The IEC 62443 series was developed to secure industrial automation and control systems (IACS) throughout their lifecycle. It currently includes nine standards, technical reports (TR) and technical specifications (TS).
IEC 62443 was initially developed for the industrial process sector but IACS are found in an ever-expanding range of domains and industries, such as power and energy supply and distribution, and transport. IACS technologies are central to critical infrastructure.
IT standards are not appropriate for IACS and other OT (operational technology) environments. For example, they have different performance and availability requirements, and equipment lifetime. Moreover, cyber-attacks on IT systems have are essentially economic consequences, while cyber-attacks on critical infrastructure can also be heavily environmental or even threaten public-health and lives.
International standards are based on industry best practices and reached by consensus. Implementing IEC 62443 can mitigate the effects and often prevent successful cyber-attacks. It can bolster security throughout the lifecycle and reduce costs.
IEC 62443 addresses not only the technology that comprises a control system, but also the work processes, countermeasures, and employees. The standard takes a holistic approach because not all risks are technology-based: the staff responsible for an IACS must have the required training, knowledge and skills to ensure security.
IEC 62443 takes a risk-based approach to cyber security, which is based on the concept that it is neither efficient nor sustainable to try to protect all assets in equal measure. Instead, users must identify what is most valuable and requires the greatest protection and identify vulnerabilities.
They must then erect defence-in-depth architecture that ensures business continuity.
The IEC 62443 series of standards is organized into four parts:
Part 1 covers topics that are common to the entire series:
- 1-1 (TS): Terminology, concepts and models
Policies and procedures
Part 2 focuses on methods and processes associated with IACS security:
- 2-1: Establishing an IACS security program
- 2-3 (TR): Patch management in the IACS environment
- 2-4: Security program requirements for IACS service providers
Part 3 is about requirements at the system level:
- 3-1: Security technologies for IACS
- 3-2: Security risk assessment for system design
- 3-3: System security requirements and security levels
Components and requirements
Part 4 provides detailed requirements for IACS products:
- 4-1: Secure product development lifecycle requirements
- 4-2: Technical security requirements for IACS components
In addition, IEC conformity assessment verifies that standards are properly applied in real-world technical systems. To this end, the IECEE Industrial Cyber Security Programme tests and certifies cyber security in the industrial automation sector.
It includes a programme that provides certification to standards within the IEC 62443 series.