Question 1

What is IEC 62443?

Accepted Answer

IEC 62443 is an international standard series for securing Industrial Automation and Control Systems (IACS). Originally developed by the ISA99 committee and co-published by IEC and ISA, it defines a risk-based framework covering the people, processes, and technology required to establish and maintain a defensible operational technology (OT) security posture across the entire IACS lifecycle.

Question 2

What is the difference between IEC 62443 and ISA 62443?

Accepted Answer

IEC 62443 and ISA 62443 refer to the same standard series. The documents are co-developed by the ISA99 committee and co-published by both ISA (as ISA/IEC 62443) and IEC (as IEC 62443). The numbering and technical content are identical; the difference is only in the publishing body. Both designations are used interchangeably in industry.

Question 3

Who does IEC 62443 apply to?

Accepted Answer

IEC 62443 applies to three primary groups: asset owners (organisations that operate IACS, primarily addressed by Series 2), system integrators (companies that design and commission IACS solutions, primarily addressed by Series 3), and product manufacturers (vendors supplying hardware, software, and firmware components such as PLCs, RTUs, and HMIs, primarily addressed by Series 4).

Question 4

What industries does IEC 62443 apply to?

Accepted Answer

IEC 62443 applies to any sector that uses Industrial Automation and Control Systems (IACS), including energy and utilities, water and wastewater, manufacturing, oil and gas, transportation, pharmaceuticals, and building automation. It is particularly relevant to critical infrastructure operators.

Question 5

What are the IEC 62443 security levels?

Accepted Answer

IEC 62443 defines five security levels (SL 0–4) that describe a zone or component's ability to resist attacks of increasing sophistication. SL 0 means no specific requirements. SL 1 protects against unintentional or accidental violations. SL 2 protects against deliberate attacks using simple, generic means. SL 3 protects against sophisticated, IACS-aware threat actors. SL 4 protects against nation-state level adversaries using advanced techniques over prolonged campaigns.

Question 6

Which parts of IEC 62443 are currently published?

Accepted Answer

The key normative standards currently published are: IEC 62443-2-1 (IACS Security Management System), IEC 62443-2-4 (Requirements for IACS Solution Suppliers), IEC 62443-3-2 (Security Risk Assessment for System Design), IEC 62443-3-3 (System Security Requirements and Security Levels), IEC 62443-4-1 (Product Security Development Lifecycle), and IEC 62443-4-2 (Technical Security Requirements for IACS Components). Additional Technical Reports, Technical Specifications, and Publicly Available Specifications are also published, while some parts remain in development.

Question 7

What is the most important part of IEC 62443?

Accepted Answer

IEC 62443-3-3 is widely regarded as the normative core of the series. It specifies 51 system requirements across seven foundational requirement categories (including identification and authentication, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability) and defines how each scales to Security Levels 1–4. IEC 62443-4-1 is equally critical for product manufacturers, as it defines secure development lifecycle requirements.

Question 8

How does IEC 62443 differ from ISO/IEC 27001?

Accepted Answer

ISO/IEC 27001 is a general-purpose information security management system standard focused on IT environments. IEC 62443 is specifically designed for operational technology (OT) and industrial control systems, where availability, safety, and real-time constraints differ fundamentally from IT. IEC 62443-2-1 is the OT counterpart to ISO/IEC 27001 for IACS security management. The two standards are complementary rather than competing.

Question 9

What certifications are based on IEC 62443?

Accepted Answer

Several globally recognised certification schemes are underpinned by IEC 62443, including ISASecure (operated by the ISCI consortium), TÜV, and BSI schemes. These cover both product certifications (assessing components against IEC 62443-4-1 and 4-2) and management system certifications for service providers (based on IEC 62443-2-4). Evaluation methodologies for conformity assessment are defined in the IEC 62443 Series 6 documents.

Question 10

Which regulations reference IEC 62443?

Accepted Answer

In Australia, IEC 62443 is the preferred technical standard for OT cybersecurity and directly supports compliance with the Security of Critical Infrastructure (SOCI) Act 2018, the Australian Energy Sector Cybersecurity Framework (AESCSF), and the ACSC Essential Eight for OT environments. Internationally it is referenced by the EU NIS2 Directive, NERC CIP (North American energy sector), and various other national critical infrastructure protection regulations.

Question 11

What is a security zone in IEC 62443?

Accepted Answer

A security zone is a grouping of logical or physical IACS assets that share common security requirements. The process of partitioning a system into zones and conduits (communication paths between zones) is defined in IEC 62443-3-2 as part of the security risk assessment for system design. Each zone is assigned a target security level (SL-T) that drives countermeasure selection.

Question 12

What are the main phases of the IACS security lifecycle in IEC 62443?

Accepted Answer

IEC 62443 is structured around a continuous security lifecycle with six main phases: (1) Risk Assessment — identifying assets, defining security zones, and determining target security levels per IEC 62443-3-2; (2) Policy and Governance — establishing a Security Management System per IEC 62443-2-1; (3) Design and Procurement — selecting components and qualifying suppliers; (4) Implementation — deploying countermeasures and hardening configurations; (5) Verification and Validation — testing against security requirements; and (6) Operations and Maintenance — continuous monitoring, patch management (IEC 62443-2-3), and periodic risk reviews.

Industrial Cybersecurity
Standards Framework

What is IEC 62443?

Scope

Structure

Risk-Based

Multi-Stakeholder

Certification

Regulatory Alignment

Three Primary Audiences

Asset Owners

System Integrators

Product Manufacturers

Industrial CybersecurityStandards Framework

What is IEC 62443?

Scope

Structure

Risk-Based

Multi-Stakeholder

Certification

Regulatory Alignment

Three Primary Audiences

Asset Owners

System Integrators

Product Manufacturers

Industrial Cybersecurity
Standards Framework