IndustryHub
APPRENDRE / NORMES / IEC

IEC 62443

⚠ Cette page n'est pas encore traduite. Affichage en anglais.
IEC 62443

Industrial Automation and Control Systems Security

IEC 62443 is the international reference for cybersecurity of industrial automation and control systems (IACS). Multi-part framework covering policies, system requirements, component requirements, and certification. The OT-side counterpart of ISO/IEC 27001.

Organisme
IEC
Family
Cybersecurity OT
Première publication
2009
Dernière révision
2024 (parts -3-2, -2-1, -4-2 most recent)
Prochaine révision
active maintenance, multiple parts in revision
Statut
current
Accès
Paid (IEC webstore — ~50-150 CHF per part, ~14 parts total)

Structure du document

IEC 62443-1-1

Terminology, concepts and models

Foundation. Defines IACS, zone, conduit, security level (SL), and the 7 Foundational Requirements (FR1-FR7).

IEC 62443-2-1

Establishing an IACS security program

Operator-side : how to build a Cyber Security Management System (CSMS) for an industrial facility. Companion to ISO 27001 for OT environments.

IEC 62443-2-4

Security program requirements for IACS service providers

Requirements for system integrators and service providers (SI, OEM contractors).

IEC 62443-3-2

Security risk assessment and system design

The 'how to do a cyber risk assessment for an OT site' standard. Zones and conduits methodology, target Security Levels (SL-T).

IEC 62443-3-3

System security requirements and security levels

Defines 7 Foundational Requirements (Identification, Use Control, System Integrity, Data Confidentiality, Restricted Data Flow, Timely Response, Resource Availability) and how SL 1-4 map to them.

IEC 62443-4-1

Secure product development lifecycle requirements

For vendors. SDL practices : threat modeling, secure coding, security testing, vulnerability handling. Required for ISA Secure / IECEE CB certifications.

IEC 62443-4-2

Technical security requirements for IACS components

Specifies which component-level security capabilities (CR/CCSC) a PLC/RTU/HMI/Network device must implement to achieve SL 1, 2, 3, or 4 certification.

Concepts clés

Industrial Automation and Control System(IACS)
The complete control system of a plant : DCS, PLCs, SCADA, HMIs, safety PLCs, historians, engineering workstations, and the network connecting them. Distinct from corporate IT.
Security Level(SL)
Discrete level 1 to 4 expressing the strength of cybersecurity protection required. SL1 = casual or coincidental violation. SL2 = intentional violation with simple means. SL3 = sophisticated means, moderate resources. SL4 = state-actor level, extensive resources.
Zone
A grouping of assets sharing common security requirements. Typical zones: enterprise (level 4/5 of Purdue), DMZ, operations (L3 historians/MES), supervisory (L2 HMI/SCADA), control (L1 PLC), process (L0 field instruments). Each zone has a target SL.
Conduit
A logical or physical communication path between zones. Must be protected with controls matching the higher SL of the two zones it connects (firewall rules, data diode, deep packet inspection).
Foundational Requirements(FR1-FR7)
The 7 cybersecurity capability areas defined in IEC 62443-1-1 / 3-3: FR1 Identification & Authentication Control, FR2 Use Control, FR3 System Integrity, FR4 Data Confidentiality, FR5 Restricted Data Flows, FR6 Timely Response to Events, FR7 Resource Availability.
Cyber Security Management System(CSMS)
The set of organizational processes, policies and procedures established by the operator to manage IACS cybersecurity. Defined in IEC 62443-2-1. Equivalent to an ISO 27001 ISMS but scoped to OT.
Target Security Level vs Achieved Security Level(SL-T / SL-A)
SL-T = the security level the zone must reach (defined by risk assessment per -3-2). SL-A = the level actually achieved after implementing controls. SL-A ≥ SL-T to consider risk mitigated.
Capability Security Level(SL-C)
The maximum SL a product is capable of achieving when properly configured. Listed on the product datasheet (e.g., 'SL-C 3 per IEC 62443-4-2'). The operator combines components with sufficient SL-C to meet the zone's SL-T.
Purdue Reference Architecture
The 5-level hierarchical model widely referenced by IEC 62443 zoning practice: L0 Process, L1 Basic Control, L2 Supervisory, L3 Operations, L3.5 DMZ, L4/5 Enterprise. Not normative but de-facto industry consensus.

Notes & guidance

Why IEC 62443 became the OT cyber standard

Before 2010, industrial cybersecurity was mostly improvised — copy-paste of IT controls onto OT networks, or pure isolation hopes (“air gap”). Then came Stuxnet (2010), BlackEnergy/Industroyer (2015-2016), TRITON (2017), Colonial Pipeline (2021), and a sharp realization : OT environments need their own cybersecurity framework. IT standards (ISO 27001, NIST CSF) were not enough because OT has different priorities :

  • Availability > confidentiality > integrity (opposite of IT)
  • Lifecycles 20-40 years vs IT’s 3-5
  • Real-time constraints : no patching during operation
  • Embedded devices with limited compute, no antivirus possible
  • Vendor heterogeneity with proprietary protocols

ISA started the SP99 work in 2002, which became IEC 62443 in 2009. Today it’s the only complete OT-focused cybersecurity framework with both system-level (operator) and component-level (vendor) requirements, and an active certification ecosystem (ISASecure, TÜV).

NIS2 Directive (EU) — why this matters NOW

The EU NIS2 Directive (Directive 2022/2555) entered into force in 2023 with national transposition due by October 2024. It massively expands the scope of essential and important entities required to implement risk-based cybersecurity. For industrial operators in essential sectors (energy, water, transport, healthcare, digital infrastructure, manufacturing of critical products), NIS2 effectively makes IEC 62443 the de facto reference framework because :

  1. NIS2 mandates “appropriate technical, operational and organisational measures” — IEC 62443 is the most cited OT framework in implementing acts
  2. Fines up to €10M or 2% of global turnover for non-compliance
  3. Personal liability of executive management for inadequate cybersecurity

Similar momentum in the US with CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) and TSA pipeline security directives.

How IEC 62443 fits with IEC 61511 (Functional Safety)

A safety-critical system (SIS) is a juicy target for an attacker — disabling it during a real demand creates catastrophic potential. TRITON / TRISIS (2017) explicitly targeted a Triconex safety controller in Saudi Arabia. This is why IEC 61511 Edition 2 (2016) explicitly references IEC 62443 for cybersecurity of SIS, and the upcoming Edition 3 will tighten this further.

In practice, every IEC 61511 lifecycle phase now has a cybersecurity counterpart:

IEC 61511 PhaseCybersecurity overlap
Hazard & Risk AnalysisAdd cyber threats to HAZOP scenarios (e.g., “what if SIS logic compromised remotely?”)
Safety Requirements SpecAdd cybersecurity SL-T per IEC 62443-3-2
SIS DesignComponent selection with SL-C per IEC 62443-4-2
OperationsPatching, vulnerability monitoring, MOC includes cyber assessment
Audit (FSA)Cybersecurity assessment alongside functional safety audit

Zones, conduits and the Purdue model

IEC 62443’s zoning methodology, applied on top of the Purdue Enterprise Reference Architecture :

Level 4/5 : Enterprise — ERP, mail, HR        ←  IT, ISO 27001

        ╔═════ DMZ ════════╗
        ║  Historian replica ║   ← Conduit with strict filtering
        ║  AV / Patch server ║
        ╚════════════════════╝

Level 3   : Operations / Manufacturing — MES, Historian
              │  ← Conduit, deep packet inspection
Level 2   : Supervisory — HMI, SCADA, engineering WS
              │  ← Conduit, source/dest filtering
Level 1   : Basic Control — DCS controllers, PLCs, RTU
              │  ← Conduit, allowlist protocols only
Level 0   : Process — sensors, actuators, IO

        ╔═════ Safety zone ════════╗
        ║  Safety PLC (Triconex)   ║   ← Strict isolation, possibly air-gapped
        ║  IEC 61511 SIS           ║
        ╚══════════════════════════╝

Each level becomes a zone. Connections between zones become conduits subject to access controls, monitoring, and possibly physical separation (data diodes).

Edition 3 and current developments (2024-2026)

  • IEC 62443-2-1:2024 : major revision of the operator-side CSMS standard, aligned with current threat landscape and NIS2 expectations
  • IEC 62443-4-2:2024 : updated component security requirements, including post-quantum cryptography readiness statements
  • IEC 62443-2-2 : new part on “IACS Security Protection Scheme” (SP/CS) being drafted
  • AI/ML in IACS : working group looking at security of AI components in industrial systems

For OT cybersecurity teams, ISA / IEC 62443 certification (training + exam, via ISA or TÜV Rheinland) is becoming a hiring baseline in 2025-2026, similar to TÜV FS Engineer for functional safety roles.

Industries concernées

  • Process industries (Oil & Gas, Chemical, Pharma)
  • Power generation and transmission
  • Water and wastewater (CISA/NIS2 critical)
  • Manufacturing (NIS2 essential sectors)
  • Transportation (rail signaling, port operations)
  • Building automation for critical facilities

Normes liées

Pour aller plus loin