IEC 62443 (Industrial Cybersecurity) Compliance for SCADA Systems
Applying IEC 62443 (Industrial Cybersecurity) to scada systems deliverables — requirements, verification, and practical guidance.
IEC 62443 (Industrial Cybersecurity) Compliance for SCADA Systems
IEC 62443 is the primary international framework used to design, verify, and maintain cybersecurity for industrial automation and control systems, including SCADA architectures. For engineering teams, it is not just a security policy document; it directly shapes system architecture, network segmentation, access control, secure remote access, patching strategy, supplier requirements, and acceptance testing. In European projects, it also supports demonstrable “state of the art” risk reduction under the EU NIS2 Directive and aligns well with CE-oriented technical file discipline, even though IEC 62443 itself is not a CE marking directive.
1. What IEC 62443 means for SCADA design
For SCADA systems, the most practical entry point is IEC 62443-3-2, which addresses security risk assessment and system design, and IEC 62443-3-3, which defines the system security requirements and security levels. The standard expects cybersecurity to be engineered into the control system lifecycle, not added after commissioning.
In practice, this means the SCADA design must define:
- Security zones and conduits between them, as described in IEC 62443-3-2.
- Target Security Levels (SL-T) for each zone/conduit, based on threat and impact analysis.
- Technical requirements mapped to IEC 62443-3-3 foundational requirements.
- Supplier expectations for components, software, and services under IEC 62443-4-1 and IEC 62443-4-2.
The key design principle is segmentation: a SCADA system should not be treated as a flat trusted network. Remote engineering access, historian interfaces, OPC gateways, and OT/IT links must each be justified, bounded, and controlled.
2. Clause-by-clause practical guidance for design
IEC 62443-3-2: Security risk assessment and system design
This clause is the starting point for SCADA architecture. It requires a structured risk assessment that identifies zones, conduits, threats, and consequences. For a water, manufacturing, or energy SCADA project, this means classifying assets such as PLCs, RTUs, engineering workstations, HMI servers, historians, and remote access jump hosts into zones with consistent security requirements.
A practical output is a zone/conduit matrix that records:
- Asset group and function
- Required availability, integrity, and confidentiality
- Expected attack paths
- Required security level target
- Technical controls assigned to the conduit
Clause 4.3 of IEC 62443-3-2 is especially important because it drives the allocation of security requirements based on risk. In engineering terms, this is where decisions like “no direct internet access,” “DMZ for historian replication,” and “MFA for remote maintenance” are justified.
IEC 62443-3-3: System security requirements
IEC 62443-3-3 defines seven foundational requirements that directly shape SCADA design:
- Identification and authentication control (IAC)
- Use control (UC)
- System integrity (SI)
- Data confidentiality (DC)
- Restricted data flow (RDF)
- Timely response to events (TRE)
- Resource availability (RA)
For SCADA, the most visible design implications are strong identity management, role-based access, secure protocols, logging, backup/restore, and high-availability architecture. A common verification mistake is to test only login functionality; IEC 62443-3-3 requires evidence that the system meets the full set of assigned security requirements, not just authentication.
IEC 62443-4-1 and 62443-4-2: Supplier and component requirements
IEC 62443-4-1 applies to secure product development lifecycle practices, while IEC 62443-4-2 defines technical security capabilities for components such as controllers, embedded devices, gateways, and software. For procurement teams, these clauses are critical because they allow cybersecurity requirements to be written into tenders and vendor evaluations.
For example, a SCADA gateway should be assessed for secure boot, signed firmware, patchability, role-based access, event logging, and network segmentation capability. A vendor claim of “IEC 62443 compliant” should be traced to the exact component certification scope and security level. If the supplier cannot show evidence against IEC 62443-4-2 requirements, the claim should not be accepted at face value.
3. Small decision table: what to specify and what to verify
| SCADA design decision | IEC 62443 driver | Typical verification evidence |
|---|---|---|
| Remote access via VPN and jump host | IEC 62443-3-3 RDF, IAC, UC | Network diagram, MFA test record, access logs |
| DMZ between IT and OT | IEC 62443-3-2 zones/conduits | Firewall rules, conduit list, architecture review |
| Role-based HMI permissions | IEC 62443-3-3 UC | Account matrix, functional test, screenshots |
| Patch and vulnerability process | IEC 62443-2-3, 4-1 | Patch procedure, change logs, vulnerability register |
4. Verification: how to prove compliance in FAT, SAT, and handover
IEC 62443 compliance is verified through evidence, not declarations. In FAT and SAT, the test plan should map each applicable security requirement to a test case. This is analogous to the structured verification approach used in EN 60204-1 for machine electrical equipment, where design intent must be demonstrated by inspection and functional testing. For SCADA cybersecurity, the same discipline applies to access control, logging, backup restore, account lifecycle, and network isolation.
A practical verification package should include:
- Security requirements traceability matrix
- Zone/conduit diagram
- Account and privilege matrix
- Remote access validation
- Backup and restore test results
- Patch and vulnerability management procedure
- Supplier certificates and scope statements
Where industrial safety functions are integrated with SCADA, cybersecurity verification should also be coordinated with the machinery risk assessment process under ISO 12100 and related EN/IEC safety standards. Cybersecurity does not replace functional safety, but it protects the integrity of safety-related control paths.
5. Practical compliance strategy for project teams
The most efficient way to implement IEC 62443 is to treat it as an engineering specification from day one. During concept design, define zones and target security levels. During detailed design, allocate technical controls to each conduit and system component. During procurement, require supplier evidence to IEC 62443-4-1 or 4-2 where applicable. During commissioning, execute formal cybersecurity tests alongside functional tests. During operations, maintain patching, logging, and incident response processes.
For most SCADA projects, the minimum defensible baseline includes MFA for remote access, DMZ segmentation, unique user accounts, least-privilege roles, secure backups, logging with review responsibility, and a documented vulnerability management process. Higher-risk environments may require stronger requirements such as application allowlisting, removable media control, enhanced monitoring, and more restrictive conduit policies.
IEC 62443 is therefore not a checkbox standard. It is a design method that helps the SCADA team translate cyber risk into clear technical requirements, testable acceptance criteria, and maintainable operating procedures. When applied correctly, it improves resilience, clarifies supplier accountability, and strengthens the project’s compliance position under European cybersecurity expectations.
If you are planning a SCADA project and want to align architecture, procurement, and verification with IEC 62443 from the start, discuss your project with us via /contact.
Other standards for SCADA Systems
Other services governed by IEC 62443 (Industrial Cybersecurity)
Frequently asked questions
What does IEC 62443 compliance mean for a SCADA system on a European industrial project?
IEC 62443 compliance for a SCADA system means designing, implementing, and maintaining cybersecurity controls across the automation lifecycle using the IEC 62443 series, especially IEC 62443-3-2 for risk assessment and security level targeting, and IEC 62443-3-3 for technical requirements. On European projects, it is commonly used alongside EN IEC adoption of the IEC 62443 standards to define zones, conduits, access control, logging, and secure remote access for operators, engineers, and integrators.
How do I define zones and conduits for a SCADA architecture under IEC 62443?
IEC 62443-3-2 requires grouping assets into zones with similar security requirements and defining conduits as controlled communication paths between them. For a typical SCADA system, this often means separating the enterprise network, DMZ, SCADA servers, historian, operator HMIs, engineering workstations, PLC/RTU networks, and remote access paths, then assigning target security levels based on risk.
Which IEC 62443 parts are most relevant when specifying SCADA panels, PLCs, and remote I/O for an EPC project?
The most relevant parts are IEC 62443-2-1 for the asset owner’s security program, IEC 62443-3-2 for system risk assessment, and IEC 62443-3-3 for system security requirements. For product selection, IEC 62443-4-1 addresses secure development lifecycle practices, while IEC 62443-4-2 defines component security capabilities for embedded devices, controllers, and communication modules.
What security requirements should be included in a SCADA control panel specification to support IEC 62443?
A compliant panel specification should require role-based access control, authenticated maintenance access, secure network segmentation, event logging, and protection of configuration interfaces on HMIs, switches, and industrial PCs per IEC 62443-3-3. It should also address physical access control, grounding, EMC, and enclosure integrity under IEC 60204-1 and relevant EN panel construction standards, because cybersecurity controls are weakened if the panel can be easily tampered with.
How is remote access to SCADA systems typically handled in an IEC 62443-compliant design?
IEC 62443 expects remote access to be explicitly risk-assessed and routed through a controlled conduit such as a VPN or jump server in a DMZ, with multifactor authentication and session logging. Unrestricted direct access from vendors or engineers to PLCs, historians, or operator stations is not consistent with the segmentation and least-privilege principles in IEC 62443-3-3.
What evidence do owners and EPC contractors usually need to prove IEC 62443 compliance on a SCADA project?
Typical evidence includes a documented risk assessment, zone and conduit diagrams, security level targets, network architecture drawings, access control matrix, backup and recovery procedures, and test records for security functions. Procurement packages often also request supplier declarations or certificates showing alignment with IEC 62443-4-1 and IEC 62443-4-2 for relevant SCADA components.
How does IEC 62443 apply to SCADA historians, OPC UA servers, and protocol gateways?
These assets should be treated as part of the SCADA security architecture and assigned to appropriate zones with tightly controlled conduits, because they often bridge between control and enterprise networks. For OPC UA, security features such as certificate-based authentication, encryption, and signed communication should be enabled where supported, consistent with IEC 62443-3-3 requirements for identification, integrity, and confidentiality.
What is the difference between IEC 62443 compliance and general IT cybersecurity for SCADA systems?
IEC 62443 is specifically written for industrial automation and control systems, so it focuses on availability, deterministic communications, safety impacts, and lifecycle engineering rather than only IT perimeter defense. In practice, it complements IT frameworks by adding industrial concepts like zones and conduits, security levels, and component capability requirements that are directly applicable to SCADA, PLC, RTU, and panel environments.