IEC 62443 (developed with ISA) is the leading series of standards for the cybersecurity of Industrial Automation and Control Systems (IACS) — the operational technology (OT) behind manufacturing, utilities, energy and critical infrastructure. It addresses people, processes and technology across the OT lifecycle.
How the series is organised
| Group | Focus |
|---|---|
| General (1-x) | Concepts, terminology and metrics |
| Policies & Procedures (2-x) | Security programme for asset owners and service providers |
| System (3-x) | Security technologies, risk assessment and system requirements |
| Component (4-x) | Secure product development and technical component requirements |
Zones, conduits and security levels
- Segment the OT environment into zones (groups of assets with common security needs) and conduits (the communications between them).
- Assign a target Security Level (SL 1–4) to each zone based on the threat it must resist — from casual (SL1) to sophisticated, well-resourced attackers (SL4).
- Apply Foundational Requirements: identification & authentication, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability.
Roles
| Role | Responsibility |
|---|---|
| Asset owner | Operates the IACS and owns the security programme |
| System integrator | Designs and deploys secure control systems |
| Product supplier | Develops secure control products (secure-by-design) |
Implementation roadmap
- Inventory OT assets and map the process network.
- Perform an OT risk assessment; define zones and conduits.
- Assign target Security Levels to each zone.
- Implement segmentation and the Foundational Requirements.
- Establish OT monitoring, patching (carefully) and incident response.
- Assess and continuously improve.
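A worked model of the zone-and-conduit concepts above and of the roadmap's "assign target Security Levels, implement segmentation" steps, added here as an example and not part of the page or of any CyberSigma tooling. It generalises slightly beyond the page by treating a zone's Security Level as a vector over the seven Foundational Requirements (as IEC 62443-3-3 does) rather than a single number; the plant layout, zone names and achieved levels are constructed sample data.

```python
from dataclasses import dataclass, field

# The seven Foundational Requirements (FRs) the page lists, in IEC 62443-3-3 order:
# identification & authentication, use control, system integrity, data confidentiality,
# restricted data flow, timely response to events, resource availability.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")

@dataclass
class Zone:
    name: str
    sl_target: dict            # FR -> target SL (SL-T, 1..4) the zone must resist
    sl_achieved: dict = field(default_factory=dict)  # FR -> SL the deployed controls reach

@dataclass
class Conduit:
    src: str
    dst: str
    enforced: bool = False     # True when a firewall, data diode or gateway polices the flow

def sl_vector(level):
    """Flat SL-T vector: the same level for every FR (the page's single-number assignment)."""
    return {fr: level for fr in FRS}

def zone_gaps(zone):
    """FRs where the achieved SL falls below target: each one is a control still to add."""
    return {fr: (zone.sl_achieved.get(fr, 0), zone.sl_target[fr])
            for fr in FRS if zone.sl_achieved.get(fr, 0) < zone.sl_target[fr]}

def unenforced_boundaries(zones, conduits):
    """Conduits joining zones with different SL-T vectors but no enforcement point.
    Without restricted data flow (FR 5) on such a conduit the weaker zone's exposure
    reaches the stronger zone, so the stronger zone's target cannot actually be met."""
    by_name = {z.name: z for z in zones}
    return [(c.src, c.dst) for c in conduits
            if by_name[c.src].sl_target != by_name[c.dst].sl_target and not c.enforced]

# Constructed sample plant (hypothetical data, not taken from the page).
ZONES = [
    Zone("enterprise-it", sl_vector(1), sl_vector(1)),
    Zone("plant-dmz", sl_vector(2), sl_vector(2)),
    Zone("basic-control", sl_vector(3), {**sl_vector(3), "TRE": 1}),  # no OT monitoring yet
    Zone("safety-sis", sl_vector(4), sl_vector(4)),
]
CONDUITS = [
    Conduit("enterprise-it", "plant-dmz", enforced=True),
    Conduit("plant-dmz", "basic-control", enforced=True),
    Conduit("basic-control", "safety-sis"),   # flat link between an SL3 and an SL4 zone
]

if __name__ == "__main__":
    for z in ZONES:
        print(z.name, "gaps:", zone_gaps(z))
    print("unenforced SL boundaries:", unenforced_boundaries(ZONES, CONDUITS))
```

Running it reports the missing monitoring control (TRE) in the basic-control zone and the unprotected conduit into the safety zone, which is the kind of finding the roadmap's assessment step is meant to surface.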
How CyberSigma helps
We assess your OT/ICS environment against IEC 62443 — asset inventory, zone/conduit design, security-level assignment and OT-safe testing — to secure industrial systems without disrupting operations.
Frequently asked questions
How is IEC 62443 different from ISO 27001?
ISO 27001 is a general information-security management system; IEC 62443 is purpose-built for industrial control systems (OT), addressing safety, availability and process constraints that IT frameworks do not.
Need help with IEC 62443?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about the standard to compliance with a scoped, guided programme.
