IEC 62443 explained for controls engineers

IEC 62443 is the international cybersecurity standard for Industrial Automation and Control Systems. If you already work with IEC 61511 and functional safety, the structure will feel familiar — same lifecycle thinking, different threat model.

Structure

How the standard is organised

IEC 62443 is a series of standards, not a single document. It's divided into four groups, each targeting a different audience — operators, integrators, and component suppliers.

62443-1-x: General
Terminology, concepts, and the overall framework. Start here to understand the vocabulary — Security Levels, zones, conduits, and the IACS security lifecycle.

62443-2-x: Policies & Procedures
Requirements for asset owners operating IACS. Covers security management systems, patch management, and supplier security requirements. The closest equivalent to IEC 61511 Part 1 for operations.

62443-3-x: System
System-level security requirements. Part 3-3 defines the Security Level requirements (SL 1–4) for IACS systems — the part most controls engineers encounter first.

62443-4-x: Component
Requirements for product suppliers building PLCs, HMIs, and other IACS components. If you specify or procure equipment, 62443-4-2 defines what a "secure by design" component looks like.

Security Levels

SL 1–4: the IEC 62443 equivalent of SIL

Security Levels define the capability of an attacker your system must resist. They map directly to the threat model — just as SIL targets map to demand rate and probability of failure. SL 2 is the most common target for process industry IACS.

SL 1: Casual or unintentional
Protection against accidental or unintentional violation. The minimum baseline — relevant to any networked control system.

SL 2: Low motivation attacker
Protection against intentional violation using simple means. Applicable to most process industry environments. Most common compliance target.

SL 3: Sophisticated attacker
Protection against intentional violation using sophisticated means. Required for high-consequence environments — critical national infrastructure, high-SIL systems.

SL 4: State-level attacker
Protection against violation using state-sponsored resources. Relevant to military, nuclear, and highest-consequence critical infrastructure.

Zones & conduits

The core architecture concept

A zone is a logical group of assets with the same security requirements — for example, your Safety Instrumented System, your DCS, and your business network would each be a separate zone.

A conduit is any communication path between zones — a firewall rule, a data diode, a VPN, or even a USB transfer. Every conduit is documented, controlled, and assessed for security level.

Practical analogy

In functional safety, you draw a boundary around your Safety Instrumented System and document every input and output crossing that boundary. Zones and conduits apply the same discipline to cybersecurity — every asset is inside a zone, every communication crossing a boundary is a conduit with defined security properties.

Getting started

Where to begin with IEC 62443

The standard is large. Most organisations start with a gap assessment against 62443-2-1 — the management system requirements — rather than diving into the technical SL requirements first.

01. Read IEC 62443-2-1 first
Start with the security management system requirements, not the technical controls. Like IEC 61511 Part 1, it establishes the lifecycle and process before specifying what the system must do. If you already run a functional safety management system, most of this will feel familiar.

02. Identify your zones and conduits
Zone your IACS into logical groups of assets with similar security requirements — Safety Instrumented System, DCS, historian, engineering workstation. A conduit is any communication path between zones. Document both on a network diagram before you try to meet any SL target.

03. Determine your target Security Level
SL 2 is the appropriate target for most process industry environments. Use a risk assessment (equivalent to LOPA) to justify the target. IEC 62443-3-2 defines the security risk assessment methodology — it maps directly to the PHA/LOPA process you already use.

04. Apply 62443-3-3 requirements to your zones
Part 3-3 lists 51 Foundational Requirements across 7 categories — including access control, use control, data integrity, and resource availability. Each requirement has an SL 1–4 specification. Work through them zone by zone, not all at once.

05. Include your suppliers
IEC 62443-2-4 defines security requirements for IACS service providers; 62443-4-2 for component suppliers. When specifying new PLCs or DCS equipment, requiring 62443-4-2 conformance ensures the product supports your SL target.

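The zone and conduit discipline from the architecture section and step 02 can be checked mechanically once the inventory is written down. The following is an added example, not part of the original guide or of the standard: it flags observed traffic that crosses a zone boundary without a documented conduit, and assets that sit in no zone or in two. The zone names, assets, service labels and the choice to treat conduits as directional are constructed assumptions.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    service: str   # protocol/port label, e.g. "modbus/502"
    control: str   # documented control on the path

def audit(zones, conduits, flows):
    """zones: {zone: set of assets}; flows: (src asset, dst asset, service)."""
    findings, owner = [], {}
    for zone, assets in zones.items():
        for asset in sorted(assets):
            if asset in owner:
                findings.append(("asset-in-two-zones", asset, f"{owner[asset]},{zone}"))
            owner.setdefault(asset, zone)
    documented = {(c.src_zone, c.dst_zone, c.service) for c in conduits}
    for src, dst, service in flows:
        unzoned = [a for a in (src, dst) if a not in owner]
        findings.extend(("asset-not-zoned", a, service) for a in unzoned)
        if unzoned:
            continue
        sz, dz = owner[src], owner[dst]
        # Traffic inside one zone needs no conduit; anything crossing does.
        if sz != dz and (sz, dz, service) not in documented:
            findings.append(("undocumented-conduit", f"{sz}->{dz}", service))
    return findings

# Constructed sample inventory and flows, not taken from a real plant.
ZONES = {
    "SIS": {"sis-logic-solver"},
    "DCS": {"dcs-controller", "eng-workstation"},
    "Business": {"historian-mirror"},
}
CONDUITS = [
    Conduit("DCS", "Business", "opc-ua/4840", "firewall rule"),
    Conduit("SIS", "DCS", "modbus/502", "read-only gateway"),
]
FLOWS = [
    ("dcs-controller", "historian-mirror", "opc-ua/4840"),  # documented conduit
    ("sis-logic-solver", "dcs-controller", "modbus/502"),   # documented conduit
    ("eng-workstation", "sis-logic-solver", "ssh/22"),      # DCS->SIS, none documented
    ("dcs-controller", "eng-workstation", "ssh/22"),        # stays inside the DCS zone
    ("vendor-laptop", "dcs-controller", "rdp/3389"),        # asset in no zone
]
if __name__ == "__main__":
    for finding in audit(ZONES, CONDUITS, FLOWS):
        print(finding)
```

Each finding is either a conduit to document and assess or a path to close; an empty result means every observed boundary crossing matches the documented model.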
Common questions

IEC 62443 — frequently asked

Is IEC 62443 mandatory?
Not universally — it's an international standard, not a regulation. However, it's increasingly referenced in regulations (NIS2 in the EU, NERC CIP in North America), procurement requirements, and insurance policies. In practice, demonstrating alignment is becoming expected.
How does it relate to IEC 61511?
They're complementary, not competing. IEC 61511 protects against process hazards via Safety Instrumented Systems. IEC 62443 protects those same systems from deliberate attack. A cyber attack on your SIS — such as manipulating sensor inputs or blocking a final element — could undermine your SIL. Both standards need to be addressed together.
How long does IEC 62443 compliance take?
A gap assessment against 62443-2-1 typically takes 2–4 weeks for a single site. Full compliance is a multi-year programme for most organisations — the standard is explicitly lifecycle-based, not a point-in-time audit. Start with the gap assessment and prioritise by risk.
Do I need a certification body?
For self-assessment and internal improvement, no. For formal certification — which some customers and regulators require — you'll need an ISASecure-accredited certification body. But most organisations start with self-assessment against 62443-2-1 before pursuing certification.