them.
Category 3 — System (IEC 62443-3-x)
These documents address security at the system level — how to design, assess, and build secure industrial systems.
IEC TR 62443-3-1: Security Technologies for IACS A technical report that reviews the security tools and technologies available for industrial environments. It covers authentication, authorization, encryption, filtering, firewalls, intrusion detection, and more — with an honest assessment of what works and what does not work in OT environments.
IEC 62443-3-2: Security Risk Assessment and System Design This part tells you how to divide your system into zones and conduits, conduct a risk assessment for each one, and assign target security levels. It is the bridge between the organizational planning in Category 2 and the technical requirements in Category 3.
IEC 62443-3-3: System Security Requirements and Security Levels This is the most technically detailed part. It defines the specific system requirements (SRs) for each of the seven foundational requirements, organized by security level (SL 1 through SL 4). If you need to know exactly what your system must do at a given security level, this is the document to use.
Category 4 — Component (IEC 62443-4-x)
These documents target product suppliers who manufacture the hardware and software used in industrial systems.
IEC 62443-4-1: Secure Product Development Lifecycle Requirements Sets requirements for the development process itself. Suppliers must follow a secure development lifecycle that includes threat modeling, secure design, security testing, and vulnerability management. The standard defines four maturity levels for these processes.
IEC 62443-4-2: Technical Security Requirements for IACS Components Defines the specific security capabilities that individual components (controllers, network devices, software applications, embedded devices) must have. These requirements map to the same seven foundational requirements and four security levels used in 62443-3-3.
The 7 Foundational Requirements
Every technical requirement in IEC 62443 traces back to one of seven foundational requirements (FRs). These are defined in IEC 62443-1-1 and detailed in 62443-3-3. They are the backbone of the entire standard:
FR 1 — Identification and Authentication Control (IAC)
Verify the identity of every user, software process, and device before granting access. This includes:
- Human user identification and authentication (SR 1.1)
- Software process and device identification and authentication (SR 1.2)
- Account management (SR 1.3)
- Identifier management (SR 1.4)
- Authenticator management (SR 1.5)
- Wireless access management (SR 1.6)
- Strength of password-based authentication (SR 1.7)
- Public key infrastructure certificates (SR 1.8)
- Strength of public key authentication (SR 1.9)
- Authenticator feedback (SR 1.10)
- Unsuccessful login attempts (SR 1.11)
- System use notification (SR 1.12)
- Access via untrusted networks (SR 1.13)
FR 2 — Use Control (UC)
After authenticating a user or process, enforce what they are allowed to do. This covers:
- Authorization enforcement
- Wireless use control
- Use control for portable and mobile devices
- Mobile code protection
- Session lock and remote session termination
- Auditable events and audit storage
FR 3 — System Integrity (SI)
Protect the system from unauthorized changes and detect when integrity is violated:
- Communication integrity
- Malicious code protection
- Security functionality verification
- Software and information integrity (with automated notification of violations)
- Input validation
- Deterministic output
FR 4 — Data Confidentiality (DC)
Prevent unauthorized access to sensitive information:
- Information confidentiality
- Information persistence (proper erasure of sensitive data)
- Use of cryptography
FR 5 — Restricted Data Flow (RDF)
Control how data moves through the system:
- Network segmentation
- Zone boundary protection
- General-purpose, person-to-person communication restrictions
- Application partitioning
FR 6 — Timely Response to Events (TRE)
Detect and respond to security events quickly:
- Audit log accessibility
- Continuous monitoring
FR 7 — Resource Availability (RA)
Keep the system running even under attack:
- Denial of service protection
- Resource management
- Control system backup
- Control system recovery and reconstitution
- Emergency power
- Network and security configuration settings
Security Levels: SL 1 Through SL 4
IEC 62443 uses four security levels to match protection to the threat you face. Each level is defined by the type of attacker it defends against:
| Security Level | Attacker Profile | Who Needs It |
|---|---|---|
| SL 1 | Casual or coincidental violation | All systems. This is the minimum baseline — protection against accidental exposure and untargeted threats. |
| SL 2 | Intentional attack using simple means and low resources | General manufacturing, commercial buildings, and systems without high-value targets. |
| SL 3 | Intentional attack using sophisticated means and moderate resources | Critical infrastructure, energy systems, water treatment, and high-value industrial operations. |
| SL 4 | Intentional attack using sophisticated means with extended resources (nation-state level) | The most sensitive systems — defense, nuclear, and critical national infrastructure. |
Three Types of Security Levels
The standard defines three different measurements of security level:
- SL-T (Target) — the security level your risk assessment says you need. This is set by the asset owner based on the risk assessment in 62443-3-2.
- SL-C (Capability) — the security level the system is designed to support. This is determined by the system’s technical features and architecture.
- SL-A (Achieved) — the security level you actually have after the system is deployed and configured.
The gap between SL-T and SL-A is your residual risk. If your target is SL 3 but your achieved level is SL 2, you have a documented gap that needs to be addressed through compensating controls or system upgrades.
Maturity Levels (for processes)
Separate from security levels, IEC 62443-4-1 defines four maturity levels for development processes:
| Maturity Level | Description |
|---|---|
| ML 1 — Initial | Processes are ad hoc and not formally documented. |
| ML 2 — Managed | Processes are documented and followed. Staff are trained. Results are repeatable. |
| ML 3 — Defined (Practiced) | Processes are standardized across the organization with evidence of consistent practice. |
| ML 4 — Improving | Processes are measured, analyzed, and continuously improved based on metrics. |
Zones and Conduits: The Network Segmentation Model
One of IEC 62443’s most practical contributions is the zone and conduit model for network segmentation. It is defined in 62443-1-1 and used throughout the series.
Security Zones
A security zone is a logical grouping of physical, information, and application assets that share common security requirements. Every asset inside a zone is protected to the same level. Assets outside the zone are, by definition, at a different security level and cannot be trusted to the same degree.
Key properties of zones:
- Every zone has a defined border — the boundary between included and excluded assets.
- Zones can contain sub-zones for additional layers of protection (defense in depth).
- Zones can be physical (based on location) or virtual (based on functionality).
- Each zone has its own target security level (SL-T).
Conduits
A conduit is a special type of security zone that groups communication channels. It is the controlled pathway that allows data to flow between zones.
Key properties of conduits:
- A conduit protects the communication channels it contains, similar to how a physical conduit protects cables.
- Conduits can be trusted (same security level as the zones they connect) or untrusted (lower security level, requiring individual channel security).
- Every conduit has its own security requirements based on the zones it connects.
How Zones and Conduits Work Together
A typical industrial network might be organized like this:
- Enterprise Zone — corporate IT systems, email, ERP
- Enterprise Conduit — connects enterprise to plant networks (through a DMZ)
- Plant Zone — file servers, application servers, data servers
- Plant Control Conduit — connects plant network to control systems (through a firewall)
- Control Zone — controllers, I/O modules, field devices
Each zone boundary is a point where security controls are applied. The conduit between zones defines what communication is allowed and how it is protected. This prevents an attacker who compromises the enterprise network from moving directly into the control systems.
The Cybersecurity Management System (CSMS)
IEC 62443-2-1 defines the requirements for a formal cybersecurity management system. The CSMS is not a product — it is a structured program that covers people, processes, and technology.
The CSMS has three main categories:
1. Risk Assessment
- Identify all assets that need protection (hardware, software, information, people, processes)
- Build a business rationale — why cybersecurity investment is justified
- Classify and assess risks based on threats, vulnerabilities, and potential consequences
- Prioritize actions based on risk level
2. Addressing Risk
This is where you build and implement your defenses:
- Security policies — written rules that define acceptable behavior and security expectations
- Organization and awareness — assigning roles, training personnel, building a security culture
- Personnel security — background checks, access provisioning, role changes, termination procedures
- Physical and environmental security — protecting hardware, controlling facility access
- Network segmentation — implementing the zones and conduit model
- Access control — authentication, authorization, remote access management
- Incident response — planning, detection, containment, recovery, and lessons learned
3. Monitoring and Improving
- Conformance — auditing the CSMS against its own requirements
- Review and improve — updating policies, procedures, and controls based on audit results, new threats, and operational changes
- Maintaining the CSMS — treating security as a continuous process, not a project
Critical insight from the standard: IEC 62443-1-1 includes a figure showing how security levels decline over time when organizations treat cybersecurity as a one-time project. New threats emerge, systems change, and people forget. Only a continuous CSMS approach maintains security over time.
Maturity Phases: Where Is Your Organization?
IEC 62443-1-1 defines a set of maturity phases that describe how far along an organization is in building its security program:
| Phase | Steps | What It Means |
|---|---|---|
| Concept | Identification, Concept | You recognize the need for security. You start documenting assets and developing the program. |
| Functional Analysis | Definition, Functional Design | You define security requirements and design the program architecture. |
| Implementation | Detailed Design, Construction | You build out the technical and organizational controls. |
| Operations | Operations, Compliance Monitoring | You run the program, monitor compliance, and respond to incidents. |
| Disposal | Dissolution | You securely decommission systems and data when no longer needed. |
Different parts of your system can be at different maturity phases. A new production line might be in the implementation phase while an older legacy system is still in the concept phase. The standard acknowledges this reality.
IEC 62443 vs. Other Standards
IEC 62443 does not exist in isolation. Here is how it compares and works with other frameworks:
| Standard | Scope | How It Relates to IEC 62443 |
|---|---|---|
| NIST CSF | High-level risk management framework for all sectors | Provides the governance umbrella. IEC 62443 provides the OT-specific details underneath. Use both together. |
| ISO/IEC 27001 | Information security management systems | Focuses on IT data security. IEC 62443 extends this to industrial environments with different priorities and constraints. |
| NIST SP 800-82 | Guide to ICS security | U.S.-specific guidance that aligns well with IEC 62443. Often used alongside it. |
| NERC CIP | Cybersecurity for the North American bulk electric system | Sector-specific regulation. IEC 62443 provides a broader framework that NERC CIP-compliant organizations can map to. |
| NIS2 Directive | EU directive for network and information systems security | Regulatory requirement that aligns with IEC 62443 principles. Compliance with 62443 supports NIS2 compliance. |
IEC 62443 is not a replacement for these frameworks. It works alongside them. Many organizations use NIST CSF or ISO 27001 for overall governance and IEC 62443 for the industrial-specific technical and process requirements.
How to Start Implementing IEC 62443
If you are new to IEC 62443, here is a practical reading order and action plan:
Step 1: Learn the Language
Read IEC 62443-1-1. Understand the key concepts: zones, conduits, security levels, foundational requirements, and the CSMS model. This takes a few hours and gives you the vocabulary to navigate the rest of the series.
Step 2: Build Your Security Program
Use IEC 62443-2-1 to establish your CSMS. Start with a risk assessment, build a business rationale, create policies, and assign roles. This is the organizational foundation everything else builds on.
Step 3: Assess Your Risk
Apply IEC 62443-3-2 to divide your system into zones and conduits, assess the risk for each, and assign target security levels. This tells you where to focus your efforts.
Step 4: Define System Requirements
Use IEC 62443-3-3 to identify the specific system requirements (SRs) for each foundational requirement at your target security level. This becomes your technical checklist.
Step 5: Evaluate Your Vendors
Use IEC 62443-2-4 to set requirements for your system integrators and service providers. Use IEC 62443-4-1 and 4-2 to evaluate whether your component suppliers meet the necessary security standards.
Step 6: Implement, Monitor, and Improve
Deploy the controls, monitor for compliance, and continuously improve. Use the patch management process from IEC TR 62443-2-3 to handle updates safely.
IEC 62443 Certification
There are two types of certification related to IEC 62443:
Product and System Certification
The IECEE (IEC System of Conformity Assessment Schemes for Electrotechnical Equipment and Components) operates an Industrial Cyber Security Programme. It provides third-party testing and certification against IEC 62443 requirements for:
- Components (against 62443-4-2)
- Systems (against 62443-3-3)
- Development processes (against 62443-4-1)
ISASecure is another certification program, operated by the ISA Security Compliance Institute, that certifies products and development processes against IEC 62443.
Professional Certification
ISA offers professional certifications for individuals:
- ISA/IEC 62443 Cybersecurity Certificate Program — for engineers, integrators, and security professionals who need to understand and apply the standards.
These certifications signal to employers and customers that you or your products meet the requirements of the standard.
Complete List of IEC 62443 Documents
Here is every published part of the series as of 2026:
| Document | Title | Type | Status |
|---|---|---|---|
| IEC TS 62443-1-1 | Terminology, concepts and models | Technical Specification | Published (2009) |
| IEC 62443-1-2 | Master glossary of terms and abbreviations | Standard | Published |
| IEC 62443-1-3 | System security compliance metrics | Standard | Published |
| IEC 62443-1-4 | IACS security lifecycle and use cases | Technical Specification | Published |
| IEC 62443-1-5 | Profiles | Standard | Published |
| IEC 62443-2-1 | Establishing an IACS security program | Standard | Published (2010, Ed. 2 in progress) |
| IEC TR 62443-2-3 | Patch management in the IACS environment | Technical Report | Published (2015) |
| IEC 62443-2-4 | Security program requirements for IACS service providers | Standard | Published (2015) |
| IEC 62443-2-5 | Implementation guidance for IACS asset owners | Standard | Published |
| IEC TR 62443-3-1 | Security technologies for IACS | Technical Report | Published (2009) |
| IEC 62443-3-2 | Security risk assessment for system design | Standard | Published |
| IEC 62443-3-3 | System security requirements and security levels | Standard | Published (2013) |
| IEC 62443-4-1 | Secure product development lifecycle requirements | Standard | Published |
| IEC 62443-4-2 | Technical security requirements for IACS components | Standard | Published |
| IEC 62443-6-1 | Security evaluation methodology for IEC 62443-2-4 | Standard | Published |
| IEC 62443-6-2 | Security evaluation methodology for IEC 62443-4-2 | Standard | Published |
Note: The series is constantly evolving. New editions and new parts (such as 62443-1-6 for Industrial IoT) are under development. Always check the IEC webstore for the latest versions.
Frequently Asked Questions
What does IEC 62443 stand for?
IEC 62443 is a numbering designation from the International Electrotechnical Commission. “62443” is the standard number. It was originally published as ISA-99 by the International Society of Automation before being adopted by IEC.
Is IEC 62443 mandatory?
Not universally. However, many regulations reference or align with it (NIS2, various national frameworks), and industries like energy, water, and manufacturing increasingly require compliance through contracts and procurement specifications. It is the de facto global benchmark for industrial cybersecurity.
How much does it cost to implement IEC 62443?
It varies widely based on your environment size, current maturity, and target security level. A small single-site operation might invest tens of thousands in the first year. A large multi-site critical infrastructure operator could spend millions over several years. The standard’s risk-based approach helps you prioritize spending where it matters most.
Can I get certified against IEC 62443?
Yes. Products can be certified through IECEE or ISASecure programs. Organizations can demonstrate compliance through third-party assessments. Individuals can earn ISA professional certifications.
What is the difference between IEC 62443 and ISO 27001?
ISO 27001 is a general information security management standard designed for IT environments. IEC 62443 is specifically designed for industrial automation and control systems where availability and safety are the top priorities. Many organizations implement both — ISO 27001 for the enterprise IT side and IEC 62443 for the OT side.
Which part of IEC 62443 should I read first?
Start with IEC 62443-1-1 for the concepts and vocabulary. Then read 62443-2-1 to understand how to build a security program. Then move to 62443-3-3 for the specific technical requirements. This sequence gives you the theory, the process, and the checklist.
Does IEC 62443 apply to IoT devices?
Yes. IEC 62443-4-2 covers technical requirements for components, including embedded devices. A new part (62443-1-6) specifically addressing Industrial IoT is under development. The standard’s zone and conduit model works well for segmenting IoT devices from critical control systems.
How does IEC 62443 relate to the Purdue Model?
The Purdue Enterprise Reference Architecture (PERA) defines a layered model of industrial network levels (0 through 5). IEC 62443 does not replace the Purdue Model — it adds a security framework on top of it. The zones and conduits concept maps naturally to Purdue levels, making them complementary tools.