Reference guide

IEC 62443

The international standard for cybersecurity of industrial automation and control systems — clearly explained, logically structured and usable for real OT environments.

What this standard does

IEC 62443 defines security requirements for industrial automation and control systems. It helps teams secure components, zones, conduits and processes in a reproducible way.

The goal is straightforward:

  • Reduce vulnerabilities in industrial components and systems.
  • Apply systematic, repeatable security measures.
  • Support layered defence across IT, OT and supplier boundaries.
  • Improve cybersecurity without compromising safety, availability or essential operations.

Security Levels

Four levels that make risks and measures easier to discuss.

SL 1

Basic

Protection against casual or coincidental misuse with limited motivation or means.

SL 2

Moderate

Protection against intentional attackers with simple means, generic skills and low motivation.

SL 3

High

Protection against attackers with sophisticated means, IACS knowledge and clear intent.

SL 4

Critical

Protection against highly sophisticated, well-funded attackers with specialised OT capabilities.

Foundational Requirements

The seven Foundational Requirements

These seven domains form the core of the IEC 62443 measures. They connect policy, architecture, component requirements and daily OT practice.

FR 1

Identification & Authentication Control

Ensure users, processes and devices are uniquely identified and reliably authenticated before being granted access.

FR 2

Use Control

Restrict actions to what is explicitly allowed via roles, permissions, session management and controlled privilege assignment.

FR 3

System Integrity

Protect components against unauthorised changes, malware, faulty configurations and loss of integrity.

FR 4

Data Confidentiality

Protect sensitive information against unauthorised access, especially where OT data is business-sensitive or safety-critical.

FR 5

Restricted Data Flow

Segment communication between zones and conduits so data only flows via controlled paths.

FR 6

Timely Response to Events

Detect, log and handle security events in time without losing sight of operational continuity.

FR 7

Resource Availability

Protect availability of systems, resources and essential functions against overload, failures and attacks.
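
The check behind FR 5 (Restricted Data Flow), as an added example that is not part of the standard or of this guide: observed flows are mapped to zones and compared against the declared conduits. The zone names, subnets, ports and the directional conduit model are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed zone model (hypothetical names and subnets, not from the standard).
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),
    "control":    ipaddress.ip_network("10.30.0.0/24"),
}

# Conduits: the only cross-zone paths allowed, as (src zone, dst zone, proto, dst port).
# Assumption: conduits are directional; the reverse path needs its own entry.
CONDUITS = {
    ("enterprise", "dmz", "tcp", 443),   # web front end in the DMZ
    ("dmz", "control", "tcp", 4840),     # OPC UA from DMZ broker into the control zone
}

Flow = namedtuple("Flow", "src dst proto dport")

def zone_of(ip):
    """Return the zone name whose subnet contains ip, or None if unassigned."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def audit_flows(flows):
    """Return (flow, reason) for every flow that leaves the controlled paths."""
    findings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone is None or dst_zone is None:
            findings.append((f, "endpoint not assigned to any zone"))
        elif src_zone == dst_zone:
            continue  # intra-zone traffic is outside the conduit check
        elif (src_zone, dst_zone, f.proto, f.dport) not in CONDUITS:
            findings.append((f, f"no conduit {src_zone} -> {dst_zone} for {f.proto}/{f.dport}"))
    return findings

# Constructed flow records, shaped like a firewall or flow-collector export.
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "10.20.0.8", "tcp", 443),     # declared conduit
    Flow("10.20.0.8", "10.30.0.15", "tcp", 4840),    # declared conduit
    Flow("10.10.5.20", "10.30.0.15", "tcp", 502),    # enterprise directly to control zone
    Flow("10.30.0.15", "10.30.0.16", "udp", 2222),   # stays inside the control zone
    Flow("192.168.1.50", "10.30.0.15", "tcp", 22),   # source outside the zone model
]

if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst}: {reason}")
```

Findings from a run like this are the kind of evidence a zones & conduits record can reference: each one is either an undocumented path to close or a conduit that still needs to be declared.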

Component types

The standard becomes concrete at component level.

Each component class has different focal points. The guide shows where you need to record evidence, measures and configurations.

Software Applications

  • Application identities
  • Secure configuration
  • Logging and audit trails

Embedded Devices

  • Firmware integrity
  • Interface hardening
  • Secure update processes

Host Devices

  • Patch and malware management
  • Account management
  • Backup and recovery

Network Devices

  • Zone segmentation
  • Firewall rules
  • Remote access control

Core principles

Principles that keep IEC 62443 practical in OT.

Support of Essential Functions

Security measures must not unnecessarily disturb safety, availability or process continuity.

Least Privilege

Users, services and components only get the rights needed for their operational task.

Secure Development Lifecycle

Security is included from design and development through configuration, maintenance and decommissioning.

Compensating Countermeasures

Where legacy OT cannot be modified directly, use additional measures to reduce the risk.

From guide to evidence

Make IEC 62443 directly applicable with templates.

Use the package to capture policies, procedures, risk analysis, zones & conduits and self-assessments in documents your team can use.