# IEC 62443: Industrial Control System Security
## Definition
IEC 62443 is the international standard series governing cybersecurity for operational technology (OT) and industrial control systems (ICS). Originally developed by the International Society of Automation (ISA) as the ISA/IEC 62443 series and subsequently adopted by the International Electrotechnical Commission (IEC), it provides a comprehensive framework addressing the policies, procedures, system requirements, and component requirements necessary to secure industrial automation and control systems (IACS) across their full lifecycle.
The standard is organized into four series covering general concepts, operational requirements, system-level requirements, and component-level requirements. Together they address the full ecosystem of stakeholders: asset owners who operate industrial facilities, system integrators who design and deploy control systems, and product suppliers who manufacture the hardware and software components used in those systems. This three-stakeholder model reflects how industrial environments actually function, with security responsibilities distributed across organizations rather than concentrated in a single owner.
IEC 62443 applies to industrial environments across energy, manufacturing, water and wastewater, oil and gas, chemical processing, pharmaceuticals, transportation, and building automation. Its adoption has accelerated significantly following regulatory mandates that reference it explicitly, including the EU NIS2 Directive and sector-specific requirements in energy and process industries. In some regulated environments, IEC 62443 conformance has moved from voluntary best practice to a contractual or regulatory requirement.
The central architectural concept in IEC 62443 is the zones-and-conduits model: industrial assets are grouped into security zones with common security requirements, and all communication between zones flows through controlled conduits that enforce access policies and provide visibility. This model provides a principled basis for segmenting industrial networks and systematically reducing the attack surface available to adversaries who have gained initial access.
## Background
The development of IEC 62443 traces to the early 2000s, when the ISA99 committee began work on what would become the first OT-specific security standard. The effort was driven by a recognition that IT-centric security frameworks, including ISO/IEC 27001, were inadequate for industrial environments that prioritize availability and process integrity over confidentiality, operate equipment with 20-30 year lifecycles, and cannot tolerate the kind of patch-and-reboot cycles common in enterprise IT.
ISA published the first documents in the series beginning in 2007, and IEC formally adopted them as a dual-branded standard (ISA/IEC 62443) starting around 2010. The standard has been actively developed and revised since, with significant updates to address cloud-connected OT, wireless industrial systems, and the increasing convergence of IT and OT networks. As of 2024, the series comprises more than a dozen documents across the four series, some published as standards and others as technical reports.
The industrial cybersecurity landscape that gave the standard urgency was shaped by several landmark events. The Stuxnet worm (2010) demonstrated that sophisticated adversaries could target industrial control systems with precision, causing physical damage to centrifuges in Iran's nuclear enrichment program while evading detection. Subsequent research revealed that the attack vectors used, including the exploitation of trust relationships between engineering workstations and PLCs, were not unique to nuclear facilities but were broadly present in industrial environments worldwide.
The 2015 and 2016 Ukraine power grid attacks demonstrated that attackers could achieve operational impact against energy infrastructure using a combination of spear phishing, credential theft, and custom malware targeting industrial communication protocols. The TRITON/TRISIS attack on a Middle Eastern petrochemical facility (2017) targeted safety instrumented systems directly, an attack that, if successful without triggering fail-safes, could have caused an explosion and mass casualties.
These incidents drove accelerating adoption of IEC 62443 as asset owners, regulators, and insurers sought a structured way to assess and improve the security posture of industrial environments. The standard's zones-and-conduits model and security level concept provided vocabulary and structure that the industrial community lacked.
## Why It Matters
The operational technology that IEC 62443 governs controls physical processes: the generation and distribution of electricity, the treatment and delivery of drinking water, the production of pharmaceuticals and chemicals, the operation of pipelines and refineries. A successful cyberattack on these systems is not merely a data breach. It is a physical event with consequences measured in safety incidents, environmental damage, supply chain disruption, and in extreme cases, loss of life.
The convergence of IT and OT networks has dramatically expanded the attack surface of industrial environments. Legacy OT systems designed before cybersecurity was a design consideration are increasingly connected to enterprise networks and the internet for monitoring, remote access, and business integration. The protocols used in industrial environments (Modbus, DNP3, Profinet, OPC-UA) were generally designed for reliability and determinism rather than security. Many lack authentication, encryption, or integrity verification.
IEC 62443 matters because it provides a systematic, risk-based approach to securing environments that cannot simply be patched like enterprise IT systems. The security level concept allows organizations to right-size security investments based on actual risk rather than applying uniform controls that either underprotect high-consequence systems or overburden low-risk assets with controls that impair operations.
For product suppliers, IEC 62443-4-2 component certification provides a credible, third-party-verified signal of security maturity that procurement teams can use when evaluating control system components. For system integrators, IEC 62443-2-4 defines the security obligations that apply when designing and deploying IACS. For asset owners, the full series provides a roadmap from initial risk assessment through ongoing security operations.
The standard is increasingly referenced in regulatory requirements. The EU NIS2 Directive (2022) requires critical infrastructure operators in member states to adopt risk management measures aligned with recognized standards, and IEC 62443 is the primary reference for OT environments. U.S. sector-specific guidance from CISA, NERC, and TSA increasingly references IEC 62443 as the appropriate framework for industrial environments.
## Requirements and Technical Details
IEC 62443 is organized into four series, each addressing a different aspect of IACS security.
Series 1: General. The foundational series establishes the concepts, terminology, and metrics used throughout the standard. IEC 62443-1-1 defines the IACS security model, the stakeholder roles (asset owner, integrator, supplier), and the fundamental security concepts including the zones-and-conduits model and security levels. IEC 62443-1-3 establishes system security conformance metrics. IEC 62443-1-4 addresses product and system security requirements for IACS.
Series 2: Policies and Procedures. Addresses the management system requirements for asset owners and integrators. IEC 62443-2-1 defines the requirements for an IACS security management system, analogous to the management system requirements in ISO/IEC 27001 but adapted for industrial environments. It covers risk assessment, security program elements, and continuous improvement. IEC 62443-2-4 specifies security requirements for IACS service providers (integrators) during integration and maintenance. IEC 62443-2-3 addresses patch management in industrial environments, acknowledging that OT patch management cycles are fundamentally different from IT environments due to availability constraints and change management complexity.
Series 3: System Requirements. Addresses security at the system level. IEC 62443-3-2 provides guidance on security risk assessment for system design, including the process for defining zones, conduits, and target security levels. IEC 62443-3-3 establishes foundational requirements (FRs) and system requirements (SRs) that apply to IACS systems at each security level. The seven foundational requirements cover: identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. Each foundational requirement is decomposed into specific system requirements with defined applicability at each security level.
Series 4: Component Requirements. Addresses security at the component level. IEC 62443-4-1 defines secure development lifecycle requirements for product suppliers, covering security requirements definition, security-by-design practices, security testing, and security patch processes. IEC 62443-4-2 defines specific technical security requirements for components: embedded devices (PLCs, RTUs, DCS controllers), host devices (engineering workstations, historians), network devices (firewalls, switches), and software applications. Component certification against IEC 62443-4-2 is increasingly required by asset owners in procurement specifications.
Security Levels (SL 0 through SL 4). The security level concept is central to IEC 62443 and applies to both systems and components. Security levels are defined as:
- SL 0: No specific security requirements or protection necessary.
- SL 1: Protection against casual or coincidental violation. Applicable to assets where the threat is unintentional misuse or accidental exposure.
- SL 2: Protection against intentional violation using simple means with low resources and general skills. Addresses opportunistic attackers who are not specifically targeting the industrial system.
- SL 3: Protection against sophisticated attack using moderate resources and IACS-specific knowledge. Addresses skilled adversaries who understand industrial protocols and have targeted the specific facility.
- SL 4: Protection against state-sponsored attack using extensive resources and highly sophisticated means. Applicable to the highest-consequence assets, such as those controlling safety-critical processes.
For each zone in a system design, IEC 62443-3-2 requires the assignment of a target security level (SL-T) based on risk assessment. The achieved security level (SL-A) is then assessed against the target, with any gap requiring compensating controls or system redesign.
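A worked illustration of the SL-T versus SL-A comparison described above, added here as an example and not taken from the page or from any ISA/IEC document. IEC 62443-3-3 expresses a security level as a vector with one value (0 through 4) for each of the seven foundational requirements, so target and achieved levels are compared FR by FR rather than as a single number. The zone names, the level values and the `Gap` type are constructed for this example.

```python
from dataclasses import dataclass

# The seven foundational requirements of IEC 62443-3-3, in the standard's order.
FOUNDATIONAL_REQUIREMENTS = (
    "IAC",  # FR 1  Identification and authentication control
    "UC",   # FR 2  Use control
    "SI",   # FR 3  System integrity
    "DC",   # FR 4  Data confidentiality
    "RDF",  # FR 5  Restricted data flow
    "TRE",  # FR 6  Timely response to events
    "RA",   # FR 7  Resource availability
)
LEVELS = range(0, 5)  # SL 0 through SL 4


def sl_vector(**levels: int) -> dict[str, int]:
    """Build a complete SL vector keyed by FR code.

    Unknown FR codes and levels outside 0..4 are rejected; FRs not given
    default to SL 0 (no specific requirement)."""
    for fr, level in levels.items():
        if fr not in FOUNDATIONAL_REQUIREMENTS:
            raise ValueError(f"unknown foundational requirement: {fr}")
        if level not in LEVELS:
            raise ValueError(f"SL {level} for {fr} is outside 0..4")
    return {fr: levels.get(fr, 0) for fr in FOUNDATIONAL_REQUIREMENTS}


@dataclass(frozen=True)
class Gap:
    zone: str
    fr: str
    target: int     # SL-T for this FR
    achieved: int   # SL-A for this FR

    @property
    def shortfall(self) -> int:
        return self.target - self.achieved


def assess_zone(zone: str, sl_t: dict[str, int], sl_a: dict[str, int]) -> list[Gap]:
    """One Gap per FR where SL-A is below SL-T.  Exceeding the target on an FR
    is not a gap, so an empty list means the zone meets its target on every FR."""
    return [
        Gap(zone, fr, sl_t[fr], sl_a[fr])
        for fr in FOUNDATIONAL_REQUIREMENTS
        if sl_a[fr] < sl_t[fr]
    ]


def assess_all(zones: dict[str, tuple[dict[str, int], dict[str, int]]]) -> dict[str, list[Gap]]:
    """Run assess_zone over a {zone: (SL-T, SL-A)} mapping, keeping only zones with gaps."""
    result = {}
    for name, (sl_t, sl_a) in zones.items():
        gaps = assess_zone(name, sl_t, sl_a)
        if gaps:
            result[name] = gaps
    return result


# Constructed zone register: (target vector, achieved vector) per zone.
ZONES = {
    # Control zone for one process unit: assessed use control and event
    # response fall one level short of the target.
    "unit-1-control": (
        sl_vector(IAC=2, UC=2, SI=2, DC=1, RDF=2, TRE=2, RA=2),
        sl_vector(IAC=2, UC=1, SI=2, DC=1, RDF=2, TRE=1, RA=2),
    ),
    # Historian zone: meets every target and exceeds it on resource availability.
    "historian": (
        sl_vector(IAC=2, UC=2, SI=2, DC=2, RDF=2, TRE=2, RA=1),
        sl_vector(IAC=2, UC=2, SI=2, DC=2, RDF=2, TRE=2, RA=2),
    ),
}

if __name__ == "__main__":
    for zone, gaps in assess_all(ZONES).items():
        for g in gaps:
            print(f"{zone}: {g.fr} SL-T {g.target} vs SL-A {g.achieved} (shortfall {g.shortfall})")
```

Each `Gap` is the unit a remediation roadmap works from: the FR names the control family that needs a compensating control or redesign, and the shortfall says how far the zone is from its target. Note that an achieved level above the target is deliberately not reported, since over-protection on one FR does not offset a shortfall on another.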
Zones and Conduits Model. A zone is a logical or physical grouping of assets that share common security requirements and a common trust level. A conduit is the communication pathway connecting two zones. Every conduit must be explicitly identified, its data flows documented, and appropriate controls applied at the conduit boundary. The zones-and-conduits model is more granular than a simple IT/OT segmentation approach: a single facility may have dozens of zones reflecting different risk profiles (a historian zone, a control zone for each process unit, a DMZ for business system integration, and so on).
The relationship to the Purdue Model is complementary rather than competing. The Purdue Model defines a reference architecture with five levels (field devices at Level 0 through enterprise systems at Level 4, with a DMZ as Level 3.5). IEC 62443 zones and conduits can be mapped to Purdue levels, with zone boundaries typically following level transitions. The practical effect is that Purdue provides the architectural template and IEC 62443 provides the security requirements that apply at each layer.
Conformance and Certification. IEC 62443 supports formal certification for both components and systems. Component suppliers can obtain third-party certification against IEC 62443-4-2 through accredited certification bodies, providing a verified security baseline that procurement teams can rely on. System integrators can certify IACS installations against IEC 62443-3-3. Asset owner security management systems can be assessed against IEC 62443-2-1. The ISASecure certification program, operated by the ISCI (ISA Security Compliance Institute), is the primary certification scheme aligned with IEC 62443.
## CDA Perspective
CDA addresses OT and ICS security through the intersection of two PDM domains. The Vulnerability and Surface Defense (VSD) domain, expressed through Continuous Surface Reduction (CSR), is the primary lens for applying IEC 62443's zones-and-conduits model. Every conduit between zones is a potential attack pathway; every undocumented connection is a surface that adversaries have exploited in real incidents. The CSR methodology operationalizes the IEC 62443 principle that every communication between zones must be justified, documented, and controlled.
The Security Posture and Hygiene (SPH) domain, through Autonomous Posture Command (APC), addresses the ongoing operational requirements of IEC 62443-2-1 and IEC 62443-2-3: maintaining security awareness, managing configuration baselines, and operating patch management processes adapted to OT constraints. In industrial environments, APC must account for the reality that patching a live control system is not analogous to patching a workstation, requiring change control, vendor coordination, and often planned maintenance windows measured in months rather than days.
Risk Governance and Assurance (RGA), through Perpetual Compliance Assurance (PCA), provides the governance layer that connects IEC 62443 conformance requirements to business risk. CDA's IEC 62443 engagement model begins with a zone-and-conduit mapping exercise that establishes the current architecture, identifies undocumented communication pathways, and assigns target security levels based on consequence analysis. This output drives the prioritized remediation roadmap and the ongoing compliance monitoring program.
For clients subject to both NERC CIP and IEC 62443 (common in the energy sector), CDA maintains a cross-standard control mapping that satisfies both frameworks from a single set of operational controls, avoiding the significant waste of managing two parallel compliance programs. The IEC 62443 zones-and-conduits model and NERC CIP electronic security perimeter concept are conceptually aligned, and a well-designed network architecture can satisfy both simultaneously.
The supply chain dimension of IEC 62443-4-1 and IEC 62443-4-2 is increasingly relevant as asset owners face pressure to verify the security posture of the components they purchase. CDA integrates component security assessment into the procurement advisory services offered under C-RECON, ensuring that security requirements are established before procurement rather than discovered after deployment.
## Key Takeaways
- IEC 62443 is the international standard for OT and ICS security, covering asset owners, system integrators, and product suppliers across the full system lifecycle.
- The zones-and-conduits model is the architectural foundation: every group of assets belongs to a zone with defined security requirements, and all inter-zone communication flows through controlled conduits.
- Security levels (SL 0 through SL 4) provide a risk-proportionate framework for applying controls, from no security requirements at SL 0 to state-level threat protection at SL 4.
- IEC 62443 complements rather than replaces the Purdue Model: Purdue defines the architecture and IEC 62443 defines the security requirements at each level.
- The four series address general concepts (Series 1), policies and procedures (Series 2), system requirements (Series 3), and component requirements (Series 4), with third-party certification available at the component and system level.
- The standard is increasingly mandated by regulation, including EU NIS2, and referenced in sector-specific requirements from NERC, TSA, and CISA.
- CDA applies CSR (surface reduction) and APC (continuous posture management) to IEC 62443 zone/conduit implementations, with PCA providing the governance layer that maintains conformance as a continuous state.
## Sources
- ISA. ISA/IEC 62443 Series of Standards. https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards
- IEC. IEC 62443: Industrial Communication Networks and IT Security for Industrial Automation and Control Systems. https://www.iec.ch/iec62443
- CISA. Recommended Cybersecurity Practices for Industrial Control Systems. https://www.cisa.gov/ics
- ISCI. ISASecure Certification Program. https://www.isasecure.org
- EU. Directive (EU) 2022/2555 (NIS2). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555
- Claroty. The Relationship Between IEC 62443 and the Purdue Model. https://claroty.com/resources/blog
- Idaho National Laboratory. Consequence-Driven Cyber-Informed Engineering (CCE). 2019. https://inl.gov/cce
- NIST. NIST SP 800-82 Rev. 3: Guide to OT Security. 2023. https://csrc.nist.gov/publications/detail/sp/800-82/rev-3/final
- Dragos. ICS/OT Cybersecurity Year in Review. Annual. https://www.dragos.com/resource/ics-ot-cybersecurity-year-in-review/