Home
By Role

IEC 62443 In Practice

What the standard actually requires from each stakeholder — beyond the specification text.

The standard text is precise but dense. Here is what actually complying with IEC 62443 looks like on the ground — for each of the three stakeholder groups.

🏭

Asset Owners

Operators of IACS — water, energy, transport, manufacturing

  • Commission a formal risk assessment per IEC 62443-3-2: map every security zone, conduit, and threat, and assign a target security level to each zone. This is not background work — it determines every security decision that follows.
  • Build and maintain a Cybersecurity Management System (CSMS) per IEC 62443-2-1: written policies, assigned roles, a supplier qualification process, incident response, and a periodic review cycle.
  • Qualify every integrator and service provider against IEC 62443-2-4. The standard gives you a specific, auditable list of capabilities to require in procurement and contracts.
  • Manage patches in an environment where unplanned downtime is unacceptable. IEC 62443-2-3 provides a framework, but scheduling maintenance windows around production is the hard part.
  • Verify ongoing compliance — not just at commissioning, but as systems age, threats evolve, and new components are introduced.
The bottom line IEC 62443 turns OT security from an ad-hoc activity into a formal management discipline. For most asset owners, that means dedicated budget, assigned ownership, and lasting changes to how you procure and manage IACS.
🔧

System Integrators

Companies designing, building, and commissioning IACS

  • Complete a risk assessment per IEC 62443-3-2 before selecting any security controls. Security architecture follows the risk — not vendor defaults, habit, or last project's design.
  • Design to meet the agreed target security level (SL-T) across all seven foundational requirement categories. SL 2 requires multi-factor authentication for all human-system interfaces. SL 3 significantly raises the bar for communication integrity and session management.
  • Document the achieved security level (SL-A) and explicitly justify any gaps between target and what the installed components can actually deliver.
  • Your obligations to the asset owner under IEC 62443-2-4 cover remote access controls, configuration management, handover documentation, and ongoing support — all subject to contractual verification.
  • Security acceptance testing is part of commissioning scope. You cannot hand over a system without demonstrating it meets the agreed security level.
The bottom line IEC 62443 makes security a first-class engineering requirement alongside functional safety. It changes how you specify components, structure design documentation, and scope commissioning activities — from the very first conversation with the client.
⚙️

Product Manufacturers

Vendors supplying hardware, software, and firmware to IACS

  • Run a documented Secure Development Lifecycle (SDL) per IEC 62443-4-1: security requirements before coding starts, threat modelling during design, security testing as part of QA, and a formal process for responding to disclosed vulnerabilities.
  • Meet the technical requirements in IEC 62443-4-2 at the capability security level (CAP SL) you claim. SL 2 components must provide authenticated users, authorisation controls, encrypted communications, and audit logging — built in by design, not bolted on later.
  • Maintain a vulnerability disclosure and patch program for the full supported life of the product. End-of-support decisions now carry security obligations you must communicate clearly to customers.
  • Third-party certification to ISASecure, TÜV, or BSI schemes underpinned by IEC 62443 is increasingly a hard requirement in critical infrastructure procurement. Waiting until a tender demands it is already too late.
The bottom line IEC 62443 reframes security as a product feature that must be designed in, verified, and supported across the full product lifecycle. For vendors used to treating security as an afterthought, this is a fundamental shift in engineering culture and commercial expectations.

Need help implementing IEC 62443 in your organisation? Get in touch ↗