IEC 62443 Series Overview

IEC 62443 is the international standard series for Industrial Automation and Control System (IACS) cybersecurity. It provides a comprehensive framework covering policies, procedures, system design, and component requirements across four series.

SERIES 1
General
Concepts, models, terminology, and metrics (1-1, 1-2, 1-3, 1-4)
SERIES 2
Policies & Procedures
CSMS, patch management, service provider requirements (2-1, 2-2, 2-3, 2-4)
SERIES 3
System
Risk assessment, security levels, system requirements (3-2, 3-3)
SERIES 4
Component
Secure development lifecycle, component requirements (4-1, 4-2)
IEC 62443-2-1
Cybersecurity Management System (CSMS)
Requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a cybersecurity management system for IACS. Aligned with ISO 27001 structure.
2-1 § 4.2
Business Rationale
Establish business case for CSMS, define scope, identify stakeholders, obtain management commitment
2-1 § 4.3
Risk Analysis
Identify threats and vulnerabilities, assess risk, determine risk tolerance, document risk treatment decisions
2-1 § 4.4
Implementing Security
Implement selected countermeasures, document implementation, train personnel, test effectiveness
2-1 § 4.5
Monitoring & Improving
Monitor CSMS effectiveness, conduct internal audits, management review, continual improvement process
2-1 § 4.3.2
Security Policies
Develop and maintain security policies covering all CSMS elements, document control, review cycles
2-1 § 4.3.3
Organization & Awareness
Define roles and responsibilities, security awareness training, competency requirements
IEC 62443-3-2
Security Risk Assessment for System Design
Requirements for performing security risk assessments for IACS. Defines the zone and conduit model and the process for determining Target Security Levels (SL-T).
Risk Assessment Process (8 Steps)
1
Identify IACS under assessment
Define scope, boundaries, and interfaces of the IACS
2
Initial cyber risk assessment
High-level risk assessment to prioritize detailed assessment areas
3
Partition IACS into zones and conduits
Group assets by security requirements, identify communication paths
4
Determine SL-T for each zone/conduit
Consequence-based and threat-based SL-T determination
5
Detailed cyber risk assessment
Threat identification, vulnerability assessment, likelihood and consequence analysis
IEC 62443-3-3
System Security Requirements & Security Levels
Defines 7 Foundational Requirements (FR) with 51 System Requirements (SR) across 4 Security Levels. The core technical requirements standard for IACS systems.
7 Foundational Requirements
FR 1
Identification & Authentication Control
Identify and authenticate all users (human users, software processes, and devices) before allowing access to the IACS.
SR 1.1 Human user identification and authentication
SR 1.2 Software process and device identification and authentication
SR 1.3 Account management
SR 1.4 Identifier management
SR 1.5 Authenticator management
SR 1.6 Wireless access management
SR 1.7 Strength of password-based authentication
SR 1.8 Public key infrastructure certificates
SR 1.9 Strength of public key authentication
SR 1.10 Authenticator feedback
SR 1.11 Unsuccessful login attempts
SR 1.12 System use notification
SR 1.13 Access via untrusted networks
FR 2
Use Control
Enforce the assigned privileges of authenticated users and deny access to unauthorized users. Covers authorization, least privilege, and session management.
SR 2.1 Authorization enforcement
SR 2.2 Wireless use control
SR 2.3 Use control for portable and mobile devices
SR 2.4 Mobile code
SR 2.5 Session lock
SR 2.6 Remote session termination
SR 2.7 Concurrent session control
SR 2.8 Auditable events
SR 2.9 Audit storage capacity
SR 2.10 Response to audit processing failures
SR 2.11 Timestamps
SR 2.12 Non-repudiation
FR 3
System Integrity
Ensure the integrity of the IACS by protecting against unauthorized manipulation of hardware, software, and data in transit or at rest.
SR 3.1 Communication integrity
SR 3.2 Malicious code protection
SR 3.3 Security functionality verification
SR 3.4 Software and information integrity
SR 3.5 Input validation
SR 3.6 Deterministic output
SR 3.7 Error handling
SR 3.8 Session integrity
SR 3.9 Protection of audit information
FR 4
Data Confidentiality
Ensure the confidentiality of information on communication channels and in data repositories to prevent unauthorized disclosure.
SR 4.1 Information confidentiality
SR 4.2 Information persistence
SR 4.3 Use of cryptography
FR 5
Restricted Data Flow
Segment the IACS into zones and conduits to limit the unnecessary flow of information and to restrict access to sensitive data.
SR 5.1 Network segmentation
SR 5.2 Zone boundary protection
SR 5.3 General purpose person-to-person communication restrictions
SR 5.4 Application partitioning
FR 6
Timely Response to Events
Respond to security violations by notifying the proper authority, reporting needed forensic evidence, and taking timely corrective action.
SR 6.1 Audit log accessibility
SR 6.2 Continuous monitoring
FR 7
Resource Availability
Ensure the availability of the IACS against degradation or denial of service. Covers DoS protection, backup, and recovery.
SR 7.1 Denial of service protection
SR 7.2 Resource management
SR 7.3 Control system backup
SR 7.4 Control system recovery and reconstitution
SR 7.5 Emergency power
SR 7.6 Network and security configuration settings
SR 7.7 Least functionality
SR 7.8 Control system component inventory
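Several of the requirements above only have teeth if the audit records they call for are actually watched. The following is an added example, not text or code from IEC 62443-3-3 or from the original page: it parses a few constructed audit lines of the kind SR 2.8 (auditable events) requires a system to produce, and applies an SR 1.11 style check (a limit on unsuccessful login attempts within a period) as the sort of rule SR 6.2 (continuous monitoring) would run over them. The log format, host names, user names, addresses and the threshold of 5 failures in 5 minutes are all assumptions of this example; a later success for an account that has just crossed the threshold is flagged separately, since that is the pattern a defender most wants to see. Lines that fail to parse are counted rather than silently dropped, because SR 2.10 asks for a defined response to audit processing failures.

```python
"""
Added example (not from IEC 62443-3-3 or the original page): SR 1.11 style
unsuccessful-login detection run over constructed SR 2.8 audit records.
Log format, hosts, users, addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines: ISO timestamp, host, auth result, user, source.
SAMPLE_LOG = """\
2024-03-04T10:00:01 hmi-01 auth=fail user=operator src=10.20.1.15
2024-03-04T10:00:04 hmi-01 auth=fail user=operator src=10.20.1.15
2024-03-04T10:00:07 hmi-01 auth=fail user=operator src=10.20.1.15
2024-03-04T10:00:09 hmi-01 auth=fail user=operator src=10.20.1.15
2024-03-04T10:00:12 hmi-01 auth=fail user=operator src=10.20.1.15
2024-03-04T10:00:20 hmi-01 auth=ok user=operator src=10.20.1.15
2024-03-04T10:05:00 ews-01 auth=fail user=engineer src=10.20.1.30
2024-03-04T10:30:00 ews-01 auth=fail user=engineer src=10.20.1.30
"""

# Assumed record layout for this example; real systems emit their own format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth=(?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text):
    """Return (events sorted by time, number of malformed lines).

    Malformed lines are counted, not discarded silently, so the monitoring
    side can respond to audit processing failures (SR 2.10)."""
    events, malformed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed += 1
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events, malformed


def detect(events, max_failures=5, window=timedelta(minutes=5)):
    """SR 1.11 style rule: alert once when a (host, user) pair accumulates
    `max_failures` failed logins inside `window`, and again if a successful
    login follows while that burst is still inside the window."""
    recent = defaultdict(deque)   # (host, user) -> timestamps of recent failures
    alerts = []
    for ev in events:
        key = (ev["host"], ev["user"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["result"] == "fail":
            q.append(ev["ts"])
            if len(q) == max_failures:          # fire once on crossing the limit
                alerts.append(("lockout_threshold", ev["host"], ev["user"], ev["src"]))
        elif len(q) >= max_failures:            # success right after a burst
            alerts.append(("success_after_burst", ev["host"], ev["user"], ev["src"]))
            q.clear()
    return alerts


if __name__ == "__main__":
    evs, bad = parse(SAMPLE_LOG)
    print(f"{len(evs)} events parsed, {bad} malformed")
    for alert in detect(evs):
        print(alert)
```

On the constructed input the detector raises two alerts for `operator` on `hmi-01` (the threshold crossing and the success that follows it) and none for `engineer`, whose two failures are 25 minutes apart and so never share a window.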
Security Levels (SL 1–4)
Level | Name         | Threat Actor                 | Means            | Motivation | Example
SL 1  | Basic        | Casual / opportunistic       | Generic tools    | Low        | Script kiddie, accidental
SL 2  | Intermediate | Intentional, simple means    | COTS tools       | Low-medium | Disgruntled employee, hacktivist
SL 3  | Advanced     | Sophisticated, ICS-specific  | Custom tools     | High       | Organized crime, advanced attacker
SL 4  | Critical     | Nation-state, APT            | Custom + insider | Very high  | Sandworm, Xenotime, Volt Typhoon
SL-T (Target) = Required security level based on risk assessment. SL-C (Capability) = Security level a system/component can achieve. SL-A (Achieved) = Actual security level after implementation. The goal: SL-A ≥ SL-T.
Zone & Conduit Model

The zone and conduit model is the cornerstone of IEC 62443-3-2. Assets with similar security requirements are grouped into zones. Communication between zones flows through conduits, which are themselves treated as security zones.

Example Zone Hierarchy (Purdue-aligned)
Level 4-5
Enterprise Zone — Business IT, ERP, Corporate Network
↕ Conduit (Firewall + DMZ)
Level 3
Operations Zone — Historian, SCADA Server, EWS
↕ Conduit (OT Firewall)
Level 2
Control Zone — HMI, DCS, SCADA Clients
↕ Conduit (Managed Switch)
Level 1
Field Control Zone — PLCs, RTUs, Controllers
↕ Conduit (Protocol Gateway)
Level 0
Field Device Zone — Sensors, Actuators, Field Instruments
SAFETY ZONE (separate)
SIS / ESD — Physically and logically separated from BPCS. Highest SL-T. No conduit to control zone without safety analysis.
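The risk assessment steps above (partition into zones and conduits, set an SL-T per zone and conduit), the SL-T / SL-C / SL-A definitions (the goal being SL-A ≥ SL-T) and the safety-zone rule in this hierarchy can all be checked mechanically once the model is written down. The following is an added example, not code from IEC 62443 or from the original page. It uses the fact that IEC 62443-3-3 expresses a security level as a vector of seven values, one per Foundational Requirement, so "SL-A ≥ SL-T" is a per-FR comparison rather than a single number. Everything else is an assumption of this example: the zone names and component lists, the rule that a zone's achieved level is the weakest component capability for each FR, the `safety_analysis_approved` flag standing in for the safety analysis the page says must precede any conduit into the safety zone, and all the numeric levels.

```python
"""
Added example (not from IEC 62443 or the original page): a zone-and-conduit
model carrying IEC 62443-3-3 security level vectors (one value per FR 1..7),
checked for SL-A >= SL-T everywhere plus the page's safety-zone rule.
Zone names, component lists, levels and the weakest-component rule for SL-A
are assumptions of this example.
"""
from dataclasses import dataclass

FR_NAMES = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")   # FR 1..FR 7


@dataclass(frozen=True)
class SLVector:
    """Security level vector: one level 0..4 per Foundational Requirement."""
    levels: tuple

    def __post_init__(self):
        if len(self.levels) != 7 or any(not 0 <= v <= 4 for v in self.levels):
            raise ValueError("an SL vector needs 7 values in 0..4")

    def satisfies(self, target):
        """True when this vector meets or exceeds `target` in every FR."""
        return all(a >= t for a, t in zip(self.levels, target.levels))

    def gaps(self, target):
        """FRs where this vector falls short of `target`, with the shortfall."""
        return {n: t - a for n, a, t in zip(FR_NAMES, self.levels, target.levels) if a < t}


@dataclass
class Zone:
    name: str
    purdue_level: str
    sl_t: SLVector            # target level from the risk assessment
    sl_c: dict                # component name -> capability level (SL-C)
    safety: bool = False      # SIS / ESD zone

    def sl_a(self):
        """Achieved level: assumed here to be the weakest component per FR."""
        if not self.sl_c:
            raise ValueError(f"zone {self.name} has no components")
        per_fr = zip(*(v.levels for v in self.sl_c.values()))
        return SLVector(tuple(min(col) for col in per_fr))


@dataclass
class Conduit:
    name: str
    zones: tuple              # the two zone names it connects
    sl_t: SLVector
    sl_a: SLVector
    safety_analysis_approved: bool = False


def evaluate(zones, conduits):
    """Return findings; an empty list means SL-A >= SL-T for every zone and
    conduit and no safety zone is linked without an approved safety analysis."""
    findings = []
    by_name = {z.name: z for z in zones}
    for z in zones:
        achieved = z.sl_a()
        if not achieved.satisfies(z.sl_t):
            findings.append(("zone", z.name, achieved.gaps(z.sl_t)))
    for c in conduits:
        if not c.sl_a.satisfies(c.sl_t):
            findings.append(("conduit", c.name, c.sl_a.gaps(c.sl_t)))
        a, b = (by_name[n] for n in c.zones)
        if a.safety != b.safety and not c.safety_analysis_approved:
            findings.append(("conduit", c.name, "safety zone linked without safety analysis"))
    return findings


def build_example():
    """Constructed Purdue-aligned sample: one zone has a Use Control (FR 2)
    shortfall in one component, and the safety zone is linked to the control
    zone without an approved analysis. All values are made up."""
    sl2 = SLVector((2, 2, 2, 1, 2, 1, 2))
    sl3 = SLVector((3, 3, 3, 2, 3, 2, 3))
    zones = [
        Zone("Operations Zone", "Level 3", sl2, {"Historian": sl2, "SCADA Server": sl2}),
        Zone("Control Zone", "Level 2", sl2,
             {"HMI": sl2, "SCADA Client": SLVector((2, 1, 2, 1, 2, 1, 2))}),
        Zone("Field Control Zone", "Level 1", sl2, {"PLC": sl2, "RTU": sl2}),
        Zone("Safety Zone", "SIS", sl3, {"SIS": sl3}, safety=True),
    ]
    conduits = [
        Conduit("OT Firewall", ("Operations Zone", "Control Zone"), sl2, sl2),
        Conduit("Managed Switch", ("Control Zone", "Field Control Zone"), sl2, sl2),
        Conduit("SIS link", ("Safety Zone", "Control Zone"), sl3, sl3),
    ]
    return zones, conduits


if __name__ == "__main__":
    for finding in evaluate(*build_example()):
        print(finding)
```

Run as a script it prints two findings: the Control Zone misses its target by one level in FR 2 (Use Control) because of the SCADA Client's capability, and the SIS link connects the safety zone to the control zone without the safety analysis the page calls for. Raising the client's capability or raising the conduit's flag clears the respective finding, which is the SL-C selection and documentation step the risk assessment feeds into.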
IEC 62443-4-1
Secure Product Development Lifecycle
Requirements for the product development lifecycle of IACS components. Defines 8 SDL practices that product suppliers must implement.
Practice 1
Security Management
Security management system, roles, training, supplier management, security competency
Practice 2
Specification of Security Requirements
Product security context, threat model, security requirements specification
Practice 3
Secure by Design
Security architecture, secure design principles, defense in depth, attack surface reduction
Practice 4
Secure Implementation
Secure coding standards, code review, static analysis, third-party component management
Practice 5
Security Verification & Validation
Security testing, penetration testing, vulnerability scanning, fuzz testing
Practice 6
Management of Security-Related Issues
Vulnerability disclosure policy, PSIRT, CVE coordination, security advisories
Practice 7
Security Update Management
Patch development, testing, distribution, emergency patch process, end-of-life policy
Practice 8
Security Guidelines Documentation
Product security documentation, hardening guides, secure deployment guidance