IEC 62443 (Industrial Automation and Control Systems Security)
The international standard series defining security requirements for Industrial Automation and Control Systems (IACS) across the entire product and system lifecycle.
IEC 62443 is a multi-part international standard published by the International Electrotechnical Commission (IEC) and the International Society of Automation (ISA) addressing cybersecurity for Industrial Automation and Control Systems. It is organized into four series: Series 1 (General — terminology, concepts, metrics, and the security life cycle), Series 2 (Policies & Procedures — patch management, security program requirements for asset owners, and third-party service providers), Series 3 (System — security risk assessment and system design), and Series 4 (Component — product development requirements). The most operationally critical parts are IEC 62443-3-3 (System Security Requirements and Security Levels) and IEC 62443-4-2 (Technical Security Requirements for IACS Components). Security Levels (SL) range from SL 1 (casual or unintentional violation) to SL 4 (state-sponsored attack with sophisticated means).
Engineering implementation centers on the Zone and Conduit model defined in IEC 62443-3-2. Assets are grouped into Security Zones based on their required protection level and function; inter-zone communication is restricted to explicitly defined Conduits with enforced security controls (firewalls, deep-packet inspection, protocol break devices). A typical refinery control system might have a Safety Instrumented System (SIS) zone at SL 3, a Basic Process Control System (BPCS) zone at SL 2, a Historian/DMZ zone at SL 2, and a corporate IT zone at SL 1, with the conduit between the BPCS and Historian zones enforced by a unidirectional data diode. IEC 62443-4-2 defines seven Foundational Requirements (FR): identification and authentication control (IAC), use control (UC), system integrity (SI), data confidentiality (DC), restricted data flow (RDF), timely response to events (TRE), and resource availability (RA).
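As an added illustration (not part of the standard or of this page's original content), the refinery layout above can be encoded as a small zone-and-conduit model and used to check proposed inter-zone flows, for instance when reviewing a firewall rule request. Zone names, the control labels, and the rule that traffic entering a higher-SL zone needs more than a plain firewall are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str
    target_sl: int  # target security level (SL-T) for the zone, 1..4

@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    control: str             # enforced control: "firewall", "dpi" or "data_diode"
    bidirectional: bool = True

# Constructed model of the refinery layout described above (zone names are assumptions).
ZONES = {z.name: z for z in (
    Zone("SIS", 3), Zone("BPCS", 2), Zone("Historian_DMZ", 2), Zone("Corporate_IT", 1))}

CONDUITS = [
    Conduit("BPCS", "Historian_DMZ", "data_diode", bidirectional=False),  # replication only
    Conduit("Historian_DMZ", "Corporate_IT", "firewall"),
    Conduit("BPCS", "SIS", "dpi"),  # protocol-aware inspection on interlock traffic
]

# Controls considered strong enough for traffic entering a higher-SL zone (assumption).
STRONG_CONTROLS = {"dpi", "data_diode"}

def find_conduit(src, dst):
    """Return the conduit carrying src -> dst, honouring unidirectional conduits."""
    for c in CONDUITS:
        if (c.src, c.dst) == (src, dst) or (c.bidirectional and (c.dst, c.src) == (src, dst)):
            return c
    return None

def evaluate_flow(src, dst):
    """Decide whether a requested inter-zone flow is consistent with the conduit model.

    Returns (allowed, reason). Intra-zone traffic is outside conduit policy.
    """
    if src not in ZONES or dst not in ZONES:
        return False, "unknown zone"
    if src == dst:
        return True, "intra-zone traffic"
    c = find_conduit(src, dst)
    if c is None:
        return False, f"no conduit defined from {src} to {dst}"
    if ZONES[dst].target_sl > ZONES[src].target_sl and c.control not in STRONG_CONTROLS:
        return False, f"{c.control} conduit too weak for SL {ZONES[src].target_sl} -> SL {ZONES[dst].target_sl}"
    return True, f"permitted via {c.control} conduit"

def audit(requests):
    """Evaluate a batch of (src, dst) flow requests, e.g. proposed firewall rules."""
    return [(src, dst, *evaluate_flow(src, dst)) for src, dst in requests]
```

Running `audit([("Historian_DMZ", "BPCS"), ("Corporate_IT", "Historian_DMZ")])` rejects both flows: the first because the data diode conduit is one-way, the second because a firewall alone is not accepted for traffic entering the higher-SL DMZ.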
The intersection of IEC 62443 with software supply chain security is increasingly important. IEC 62443-4-1 (Product Security Development Life-Cycle Requirements) defines a Secure Development Lifecycle (SDL) for IACS product manufacturers, requiring threat modeling, security design review, and security testing for every product release. Component manufacturers seeking IEC 62443-4-2 certification must undergo third-party testing by an accredited certification body (e.g., TÜV SÜD, Exida). The standard is referenced in TSA Pipeline Security Directives, NERC CIP for ICS vendors, and the EU NIS2 Directive (Article 24) as a recognized international standard for OT security. ISA/IEC 62443 certification is increasingly demanded in procurement contracts for industrial control system components.
We perform IEC 62443-3-2 zone and conduit analysis for OT environments, designing security zone architectures that achieve target Security Levels without disrupting operational availability requirements. We implement conduit security controls including protocol-aware firewalls, data diodes for historian replication, and remote access solutions that satisfy IEC 62443-2-4 service provider requirements. We also advise IACS product manufacturers on IEC 62443-4-1 SDL compliance for certification.