IEC 62443 Standard

Current Status and Structure of the Industrial Automation and Control Systems Security Standard

Tags: Industrial Security, Cybersecurity, Compliance, Risk Management, Control Systems. Version 3.0

IEC 62443 Standard Overview

A comprehensive framework for securing industrial automation and control systems

The IEC 62443 series provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACS). This guide presents the latest status of the standard's components across all tiers.

The standard is organized into six tiers, each addressing different aspects of industrial cybersecurity, from general concepts to specific implementation and conformance requirements.

Document Types & Status Legend

Document Types

Standard: Normative document with mandatory requirements
TS: Technical Specification (functional)
TR: Technical Report (procedural)
PAS: Publicly Available Specification

Publication Status

Published: Officially published and available
Under Revision: Currently being updated
In Development: Being developed or planned

IEC 62443 Standard Structure

Tier 1: General

Covers fundamental concepts, terminology, and models for industrial automation and control systems security.

IEC 62443-1-1

Published

Terminology, concepts and models

Standard

Establishes the core terminology and concepts used throughout the IEC 62443 series. Provides the foundation for understanding industrial cybersecurity principles.

IEC 62443-1-2

Published

Master glossary of terms and abbreviations

TR

Comprehensive glossary that standardizes terminology across all parts of the IEC 62443 series, ensuring consistent interpretation and application.

IEC 62443-1-3

In Development

Performance metrics for IACS security

TR

Defines metrics for measuring the performance of security controls in industrial automation and control systems. Provides a framework for evaluating security effectiveness.

IEC 62443-1-4

Published

IACS security lifecycle and use-cases

TR

Describes the security lifecycle for industrial automation and control systems. Provides practical use cases to illustrate security concepts and implementation approaches.

IEC 62443-1-5

In Development

Scheme for IEC 62443 Cyber Security Profiles

TR

Establishes a framework for creating cybersecurity profiles based on the IEC 62443 standard. Enables industry-specific adaptations of the standard.

IEC 62443-1-6

In Development

Application of the ISA/IEC 62443 standards to the ICT

TR

Provides guidance on applying IEC 62443 standards to Information and Communication Technology (ICT) systems that interact with industrial control systems.

Tier 2: Policies & Procedures

Addresses organizational security policies and procedures for industrial automation and control systems.

IEC 62443-2-1

New Version

Security program requirements for IACS asset owners

Standard

Defines requirements for establishing and maintaining an effective cybersecurity management system for industrial automation and control systems. Focuses on organizational aspects of security.

IEC 62443-2-2

Released

IACS Security Protection Rating

PAS

Provides a methodology for rating the security protection capabilities of industrial automation and control systems. Helps organizations assess their security posture.

IEC 62443-2-3

Published

Patch management in the IACS environment

TR

Provides guidance on establishing and operating a patch management program for industrial automation and control systems. Addresses the unique challenges of patching operational technology.

IEC 62443-2-4

Published

Security program requirements for IACS service providers

Standard

Specifies requirements for security programs of service providers that perform integration, maintenance, or other services for industrial automation and control systems.

IEC 62443-2-5

In Development

Implementation guidance for IACS asset owners

TR

Provides practical guidance for asset owners on implementing security controls in industrial environments. Includes best practices and implementation considerations.

Tier 3: System

Focuses on system-level security requirements and security assurance levels for industrial control systems.

IEC 62443-3-1

In Development

Security technologies for IACS

TR

Provides an overview of security technologies applicable to industrial automation and control systems. Includes guidance on selecting appropriate technologies for different environments.

IEC 62443-3-2

Published

Security Risk Assessment for System Design

Standard

Establishes requirements for assessing cybersecurity risk for industrial automation and control systems. Provides a methodology for determining appropriate security levels for zones and conduits.

IEC 62443-3-3

Published

System security requirements and security levels

Standard

Defines system security requirements and security levels for industrial automation and control systems. Provides a framework for specifying security capabilities required for a given security level.

Tier 4: Component/Product

Addresses security requirements for components and development processes in industrial control systems.

IEC 62443-4-1

Published

Secure Product Development Lifecycle Requirements

Standard

Specifies process requirements for the secure development of products used in industrial automation and control systems. Defines a secure development lifecycle for control system components.

IEC 62443-4-2

Published

Technical security requirements for IACS components

Standard

Provides detailed technical security requirements for components used in industrial automation and control systems. Categorizes components and specifies requirements for each category.

Tier 5: Profiles

Provides industry-specific security profiles and implementation guidance for different sectors.

IEC 62443-5-x

In Development

Industry-Specific Profiles

TS

Series of documents providing industry-specific security profiles based on the IEC 62443 framework. Tailors security requirements to specific industrial sectors and applications.

Profile Tier Structure

The Profile Tier is a newly announced component of the IEC 62443 framework that provides sector-specific implementations of the standard:

  • Adapts general requirements to specific industry needs
  • Provides implementation guidance for specific sectors
  • Enables consistent application across similar systems

Profile X

In Development

Sector-Specific Implementation

TS

Placeholder for future industry-specific security profiles. Will provide detailed implementation guidance for particular industrial sectors.

Profile Components

Each profile typically includes:

  • Sector-specific threat models
  • Tailored security control sets
  • Implementation examples
  • Sector-specific compliance guidance

Tier 6: Evaluation & Conformance

Provides methodologies for evaluating compliance with the IEC 62443 standard and certification frameworks.

IEC 62443-6-1

Published

Security Evaluation Methodology for IEC 62443-2-4

TR

Provides a methodology for evaluating compliance with the requirements specified in IEC 62443-2-4 for service providers. Establishes criteria for assessing service provider security programs.

IEC 62443-6-2

Published

Security Evaluation Methodology for IEC 62443-4-2

TR

Establishes a methodology for evaluating compliance with the technical security requirements for components specified in IEC 62443-4-2. Provides a framework for component certification.

Conformance & Certification

Published

Certification Framework

TR

The Conformance & Certification tier establishes frameworks for certifying compliance with the IEC 62443 standard. This includes certification schemes for products, systems, and organizations.

Conformance Tiers

The standard defines multiple conformance tiers:

  • Self-declaration of conformance
  • Independent assessment
  • Certification by accredited bodies

Certification Scope

Certification can be applied at different levels:

  • Component certification (IEC 62443-4-x)
  • System certification (IEC 62443-3-x)
  • Organizational certification (IEC 62443-2-x)

IEC 62443 Implementation Lifecycle

The IEC 62443 standard follows a continuous improvement lifecycle with three main phases: Assess, Develop and Implement, and Maintain. This approach allows organizations to systematically build and improve their industrial cybersecurity capabilities.

[Figure: IEC 62443 Lifecycle. 1 Assess Phase: Risk Assessment, Asset Inventory, Vulnerability Scan. 2 Develop & Implement: Security Policies, Security Controls, Deploy Controls, Train Personnel. 3 Maintain Phase: Monitor Systems, Patch Management, Continuous Improvement.]

1. Assess

Evaluate current security posture and identify risks to industrial control systems.

Key Activities:

  • Inventory control systems and assets
  • Identify zones and conduits
  • Conduct risk assessment
  • Determine target security levels

Key Standards:

IEC 62443-3-2, IEC 62443-1-1

2. Develop and Implement

Create and deploy security policies, procedures, and controls based on assessment results.

Key Activities:

  • Develop security policies and procedures
  • Create security architecture
  • Implement network segmentation
  • Deploy security controls
  • Configure systems securely
  • Train personnel

Key Standards:

IEC 62443-2-1, IEC 62443-3-3, IEC 62443-4-2

3. Maintain

Continuously monitor, maintain, and improve the security of industrial control systems.

Key Activities:

  • Monitor security controls
  • Manage patches and updates
  • Respond to security incidents
  • Continuously improve security
  • Conduct periodic reassessments

Key Standards:

IEC 62443-2-3, IEC 62443-2-4
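The Assess step above (identify zones and conduits, determine target security levels per IEC 62443-3-2) and the periodic reassessment in the Maintain step both come down to comparing a target SL vector with what is actually achieved. The following is an added example, not part of this page or of the standard's text: it parses SL vectors written in the seven-foundational-requirement order used by IEC 62443-3-3 (IAC, UC, SI, DC, RDF, TRE, RA), reports per-FR gaps between SL-T and SL-A for each zone and conduit, and applies one simplified conduit rule that is an assumption for the demo, not a clause of the standard. Zone names, conduit names and all SL values are constructed.

```python
"""Zone/conduit security-level gap check (added example; constructed data)."""
from dataclasses import dataclass

# Seven foundational requirements, in the order IEC 62443 writes SL vectors.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")

def parse_sl(vector: str) -> dict:
    """Parse an SL vector such as '{ 2 2 3 1 3 2 2 }' into {FR: level}."""
    levels = [int(tok) for tok in vector.strip("{} ").split()]
    if len(levels) != 7 or any(not 0 <= lv <= 4 for lv in levels):
        raise ValueError(f"bad SL vector: {vector!r}")
    return dict(zip(FRS, levels))

@dataclass
class Asset:            # a zone or a conduit
    name: str
    sl_t: dict          # target level (from the 62443-3-2 risk assessment)
    sl_a: dict          # achieved level (from the control set in place)
    links: tuple = ()   # for conduits: the two zone names it connects

def gap(a: Asset) -> dict:
    """FRs where the achieved level falls short of the target."""
    return {fr: a.sl_t[fr] - a.sl_a[fr] for fr in FRS if a.sl_a[fr] < a.sl_t[fr]}

def conduit_checks(zones: dict, conduits: list) -> list:
    """Demo rule (assumption, not a clause of the standard): a conduit's
    RDF target must not be below that of either zone it joins."""
    findings = []
    for c in conduits:
        need = max(zones[z].sl_t["RDF"] for z in c.links)
        if c.sl_t["RDF"] < need:
            findings.append(f"{c.name}: RDF SL-T {c.sl_t['RDF']} < {need}")
    return findings

def build_demo():
    """Constructed two-zone, one-conduit model (hypothetical names/values)."""
    zones = {
        "PLC-A": Asset("PLC-A", parse_sl("{ 2 2 3 1 3 2 2 }"), parse_sl("{ 2 1 2 1 3 1 2 }")),
        "DMZ":   Asset("DMZ",   parse_sl("{ 2 2 2 2 3 2 2 }"), parse_sl("{ 2 2 2 2 3 2 2 }")),
    }
    conduits = [Asset("PLC-A<->DMZ", parse_sl("{ 2 2 2 1 2 2 2 }"),
                      parse_sl("{ 2 2 2 1 2 2 2 }"), links=("PLC-A", "DMZ"))]
    return zones, conduits

def report() -> dict:
    """Per-zone gap vectors plus conduit findings, as the reassessment output."""
    zones, conduits = build_demo()
    out = {name: gap(z) for name, z in zones.items()}
    out["conduit_findings"] = conduit_checks(zones, conduits)
    return out

if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

The gap dictionary for a zone is the work list for the Develop and Implement step; an empty dictionary on reassessment means the zone still meets its target.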