IEC 62443 is a series of international standards that define concepts, processes, and technical requirements for securing industrial automation and control systems (IACS). It covers the entire lifecycle of industrial systems, from design and integration to operation, maintenance, and decommissioning.
Scope and purpose
The IEC 62443 series focuses on cybersecurity in operational technology (OT) environments, including:
- Industrial control systems (ICS), DCS, SCADA, PLCs, and safety systems
- Supervisory systems such as HMIs, historians, and MES integrations
- Networks, zones, and conduits connecting field devices, control rooms, and enterprise IT
It provides a common language and structure for asset owners, system integrators, and product suppliers to define and implement cybersecurity capabilities in a consistent way.
Key concepts
Common elements across the IEC 62443 series include:
- Security levels (SLs) that describe target resistance to defined threat types.
- Zones and conduits for segmenting industrial networks and controlling communication paths.
- Risk-based approach to identify critical assets and prioritize controls.
- Lifecycle focus, including secure design, configuration, operation, monitoring, and change management.
Structure of the standard family
The IEC 62443 series is organized into multiple parts, grouped broadly as:
- General (terminology, concepts, models for IACS security)
- Policies and procedures (security program requirements for asset owners)
- System requirements (security requirements for integrated control systems and architectures)
- Component requirements (security capabilities for devices, software, and embedded products)
In practice, manufacturers and integrators map their controls, architectures, and procedures to the relevant IEC 62443 parts as a reference framework for industrial cybersecurity.
Operational context in manufacturing
In manufacturing and other regulated operations, IEC 62443 commonly appears in:
- Design of OT network segmentation and demilitarized zones between plant floor and enterprise IT
- Supplier and integrator requirements for PLCs, DCS, SCADA, MES, and IIoT devices
- Risk assessments and cybersecurity programs for production sites
- Alignment with broader security or regulatory expectations for industrial environments
Relationship to reference architectures
IEC 62443 is a standard, not a reference architecture model. When used with frameworks such as ISA-95 or Industry 4.0 models like RAMI 4.0, IEC 62443 typically supplies the cybersecurity requirements and practices that are then applied to the layers, hierarchy levels, or components defined by those architectures.
Common confusion
- IEC 62443 vs. ISA/IEC 62443: The series originated in ISA standards; the joint designation “ISA/IEC 62443” is often used, but it refers to the same family of documents.
- IEC 62443 vs. network firewalls or tools: IEC 62443 is not a product or a software package. It is a set of requirements and processes that can be implemented using various technical and organizational controls.
- IEC 62443 vs. compliance certificates: The standard provides requirements and guidance. Separate schemes may exist that assess alignment, but IEC 62443 itself is not a certificate or guarantee of compliance.