We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / IEC 62443
IEC / ISA · Global

IEC 62443 (OT/ICS Security)

The standard for cybersecurity of industrial automation and control systems.

Introduction: IEC 62443 for OT and Industrial Control System Security

IEC 62443 is the pre-eminent international series of standards for the cybersecurity of Industrial Automation and Control Systems (IACS), commonly referred to as Operational Technology (OT) or Industrial Control Systems (ICS). Originally developed by the ISA99 committee of the International Society of Automation (ISA) and subsequently adopted and expanded by the International Electrotechnical Commission (IEC), the series provides a structured, risk-based framework that spans people, processes and technology across the entire lifecycle of an industrial control environment. Unlike enterprise IT security frameworks, IEC 62443 is purpose-built for the constraints of the OT world: legacy equipment that cannot be patched at will, real-time deterministic control loops, safety-critical processes, decades-long asset lifespans, and the paramount priority of availability and safety over confidentiality.

This deep-dive is written for asset owners, system integrators, product suppliers and their auditors who need an auditor-grade understanding of how to scope, assess, implement and evidence conformity against IEC 62443. It walks through the full structure of the series, the roles it defines, the concepts of zones and conduits, Security Levels (SL), Foundational Requirements (FR), System Requirements (SR) and Requirement Enhancements (RE), and it provides a master assessment checklist enumerating every foundational requirement group with the specific artefacts an auditor should expect to see. Throughout, the emphasis is on defence-in-depth, risk-based security levels and demonstrable, evidence-backed conformity.

Copyright and licensing note
IEC 62443 is a copyrighted, licensed set of standards published by the International Electrotechnical Commission (IEC) and the International Society of Automation (ISA). The normative text, requirement wording and control catalogues must be obtained through an official IEC or ISA licence (or an authorised national body such as BIS in India). This guide is an original, plain-English interpretation authored for educational purposes; it paraphrases concepts and does not reproduce the copyrighted normative text of the standard. Always work from a licensed copy of the relevant parts when performing a formal assessment or certification.

What is IEC 62443?

IEC 62443 is a multi-part series (not a single document) that collectively defines requirements and processes for implementing and maintaining electronically secure IACS. It addresses cybersecurity from four complementary perspectives, mapping to the four categories of the series: General concepts and terminology, Policies and Procedures for the asset owner's security programme, System-level technical and process requirements, and Component-level product development and technical requirements. The framework is deliberately role-aware: it recognises that security is a shared responsibility across the Asset Owner (the operator of the plant), the System Integrator (who designs and commissions the automation solution) and the Product Supplier (who manufactures the control components, devices and software).

At the heart of IEC 62443 sit several defining concepts. Defence-in-depth requires multiple, independent layers of protection so that the failure of one control does not lead to compromise of the whole system. Zones and Conduits provide a segmentation model that groups assets with common security requirements into zones, connected by controlled communication channels called conduits. Security Levels (SL 0 to SL 4) express the strength of protection required against increasingly capable adversaries, ranging from casual/incidental exposure (SL 1) up to a sophisticated, well-resourced, IACS-specific attacker (SL 4). Seven Foundational Requirements (FR) organise every technical requirement in the series into coherent security objectives. Together these concepts allow risk to be assessed, target security levels to be set per zone, and controls to be selected and verified in a consistent, auditable manner.

IEC 62443 is closely related to, but distinct from, the older ANSI/ISA-99 numbering and the NIST frameworks. It is horizontal (sector-agnostic) and is applied across power generation and distribution, water and wastewater, oil and gas, chemicals, pharmaceuticals, manufacturing, building automation, transport, and increasingly to medical devices and the broader Industrial Internet of Things (IIoT).

Who must comply with IEC 62443?

IEC 62443 is not, in most jurisdictions, a legally mandated standard in its own right; rather it is a widely adopted benchmark that is increasingly referenced by regulation, procurement contracts and sector authorities. Compliance may be voluntary (best practice), contractual (required by a customer or asset owner), or effectively mandatory where a regulator cites it. The series explicitly recognises three principal roles, each with distinct obligations.

Stakeholder / RoleApplicability and obligation
Asset Owners (operators)Organisations that own and operate the IACS/OT environment (utilities, plants, refineries, manufacturers). Responsible for the Cyber Security Management System (CSMS) per IEC 62443-2-1, risk assessment, zone/conduit definition, patch and operational security. Primary accountable party for the operating system.
System Integrators / Service ProvidersFirms that design, configure, integrate and commission automation solutions and their security. Governed by IEC 62443-2-4 (service provider security capabilities) and must deliver systems meeting the required Security Level per IEC 62443-3-3.
Product Suppliers / VendorsManufacturers of control products, devices, embedded software and applications. Must develop products under a secure development lifecycle per IEC 62443-4-1 and meet component technical requirements per IEC 62443-4-2 (component certification such as ISASecure CSA/SDLA).
Maintenance / Support ProvidersThird parties providing remote support, patching or on-site maintenance. Bound by the asset owner's CSMS and service-provider requirements; a frequent source of conduit and remote-access risk.
Regulated critical infrastructure operatorsEntities under regimes such as the EU NIS2 Directive, the US NERC CIP (power), sector CERT directives, and India's CERT-In / NCIIPC critical information infrastructure guidance, which frequently point to IEC 62443 as an accepted control baseline.
OEMs and machine buildersManufacturers embedding IACS into machinery who must supply secure, certifiable subsystems to downstream integrators and asset owners, increasingly required to meet EU Cyber Resilience Act (CRA) and Machinery Regulation expectations aligned to 62443-4-1/4-2.

Structure of the IEC 62443 series

The series is organised into four groups of documents. Part numbers follow the pattern 62443-X-Y where X denotes the group (1 General, 2 Policies and Procedures, 3 System, 4 Component) and Y the specific document. The table below summarises the principal published and in-development parts and the audience each addresses.

PartTitle / focusPrimary audience
IEC 62443-1-1Terminology, concepts and models (foundational definitions, zones/conduits, SL model)All
IEC TR 62443-1-2Master glossary of terms and abbreviationsAll
IEC 62443-1-3System security compliance metrics (in development)All
IEC TR 62443-1-4IACS security lifecycle and use casesAll
IEC 62443-2-1Establishing an IACS security programme / Cyber Security Management System (CSMS) requirementsAsset Owner
IEC TR 62443-2-2IACS security protection ratings / programme evaluationAsset Owner
IEC TR 62443-2-3Patch management in the IACS environmentAsset Owner / Integrator
IEC 62443-2-4Security programme requirements for IACS service providers (integrators & maintenance)System Integrator / Service Provider
IEC TR 62443-3-1Security technologies for IACS (survey of countermeasures)Integrator / Asset Owner
IEC 62443-3-2Security risk assessment and system design (zones, conduits, target SL)Asset Owner / Integrator
IEC 62443-3-3System security requirements and security levels (7 FRs, SR/RE, SL 1-4)Integrator / Asset Owner
IEC 62443-4-1Secure product development lifecycle requirements (SDLA)Product Supplier
IEC 62443-4-2Technical security requirements for IACS components (CR/EDR/HDR/NDR/SAR)Product Supplier

Two dimensions run vertically through the technical parts. The seven Foundational Requirements (FR1-FR7) group all technical controls, and the four Security Levels (SL 1-4) scale the rigour of those controls. In 62443-3-3 the requirements are expressed as System Requirements (SR) with optional Requirement Enhancements (RE); in 62443-4-2 the analogous component requirements are expressed as Component Requirements (CR) with type-specific variants for Embedded Devices (EDR), Host Devices (HDR), Network Devices (NDR) and Software Applications (SAR).

Master assessment checklist: the seven Foundational Requirements

This is the core of any IEC 62443 assessment. The 62443-3-3 (system) and 62443-4-2 (component) requirements are organised under seven Foundational Requirements. For each FR below, an auditor should verify that the target Security Level (SL-T) has been set for each zone, that the achieved capability (SL-C) of components and the deployed configuration (SL-A) meet or exceed it, and that objective evidence exists. Every FR group is enumerated below with the base System Requirements and, in the tables, what to verify and the typical evidence expected. Do not skip any FR.

FR1 - Identification and Authentication Control (IAC)

FR1 ensures that all human users, software processes and devices are reliably identified and authenticated before being granted access to the IACS. It covers SR 1.1 (human user identification and authentication), SR 1.2 (software process and device identification and authentication), SR 1.3 (account management), SR 1.4 (identifier management), SR 1.5 (authenticator management), SR 1.6 (wireless access management), SR 1.7 (strength of password-based authentication), SR 1.8 (public key infrastructure certificates), SR 1.9 (strength of public key authentication), SR 1.10 (authenticator feedback), SR 1.11 (unsuccessful login attempts), SR 1.12 (system use notification) and SR 1.13 (access via untrusted networks).

What to verifyTypical evidence
Unique identification and authentication of all human users on all interfaces (HMI, engineering workstations, remote access)User account listings, IdP/Active Directory exports, authentication policy, screenshots of login enforcement
Software processes and devices are identified and authenticated (device certificates, machine accounts)Device inventory with credentials, certificate store exports, 802.1X / device authentication configuration
Account management lifecycle: provisioning, review, disabling and removal of accountsJoiner-mover-leaver procedure, periodic access-review records, disabled-account reports
Identifier and authenticator management: no shared accounts where avoidable, credential rotation, secure storagePassword policy, secrets-vault records, evidence of default-credential change on all devices
Wireless access is uniquely identified, authenticated and encryptedWireless survey, WPA2/3-Enterprise config, wireless access register
Password strength, PKI certificate use and public-key authentication strength meet target SLPassword complexity settings, CA hierarchy and certificate policy, key length standards
Authenticator feedback obscured, lockout after unsuccessful attempts, system-use banner, controls for access via untrusted networks (MFA)Screenshots of masked entry and lockout, banner text, MFA configuration for remote/DMZ access

FR2 - Use Control (UC)

FR2 enforces that authenticated entities are permitted to perform only the actions for which they are authorised, and that those actions are constrained and logged. It comprises SR 2.1 (authorisation enforcement), SR 2.2 (wireless use control), SR 2.3 (use control for portable and mobile devices), SR 2.4 (mobile code), SR 2.5 (session lock), SR 2.6 (remote session termination), SR 2.7 (concurrent session control), SR 2.8 (auditable events), SR 2.9 (audit storage capacity), SR 2.10 (response to audit processing failures), SR 2.11 (timestamps), SR 2.12 (non-repudiation) and SR 2.13 (use of physical diagnostic and test interfaces).

What to verifyTypical evidence
Role-based authorisation enforced on all assets; least privilege applied and separation of duties for engineering vs operator rolesRole-permission matrix, RBAC configuration exports, privileged-access register
Portable/mobile device and removable-media use is controlled and scanned; mobile code restrictedUSB/removable-media policy, endpoint control config, mobile-code (scripts/macros) restriction settings
Session lock on inactivity, remote session termination, and concurrent-session limitsTimeout configuration, remote-session termination procedure, session policy
Comprehensive auditable events defined, sufficient audit storage, defined response to logging failuresAudit/logging policy, event catalogue, SIEM/log storage sizing, alarm on log failure
Reliable, synchronised timestamps and non-repudiation for critical actionsNTP/time-source configuration, sample logs with UTC timestamps, digital-signature/non-repudiation evidence
Physical diagnostic and test interfaces (JTAG, service ports) are controlled or disabledHardening standard, port-lock records, physical-interface inventory

FR3 - System Integrity (SI)

FR3 protects the integrity of the IACS against unauthorised manipulation of software, firmware, configuration and information, both at rest and in transit. It includes SR 3.1 (communication integrity), SR 3.2 (malicious code protection), SR 3.3 (security functionality verification), SR 3.4 (software and information integrity), SR 3.5 (input validation), SR 3.6 (deterministic output), SR 3.7 (error handling), SR 3.8 (session integrity) and SR 3.9 (protection of audit information).

What to verifyTypical evidence
Integrity of communications protected (message authentication, cryptographic integrity where feasible)Protocol security configuration, TLS/IPsec settings, integrity-check design notes
Malicious-code protection appropriate to OT (allow-listing/application control preferred over signature AV on critical assets)Application allow-listing config, AV coverage matrix, exception register for un-protectable legacy assets
Security functionality is periodically verified to be operating correctlySecurity self-test records, verification procedure and results
Software, firmware and information integrity assured (signed updates, checksums, change control)Signed-firmware evidence, hash baselines, configuration change-control records
Input validation, deterministic output on failure, safe error handling and session integrityDesign documentation, fuzz/robustness test results, fail-safe behaviour specification
Audit information is protected from unauthorised access, modification and deletionLog-immutability controls, access controls on log stores, WORM/forwarding configuration

FR4 - Data Confidentiality (DC)

FR4 ensures the confidentiality of information on communication channels and in data stores where required. In OT, confidentiality is often lower priority than availability and integrity, but it remains essential for credentials, keys, configuration and sensitive process data. It covers SR 4.1 (information confidentiality), SR 4.2 (information persistence) and SR 4.3 (use of cryptography).

What to verifyTypical evidence
Confidential information (credentials, keys, sensitive process/recipe data) is protected at rest and in transitData classification, encryption inventory, TLS/at-rest encryption configuration
Information persistence controlled: sensitive data is purged/sanitised from decommissioned or repurposed devicesMedia sanitisation procedure, decommissioning records, sanitisation certificates
Cryptography is standards-based, correctly implemented, with sound key managementCrypto standard (approved algorithms/key lengths), key-management procedure, cipher configuration

FR5 - Restricted Data Flow (RDF)

FR5 is where the zones-and-conduits model is enforced technically: segmenting the IACS into zones and controlling all communication through defined conduits. It includes SR 5.1 (network segmentation), SR 5.2 (zone boundary protection), SR 5.3 (general-purpose person-to-person communication restrictions) and SR 5.4 (application partitioning).

What to verifyTypical evidence
Network is segmented into zones aligned to risk and target SL; OT is separated from IT and from the internetNetwork architecture diagram, zone/conduit register, VLAN/firewall segmentation config
Zone boundaries protected by firewalls, data diodes or equivalent; all conduits documented and controlledFirewall rule base with justification, conduit inventory, data-diode/DMZ design
General-purpose messaging (email, web, chat) is not permitted from control-zone assetsEgress-filtering rules, proxy configuration, host-hardening standard prohibiting general communication
Applications are partitioned so that a compromise in one does not propagate across zonesApplication-partitioning design, micro-segmentation evidence

FR6 - Timely Response to Events (TRE)

FR6 ensures the IACS supports monitoring, detection, and forensic capability so that security events can be detected and responded to in a timely manner. It covers SR 6.1 (audit log accessibility) and SR 6.2 (continuous monitoring).

What to verifyTypical evidence
Audit logs are accessible in a usable form to authorised personnel for analysis and forensicsLog-review procedure, SIEM access records, sample forensic query outputs
Continuous monitoring for security events, intrusion and anomalous behaviour with alertingOT-IDS/anomaly-detection deployment, monitoring architecture, alert runbooks, incident tickets
Incident response process exists, is tested and integrates OT and IT/SOC teamsIR plan for OT, tabletop/exercise records, defined escalation and reporting lines

FR7 - Resource Availability (RA)

FR7 protects the availability of the IACS against denial-of-service and resource exhaustion, and ensures resilience and recoverability - reflecting that availability and safety are the top priorities in OT. It comprises SR 7.1 (denial-of-service protection), SR 7.2 (resource management), SR 7.3 (control system backup), SR 7.4 (control system recovery and reconstitution), SR 7.5 (emergency power), SR 7.6 (network and security configuration settings), SR 7.7 (least functionality) and SR 7.8 (control system component inventory).

What to verifyTypical evidence
Protection against denial-of-service and resource exhaustion; partitioning of critical resourcesDoS protection design, rate-limiting/QoS config, resource-management settings
Regular, tested backups of control-system software, configuration and data; documented recovery and reconstitutionBackup schedule and logs, restore-test records, recovery runbook and RTO/RPO targets
Emergency/backup power for critical control and security functionsUPS/generator inventory, power-test records, load calculations
Network and security configuration settings are managed to a secure baseline (hardening)Hardening standards, configuration baselines, drift-detection reports
Least functionality: unused ports, services, protocols and software are disabled or removedService/port inventory, hardening checklists, before/after configuration evidence
Accurate, maintained inventory of all control-system components (hardware, firmware, software versions)Asset register / CMDB, automated OT asset-discovery output, firmware version list

Programme and process requirements (62443-2-1 CSMS and 62443-2-4)

Beyond the seven technical FRs, an asset owner must demonstrate a Cyber Security Management System (CSMS) per 62443-2-1, and service providers must demonstrate the capabilities of 62443-2-4. These process areas are equally auditable.

What to verifyTypical evidence
A documented, risk-based CSMS covering scope, policy, organisation and management commitmentCSMS documentation, security policy, RACI, management sign-off
Risk identification, classification and assessment methodology applied to the IACSRisk-assessment methodology and register, high-level and detailed risk assessments
Organisational security: roles, training, awareness and staffing for OT securityTraining records, competency matrix, awareness programme
Selection and implementation of countermeasures mapped to risk and target SLControl selection rationale, risk-treatment plan, SL-T determination records
Conformance, monitoring, review and continual improvement of the CSMSInternal audit reports, management-review minutes, corrective-action log
Service-provider security capabilities (staffing, architecture, wireless, patching, malware, backup, handover) per 62443-2-4Integrator/maintenance contracts, capability attestations, handover documentation

Secure product development lifecycle (62443-4-1)

Product suppliers must operate a secure development lifecycle. 62443-4-1 defines eight practices that an auditor evaluates for maturity.

What to verifyTypical evidence
Practice 1 - Security management: defined SDL process, roles and expertiseSDL policy, RACI, developer security training records
Practice 2 - Specification of security requirements and threat modellingSecurity requirements specifications, threat models per product
Practice 3 - Secure by design (defence-in-depth in the product architecture)Architecture reviews, security design documents
Practice 4 - Secure implementation and secure codingCoding standards, static analysis (SAST) results, code-review records
Practice 5 - Security verification and validation testingTest plans, fuzz/robustness/penetration test reports, SL-C claims
Practice 6 - Management of security-related issues (defect/vulnerability handling)Vulnerability triage records, CVSS scoring, remediation SLAs
Practice 7 - Security update management (patch delivery to the field)Patch policy, advisory/PSIRT process, signed-update delivery evidence
Practice 8 - Security guidelines (hardening and secure-deployment documentation for the field)Product security hardening guides, secure-configuration documentation

Scoping the assessment

Scoping is the decisive early activity because IEC 62443 is applied per system-under-consideration (SuC), not to an entire organisation at once. The scope must be defined precisely before any assessment or design work begins.

  • Define the System-under-Consideration (SuC): the specific IACS, plant, line or facility being assessed, including its physical and logical boundaries.
  • Identify the applicable role(s): are you assessing as asset owner (62443-2-1/3-2/3-3), integrator (62443-2-4/3-3) or product supplier (62443-4-1/4-2)?
  • Establish the relevant parts of the series that apply to the role and lifecycle stage (design, procurement, operation, decommissioning).
  • Enumerate all zones and conduits within the SuC and their interfaces to external systems (IT network, cloud, remote access, vendors).
  • Identify the safety, availability and business-criticality of the processes, since these drive the target Security Level (SL-T).
  • List all assets: controllers (PLC/DCS/RTU/SIS), HMIs, engineering workstations, historians, network devices, and any IIoT/edge devices.
  • Determine the target SL per zone using 62443-3-2 risk assessment, and document assumptions, exclusions and interdependencies.
  • Agree the assessment basis: capability (SL-C), target (SL-T) and achieved (SL-A) levels, and whether certification (e.g. ISASecure, IECEE CB) is sought.

Implementation approach (phased)

A pragmatic IEC 62443 programme follows the 62443-3-2 risk-assessment and design workflow, then implements and operationalises controls. The following phased approach aligns to that workflow and to the CSMS lifecycle.

Phase 1 - Initiation and high-level risk assessment

  • Activities: secure management sponsorship; define the SuC and boundaries; build/validate the OT asset inventory; perform an initial high-level cyber risk assessment to determine whether detailed assessment is warranted.
  • Deliverables: programme charter, SuC definition, asset register, initial (high-level) risk assessment report.

Phase 2 - Zone and conduit partitioning

  • Activities: group assets into zones with common security requirements; identify all conduits between zones and to external systems; document data flows and trust boundaries.
  • Deliverables: zone-and-conduit model and diagram, data-flow inventory, conduit register.

Phase 3 - Detailed risk assessment and target SL determination

  • Activities: for each zone and conduit, assess threats, vulnerabilities and consequences; determine the target Security Level (SL-T 1-4); identify the gap versus current state.
  • Deliverables: detailed risk assessment per zone/conduit, documented SL-T per zone, cybersecurity requirements specification (CRS), gap analysis.

Phase 4 - Design and countermeasure selection

  • Activities: select technical and procedural countermeasures across the seven FRs to achieve SL-T; specify component SL-C requirements for procurement; design segmentation, secure remote access and monitoring.
  • Deliverables: security design specification, procurement requirements (SL-C), architecture and network diagrams, control mapping to FRs.

Phase 5 - Implementation and integration

  • Activities: deploy and configure countermeasures; harden components; implement segmentation, IAM/MFA, monitoring and backups; validate integrator capabilities per 62443-2-4.
  • Deliverables: hardened configurations, deployed segmentation/monitoring, updated CSMS procedures, factory/site acceptance test (FAT/SAT) security records.

Phase 6 - Verification, validation and certification

  • Activities: verify achieved SL (SL-A) against SL-T through testing, assessment and audit; remediate gaps; pursue certification if in scope (ISASecure SSA/CSA/SDLA, IECEE).
  • Deliverables: verification/validation report, SL-A determination, gap-remediation log, certification evidence.

Phase 7 - Operate, maintain and improve

  • Activities: operate the CSMS; patch management (62443-2-3); continuous monitoring and incident response; periodic re-assessment as the SuC and threat landscape change.
  • Deliverables: operational security records, patch and vulnerability logs, monitoring/incident reports, management-review and continual-improvement records.

Security Levels and maturity model

IEC 62443 uses two distinct scales. Security Levels (SL 0-4) describe the strength of protection required or achieved against increasingly capable adversaries and apply to zones, systems and components. Maturity Levels (ML 1-4), drawn from CMMI and used in 62443-4-1 and 62443-2-4, describe the maturity of an organisation's processes. Both are summarised below.

Security LevelAdversary / protection intent
SL 0No specific security requirements or protection necessary.
SL 1Protection against casual or coincidental violation (unintentional exposure, accidental misuse).
SL 2Protection against intentional violation using simple means, low resources, generic skills and low motivation.
SL 3Protection against intentional violation using sophisticated means, moderate resources, IACS-specific skills and moderate motivation.
SL 4Protection against intentional violation using sophisticated means, extended resources, IACS-specific skills and high motivation (e.g. nation-state).
Maturity Level (process)Description
ML 1 - InitialAd hoc and inconsistent; security activities performed but not documented as a repeatable process.
ML 2 - ManagedProcesses are documented and repeatable; personnel have requisite expertise; performed with discipline.
ML 3 - Defined (Practiced)Processes are practised across the organisation, evidenced by records demonstrating consistent use.
ML 4 - ImprovingMetrics are collected and used to continually measure and improve the security processes.

For any zone the assessment distinguishes SL-T (target, from risk assessment), SL-C (capability of the components/system as designed or certified) and SL-A (achieved, as actually deployed and operated). A conformant design requires SL-C and SL-A to meet or exceed SL-T for every FR in every zone.

Assessment and audit approach

  1. Confirm scope and role: agree the SuC, boundaries, the applicable parts of the series and whether the objective is a gap assessment, conformity assessment or formal certification.
  2. Collect documentation: obtain the CSMS, risk assessments, zone/conduit model, network diagrams, asset inventory, policies, procedures and prior audit reports.
  3. Review the zone-and-conduit model and target Security Levels: validate that SL-T is justified by the documented risk assessment (62443-3-2).
  4. Assess technical controls against the seven FRs: for each zone verify SR/CR coverage and determine SL-C from component certifications and design.
  5. Perform on-site and technical validation: inspect configurations, sample firewall rules, review logs, witness backups/restores and interview operators and engineers.
  6. Determine achieved Security Level (SL-A): compare deployed and operated state against SL-T for every FR, recording conformities and non-conformities.
  7. Evaluate process maturity (ML 1-4) for supplier/integrator practices under 62443-4-1 and 62443-2-4 where in scope.
  8. Document findings: classify each gap by severity and affected FR/SR, and record objective evidence supporting each conclusion.
  9. Produce the report and remediation plan: state SL-A vs SL-T per zone, prioritised remediation, owners and timelines.
  10. Re-test and, where applicable, recommend for certification (ISASecure, IECEE) or schedule the periodic re-assessment cycle.

Evidence request list

The following categorised evidence list is what an auditor should request in advance and validate during the engagement.

  • Governance and CSMS: security policy, CSMS scope and documentation, organisation chart/RACI, management-review minutes, risk-assessment methodology and registers.
  • Architecture and scope: system-under-consideration definition, network and data-flow diagrams, zone-and-conduit register, target SL determination records.
  • Asset management: OT asset inventory/CMDB, firmware and software version lists, automated discovery outputs, end-of-life register.
  • Identity and access (FR1/FR2): account listings, IdP/AD exports, RBAC/least-privilege matrices, MFA configuration, joiner-mover-leaver and access-review records.
  • System integrity and confidentiality (FR3/FR4): hardening standards, application allow-listing/AV coverage, signed-update evidence, encryption and key-management documentation, media-sanitisation records.
  • Network and segmentation (FR5): firewall rule bases with justification, DMZ/data-diode designs, remote-access architecture, egress-filtering configuration.
  • Monitoring and response (FR6): OT-IDS/SIEM deployment, logging policy, alert runbooks, incident register, IR plan and exercise records.
  • Availability and recovery (FR7): backup schedules and logs, restore-test evidence, RTO/RPO definitions, UPS/emergency-power records, least-functionality configuration.
  • Supply chain and products: 62443-4-1 SDL evidence, product certifications (SL-C), PSIRT/advisory process, integrator 62443-2-4 capability attestations, contracts and SLAs.
  • Operations: patch-management records (62443-2-3), change-control logs, vulnerability-management reports, training and competency records, prior audit and penetration-test reports.

Roles and responsibilities

RoleKey responsibilities under IEC 62443
Executive sponsor / Plant leadershipOwns risk acceptance, funds the programme, chairs management review, sets risk appetite and target SL policy.
OT / IACS Cybersecurity ManagerOwns the CSMS, coordinates risk assessments, maintains the zone/conduit model and drives remediation.
Control / Automation EngineersImplement and maintain hardening, segmentation and secure configuration on controllers, HMIs and networks.
IT Security / SOC teamProvides monitoring, SIEM/IDS, incident response and identity services in partnership with OT.
System IntegratorDesigns and delivers the solution to the specified SL; complies with 62443-2-4 service-provider requirements.
Product Supplier / VendorDelivers components with declared SL-C; operates 62443-4-1 SDL and PSIRT; issues signed patches and hardening guides.
Maintenance / Remote-support providerOperates within controlled conduits and the asset owner's CSMS; follows least-privilege remote access.
Internal Audit / AssessorIndependently verifies conformity, determines SL-A vs SL-T, and reports non-conformities and residual risk.
Process Safety / HSEEnsures cybersecurity controls do not compromise functional safety (alignment with IEC 61511 SIS).

KPIs to track

  • Percentage of zones with a documented target Security Level (SL-T) derived from formal risk assessment.
  • Percentage of zones where achieved SL-A meets or exceeds SL-T across all seven FRs.
  • OT asset inventory accuracy and coverage (percentage of assets discovered and version-tracked).
  • Percentage of IACS components with default credentials changed and hardened to baseline.
  • Mean time to detect (MTTD) and mean time to respond (MTTR) for OT security events.
  • Patch/vulnerability remediation rate and mean time to remediate critical OT vulnerabilities.
  • Percentage of remote-access sessions using MFA and passing through controlled conduits.
  • Backup success rate and successful restore-test rate against defined RTO/RPO.
  • Percentage of procured components carrying declared/certified SL-C meeting requirements.
  • Number of open non-conformities by FR and their ageing against remediation SLAs.
  • Security awareness/training completion rate for OT engineering and operations staff.
  • Number of unauthorised conduits or unmanaged IT-OT crossings detected per period.

Readiness checklist

  • System-under-Consideration and role (asset owner/integrator/supplier) are formally defined.
  • A documented, management-approved CSMS (62443-2-1) is in place.
  • A complete, maintained OT asset inventory exists with firmware/software versions.
  • Zones and conduits are defined, diagrammed and registered for the whole SuC.
  • A 62443-3-2 risk assessment has set a justified target SL for every zone.
  • IT and OT networks are segmented; all conduits are documented and controlled.
  • Identification, authentication and least-privilege access (FR1/FR2) are enforced, with MFA for remote access.
  • System integrity controls (FR3): hardening, allow-listing/AV, signed updates and change control are operating.
  • Restricted data flow (FR5): zone-boundary protection and egress filtering are in place.
  • Continuous monitoring and an OT incident-response plan (FR6) are deployed and tested.
  • Backups are performed and restores are periodically tested (FR7) against RTO/RPO.
  • Procurement requires declared SL-C; integrators/vendors evidence 62443-2-4 / 62443-4-1 capability.
  • Patch and vulnerability management (62443-2-3) processes are documented and operating.
  • OT staff training, competency and awareness records are current.
  • An internal audit / self-assessment has determined SL-A versus SL-T with a remediation plan.

Common gaps

  • Flat or poorly segmented networks with direct IT-to-OT or internet connectivity and no defined conduits.
  • Incomplete or outdated OT asset inventories, leaving unmanaged and unpatched devices in scope.
  • Default or shared credentials on controllers, HMIs and network devices, and absence of MFA for remote access.
  • Target Security Levels never formally determined, so controls are selected without a risk basis.
  • Unmanaged remote access by vendors and maintenance providers through uncontrolled conduits.
  • Little or no OT-specific monitoring; reliance on IT SIEM that does not understand industrial protocols.
  • Backups that are not tested, not offline/immutable, and no rehearsed recovery/reconstitution procedure.
  • Weak patch and vulnerability management due to fear of disrupting availability, leaving known CVEs unaddressed.
  • Procurement that does not specify SL-C, resulting in components incapable of meeting the target SL.
  • Cybersecurity treated as a one-off project rather than an operating CSMS with continual improvement.
  • Poor separation of duties between engineering and operations roles, and excessive standing privilege.
  • Cybersecurity controls implemented without coordinating with functional safety (IEC 61511), risking safety-integrity impact.

IEC 62443 mapped to other frameworks

IEC 62443 concept / areaRelated framework equivalents
Seven Foundational Requirements (FR1-FR7)NIST CSF functions (Identify/Protect/Detect/Respond/Recover); NIST SP 800-82 (OT) control families
CSMS (62443-2-1)ISO/IEC 27001 ISMS; ISO/IEC 27019 (energy utilities); NIST SP 800-53 programme controls
Risk assessment and target SL (62443-3-2)ISO/IEC 27005 risk management; NIST SP 800-30/800-39; NIST CSF Identify
Zones and conduits / restricted data flow (FR5)NIST SP 800-82 network segmentation; Purdue/ISA-95 model; NERC CIP-005 electronic security perimeter
Secure development lifecycle (62443-4-1)ISO/IEC 27034 application security; NIST SSDF SP 800-218; EU Cyber Resilience Act
Component technical requirements (62443-4-2)Common Criteria (ISO/IEC 15408); IECEE / ISASecure component certification
Monitoring and response (FR6)NIST CSF Detect/Respond; ISO/IEC 27035 incident management; MITRE ATT&CK for ICS
Availability and recovery (FR7)ISO 22301 business continuity; NIST CSF Recover; NERC CIP-009 recovery plans
Regulatory alignmentEU NIS2 Directive; US NERC CIP; India CERT-In / NCIIPC CII guidelines; EU Machinery Regulation
How CyberSigma helps
CyberSigma brings CERT-In empanelled and PCI QSA-grade rigour to IEC 62443 and OT/ICS security engagements. We define your system-under-consideration, build an accurate OT asset inventory, and deliver 62443-3-2 risk assessments that establish justified target Security Levels for every zone and conduit. Our engineers design and validate zones-and-conduits segmentation, secure remote access and OT-native monitoring, and assess your components and suppliers against 62443-3-3, 62443-4-1 and 62443-4-2. We run gap assessments, determine achieved versus target Security Levels across all seven Foundational Requirements, produce prioritised remediation roadmaps, and support you through to ISASecure or IECEE certification - operationalising a living CSMS that keeps your industrial environment secure, safe and available.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

How is IEC 62443 different from ISO 27001?
ISO 27001 is a general information-security management system; IEC 62443 is purpose-built for industrial control systems (OT), addressing safety, availability and process constraints that IT frameworks do not.
Official documents

Need help with IEC 62443?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.