The international standard series for securing Industrial Automation and Control Systems (IACS) - from corporate policy to fieldbus component. Applicable to every stakeholder in an OT environment.
Originally developed by ISA99 and adopted jointly by IEC and ISA, IEC 62443 is a multi-part standard series that defines a framework for securing Industrial Automation and Control Systems across their entire lifecycle. It addresses the people, processes, and technology required to establish and maintain a defensible OT security posture.
Covers IACS used in critical infrastructure - energy, water, manufacturing, oil & gas, transportation, pharmaceuticals, and building automation.
Six series of documents addressing general concepts, operational policies, system design, component requirements, and evaluation methodology.
Defines four Security Levels (SL 1–4) matched to threat severity, allowing proportionate security investment relative to actual risk.
Distinct requirements for asset owners, system integrators, and product manufacturers - each role has a dedicated body of normative guidance.
Underpins globally recognised certification schemes (ISASecure, TÜV, BSI) for both products and management systems.
Referenced by NIS2, NERC CIP, ASD SOCI, and other regulatory frameworks as the preferred technical standard for OT cybersecurity.
IEC 62443 deliberately separates obligations by role. The same system is viewed through three lenses - each with its own set of normative requirements.
Organisations that own and operate IACS. Responsible for security risk assessments, security management systems, patch management, and supplier qualification. Primarily addressed by Series 2.
Companies that design, build, integrate, and commission IACS solutions on behalf of asset owners. Required to conduct risk assessments and meet system-level security requirements. Primarily addressed by Series 3.
Vendors supplying hardware, software, and firmware components used in IACS (PLCs, RTUs, HMIs, historians, network devices). Subject to secure product development lifecycle requirements in Series 4.
The series spans six numbered groups covering general concepts through to evaluation methodology. Not every part is a normative standard - many are Technical Reports (informative guidance), Technical Specifications (pre-normative), or Publicly Available Specifications (time-limited guidance), and several parts remain in development.
Foundational concepts, terminology, models, and metrics applicable to all roles
Published as a Technical Specification (IEC/TS 62443-1-1:2009), not a full International Standard. Establishes the foundational vocabulary, concepts, and models - IACS, security levels, zones, conduits - used throughout all subsequent parts. Informative in status; content is widely adopted in practice.
Intended to provide a consolidated, precise glossary for all terms used across the series. Not yet published - currently under development by the ISA99 committee. Terms are currently defined within individual parts.
Intended to define quantitative metrics and measurement approaches for evaluating compliance with security requirements. Not yet published - currently under development by the ISA99 committee.
Intended to describe the IACS security lifecycle from initial concept through decommissioning, with illustrative use-case examples. Not yet published - currently under development by the ISA99 committee.
Published as a Technical Specification (IEC/TS 62443-1-5:2023). Defines the methodology and requirements for authoring IEC 62443 security profiles - sector- or application-specific subsets of the standard used in conformity assessment. Underpins the planned Series 5 security profiles sub-series, no parts of which have been published yet.
Published as a Publicly Available Specification (IEC PAS 62443-1-6:2025). Provides guidance for asset owners and service providers on applying the 62443 series to IIoT environments, addressing new communication channels, distributed architectures, and IIoT-specific cybersecurity concerns. As a PAS it is automatically withdrawn after four years (2029).
Operational security management requirements - primarily directed at asset owners
Specifies requirements for establishing, implementing, and maintaining a Security Management System (SMS) for IACS. Covers risk analysis, security policies, organisational roles, and ongoing program management - the OT counterpart to ISO/IEC 27001.
Published as a Publicly Available Specification (IEC PAS 62443-2-2:2025) - informative guidance, not normative requirements. Provides mechanisms and procedures for developing, validating, operating, and maintaining a Security Protection Scheme (SPS) that manages cyber risk across an operating facility. Companion document to 62443-2-1. Also published by ISA as ISA-TR62443-2-2:2025.
Published as a Technical Report (IEC TR 62443-2-3:2015) - informative guidance, not normative requirements. Addresses the unique challenges of patching in operational environments where availability is paramount. Covers roles and responsibilities for asset owners and vendors, patch assessment processes, and approaches for systems that cannot be taken offline.
Defines security capabilities and practices that asset owners should require of their system integrators and service providers. Covers solution delivery, configuration, remote access, documentation, and ongoing support activities throughout the project lifecycle.
System-level security requirements for design and risk assessment - primarily for system integrators
Published as a Technical Report (IEC TR 62443-3-1:2009) - informative guidance, not normative requirements. Evaluates the applicability of common security technologies (authentication, encryption, firewalls, IDS, etc.) to industrial control environments. Note: published in 2009 and may not reflect the current technology landscape.
Defines a rigorous process for identifying and partitioning an IACS into security zones and conduits based on risk. Drives the determination of target security levels (SL-T) for each zone and provides the basis for selecting countermeasures during system design.
The normative core of the system series. Specifies 51 foundational requirements (FRs) across seven categories (IAC, UC, SI, DC, RDF, TRE, RA) and defines how each scales to Security Levels 1–4. Used directly in system acceptance testing and certification assessments.
Product-level requirements for hardware, software, and firmware - directed at manufacturers
Specifies secure development lifecycle (SDL) practices that product suppliers must follow. Covers security management, requirements, design, implementation, verification, defect management, patch management, and end-of-life handling. Basis for ISASecure SDLA certification.
Defines component-level technical requirements equivalent to the system requirements in 62443-3-3, scoped to individual embedded devices, host devices, network components, and software applications. Enables component capability security levels (CAP SL) used in product certification programmes.
Evaluation methodologies for conformity assessment against specific parts of the standard
Published as a Technical Specification (IEC/TS 62443-6-1:2024). Specifies a repeatable, reproducible evaluation methodology for assessing service providers against the requirements of IEC 62443-2-4. Intended for use in first-, second-, and third-party conformity assessment activities, including by certification bodies.
Published as a Technical Specification (IEC/TS 62443-6-2:2025). Specifies a repeatable, reproducible evaluation methodology for assessing IACS components against the requirements of IEC 62443-4-2. Companion to 6-1, extending structured evaluation to the product component layer.
IEC 62443 defines five security levels that describe a zone or component's ability to withstand attacks from threat actors of increasing sophistication and motivation. Security levels drive the selection of countermeasures and form the basis of conformance assessment.
SL 0: No specific security requirements or protections applied. Baseline reference point only.
SL 1: Protection against unintentional or accidental violations - opportunistic actors with no targeted motivation or specialist skills.
SL 2: Protection against deliberate attack using simple, generic means - low-resource adversaries with IT skills but limited IACS-specific knowledge.
SL 3: Protection against sophisticated, IACS-aware threat actors using targeted attack methods - well-resourced adversaries with insider knowledge.
SL 4: Protection against nation-state level actors using extended resources, advanced techniques, and deep system knowledge over prolonged campaigns.
IEC 62443 is structured around a continuous security lifecycle. Security is not a one-time project but an ongoing programme of assessment, implementation, and improvement.
Identify IACS assets, define security zones and conduits, assess threats, and determine target security levels per 62443-3-2.
Establish the Security Management System (62443-2-1), assign roles, and develop security policies, procedures, and awareness programmes.
Select components with appropriate CAP SLs (62443-4-2), qualify suppliers against 62443-2-4, and design the system to meet SL-T per 62443-3-3.
Deploy countermeasures, harden configurations, apply secure network segmentation, and enforce identity and access management controls.
Test the system against defined requirements, conduct security acceptance testing, and verify that achieved SL meets or exceeds target SL.
Monitor continuously, manage patches (62443-2-3), respond to incidents, conduct periodic risk reviews, and drive improvement.
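The verification step above (achieved SL meets or exceeds SL-T) can be run as a per-zone gap analysis across the seven requirement categories. This is an added example, not code from the standard or from this page; `Zone`, `sl_vector`, the sample components and the rule that a zone is limited by its weakest component are assumptions made for illustration.

```python
from dataclasses import dataclass

# The seven requirement categories named on this page (62443-3-3 / 62443-4-2).
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")

def sl_vector(**levels):
    """Build a full SL vector; categories not given default to SL 0."""
    unknown = set(levels) - set(FRS)
    if unknown:
        raise ValueError(f"unknown category: {sorted(unknown)}")
    vec = {fr: levels.get(fr, 0) for fr in FRS}
    if any(not 0 <= v <= 4 for v in vec.values()):
        raise ValueError("security levels range from 0 to 4")
    return vec

@dataclass
class Zone:
    name: str
    target: dict        # SL-T per category, from the risk assessment
    components: dict    # component name -> capability SL vector

    def achieved(self):
        # Assumption: with no compensating countermeasures, the zone is
        # only as strong as its weakest component in each category.
        if not self.components:
            return sl_vector()
        return {fr: min(c[fr] for c in self.components.values()) for fr in FRS}

    def gaps(self):
        """Return {category: (target, achieved, limiting components)} for shortfalls."""
        got = self.achieved()
        out = {}
        for fr in FRS:
            if got[fr] < self.target[fr]:
                weak = sorted(n for n, c in self.components.items()
                              if c[fr] < self.target[fr])
                out[fr] = (self.target[fr], got[fr], weak)
        return out

# Constructed sample zone; names and levels are illustrative only.
control = Zone(
    name="control-zone",
    target=sl_vector(IAC=2, UC=2, SI=2, DC=1, RDF=2, TRE=1, RA=2),
    components={
        "plc-1": sl_vector(IAC=2, UC=2, SI=2, DC=1, RDF=2, TRE=1, RA=2),
        "hmi-1": sl_vector(IAC=1, UC=2, SI=2, DC=1, RDF=2, TRE=0, RA=2),
    },
)
print(control.gaps())  # shortfalls per category for the sample zone
```

Each reported gap names the components holding the zone below target, which is where a replacement or a compensating countermeasure has to be considered before acceptance testing.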