IEC / ISA · Global

IEC 62443 (OT/ICS Security)

The standard for cybersecurity of industrial automation and control systems.

IEC 62443 (developed with ISA) is the leading series of standards for the cybersecurity of Industrial Automation and Control Systems (IACS) — the operational technology (OT) behind manufacturing, utilities, energy and critical infrastructure. It addresses people, processes and technology across the OT lifecycle.

How the series is organised

Group                          Focus
General (1-x)                  Concepts, terminology and metrics
Policies & Procedures (2-x)    Security programme for asset owners and service providers
System (3-x)                   Security technologies, risk assessment and system requirements
Component (4-x)                Secure product development and technical component requirements

Zones, conduits and security levels

  • Segment the OT environment into zones (groups of assets that share the same security requirements) and conduits (the defined communication paths between zones). Any cross-zone traffic that does not belong to a declared conduit is a segmentation gap.
  • Assign a target Security Level (SL-T, 1–4) to each zone and conduit according to the adversary it must resist: SL 1 casual or coincidental violation, SL 2 intentional violation with simple means and low resources, SL 3 sophisticated means with moderate resources and IACS-specific skills, SL 4 sophisticated means with extended resources and high motivation. The level actually reached is the achieved SL (SL-A); the level a product can support is its capability SL (SL-C).
  • Apply the seven Foundational Requirements (FR 1–7): identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events and resource availability. A zone's SL-T determines which system requirements and requirement enhancements from IEC 62443-3-3 it must satisfy under each FR.

Roles

Role                 Responsibility
Asset owner          Operates the IACS and owns the security programme
System integrator    Designs, deploys and commissions secure control systems
Product supplier     Develops secure control products (secure-by-design)

Implementation roadmap

  1. Inventory OT assets and map the process network.
  2. Perform an OT risk assessment; define zones and conduits.
  3. Assign target Security Levels to each zone.
  4. Implement segmentation and the Foundational Requirements.
  5. Establish OT monitoring, patch management (per IEC TR 62443-2-3: test patches before deployment, schedule them into maintenance windows, and apply compensating controls where a device cannot be patched) and incident response.
  6. Assess and continuously improve.
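The zone-and-conduit model from the "Zones, conduits and security levels" section, and steps 1 to 4 of the roadmap, come down to one check a practitioner can automate: every observed flow must either stay inside a zone or match a declared conduit and its protocol allow-list (FR 5, restricted data flow), and every endpoint must be in the inventory. The following is an added example written for this page, not code from IEC 62443, ISA or CyberSigma. The zone names, subnets, target Security Levels, conduits and sample flows are all constructed for illustration; a real model would come out of the inventory and risk assessment in steps 1 to 3.

```python
"""Check observed OT flows against a declared IEC 62443 zone/conduit model.

Added example for illustration; zones, subnets, SL-T values, conduits and
the sample flows below are constructed, not taken from any real site.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    sl_target: int                 # SL-T, 1..4, from the risk assessment
    subnets: Tuple[str, ...]       # inventory: which addresses belong here


@dataclass(frozen=True)
class Conduit:
    src: str                       # source zone name
    dst: str                       # destination zone name
    allowed: FrozenSet[Tuple[str, int]]   # permitted (protocol, dst_port) pairs


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


# Constructed model: SL-T rises as you approach the process.
ZONES = (
    Zone("enterprise", 1, ("10.0.0.0/16",)),
    Zone("dmz",        2, ("10.1.0.0/24",)),
    Zone("control",    3, ("192.168.10.0/24",)),
)

# Declared conduits: the only sanctioned cross-zone paths (FR 5).
CONDUITS = (
    Conduit("enterprise", "dmz",     frozenset({("tcp", 443)})),   # HTTPS to DMZ services
    Conduit("dmz",        "control", frozenset({("tcp", 4840)})),  # OPC UA into control
    Conduit("control",    "dmz",     frozenset({("tcp", 443)})),   # historian push outbound
)


def zone_of(ip: str, zones=ZONES) -> Optional[str]:
    """Map an address to its zone, or None if it is not in the inventory."""
    addr = ip_address(ip)
    for z in zones:
        if any(addr in ip_network(s) for s in z.subnets):
            return z.name
    return None


def check_flow(flow: Flow, zones=ZONES, conduits=CONDUITS) -> Optional[str]:
    """Return None if the flow is permitted, otherwise a finding string."""
    src_zone, dst_zone = zone_of(flow.src_ip, zones), zone_of(flow.dst_ip, zones)
    if src_zone is None or dst_zone is None:
        # Step 1 gap: an endpoint that the asset inventory does not know.
        return f"unknown asset: {flow.src_ip} -> {flow.dst_ip} not in any zone"
    if src_zone == dst_zone:
        return None                # intra-zone traffic is outside conduit scope
    for c in conduits:
        if c.src == src_zone and c.dst == dst_zone:
            if (flow.proto, flow.dst_port) in c.allowed:
                return None
            return (f"protocol not allowed on conduit {src_zone}->{dst_zone}: "
                    f"{flow.proto}/{flow.dst_port}")
    return f"undeclared conduit: {src_zone}->{dst_zone} ({flow.proto}/{flow.dst_port})"


def audit(flows, zones=ZONES, conduits=CONDUITS) -> List[str]:
    """Run check_flow over a batch of flows and collect the findings."""
    return [m for m in (check_flow(f, zones, conduits) for f in flows) if m]


# Constructed sample flows, in the shape a passive OT monitor might export.
SAMPLE_FLOWS = (
    Flow("10.0.5.20", "10.1.0.10", "tcp", 443),        # ok: enterprise -> dmz, HTTPS
    Flow("10.1.0.10", "192.168.10.5", "tcp", 4840),    # ok: dmz -> control, OPC UA
    Flow("10.0.5.21", "192.168.10.7", "tcp", 502),     # bad: enterprise host straight to a PLC
    Flow("10.1.0.10", "192.168.10.5", "tcp", 3389),    # bad: RDP on an OPC-UA-only conduit
    Flow("192.168.10.5", "192.168.10.9", "tcp", 502),  # ok: Modbus inside the control zone
    Flow("172.16.0.3", "192.168.10.5", "tcp", 22),     # bad: source not in the inventory
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Run over a real flow export, each finding maps back to a roadmap step: an unknown asset means the inventory is incomplete, an undeclared conduit means segmentation is not enforcing the zone model, and a disallowed protocol on a declared conduit means the conduit's allow-list (firewall or data diode rules) is wider than documented.
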

How CyberSigma helps
We assess your OT/ICS environment against IEC 62443 — asset inventory, zone/conduit design, security-level assignment and OT-safe testing — to secure industrial systems without disrupting operations.

Frequently asked questions

How is IEC 62443 different from ISO 27001?
ISO 27001 is a general information-security management system standard; IEC 62443 is purpose-built for industrial control systems (OT) and addresses constraints that IT frameworks do not: safety and availability take priority over confidentiality, devices stay in service for decades, and patching is limited to maintenance windows. The two are complementary, and an asset owner's IEC 62443-2-1 security programme can sit within a wider ISO 27001 ISMS.
Need help with IEC 62443?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about the standard to compliance with a scoped, guided programme.