- Key Takeaways
- What is IEC 62443 and Who Maintains it?
- How IEC 62443 is Structured: the Parts
- Security Levels (SL 1 to SL 4)
- Achieving Compliance With IEC 62443
- What Does IEC 62443-4-2 Require?
- Where Cryptography and PKI Fit in IEC 62443
- Roles and certification
- How to Start an IEC 62443 Program
- How Encryption Consulting Helps
- Frequently Asked Questions
- What is the Difference Between IEC 62443 and NIST CSF?
IEC 62443 is a series of international standards that defines a risk-based framework for securing industrial automation and control systems (IACS), covering the people, processes, and technology across operational technology (OT) environments.
IEC 62443 secures IACS by dividing a plant into zones and conduits, assigning each a target security level (SL 1 to SL 4) based on risk, and applying seven foundational requirements that cover authentication, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. Asset owners, system integrators, and product suppliers share responsibility for meeting them.
Key Takeaways
- IEC 62443 is the leading global standard for OT and IACS cybersecurity, developed jointly by the ISA99 committee and the IEC.
- It uses a zones and conduits model and four security levels (SL 1 to SL 4) set by risk assessment, not by guesswork.
- Seven foundational requirements (FR 1 to FR 7) define what protection each zone must enforce.
- The 2024 edition of IEC 62443-2-1 restructures asset-owner requirements into Security Program Elements and adds a maturity model.
- PKI and digital certificates underpin device and user authentication (FR 1) and protect data integrity and confidentiality (FR 3 and FR 4).
What is IEC 62443 and Who Maintains it?
IEC 62443 is a family of standards for the security of industrial automation and control systems across their full lifecycle. It was created by the ISA99 committee of the International Society of Automation (ISA) and is published jointly with the International Electrotechnical Commission (IEC), which is why it is often written as ISA/IEC 62443. The series applies to sectors that run operational technology, including manufacturing, energy, water, oil and gas, transportation, and building automation.
Unlike IT-focused standards, IEC 62443 is built for environments where availability and safety come first and where equipment can stay in service for decades. It treats security as a shared responsibility across everyone who builds, integrates, and operates the system.
How IEC 62443 is Structured: the Parts
IEC 62443 is organized into four groups that map to general concepts, policies and procedures, system design, and component requirements. The table below lists the parts most teams reference.
| Group | Key part | What it covers |
|---|---|---|
| General | 62443-1-1 | Terminology, concepts, and models for the whole series. |
| Policies & procedures | 62443-2-1 (2024 edition) | Requirements for an asset owner’s IACS security program, now organized into Security Program Elements with a maturity model. |
| Policies & procedures | 62443-2-4 | Security requirements for IACS service providers and integrators. |
| System | 62443-3-2 | Risk assessment used to partition a system into zones and conduits and set target security levels. |
| System | 62443-3-3 | System-level technical security requirements mapped to the seven foundational requirements. |
| Component | 62443-4-1 | Secure product development lifecycle requirements for suppliers. |
| Component | 62443-4-2 | Technical security requirements for individual components such as controllers, sensors, and applications. |
The series keeps expanding. IEC PAS 62443-1-6:2025 adds guidance for the Industrial Internet of Things (IIoT). Confirm the current edition of each part against the IEC webstore before citing a version in formal documentation.
Security Levels (SL 1 to SL 4)
A security level is a measure of how much confidence you have that a zone or conduit can resist a given class of attacker. IEC 62443 defines four levels, and you assign them based on risk rather than applying the highest level everywhere. Whatever level a zone is given, the protection it must enforce is described by the seven foundational requirements listed below.
| FR | Foundational requirement | What it enforces |
|---|---|---|
| FR 1 | Identification and authentication control (IAC) | Verify the identity of every user, process, and device before granting access. |
| FR 2 | Use control (UC) | Enforce privileges after authentication, restrict portable media, and log actions. |
| FR 3 | System integrity (SI) | Protect systems and data from unauthorized modification, for example with signed firmware and code. |
| FR 4 | Data confidentiality (DC) | Protect sensitive information at rest and in transit from disclosure. |
| FR 5 | Restricted data flow (RDF) | Segment the network using zones and conduits to limit how data moves. |
| FR 6 | Timely response to events (TRE) | Detect, report, and respond to security events with auditable records. |
| FR 7 | Resource availability (RA) | Keep control systems available and resilient against denial of service. |
Achieving Compliance With IEC 62443
An organization working toward IEC 62443 compliance starts with a full risk assessment that identifies the critical assets, vulnerabilities, and significant risks across the entire industrial automation and control system (IACS). That assessment drives the Security Management System (SMS): the policies, processes, and assigned responsibilities for securing the IACS, covering both technical and organizational controls. The network is then segmented into secure zones, with data moving between zones only through controlled conduits. Strong access control, including multi-factor authentication and role-based access, prevents unauthorized access.
Continuous monitoring detects and responds to threats as they emerge. An incident response plan sets out how to contain and recover from a cybersecurity incident and how to communicate with all stakeholders while it unfolds. Employee training prepares staff to recognize and act on the security threats the organization faces. Third-party vendors and suppliers must meet the organization's security requirements as well, which reduces the IACS's exposure from outside. Finally, regular compliance audits and third-party certification substantiate adherence to IEC 62443.
What Does IEC 62443-4-2 Require?
One of its key requirements is the adoption of a Secure Development Lifecycle (SDL), which builds security into product development from the start so that security testing and validation happen at every stage and product integrity is preserved. The standard also mandates patch management processes so that vulnerabilities are fixed promptly once products are in operation. IEC 62443-4-2 stresses strong access control and authentication mechanisms, so that only authorized users can reach IACS components, which aligns with zero-trust security principles.
It also includes physical security measures to prevent unauthorized physical access and to protect air-gapped systems. Data protection is a key focus, with requirements for encryption of sensitive data alongside controls that maintain system integrity and detect malware or unauthorized changes. The standard also emphasizes system resilience to cyberattacks, requiring components to keep operating securely while under threat, and mandates incident detection and response mechanisms so that breaches are addressed swiftly.
Compliance with IEC 62443-4-2 is hard to achieve because of its technical complexity, the resources and expertise it demands, and the need to monitor and maintain security measures throughout the lifecycle of IACS components. Implementing the standard requires a deep understanding of both cybersecurity principles and the operational requirements specific to industrial control systems. It also means dealing with legacy systems, the limited resources of smaller organizations, and an evolving threat landscape that requires ongoing updates to security practices.
Where Cryptography and PKI Fit in IEC 62443
Cryptography is how several foundational requirements are met in practice. Device and user authentication under FR 1 increasingly relies on digital certificates issued by a public key infrastructure (PKI), so each controller, sensor, or operator station can prove its identity rather than sharing a static password. Certificate-based authentication is a common way to reach SL 2 and above for FR 1.
System integrity (FR 3) uses signed firmware and code signing to confirm that software has not been altered, and data confidentiality (FR 4) uses TLS and other encrypted channels across conduits. Running this at industrial scale means issuing, renewing, and revoking large numbers of certificates reliably, which is where a managed PKI and certificate lifecycle management become part of the OT security program. See also how PKI secures the IoT ecosystem.
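To make the FR 3 point concrete, here is an added example (not code from the original article or from Encryption Consulting) of the supplier-side signing and the component-side verification of a firmware image, using Ed25519 from Go's standard library. The FirmwareImage layout, the version-binding digest, and the sample payload are constructed for this example and are not part of the standard.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// FirmwareImage is a constructed layout: the supplier signs a digest of the
// image, and the component verifies it before flashing or booting (FR 3).
type FirmwareImage struct {
	Version   string
	Payload   []byte
	Signature []byte // Ed25519 signature over digest(Version, Payload)
}

// digest binds the version label to the payload so a signature cannot be reused under another version.
func digest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator so version/payload boundaries are unambiguous
	h.Write(payload)
	return h.Sum(nil)
}

// SignFirmware is the supplier-side release step (62443-4-1 secure lifecycle).
func SignFirmware(priv ed25519.PrivateKey, version string, payload []byte) FirmwareImage {
	return FirmwareImage{Version: version, Payload: payload,
		Signature: ed25519.Sign(priv, digest(version, payload))}
}

// VerifyFirmware is the component-side check: only an image signed by the
// trusted supplier key and unchanged since signing is accepted.
func VerifyFirmware(pub ed25519.PublicKey, img FirmwareImage) error {
	if !ed25519.Verify(pub, digest(img.Version, img.Payload), img.Signature) {
		return errors.New("firmware rejected: signature does not match image")
	}
	return nil
}

// Demo runs both sides on constructed data: the genuine image passes, a copy with one flipped byte is refused.
func Demo() (genuineOK, tamperedRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := SignFirmware(priv, "2.1.0", []byte("constructed PLC firmware bytes"))
	bad := img
	bad.Payload = append([]byte{}, img.Payload...)
	bad.Payload[0] ^= 0x01
	return VerifyFirmware(pub, img) == nil, VerifyFirmware(pub, bad) != nil
}
```

In a real deployment the supplier's public key would be provisioned into the device's trust store at manufacture, and rotating or revoking it is one of the certificate lifecycle tasks mentioned above.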
Roles and certification
IEC 62443 assigns duties to three roles, and certification exists for each. The asset owner operates the IACS and owns the overall security program. The system integrator designs and commissions the solution. The product supplier builds the components and follows the secure development lifecycle in 62443-4-1.
Independent conformance is available through the ISASecure program, which certifies components (CSA), systems (SSA), and development processes (SDLA) against the relevant parts of the standard. Achieving a certification is evidence you can show to customers, regulators, and insurers.
How to Start an IEC 62443 Program
Most teams follow this sequence to move from no formal program to a defensible one:
- Identify the system under consideration and inventory every asset, including legacy devices.
- Run an initial high-level risk assessment to find the worst-case consequences.
- Partition the system into zones and conduits and assign a target security level to each (62443-3-2).
- Perform a detailed risk assessment per zone and document required controls in a cybersecurity requirements specification.
- Map each control to a foundational requirement and select systems and components that meet the capability levels (62443-3-3 and 62443-4-2).
- Build the supporting program: policies, certificate and key management, monitoring, and incident response (62443-2-1).
- Validate the achieved security levels, then maintain and reassess as the plant and the threat landscape change.
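As an added illustration of the last three steps above and of the zone-and-conduit approach in the compliance section (not code from the original article or from Encryption Consulting), the Go program below models a zone's target level as a per-FR vector, derives the achieved level from the capability levels its components claim, and reports the FR gaps that must be closed before sign-off. The SLVector type, the weakest-component rule, and the sample "Control" zone are assumptions made for this example; the SL-T (target) and SL-C (capability) vector terminology comes from 62443-3-2 and 62443-3-3.

```go
package main

import "fmt"

// SLVector holds one level (0..4) per foundational requirement FR 1..FR 7,
// the per-FR form in which 62443-3-3 expresses target and achieved levels.
type SLVector [7]int

// Zone pairs the target level (SL-T) from the 62443-3-2 risk assessment with
// the capability level (SL-C) each deployed component claims under 62443-4-2.
type Zone struct {
	Name       string
	Target     SLVector
	Components map[string]SLVector
}

// Achieved takes each FR as the weakest component capability (simplification: no compensating countermeasures).
func (z Zone) Achieved() SLVector {
	var a SLVector
	if len(z.Components) == 0 {
		return a // nothing deployed, nothing achieved
	}
	for i := range a {
		a[i] = 4
		for _, slc := range z.Components {
			if slc[i] < a[i] {
				a[i] = slc[i]
			}
		}
	}
	return a
}

// Gaps reports every FR whose achieved level is below target; empty means the zone meets its SL-T.
func (z Zone) Gaps() []string {
	ach, gaps := z.Achieved(), []string{}
	for i := range ach {
		if ach[i] < z.Target[i] {
			gaps = append(gaps, fmt.Sprintf("%s FR %d: SL %d achieved, SL %d required",
				z.Name, i+1, ach[i], z.Target[i]))
		}
	}
	return gaps
}

// ControlZone is a constructed sample: SL-T 3 for FR 1, SL 2 elsewhere; the legacy PLC only reaches SL 1 on FR 1 and FR 4.
func ControlZone() Zone {
	return Zone{Name: "Control", Target: SLVector{3, 2, 2, 2, 2, 2, 2},
		Components: map[string]SLVector{"PLC-legacy": {1, 2, 2, 1, 2, 2, 2}, "HMI": {3, 3, 2, 2, 2, 2, 2}}}
}
```

Running Gaps on the sample zone flags FR 1 and FR 4, which is exactly where the PKI-backed authentication and encrypted conduits discussed earlier would be applied or the legacy PLC replaced.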
How Encryption Consulting Helps
Encryption Consulting’s Compliance Advisory Services help asset owners and integrators build an IEC 62443 program, run the 62443-3-2 zone and conduit risk assessment, and stand up the certificate and key management that FR 1, FR 3, and FR 4 depend on. Our work is backed by ISO/IEC 27001:2022 and SOC 2 certified practices.
For the cryptographic layer, CertSecure Manager and our PKI Services issue and manage device and user certificates across OT at scale.
Frequently Asked Questions
Is IEC 62443 Mandatory?
IEC 62443 is a voluntary standard, not a law. However, regulators and customers increasingly require it. Frameworks such as the EU NIS2 Directive and sector regulations point to IEC 62443 as the recognized way to secure industrial systems, and many procurement contracts now demand ISASecure certification or 62443 conformance, which makes it effectively mandatory in many supply chains.
What is the Difference Between IEC 62443 and NIST CSF?
The NIST Cybersecurity Framework is a broad, sector-neutral set of outcomes for managing cyber risk across IT and OT. IEC 62443 is purpose-built for industrial automation and control systems and goes deeper, with specific technical requirements for zones, conduits, security levels, and components. Many organizations use the NIST CSF for governance and IEC 62443 for the detailed OT controls.
What Are the IEC 62443 Security Levels?
IEC 62443 defines four security levels. SL 1 protects against casual or accidental misuse, SL 2 against simple intentional attacks, SL 3 against sophisticated attacks using IACS-specific skills, and SL 4 against sophisticated attacks with extended resources such as nation-state actors. You assign a target level to each zone based on a risk assessment.
Does IEC 62443 Require Encryption?
IEC 62443 does not mandate one algorithm, but its foundational requirements drive cryptography in practice. Identification and authentication control (FR 1) commonly uses certificate-based device authentication, system integrity (FR 3) uses signed firmware and code, and data confidentiality (FR 4) uses encrypted channels such as TLS. The higher the target security level, the more cryptographic controls a zone typically needs.
How Does IEC 62443 Relate to NIS2?
NIS2 is an EU directive that sets legal cybersecurity obligations for essential and important entities, including many industrial operators. NIS2 states the obligations but not the technical detail. IEC 62443 supplies that detail for OT, so implementing IEC 62443 is a practical route to demonstrating the risk management and supply chain security that NIS2 requires.
Build Your IEC 62443 Program
Ready to scope your zones and close your security-level gaps? Talk to an Encryption Consulting compliance advisor, or start the cryptographic foundation with CertSecure Manager.