What Is IEC 62443?

IEC 62443 is a series of international standards that provide guidelines for securing industrial control systems (ICS) and operational technology (OT) networks. A key framework for Industry 4.0, it covers a range of security topics, including risk assessment, security policies, network security, access control, and incident management.

Learn more about Zscaler for IoT/OT

Why Is IEC 62443 Important?

Compliance with IEC 62443 cybersecurity standards, while not required, is strongly recommended for any organization implementing digital technologies in an industrial context. Following IEC 62443 can help asset owners keep their IACS secure and resilient against cyberthreats, which is crucial for maintaining the safety and reliability of critical infrastructure as well as ensuring operational continuity.

IEC 62443 and Industry 4.0

Industry 4.0 focuses on the integration of digital technologies into manufacturing and other industries. Cybersecurity is a critical concern for Industry 4.0, as connected devices and systems are vulnerable to data breaches and other cyberattacks. IEC 62443 provides a framework for addressing these concerns in the context of industrial automation and control systems (IACS). The standards cover risk assessment, security policies and procedures, network security, system design and implementation, and security monitoring and maintenance, and more.

The Role of IEC 62443 in Industrial Cybersecurity

In the context of industrial cybersecurity and IEC 62443, an asset owner is an individual, organization, or entity that owns, operates, or controls an IACS or any IACS components. The IACS could be a process control system, a building automation system, or any other system used to control industrial processes or infrastructure.

Asset owners are responsible for ensuring the security and availability of their IACS. This includes identifying and assessing cybersecurity risks, implementing appropriate security controls and countermeasures, and ensuring that the system is maintained in a secure state over its entire life cycle. Asset owners are also responsible for complying with any relevant laws, regulations, and industry standards related to industrial cybersecurity.

Asset owners are among the key stakeholders in the industrial cybersecurity ecosystem, alongside system integrators, suppliers, service providers, and regulatory bodies. Effective collaboration among these stakeholders is essential for ensuring the security and resilience of IACS.

Design Principles of IEC 62443

The design principles of IEC 62443 focus on a holistic approach to IACS security that considers all aspects of the system and promotes continuous improvement and collaboration among all stakeholders. The design principles of IEC 62443 can be summarized as follows:

  1. Security by design: IEC 62443 emphasizes the importance of incorporating security into the design process of IACS, from the initial concept phase through deployment and maintenance.
  2. Defense-in-depth: Multiple layers of security controls—a combination of physical, technical, and procedural security measures—protect IACS from both external and internal threats.
  3. Risk assessment: IEC 62443 emphasizes the importance of conducting security risk assessments to identify potential threats and vulnerabilities and determine their level of risk.
  4. Continuous monitoring and improvement: The standard promotes continuous monitoring of IACS to identify potential security issues and implement improvements.
  5. Integration with business processes: Integrating security management with existing processes throughout the organization helps ensure security is not an afterthought.
  6. Collaboration and information sharing: Partnership between all stakeholders involved in the design, implementation, and maintenance of IACS helps ensure a consistent, comprehensive approach to security.

Elements of the IEC 62443 Standards

The IEC 62443 series of standards is organized into four parts:

  1. General—common to the entire series; deals with terminology, models, and metrics 
  2. Policies and procedures—focused on methods and processes associated with IACS security, divided into four subsections: security management, implementation guidance, patch management, and installation and maintenance
  3. System—system-level requirements; focused on IACS operational security methods
  4. Components—detailed foundational requirements for IACS products, with specific technical security requirements for system components such as embedded devices, network and host components, and software applications

How Does IEC 62443 Break Down IACS Security?

IEC 62443 breaks down IACS security into the maturity levels of an organization's cybersecurity management capabilities and the security levels required of its systems and/or components. In this way, IEC 62443 helps organizations systematically assess and implement cybersecurity measures based on their unique system security requirements.

IEC 62443 Maturity Levels

The IEC 62443 standard defines four maturity levels, designed to help organizations evaluate their cybersecurity capabilities and identify areas for improvement. The maturity levels are:

  • Level 1: Initial: The organization has ad hoc cybersecurity practices and there is little or no formal cybersecurity management.
  • Level 2: Managed: The organization has some formalized cybersecurity practices and a basic cybersecurity management system.
  • Level 3: Established: The organization has a comprehensive cybersecurity management system in place that is regularly reviewed and updated.
  • Level 4: Optimized: The organization has a mature and continuously improving cybersecurity management system that is integrated with other business processes.

IEC 62443 Security Levels

The IEC 62443 series of standards defines security levels to help organizations with assessment and risk management relative to their industrial control systems (ICS). There are four security levels defined in the standard, often referred to as SL1 through SL4:

  1. Security Level 1 (SL1) applies to systems with low potential consequences of a breach, such as those not critical to the operation of the organization or those isolated from other systems.
  2. Security Level 2 (SL2) applies to systems with moderate potential consequences of a breach, such as those critical to the operation of the organization that do not pose a risk to public safety.
  3. Security Level 3 (SL3) applies to systems with high potential consequences of a breach, such as those critical to the operation of the organization that could pose a risk to public safety.
  4. Security Level 4 (SL4) applies to systems with very high potential consequences of a breach, such as those critical to the operation of the organization that could pose a risk to human life or the environment.

Zones and Conduits

In the context of industrial control systems (ICS) security, the concepts of zones, conduits, and cells help organizations implement effective security controls. These concepts are defined and described in the IEC 62443 series of standards.

  1. Zones are logical groupings of devices and systems that have similar security levels and are connected to each other in a network. Zones can be defined based on physical location, function, or other criteria. By segmenting devices into zones, organizations can limit the impact of security breaches and control access to critical systems.
  2. Conduits are logical paths between two zones that allow data or control information to flow between the zones. Conduits can be physical or virtual and may include devices such as routers, switches, and firewalls. By controlling access to conduits, organizations can prevent unauthorized access to critical systems and limit the spread of security breaches.
  3. Cells are collections of devices and systems that work together to perform a specific function within a zone. Cells can be isolated from each other to limit the impact of security breaches and provide a higher level of control over access to critical systems.

IEC 62443 and the Modern Threat Landscape

ISA/IEC 62443 standards remain relevant today, as the threat landscape for industrial control systems has continued to evolve and expand. Industrial organizations increasingly rely on connected devices and networks, which can make them vulnerable to cyberattacks. ISA/IEC 62443 provides a comprehensive framework for addressing these risks and improving the security of IACS systems.

Moreover, many organizations are subject to regulatory requirements and compliance mandates, and ISA/IEC 62443 can help them meet these requirements. For example, the US Cybersecurity and Infrastructure Security Agency (CISA) recommends the use of ISA/IEC 62443 to protect critical infrastructure systems.

In addition, the ISA/IEC 62443 standards continue to be updated and revised to reflect changes in the threat landscape and advances in security technology. This ongoing evolution ensures that the standard remains relevant and effective in addressing the latest cybersecurity challenges faced by industrial sector organizations.

The Zscaler Solution for IEC 62443 Compliance

A zero trust approach is the most effective way to ensure robust ICS and OT security and achieve IEC 62443 compliance with adaptive, context-based application access that doesn’t depend on network access. With an effective zero trust architecture in place, any user can only access the applications and systems they need, with no complex firewall stacks or VPNs required, all while your apps and network stay invisible to the internet.

Zscaler Private Access™ (ZPA™) is the world’s most deployed zero trust network access (ZTNA) platform, providing a powerful alternative to VPN. It eliminates exposed ports, prevents lateral movement and avoids unnecessary traffic backhauling to provide secure, low-latency access to private applications.

Zscaler benefits:

  • Hybrid workforce security: Empower your users to securely access web apps and cloud services from any location or device, with a smooth user experience.
  • Agentless access for third parties: Extend your secure private app access to vendors, contractors, suppliers, and more with support for unmanaged devices, with no endpoint agent.
  • IIoT and OT connectivity: Provide fast, reliable, and secure remote access to industrial IoT and OT devices to facilitate maintenance and troubleshooting.

Ready to learn more about Zscaler Private Access? Visit our product page or schedule a custom demo.

Suggested Resources


What Is the IEC 62443 Standard for Cybersecurity?

The IEC 62443 standard is a globally recognized set of industrial cybersecurity guidelines, designed to protect industrial automation and control systems (IACS) from cyberthreats. The IEC 62443 framework encompasses security measures, risk assessments, security levels, and maturity models to help organizations take a structured approach to protecting critical infrastructure and industrial processes.

What Is the IEC 62443 Series Used For?

The IEC 62443 series is used to enhance and standardize robust cybersecurity in industrial automation and control systems (IACS). Its standards help organizations systematically assess, mitigate, and manage cybersecurity risks in industrial environments, ensuring the reliability and security of critical industrial processes and infrastructure.

What Is the Difference Between ISA99 and IEC 62443?

ISA99 is a committee within the International Society of Automation (ISA) that contributes to the development of the IEC 62443 standards, helps shape its content and guidelines, provides technical reports, and more. IEC 62443, developed by the International Electrotechnical Commission (IEC), is a set of international standards, guidance, and best practices for the resiliency and security of operational technology (OT) and industrial control systems (ICS).

The ISA99 committee is a crucial collaborator in the effort to establish globally applicable cybersecurity standards for industrial environments with IEC 62443.

What Is the Difference Between IEC 62443 and NIST?

IEC 62443 is a series of guidelines and best practices specifically focused on securing industrial environments—in particular industrial automation and control systems (IACS)—whereas NIST is a US federal agency that creates guidelines and standards in many areas, including cybersecurity for various sectors beyond industrial and critical infrastructure. Both provide valuable cybersecurity resources, but IEC 62443 has a highly focused scope, while NIST’s is more broad.

What Is the IEC 62443 Checklist?

The IEC 62443 checklist is a tool for assessing and enhancing IACS cybersecurity. Based on IEC 62443 guidelines and standards, it provides a structured approach to help organizations evaluate their security posture, covering risk assessment, network architecture, access control, incident response, and compliance with IEC 62443 maturity and security levels. The checklist can help organizations identify vulnerabilities, establish more effective security controls, and implement a fit-to-purpose security strategy.