IEC 62443 (Industrial Cybersecurity) Compliance for Industrial Automation
Applying IEC 62443 (Industrial Cybersecurity) to industrial automation deliverables — requirements, verification, and practical guidance.
IEC 62443 (Industrial Cybersecurity) Compliance for Industrial Automation
IEC 62443 is the primary international framework for securing industrial automation and control systems (IACS). For panel builders, system integrators, SCADA architects, and EPC contractors, it is not just a cybersecurity checklist; it is a design and verification method that shapes architecture, component selection, documentation, testing, and handover. In practice, IEC 62443 helps define what must be protected, how strongly it must be protected, and how the supplier proves it.
For European projects, IEC 62443 also aligns well with CE-driven engineering discipline, risk management expectations under the Machinery Directive/Regulation transition, and the operational resilience focus of EU NIS2. While IEC 62443 is not itself a CE marking directive, it provides the technical basis for defensible security requirements, especially when industrial systems are connected, remotely accessed, or integrated with enterprise networks.
1) Start with the IEC 62443 model: zones, conduits, and security levels
The most important design concept is the zone and conduit model from IEC 62443-3-2. A zone groups assets with similar security needs; a conduit is the controlled communication path between zones. This is where cybersecurity moves from policy into engineering.
In practical terms, your design should identify:
- Safety-related zones, such as SIS or machine safety networks
- Control zones, such as PLC and remote I/O segments
- Supervisory zones, such as SCADA and historian layers
- External zones, such as vendor remote support or cloud services
IEC 62443-3-2 requires a risk-based allocation of target security levels (SL-T). The security level is commonly expressed as SL 1 to SL 4, where the threat capability increases from casual to highly sophisticated attackers. A practical engineering formula for prioritization is:
$$Risk = Likelihood \times Impact$$
Use this to justify segmentation, authentication strength, logging depth, and remote access controls. The key deliverable is not merely a network diagram, but a security requirements specification tied to each zone and conduit.
2) Clause-by-clause design guidance for the service line
IEC 62443-2-1: Security program requirements for asset owners
This part defines the governance layer. For service providers, it matters because your design must fit the owner’s operational security program. Expect requirements for account management, incident response, backup, patching, and access review. If the owner lacks these controls, your scope should clearly state assumptions and shared responsibilities.
Practical implication: include an O&M cybersecurity package covering password policy, patch windows, backup verification, remote access approval, and incident escalation paths.
IEC 62443-3-2: Security risk assessment and system design
This is the core design standard. It requires asset identification, threat analysis, zone definition, conduit definition, and SL-T assignment. For automation projects, this should be completed before detailed engineering freezes the architecture.
Practical implication: design firewalls, data diodes, jump hosts, and VLANs only after the risk assessment. Do not retrofit segmentation after FAT unless there is a formal change-control process.
IEC 62443-3-3: System security requirements and security levels
This part translates security into technical requirements. It defines foundational requirements (FRs) across seven areas: identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability.
Practical implication: for each FR, define concrete implementation evidence. For example:
- Unique user IDs and role-based access control for PLC/HMI engineering stations
- Signed firmware or verified software integrity for controllers and gateways
- Network segmentation and rule-based filtering between OT and IT
- Event logging for login attempts, configuration changes, and remote sessions
- Backup and restore procedures for PLC logic, HMI projects, and historian databases
IEC 62443-3-3 is where many projects fail if they only write policies but do not provide testable technical controls.
IEC 62443-4-1: Secure product development lifecycle
For suppliers of panels, software, and embedded devices, this standard defines secure development practices: security requirements, threat modeling, secure coding, vulnerability handling, and release management. It is especially relevant when you deliver custom SCADA applications, PLC libraries, or industrial gateways.
Practical implication: maintain a secure development lifecycle file with code review records, dependency management, vulnerability disclosure handling, and patch release notes.
IEC 62443-4-2: Technical security requirements for components
This standard applies to component capabilities such as PLCs, HMIs, switches, and edge devices. It is the procurement filter for product selection. If a device cannot support authentication, session timeout, logging, or firmware protection, it may be unsuitable for higher security zones.
Practical implication: ask vendors for conformance claims, supported security functions, and evidence of implementation. Do not rely on marketing brochures alone.
3) Design and verification: what to prove at FAT, SAT, and handover
IEC 62443 compliance is verified through evidence, not intention. The verification plan should map each requirement to a test or document.
| Decision point | Preferred approach | Why it matters |
|---|---|---|
| Remote access | Jump host + MFA + session logging | Supports least privilege and traceability under IEC 62443-3-3 FR 1 and FR 6 |
| Network segmentation | Zones and conduits with firewall rules | Limits lateral movement and reduces attack surface |
| Device hardening | Disable unused services, change defaults, manage accounts | Meets secure configuration expectations in 3-3 and 4-2 |
| Software delivery | Signed releases, version control, rollback plan | Improves integrity and maintainability |
At FAT, verify account creation, password policy, backup restoration, alarm logging, firewall rules, and remote access workflow. At SAT, verify site-specific segmentation, time sync, event forwarding, and recovery procedures. At handover, provide as-built network diagrams, security settings export, asset inventory, patch baseline, and incident contacts.
4) How IEC 62443 interacts with adjacent standards
IEC 62443 often sits alongside functional safety and electrical standards. It does not replace them. For example, IEC 61511 or IEC 62061 governs safety lifecycle requirements, while IEC 60204-1 addresses electrical equipment of machines. Cybersecurity controls must not compromise safety functions or emergency stop behavior. If a networked safety system is used, document how cybersecurity and safety are isolated and verified.
For North American projects, ISA/IEC 62443 is widely accepted, and NFPA 79 may influence machine electrical design, especially where industrial control panels are built for US deployment. The practical point is consistent: cybersecurity requirements must be engineered into the panel architecture, not appended later.
5) Procurement and contract language that makes compliance real
To make IEC 62443 actionable, include it in procurement and scope statements. Specify target SLs, required product capabilities, documentation deliverables, and acceptance tests. For example, require vendors to identify supported IEC 62443-4-2 capabilities and require system integrators to provide a zone/conduit model and verification matrix.
A strong contract package should include:
- Security requirements specification
- Asset inventory and network architecture
- Hardening checklist and admin account policy
- Backup, restore, and patch management procedure
- FAT/SAT cybersecurity test protocol
- Incident response and remote support procedure
In short, IEC 62443 turns cybersecurity into an engineered deliverable: assess, segment, specify, implement, and verify. If you are planning a new automation or SCADA scope and want the cybersecurity architecture aligned with IEC 62443 from day one, discuss the project with us via /contact.
Other standards for Industrial Automation
- IEC 61131-3 (PLC Programming Languages)Read →
- IEC 61511 (Functional Safety — Process Industry)Read →
- ISA-95 (Enterprise–Control System Integration)Read →
- NFPA 79 (Electrical Standard for Industrial Machinery)Read →
- EN / IEC 60204-1 (Safety of Machinery — Electrical Equipment)Read →
- ATEX / IECEx (Hazardous Areas)Read →
Other services governed by IEC 62443 (Industrial Cybersecurity)
Frequently asked questions
What does IEC 62443 compliance mean for a mixed-vendor industrial automation system on a European EPC project?
IEC 62443 compliance means applying a risk-based cybersecurity lifecycle to the control system, including the asset owner, system integrator, product supplier, and service provider roles defined in IEC 62443-2-1 and IEC 62443-2-4. For mixed-vendor projects, the key is to define security zones and conduits, assign target security levels, and verify each component supports the required security capabilities in IEC 62443-3-3 and IEC 62443-4-2. In European projects, this is typically aligned with contractual cybersecurity requirements and EN adoption of IEC 62443 where applicable.
How do I determine the target Security Level (SL-T) for a PLC, SCADA, or DCS system under IEC 62443?
The target Security Level is determined by performing a risk assessment on each zone and conduit, considering consequence, threat capability, and exposure, as described in IEC 62443-3-2. The result is a required SL-T from SL 1 to SL 4 for each security requirement in IEC 62443-3-3, such as identification and authentication control, system integrity, and data confidentiality. For SCADA and DCS environments, SL-T is usually set per zone rather than per device, then allocated to PLCs, HMIs, historians, remote access paths, and engineering workstations.
What documentation should an EPC contractor deliver to demonstrate IEC 62443 compliance in a control panel or automation package?
Typical evidence includes a cybersecurity risk assessment, zone-and-conduit architecture, security requirements specification, hardening standards, account and remote access procedures, patch and vulnerability management process, and verification test records. IEC 62443-2-1 covers the asset owner security program, while IEC 62443-2-4 and IEC 62443-3-3 support integrator deliverables and system security requirements. For panel and skid packages, the supplier should also provide secure configuration baselines and product security claims aligned with IEC 62443-4-2.
How are zones and conduits used in IEC 62443 for SCADA networks and industrial Ethernet?
Zones group assets with similar security needs, such as a PLC cell, HMI station, safety controller area, or remote operations network, while conduits are the controlled communication paths between zones, as defined in IEC 62443-3-2. This model is used to reduce trust assumptions and to apply firewall rules, jump servers, authentication, and protocol restrictions at each boundary. In practice, industrial Ethernet segments, remote access tunnels, and historian links should be treated as conduits and validated against the required security level.
What cybersecurity functions must an industrial device support to be considered IEC 62443-4-2 capable?
IEC 62443-4-2 defines technical security requirements for components, including identification and authentication, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. A PLC, remote I/O module, industrial switch, or HMI may need different capability levels depending on the assigned SL-T, but the vendor should declare which requirements are met and how they are implemented. Buyers should request the component security target and supporting evidence, not just a marketing statement of 'IEC 62443 compliant.'
How should remote access for vendors and maintenance teams be designed to support IEC 62443 compliance?
Remote access should be brokered through a controlled conduit with strong authentication, session logging, least privilege, and time-bound authorization, consistent with IEC 62443-3-3 and IEC 62443-2-1. A common pattern is a VPN into a DMZ with a jump server, MFA, and separate approval workflow for each maintenance session. Direct access from the internet to PLCs, HMIs, or engineering workstations is not consistent with a robust IEC 62443 implementation.
How does IEC 62443 interact with functional safety systems such as SIS, ESD, or safety PLCs?
IEC 62443 addresses cybersecurity, while functional safety is governed separately by standards such as IEC 61508 and IEC 61511, so both must be engineered together without assuming one replaces the other. Safety systems often require stricter network segregation, access control, and change management because cyber compromise can impact the safety function. In practice, SIS networks are usually placed in a high-protection zone with tightly controlled conduits and validated recovery procedures.
What are the most common mistakes that cause industrial automation projects to fail IEC 62443 audits?
Common failures include no documented zone-conduit model, weak remote access controls, shared accounts on PLCs and HMIs, missing patch and vulnerability processes, and supplier equipment with no security capability declaration. Another frequent issue is treating the project as a one-time commissioning task instead of maintaining the security lifecycle required by IEC 62443-2-1 and IEC 62443-2-4. Audit readiness improves when cybersecurity requirements are embedded in procurement, FAT/SAT, and as-built documentation from the start.