IEC 62443 Security Guide and Standards: Understanding the IEC 62443 Standard and Security Levels

What Is IEC 62443 and Why Does It Matter?

The IEC 62443 series is a widely used international framework that defines technical and procedural requirements for securing Industrial Automation and Control Systems (IACS) and Operational Technology (OT).
This OT security standard reduces risk, improves resilience, and strengthens industrial security posture.

The IEC 62443 framework is used across sectors such as energy, manufacturing, transport, healthcare and water utilities.

Specifically, this industrial cybersecurity standard applies to hardware and software, processes, preventive measures, and employees. It provides requirements and guidance to reduce cyber risk across the system lifecycle and can reduce incident-related costs.

IACS enable critical infrastructures, such as oil and gas pipelines and power grids, or power generation (nuclear, thermal, renewables), to monitor and control industrial processes remotely. OT is a hardware and software category that monitors and controls the performance of physical devices.
The IEC 62443 standard is developed by the International Electrotechnical Commission (IEC) and the International Society of Automation (ISA). 

The standard-related technical requirements include Identification and Authentication (IAC) and System Integrity (SI).

IAC ensures users, such as humans and devices, can’t access the system without being identified and authenticated. SI protects data, software, and hardware integration so that “Man-in-the-Middle” attacks can’t alter sensor readings or control commands.

Did you know the global cyber threat detection intelligence market is anticipated to exceed $54 billion by 2034?

The IEC 62443 framework provides a structured way to assess growing risks and apply controls in industrial environments. Why does it matter?

• Secures critical operations by preventing downtime resulting from cyber attacks on manufacturing, energy, and utility systems.
• Helps IT and OT Teams Work from a Shared Security Model by providing a common methodology to bridge IT (information technology) security teams with OT operators and vendors.
• Provides a risk-based approach using concepts such as “Zones and Conduits” (segregating networks) and Security Levels (from SL1 to SL4). SLs are specific threat levels, from casual errors to sophisticated attacks. Zones group cyber assets with the same cybersecurity requirements. Conduits refer to communication between zones with the same cybersecurity requirements.
• Delivers regulatory compliance in jurisdictions, reducing legal liability. This boosts the safety and reliability of industrial systems.

IEC 62443 is especially critical in Industry 4.0 (the Fourth Industrial Revolution), where digital technologies become integrated into industries.

Digital systems increasingly affect physical operations. Many asset owners use IEC 62443 to structure OT security programs and procurement requirements.

Asset owners are responsible for the operation, security, and maintenance of IACS. Asset owners can choose the most suitable requirements for their needs, based on specific risks and operational requirements.

What is the scope and origin of the IEC 62443 standard?

IEC 62443 provides a comprehensive, lifecycle-based framework for IACS and OT. It dates back to the early 2000s.

Here’s the evolution of this OT security standard from local industrial guidelines to a structured global defense strategy for critical infrastructure:

The ISA99 Committee (2002): The International Society of Automation established the ISA99 committee in 2002.

The “Horizontal” Shift (around 2010): Around 2010, ISA99 partnered with the International Electrotechnical Commission to create a global, “horizontal” standard.

“Horizontal” Standard (2021): In 2021, the IEC officially designated the series as a horizontal standard. Its requirements referred to any sector-specific OT security standards (e.g., energy, rail, or health).

A “Secure by Design” Philosophy: The IEC 62443 series focused on the security built into product development based on the Security by Design approach. This approach suggests continuous testing, authentication safeguards, and compliance with the best programming practices from day one.

IEC 62443 refers to the following roles: Asset Owners (operators), System Integrators (builders), Maintenance Service Provider (responsible for maintenance and decommissioning), and Product Suppliers (manufacturers).

This industrial cyber security standard encompasses organizational policies, procedures, risk assessment, and security of hardware and software components.

Specifically, it covers:

Operational Technology: The IEC 62443 framework targets systems that prioritize availability and safety, such as programmable logic controllers (PLCs), human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems, and sensors.

The “Cyber-Physical” Link: The IEC 62443 series targets digital systems that can change the physical state of equipment. As of 2026, this now explicitly includes Industrial IoT (IIoT) and cloud-based analytics that interact with field devices.

Defense-in-Depth (DiD): The DiD approach mandates a layered architecture through zones and conduits for network segmentation. The aim is to prevent a single breach from taking down the whole plant.

Cyber-attacks on critical infrastructure have economic, environmental, political and even life-threatening consequences. Applying IEC 62443 can reduce risk and improve resilience, but it does not eliminate all threats

Why is a dedicated cybersecurity standard needed for operational technology (OT)?

OT needs a dedicated cybersecurity standard to directly manage physical processes and infrastructure. Why? OT security prioritizes system availability and physical safety, and  IT security focuses on data confidentiality and integrity.

A specialized standard like IEC 62443 is an operational requirement for modern infrastructure in terms of:

Safety, Reliability, Productivity (SRP): The industrial cyber security standard supports availability and helps reduce unplanned downtime. For example, shutting down a controller in a chemical plant or a power grid can result in a catastrophic explosion or a city-wide blackout.

Legacy Lifespans and Compensating Controls: The standard extends the safe, usable lifespan of legacy industrial assets, such as turbines, compressors, and pumps. Standard-based “Compensating Controls” restrict direct access to the vulnerable system from corporate IT or the internet. Compensating Controls are also called Compensating Countermeasures.

Deterministic OT Networks (DetNet): DetNets provide high reliability and real-time communication. A machine might not stop on time to prevent an accident because of

50 milliseconds of delay. The IEC 62443 framework avoids “delay that hurts” by design using external controls, such as firewalls, monitoring, and strict access gateways.

Specialized Protocols: OT uses protocols (Modbus, PROFINET, EtherNet/IP) that traditional IT firewalls don’t understand. Dedicated standards mandate Deep Packet Inspection (DPI) specifically for these industrial “languages.” DPI is data processing that thoroughly inspects the data (packets) sent over a computer network.

The limits of Relying on Air Gaps and IIoT Convergence: OT was protected by being “offline” (the air gap). Air gapping physically isolates computer systems or networks. For example, even if the corporate network is hacked in a factory, IEC 62443-based segmentation keeps the most critical control zone of a factory plant isolated.

Did you know manufacturing is one of the top targeted industries by cyber attacks? In 2025, data compromise affected about 45 million individuals in the US utilities.

How does IEC 62443 differ from IT-focused standards like ISO/IEC 27001?

ISO 27001 protects data in Information Technology, while IEC 62443 protects physical industrial processes and safety from  Operational Technology threats, such as insecure access and configuration.

IEC standards provide globally adopted electrotechnical regulations (e.g., IEC 60617 for symbols).

ISO/IEC 27001 is an international standard for information security management, recognized in 150+ countries.

Top differences include:

“Security Triad”: In IT, the priority is confidentiality (ISO 27001). For instance, when a bank detects a breach, it might shut down the server to protect data.

In OT, the priority is availability (IEC 62443). For example, if a digital glitch causes a power plant to shut down its cooling system, a meltdown can occur. The standard keeps the system running safely.

Risk to Life and Environment: ISO 27001 deals with financial loss, identity theft, and reputation damage. IEC 62443 deals with physical explosions, environmental contamination such as oil spills and chemical leaks, and loss of human life.

Because of this, IEC 62443 is often mapped to Functional Safety standards like IEC 61508. IEC 61508 is the international standard for functional safety that controls electrical, electronic, and programmable electronic (E/E/PE) systems across industries.

Lifecycle and Patching Paradox: Hardware, such as laptops and servers, is replaced every 3–5 years. Patching is frequent and often automated.

Industrial assets like turbines and pumps last 20-30 years and usually run on legacy operating systems like Windows XP & 7 and Linux/Unix. They can’t be patched without stopping a multi-million dollar production line. IEC 62443-based Compensating Controls protect these assets through network segmentation, virtual patching, and protocol sanitization or filtering.

Technical Architecture: ISO 27001 focuses on information security management systems (ISMS) and policies that systematically manage an organization’s sensitive data. IEC 62443 uses a physical and logical architecture called “Zones and Conduits” for segmentation.

For example, in a standard IT network, once a hacker is “inside,” they can often move laterally. In an IEC 62443-compliant network, the hacker would be contained within one zone, unable to reach the critical safety controllers.

Performance Requirements (Real-Time vs. Non-Real-Time): Regarding ISO 27001, high latency (delays) in an office network could mean annoyingly slow video calls.

As for the IEC 62443 standard, high latency in a control network can create safety or operational risk. If a “Stop” command is delayed by 100 milliseconds due to a heavy encryption process, a robotic arm could strike a human worker.

How is IEC 62443 organized and what are its core components?

The IEC 62443 industrial cyber security standard is organized into General, Policies and Procedures, System, and Component parts that secure IACS. These parts cover people, processes, and technology across the entire lifecycle in IACS.

What are the main parts and series within the IEC 62443 family?

IEC 62443 series is a set of international standards that secure IACS throughout their lifecycle.

Each document within that series is called a part: General, Policies and Procedures, System, and Component.

These individual technical documents, called parts, are written for a specific audience, e.g., a vendor, a plant owner, or an engineer. And each part is meant for a specific task, e.g., risk assessment or product design.

The IEC 62443  is the umbrella term for the entire framework.

The IEC 62443 parts:

1. General (62443-1-x): Provides foundations, terminology, and concepts

• 62443-1-1 – Terminology, concepts, and models
• 62443-1-2 – Glossary of terms
• 62443-1-3 – System security compliance metrics
• 62443-1-4 – IACS security lifecycle and use cases

Purpose: Establish a common language and conceptual model for continuous improvement.

2. Policies and Procedures (62443-2-x): Focuses on

• 62443-2-1 – Security program requirements for asset owners
• 62443-2-2 – IACS security program implementation guidance
• 62443-2-3 – Patch management in industrial environments
• 62443-2-4 – Requirements for service providers

Purpose: Define how organizations manage cybersecurity operationally.

3. System-Level Security (62443-3-x): Focuses on

• 62443-3-1 – Security technologies for IACS
• 62443-3-2 – Risk assessment and system design (zones and conduits)
• 62443-3-3 – System security requirements (SL 1–4 controls)

Purpose: Define how to architect and secure entire systems

4. Component-Level Security (62443-4-x): Focuses on

• 62443-4-1 – Security in the development lifecycle
• 62443-4-2 – Technical security requirements for components

Purpose: Ensure products themselves are secure by design.

What roles do the General, Policies and Procedures, System and Component levels play?

1. General Level: Defines terminology, concepts, and models, such as Zones and Conduits, that are common for the entire series of standards. This level includes the foundational documentation that covers the overall framework.
2. Policies and Procedures: Define the policies, methods, and processes associated with IACS security. They focus on cybersecurity management systems. This level deals with the requirements for the end user or asset owner.
   1.  IACS security program setup
   2.  Patch management in the IACS environments
   3. Security program requirements for IACS service providers
3. System: Defines the requirements for complete systems. This helps design and implement secure IACS.
   1. Security technologies for IACS
   2. Security risk assessment for system design
   3. System security requirements and security levels
4. Component: Defines detailed requirements for IACS products, ensuring every component meets the security standard.
   1. Requirements concerning the security in the product development lifecycle
   2. Technical security requirements for IACS components

How do concepts like zones, conduits, and security levels fit into the framework?

The zones, conduits and security-level concepts structure industrial cybersecurity. Specifically, these concepts group assets into zones based on risk, regulate the traffic between zones via conduits, and define required protection strengths through security levels.

Zones and Conduits: IEC 62443 uses the segmented OT architecture concept as its core architecture model. Zones group assets with similar security requirements. Conduits manage the communication pathways between them to secure data flow.

This network segmentation model is more flexible than the hierarchical, structural Purdue model for ICS. Purdue represents systems based on response time and function. The IEC 62443 framework uses the Purdue Reference Model to describe how data flows through industrial networks.

Security Levels (SLs): IEC 62433 uses levels to measure the required security robustness of IACS against cyber threats. SLs range from SL 1 (casual accidents) to SL 4 (nation-state actors).

SLs set targets for zones and conduits based on risk assessments, measuring technical capabilities (SL-C), and verifying achieved performance (SL-A).

Why the IEC 62443 Standard and Architecture Matter in Modern Industrial Environments

Cyber security IEC 62443 standard and architecture in modern, interconnected industrial environments secure industrial automation and control systems against growing cyber threats.

This OT security standard:

• Secures the Connected Landscape Through a Structured Approach: Addresses the unique risks posed to PLCs and HMIs to prevent costly shutdowns and safety hazards.
• Provides Operational Resilience and Continuity: Minimizes downtime and prevents financial losses or safety incidents throughout the entire system lifecycle.
• Provides Regulatory Compliance: This internationally recognized standard complies with regulations like NIS2 and the European Cyber Resilience Act.
• Offers a Risk Mitigation Strategy: Uses “Compensating Controls” for segmentation, which are vital for difficult-to-update legacy systems.
• Provides Standardized Security Levels (SLs): Enables organizations to define, achieve, and verify the appropriate security level.

The IEC 62443 architecture, specifically the concepts of Zones and Conduits, modernizes industrial systems through network segmentation.

• Provides IT/OT Convergence Safety: Enables organizations connected to the cloud via IIoT and 5G to unite traditional IT security and OT.
• Protects Legacy Systems: Properly implemented conduits and compensating controls secure older, vulnerable equipment within a zone without immediate replacement.
• Offers a Defensive-in-Depth Approach: Implements multiple security layers. If one control fails, others are in place to stop threats.

Cybersecurity is increasingly becoming a strategic economic priority. The growing interdependence of actors within industries makes IEC 62443 more significant as the standard prevents disruptions across industries.

How do security levels (SL 0–4) work and how should they be applied?

IEC 62443 security levels are a risk-based way to set how much protection each industrial zone or conduit needs. These risk-based protection levels consider the attacker’s resources, skills, and motivation. To apply IEC 62443 SLs, organizations assess the risk, set SL targets for zones and conduits, and implement security requirements to meet them.

SLs range from basic protection (SL1) to high-sophistication defense (SL4) .

The World Economic Forum’s Global Cybersecurity Outlook shows that not many organizations adopt advanced resilience measures against cyber threats. But the importance of fighting increasing cyber threats is on the rise.

<h3>What do the different security levels represent in terms of attacker capability?

Cybersecurity IEC 62443 levels are based on increasing attacker capability, motivation, and resource availability:

Security Level (SL) 0: No formal cybersecurity strategy or consistent approach to managing threats is applied.

Security Level (SL) 1: Basic protection against non-malicious threats, e.g., unintentional human errors.

Security Level (SL) 2: Protection against intentional violation targeting basic tools and techniques, e.g., public exploit tools, social engineering, or password cracking.

Security Level (SL) 3: Protection against intentional violation from skilled and motivated attackers using sophisticated means, e.g., customized malware, multi-vector attacks, or network intrusion.

Security Level (SL) 4: The highest level of protection against intentional violation from nation-state level adversaries or threats that could have severe consequences. These can include critical infrastructure destruction, widespread data loss, or threats to human safety.

How do you perform a risk assessment to select an appropriate security level?

Risk assessment means identifying the system under consideration (SUC), segmenting it into zones and conduits, and analyzing the threats and their impact to set a target security level from 1 to 4.
Here is a step‑by‑step security‑risk assessment (SRA) workflow:

Assemble a Cross-functional Team: Include OT engineers, IT security specialists, production and operations managers, and subject matter experts (SMEs).

Define the System Under Consideration (SuC): Understand the system in place and how it relates to the given ICS environment.

Review the Documents: Review policies, procedures, network diagrams, standard operating procedures (SOPs), previous assessments, and asset inventories.

Logically Isolate Critical System Segmentation (Zones and Conduits): Define zones based on your asset inventory and urgency. For instance, a “Safety Instrumented System (SIS) Zone” and a “Production Management Zone.”

Identify conduits by documenting the communication paths between the zones. For example, an Ethernet cable conduit or a firewall conduit.

Identify Vulnerabilities, Explore Threats, and Worst-Case Scenarios: Compare the initial risk vs. the tolerable risk to prevent a potential attack.

Evaluate the Risk: Determine threats and their physical, operational, and business damage. This can include safety, financial, operational, reputational and regulatory risks.

Evaluate the Likelihood and Impact of the Threat: Consider the system exposure, the difficulty of vulnerability exploitation, and the sophistication of potential threat actors.

Assign Security Levels: Set SL1-SL4 for each zone and conduit, considering the potential impact of attacks.

Define a Strategy to Treat and Mitigate the Risk: Reduce the risk to an acceptable level through:

• Dedicated firewalls
• Multi-factor authentication (MFA)
• A secure and controlled patch management
• Specialized OT intrusion detection systems (IDS) to monitor network traffic for anomalous behavior.
• Raised employee awareness so they respond to incidents properly. For example, implement regular, OT-specific training and conduct phishing simulations.

Document and Report the Results: Document the urgency level, the zone and conduit determination for each SuC, risk comparison, proposed countermeasures, assigned responsibilities, and anticipated completion dates.

Receive the Asset Owner’s Approval on Risk Posture and Its Countermeasures: Use this legitimate knowledge to manage the risk and improve the situation continuously.

How do security levels translate into technical and procedural requirements?

IEC 62443 SLs translate into system- and process-related requirements by improving security controls against growing threats.

Here is the technical and procedural requirement breakdown by IEC 62443 security level:
SL1 – Accidental or Casual Violations: Requires protection against careless handling of sensitive data, such as emailing the wrong person and ignoring safety protocols. Or it can be a violation of trust, such as unauthorized access to information.

Requirements: Basic authentication, e.g., passwords, physical access restriction and simple unauthorized software prevention.

SL2 – Simple Intentional Attacks: Requires protection against attacks via low-motivated, generic tools, and limited resources on non-critical infrastructure, such as building management systems.

Requirements: Unique user identification, session management, encrypted data transfer, and malware protection.

SL3 – Sophisticated Intentional Attacks: Requires protection against sophisticated attacks with moderate, automation-specific knowledge and resources. These can be attempts to breach, disrupt, or manipulate critical control systems, such as safety instrumented systems.

Requirements: Strict network segmentation (segmentation between zones), logging and audit logs, intrusion detection systems like integrated enterprise tools (e.g., IBM QRadar), “Zero Trust” access policies that enforce strict identity verification, and hardened devices like firewalls and encrypted disks.

SL4 – High-Resource or Nation-State Attacks: Requires protection against advanced attacks via ransomware or wipers on critical infrastructure, such as the power grid or transportation.

Requirements: Advanced cryptography, secure booting, near-real-time anomaly detection, fully audited access, and advanced forensic capabilities, such as Full Traffic Capture and Packet Analysis, and Automated Incident Response Logging.

How do we understand cyber security IEC 62443 architecture and threats?

Cyber security IEC 62443 architecture provides a structured framework based on security requirements for products, systems, and processes across the IACS and OT lifecycle, from design and implementation to maintenance and decommissioning.

Cybersecurity IEC architecture employs the zone-and-conduit model to segment IACS and OT networks and assigns target security levels (SL 1–4) to specific zones to manage threats.

The core pillars include:

 System Under Consideration (SuC): The defined perimeter of the industrial system being analyzed and protected, including hardware, software and networks.

Zones and Conduits: The foundational segmentation method of IACS to manage cybersecurity risks, as mentioned earlier in the article. Segmentation ensures that even if one zone is breached, the attacker can’t easily move to critical, more secure areas.

• Zones: Groups of logical or physical assets, e.g., PLCs or HMIs, with similar security requirements. Each has a defined security level and boundary. When compromised, the threat remains within that zone, without causing harm to others. Examples include a production line zone, a safety system zone, or a controller network zone.
• Conduits: Logical groups of communication channels between zones. They come restricted by boundary devices like firewalls or diodes to control traffic. Examples include a firewall managing traffic between the “Supervisory Zone” and the “Basic Control Zone.”

Defense-in-Depth: Implementation of multiple layers of security instead of one, as mentioned earlier in the article. When one fails, others protect the system. DiD can include firewalls and Intrusion Prevention or Detection Systems (IDS/IPS).

IEC 62443 Maturity Levels: Help organizations evaluate their cybersecurity capabilities and identify areas for improvement.

• Level 0 (Non or Informal): There is no formal cybersecurity strategy or consistent approach to managing threats.
• Level 1 (Initial or Structured): The organization applies basic cybersecurity practices and procedures, which may not be consistent. These can include ad-hoc password management, occasional software updates, and informal employee training.
• Level 2 (Managed or Integrated): Consistent cybersecurity practices that are among daily operations. They’re regularly reviewed and updated. Examples include routine multi-factor authentication and data backups.
• Level 3 (Defined or Optimized): The organization applies a mature cybersecurity approach based on continuous improvement processes to improve resilience against new threats.

IEC 62443 Security Levels (SL): SLs help measure whether the SuC, zone, or conduit has zero vulnerabilities and functions appropriately, as mentioned earlier in the article. They define the required strength of security controls:

• SL-T (Target): The desired security level needed for a specific zone based on risk assessment.
• SL-C (Capability): The security level that IACS  or components can provide.
• SL-A (Achieved): The actual, measured security level of zones and conduits in a particular automation solution.

Who are the stakeholders and what are their responsibilities under IEC 62443?

Stakeholders are asset owners, maintenance service providers, integration service providers, and product suppliers who collaborate to ensure IACS security under the ISA/IEC 62443 standards. They collaborate throughout the system lifecycle, from component design and risk assessment to operational maintenance.

Stakeholders and Their Responsibilities:

Asset Owner: The individual or organization responsible for the overall security of the IACS and the Equipment Under Control (EUC).

Responsibilities: Performs risk assessment, defines required security levels, manages operational risks, and ensures compliance with regulations.

Maintenance Service Provider: The individual or organization responsible for the secure, ongoing maintenance and decommissioning of IACS.

Responsibilities: Handles patch management, system updates, and responds to incidents to maintain security posture.

Integration Service Provider: The individual or organization responsible for integrating activities for an automation solution.

Responsibilities: Integrates components according to IEC 62443 standards and performs risk assessments for integration. Validates that the system meets the asset owner’s security requirements, including design, installation, configuration, testing and commissioning.

Product Supplier: The individual or organization responsible for developing, distributing, and supporting hardware and/or software products.

Responsibilities: Develops and supports components, such as networks, supporting software, hosted and embedded devices, and control systems.

What Does the IEC 62443 Standard Establish for Industrial Cyber Security Architecture?

IEC 62443 builds a comprehensive, flexible, risk-based framework for industrial cybersecurity architecture. How? Through key pillars: segmentation, defined security levels (SL1-4), and the Zone and Conduit model.

The  IEC 62443 series benefits for industrial cybersecurity architecture:

• Reliability
• Availability
• Safe digital transformation
• System integrity
• Enhanced security levels
• Reduces cyber and operational risks
• Operational continuity and resilience
• Regulatory compliance
• Common language for stakeholders
• Minimized downtime

How does the Zone and Conduit Model work in IEC 62443?

The Zone and Conduit model creates a cybersecurity network architecture through zones and conduits. Specifically, it segments a production network into protected areas (zones), as already mentioned in this article.

These zones group assets with similar security requirements. Assets can be a machine (physical) or a software application (intangible).

The zone-based segmentation of the ICS environment stops a breach in one zone from compromising the entire system.

Such segmented OT architecture also defines the allowed communication pathways or interfaces (conduits) between those zones. Conduits enable data to flow securely between zones.

Zones have clear boundaries. The model defines strict security rules at zone boundaries to prevent threats. It also tailors protection levels (SL1-4) to each zone based on risk assessment and validates the traffic crossing between zones.

This network segmentation model helps reduce vulnerabilities and implement targeted security measures, such as deep packet inspection and firewall-based access controls. As a result, they help protect the most significant assets and communication channels.

Example: Imagine a water treatment plant. Zone A (General Operations): Contains HMIs and operator workstations. This zone needs moderate security (SL 2) and may allow certain remote access for maintenance.

Zone B (Chemical Dosing): Contains critical PLCs that manage chlorine levels. This zone needs the highest security (SL 4) as tampering here could cause an environmental or public safety disaster.

Conduit C: The single communication path between the General Operations Zone and the Chemical Dosing Zone. The firewall in this conduit is configured to allow “Read” commands that check chlorine levels from Zone A. Any “Write” commands that change chlorine settings from Zone A are immediately blocked and logged.

What Are the Real-World Attack Scenarios Addressed by Cyber Security IEC 62443?

Modern societies depend on the effective operation of critical infrastructures. Cybersecurity IEC 62443 is designed to mitigate risks and protect industries against possible incidents. Here are real-world examples of cyber attacks and how they relate to the standard.

Credential Compromise and Unauthorized Access

In 2021, attackers used the DarkSide ransomware to target the Colonial Pipeline, an American oil pipeline system. The attackers targeted the billing department. They accessed the system via a compromised password for an inactive virtual private network (VPN) account. The account lacked multi-factor authentication.

The company shut down its entire OT because. They didn’t know how far the malware had spread. This was the largest cyber attack on oil infrastructure in US history.

The incident caused the US Federal Government to issue a new Directive. It orders pipeline operators to check and report on the cybersecurity of their pipeline systems within a month.

Remote Exploitation of Industrial Systems

In 2015, 225,000 people lost power in western Ukraine because of the Ukrainian power grid attack. The BlackEnergy (BE) malware was used to attack computer networks and remotely operate the system.

The attackers might have used the existing remote administration tools. Or they might have used remote industrial control system (ICS) client software via virtual private network (VPN) connections.

IEC 62443 controls, such as segmentation, remote access control, and monitoring, could have reduced exposure. Sentryo, an industrial cybersecurity firm, reported that two key controls within the IEC 62443 series and network zone boundary protection were not adequately met by impacted facilities.

Supply Chain Attacks in OT Environments

In 2019, attackers identified as the “Nobelium” group hacked the software development environment of SolarWinds, a software development company. The attackers wanted to penetrate the system of a third-party supplier (SolarWinds) to go after their victims indirectly.

SolarWinds released patches to protect its performance-monitoring solution Orion customers used.. This is how SolarWinds protected customers who needed to allow Orion to access their IT systems.

Privilege Misuse and Trust Exploitation

In 2021, during the Oldsmar Water Plant attack in Florida, the attacker exploited an authorized remote access tool. The hacker started controlling the levels of sodium hydroxide (lye) in the water.

A water treatment plant employee noticed his mouse cursor moving across the screen on its own. An attacker had gained access to the plant’s TeamViewer software used for legitimate remote maintenance.

The system “trusted” the remote user completely because the attacker was using a legitimate administrative tool. The system neither flagged the change as malicious nor required a secondary authorization for such a dangerous set-point change. People could have gotten sick or died because of this attack.

The plant no longer uses a remote-access system to avoid attacks. It’s vital for engineering and OT teams to evaluate remote access risks.

What Makes Industrial Threat Landscapes Unique Under IEC 62443?

IEC 62443 prioritizes safety, resilience, and system availability over mere data confidentiality, making the industrial threat landscape unique. This OT security standard applies segmentation through zones and conduits instead of perimeter defense.

The uniqueness is more apparent through the comparison of the traditional IT security and OT security:

What Does IEC 62443 Security Level Guidance Provide?

The IEC 62443 security level guidance provides a structured, risk-based framework based on SLs to measure and implement cybersecurity in IACS.

How Does the IEC 62443 Security Level Framework Work?

The IEC 62443 security level framework assigns risk-based levels to IACS based on the zone-and-conduit model to secure Industrial IoT and OT environments.

The key aspects of the SL framework include SLs 1-4, methodology, structure and the roles involved.

Key aspects of the SL framework:

4 Security Levels:

SL 1: Protection against casual non-malicious or accidental errors, such as improper maintenance or accidental malware introduction.

SL 2: Protection against intentional violation using simple means, such as standard, open-source hacking tools, or password guessing.

SL 3: Protection against intentional violation using sophisticated means, such as specific IACS skills, or tailored malware.

SL 4: Protection against highly motivated, nation-state-level attacks using advanced means, such as deep network infiltration (unauthorized access), or manipulation of industrial processes.

Methodology:

Zones and Conduits: The system is segmented into zones, which are groups of assets with similar security requirements, and conduits, which are communication pathways between zones, as you already know.

Risk Assessment: Organizations determine the target security level (SL-T) for zones based on risk. Then, they define the current capabilities of a product or component (SL-C). Finally, they compare it to the current level achieved (SL-A).

System Requirements: IEC 6244 provides technical requirements to meet the desired SL, such as identification, authentication and data integrity.

Structure:

General (62443-1-X): Terminology, concepts, and models.

Policies and Procedures (62443-2-X): Implementation for asset owners.

System (62443-3-X): Technical requirements for networks.

Component (62443-4-X): Requirements for product suppliers.

Roles Involved:

The IEC 62443 series applies to asset owners, system integrators, maintenance service providers and product suppliers to ensure security throughout the lifecycle.

What Are the Critical Security Requirement Categories in IEC 62443?

IEC 62443 security levels ensure proper security through role-based access control, industrial logging and monitoring, session management and authentication architecture.

Role-Based Access Control

Authenticated users must have privileges such as role-based access control (RBAC) or least privilege access to perform requested actions like “Read-Only.”

RBAC ensures every user has access only to the information and resources necessary for their roles.

SL 1: Simple password protection and fundamental role mapping. Specifically, user identities must be associated with pre-defined functional roles (e.g., operator, engineer, administrator) within an IACS to manage access rights.

SL 2: Authorized roles are properly segmented. Unauthorized access is prevented via simple methods. For example, the person who writes the logic for a PLC can’t be the same person who authorizes its deployment. At SL 4, “Dual Authorization” is often required for high-risk actions.

SL 3: Multi-factor authentication (MFA) is mandated for all remote access. Cryptographically protected access control and strong authentication for all user roles.

SL 4: Hardware-based security mechanisms such as trusted platform modules (TPM) and hardware security modules (HSM) are used for authentication. MFA is applied across all networks, not just remote access.

A TPM is a specialized chip on a computer’s motherboard to enhance security. An HSM is a device providing extra security for sensitive data.

Industrial Logging and Monitoring

Systems must generate timestamped audit records for all security-relevant events without disrupting sensitive industrial processes. This audit is under the IEC 62443 foundational requirement “Timely Response to Events.” It reconstructs a timeline of how a system was accessed or changed.

Systems must protect logs against tampering and send them to a central, secure repository, such as a security information and event management (SIEM) system. A SIEM system collects, aggregates, and analyzes large amounts of data in real time.

In OT, actions must happen within a specific microsecond window, or the entire physical process fails. For instance, if logging causes a safety instrumented system (SIS) controller to freeze for even a moment, an explosion could occur.

Session Management

The IEC 62443 standard requires an automatic session lock after a period of inactivity and limits the number of concurrent sessions. Reauthentication is required. This way, it protects systems from physical, local, or remote hijacking.

This requirement limits the number of concurrent sessions, preventing attackers from flooding or hijacking the system. The system prevents a Denial-of-Service (DoS) scenario. In this case, an attacker or a faulty application opens excessive sessions, consuming computing resources, such as memory and the central processing unit (CPU). This prevents legitimate users from logging in.

Session management also requires unique user logins and termination of remote sessions to ensure previous users can’t leave sessions open. This helps prevent unauthorized access and changes, securing remote access.

Authentication Architecture

This IEC 62443 requirement refers to user identification and authentication when accessing an ICS system. Users can include humans, software processes, and devices.

The requirement mandates that users implement role-based access to enforce strong authentication, such as multi-factor, where required. Role-based access ensures users have access only to the specific zones and functions related to their role. It also requires unique, non-shared accounts for all users to establish accountability.

What Zone-Specific Security Implementations Are Recommended by the IEC 62443 Standard?

The IEC 62443 standard recommends the following for zone-specific security implementation:

SL 0: No Requirements

SL 1: Basic Protection for Casual/Unintentional Violation or Misuse 

• Basic authentication (usernames/passwords)
• Network segmentation (separate OT from IT)
• Disable unused ports/services (basic hardening)
• Basic logging

SL 2: Protection Against Low-Skill or Common Attacks

• Role-based access control (RBAC)
• Strong password policies
• Secure remote access (VPN)
• Basic integrity protection (file/config checks)
• Event logging and alerting
• Controlled use of removable media

SL 3: Protection Against Sophisticated and Targeted Attacks with System Knowledge

• Multi-factor authentication (MFA)
• Application whitelisting
• Intrusion detection/prevention (IDS/IPS)
• Encryption of data in transit
• Centralized security monitoring (SIEM)
• Strict least privilege enforcement

SL 4: Protection Against Advanced and Well-funded Attacks

• Strong cryptography and key management
• Hardware-based security (e.g., secure boot, trusted platform module (TPM) technology)
• Highly restricted, verified communications only
• Continuous monitoring and anomaly detection
• Redundant and resilient architecture
• Advanced incident response and recovery capabilities

How Do Organizations Implement Cyber Security IEC 62443 in Practice?

To implement cyber security IEC 62443, organizations apply a practical governance model, practical security rules of thumb, focus on performance-aware security, and use risk-based security checklists.

What Is the Practical Governance Model for IEC 62443 Implementation?

Practical governance of the IEC 62443 standard is about establishing a cybersecurity management system (CSMS) that integrates people, processes, and technology. This helps organizations secure IACS throughout their lifecycle.

A practical governance model includes:

• Defined roles, such as asset owner, system integrator, maintenance service provider, and product supplier
• Security policies and procedures, such as role-based access control and zone definitions (IT, SCADA, PLC, Safety).
• Asset inventory and zone definition
• Change management and patch governance
• Audit and compliance tracking

Example: A manufacturing company:

• Defines a security governance board
• Maintains a zone inventory (e.g., PLC zone, SCADA zone, IT zone)
• Requires approval before any change to firewall rules.

As a result, security becomes managed and auditable (not ad hoc).

What Are the Practical Security Rules of Thumb?

When engineers move from theory to the factory floor, they rely on “rules of thumb” to ensure security doesn’t break production.

Zones and Conduits Segmentation: Break systems into security zones based on risk.  Control the communication between zones.

Default “Deny, Allow Only What Is Needed”:Only explicitly required traffic is permitted. All other communication is blocked.

Never Trust Remote Access: Use jump servers and MFA. No direct access to critical assets.

Assume Legacy Systems Are Vulnerable:Apply compensating controls instead of patching.

Defense-in-depth Is Mandatory:Combine firewalls, monitoring, and access control. No reliance on a single control layer.

Example: At a water treatment plant, specialists place the “Chemical Dosing” in a high-security zone. The rule of thumb applied is that no data can move from the office network directly to these controllers. Data must pass through a “Jump Host” in a demilitarized zone (DMZ) first. A DMZ protects and provides added security to an organization’s internal local-area network.

What Performance-Conscious Security Approaches Work in Industrial Environments?

Performance-conscious approaches like passive monitoring, segmentation, virtual patching, prioritized traffic engineering and lightweight encryption help  OT maintain real-time performance while adding security.

1. Passive Monitoring Instead of Inline Inspection

Consider using network test access points (TAPs) instead of inline firewalls for critical traffic. TAPs let mirror traffic from a specific source to a target, enabling troubleshooting, security analysis, and data monitoring.

2. Segmentation Instead of Deep Inspection

Protect systems by controlling where traffic can go (architecture) instead of deep packet inspection (DPI). Because in OT, even milliseconds can affect safety or operations. DPI is a contemporary method of network traffic analysis. It analyzes the payload (the actual data content) of a packet instead of the packet header (source, destination, port).

3. Virtual Patching

Use intrusion prevention systems (IPSs) or firewalls to block exploits.

Avoid modifying fragile systems.

4. Prioritized Traffic Engineering

Security control mustn’t delay safety signals.

5. Lightweight Encryption

Use encryption where appropriate without breaking latency constraints.

Example: An oil refinery uses unidirectional gateways (UGWs) to send sensor data to its cloud analytics platform. UGWs prevent cyberattacks from traveling back into the protected network. This helps predict maintenance needs and stop hackers.

Risk-Based Security Checklist for IEC 62443 Environments

A risk-based security checklist emphasizes that organizations should prioritize security controls based on risk impact (safety, production, environment).

Organizations shouldn’t apply security controls uniformly to move from inconsistent controls to a defined security baseline.

Critical/High-Risk Items (Immediate Action Required)

Critical or high-risk items requiring immediate action under cybersecurity IEC 62443. They threaten the safe and continuous operation of IACS. Immediate action is mandated within 24–72 hours.

Flat or Unsegmented Networks

Activity: Design and implement zones and conduits architecture. Deploy firewalls between IT, SCADA, and PLC networks.

Direct Remote Access to OT (No Jump Server or Multi-factor Authentication)

Activity: Introduce a secure jump server with MFA and disable all direct remote connections to OT assets.

Default or Shared Credentials

Activity: Replace with unique user accounts. Use strong passwords. Implement RBAC.

“Allow Any” Firewall Rules

Activity: Perform a firewall rule review. Use “default-deny” with strict allowlisting.

No OT Monitoring or Logging

Activity: Deploy centralized logging and IDS or monitoring for critical zones. Define alert thresholds, e.g., an authentication threshold like “Alert if >5 failed login attempts in 2 minutes,” to detect brute-force or credential misuse. Common IDS examples include network-based (NIDS) systems like Snort and Suricata. Host-based systems (HIDS) can include Wazuh or OSSEC.

Medium Risk Items (Address Within 3-6 Months)

Medium-risk items don’t usually cause immediate catastrophic impact. But they weaken resilience, visibility, and control if unresolved. They should be addressed within 3-6 months under cyber security IEC 62443.

Incomplete Asset Inventory

Activity: Build and maintain a comprehensive asset inventory, including firmware, owners, and criticality.

Weak Patch and Vulnerability Management

Activity: Establish a risk-based patching process with testing and compensating controls.

Poorly Documented Zones and Conduits

Activity: Create and maintain network diagrams and communication matrices for all zones.
Inconsistent Remote Access Controls

Activity: Standardize remote access policies, using MFA everywhere. Enable session logging.

Weak Change Management

Activity: Implement a formal change control process with approval, testing, and rollback procedures.

Lower Risk Items (Ongoing Maintenance Activities)

Low-risk items don’t pose immediate threats. But they’re vital for sustaining long-term security, compliance, and resilience. Low-risk items require continuous maintenance under cybersecurity IEC 62443.

Outdated Documentation

Activity: Schedule periodic documentation reviews and align diagrams with actual configurations.

Irregular Log Review

Activity: Define a routine log review process, such as weekly or monthly analysis.

Limited OT Security Training

Activity: Conduct regular cybersecurity awareness training tailored for OT staff.
Backup Testing Not Performed

Activity: Perform scheduled backup restoration tests and validate recovery procedures.

Overly Permissive Non-Critical Rules

Activity: Gradually tighten firewall rules using least-privilege principles.

What Are the Necessary Software Security and Supply Chain Considerations for IEC 62443?

The IEC 62443 standard requires organizations to secure both industrial systems and the software.

The IEC 62443 series also requires securing development processes and supply chains that create and sustain them.

This OT security standardcarries out software engineering and supply chain governance through parts like 62443-4-1 (secure development lifecycle) and 62443-4-2 (component security).

As a result, organizations ensure security by design, transparency of dependencies, and continuous vulnerability management across the entire lifecycle.

Let’s go through the necessary software security and supply chain considerations step by step.

How Do You Secure Complex Industrial Software Stacks?

Industrial software stacks are collections of independent components working in tandem to support the execution of an application. They typically combine components like real-time operating systems (RTOS) and proprietary firmware.

To protect software stack vulnerabilities, apply practical measures:

Secure Development Lifecycle (SDL): Integrate threat modeling for risk assessment, secure coding, and testing.

Component validation: Assess third-party software before integration.

Defense-in-depth at the software level: Apply authentication, integrity checks, and least privilege.

Continuous vulnerability scanning: Track common vulnerabilities and exposures (CVEs), such as error coding, that expose a system to malware access.

What Are the CI/CD and Workflow Security Challenges?

The continuous integration (CI) / continuous delivery/deployment (CD) and workflow challenges include access to repositories, process manipulation, poorly controlled access, and an unclear record of actions.

CI/CD is an automated DevOps workflow streamlining the software delivery process. Industrial vendors increasingly rely on CI/CD pipelines. CI/CD deals with new attack surfaces because attackers are now targeting build systems, repositories, and pipelines instead of runtime systems.

Key CI/CD and Workflow Security Challenges:

Attackers can gain access to repositories (e.g., Git) and modify source code directly.

Hackers can manipulate processes or attack external libraries.

Too many people or systems have unrestricted or poorly controlled access.

No clear record of who changed what, when, and how.

Actions: 

Ensure code signing to integrate software artifacts, such as software updates and patches.

Use controlled build environments, a critical security measure in modern DevOps. This helps isolate and harden CI/CD pipelines against supply chain attacks.

Separate duties, e.g., developers vs. release managers.

Keep a complete record of every action during the software build and release process. This helps trace, verify, and prove the creation and delivery of a software artifact.

How Do You Implement Software Bills of Materials (SBOM) in IEC 62443 Environments?

A software bill of materials (SBOM) is a complete inventory of software components and dependencies in a system. It ensures transparency and vulnerability management. According to industry guidance, an IEC 62443-aligned SBOM should include:

Software components: Operating system or real-time operating system, protocol stacks, libraries, and middleware.

Firmware elements: Bootloaders and device firmware.

Dependency depth: Direct and nested dependencies.

Standard formats: Software package data exchange (SPDX) or CycloneDX. SPDX is an open standard representing systems with digital components as bills of materials (BOMs). CycloneDX is a standard regarding advanced supply chain capabilities to reduce cyber risk.

Actions: 

Generate SBOMs automatically during build processes.

Continuously update them with each release.

Link components to vulnerability databases.

Require SBOMs from suppliers and vendors.

Why Are Data Protection and Backup Critical in IEC 62443 Environments?

Data protection and backup provide operational continuity, system integrity, and safety in industrial control systems.

Specifically, they protect systems against virus attacks, human error, misconfigurations, manipulation, corruption, power and hardware failure.

Data protection and backup also help recover information, ensuring resilience for OT environments. And IEC 62443 requires availability, integrity and recoverability as core security objectives.

What Makes OT Backup Different from Traditional Enterprise Backup?

Traditional enterprise or IT backup focuses on high-volume storage and long-term archival when protecting databases, emails, and documents, while OT backup is hardware-centric and time-sensitive.

What Are the Unique Data Protection Requirements in IEC 62443 Environments?

Data protection is based on the following foundational requirements (FRs):

FR1: Identification and Authentication Control: All users, including humans, software, and devices, must be identified and authenticated before accessing systems.

FR2: Use Control: Authenticated users are restricted to assigned privileges, e.g., “Read-Only” access. Or they can perform requested actions, e.g., create/delete user accounts.

FR3: System Integrity: Protects data, software, and firmware from unauthorized changes.

FR4: Data Confidentiality: Protects sensitive information, e.g., configurations, recipes, from unauthorized access.

FR5: Restricted Data Flow: Segments networks into zones to prevent data leakage.

FR6: Timely Response to Events: Implements logs, audits, and anomaly detection to immediately respond to security incidents.

FR7: Resource Availability: Ensures system operations continue during an incident, preventing service impairment.

How Does Bacula Enterprise Support IEC 62443-Aligned Data Protection?

Bacula Enterprise boosts security through FIPS 140-3 compliance, immutable storage targets, advanced ransomware detection, multi-factor authentication and granular role-based access control.

Trusted by the highest-profile government and military organizations, Bacula Enterprise provides unmatched security, reliability and flexibility for OT environments, aligning with IEC 62443.

Bacula Enterprise offers an exceptional enterprise backup and restore solution to protect IEC 62443-aligned environments. This OT security standard helps modern manufacturing environments, such as automotive and chemical, secure and maintain IACS.

These environments deal with enormous amounts of data, including production recipes and batch records. The IEC 62443 series helps them integrate and rapidly recover data. As a result, this industrial cyber security standard enables IACS to avoid costly downtime, boost security, and become regulatory compliant.

And that’s where Bacula Systems’ Bacula Enterprise steps in to help manufacturing environments reliably back up and recover IT and OT data. This data covers both structured and unstructured pieces like logs and configuration files and industrial datasets like historian data and ICS-related information.

Importantly, Bacula Enterprise also secures lower-level operational technology devices and edge systems, protecting embedded or distributed components. Thanks to Bacula’s granular recovery, production environments avoid losing data. Moreover, Bacula restores control systems, reconnects data flows, and helps assembly lines run without major interruptions.

Bacula Enterprise Offers:

1. Exceptional Backup Software Compatible Across Most Virtualization Technologies

• Enterprise data backup management tools.
• Backup works for various hypervisors, VMware and Hyper-V.
• Outstanding universal data backup deduplication software.
• Runs the client/agent in read-only mode and supports tape encryption, which many backup solutions lack.

2. Extremely Powerful Disaster Recovery Options

• Ultra-fast data restoration to minimize downtime and avoid data loss.
• Cross-system recovery.
• Application-level protection to restore functional states of user data.
• File-level protection from any operating system.
• File-level protection from any architecture, on-premise, hybrid or cloud-based.
• System-level protection, including snapshots of only the data that has changed, to provide seamless backup and avoid operational workload.
• Granular recovery of only the data that needs to be restored, which is critical for tight point objectives and short recovery time objectives.

3. Comprehensive Data Protection to Make Data Resilient, Independent, and Available

• Bacula Enterprise provides broader compatibility for diverse data sources and destinations, including VMVs, containers, SaaS, databases and cloud infrastructures.
• Bacula Enterprise makes proprietary PLC configurations and modern SCADA databases protected under a single umbrella, meeting cyber security IEC 62443 requirements.

4. Broader Availability

Bacula Enterprise is certified and runs on 34+ operating systems, including Debian 11.

5. Advanced Security Protocols and Unique Architecture Against Unauthorized Access

For example, Bacula’s modular architecture eliminates 2-way communication between its individual elements. This eliminates security vulnerabilities typical of most of its competitors.

The critical components of the software run on Linux, making it a highly reliable source.

6. Extreme Flexibility Through Seamless Integration Across Multiple Database Systems

Bacula Enterprise supports MySQL, PostgreSQL, Oracle, SQL Server, SAP and SAP HANA to meet the IEC 62443 security level.

7. Industry-leading Security Features that Make the Software Exceptional

Bacula Enterprise offers 30+ robust security features, such as the FIPS 104-3 standard compliance. Such compliance provides end-to-end encryption even if the backup media is physically stolen. It also provides advanced Role-based access controls and comprehensive logging and auditing.

8. Full Regulatory Compliance

Bacula Enterprise provides GDPR, HIPAA and SOX compliance, meets all relevant legal requirements and minimizes compliance breaches. Bacula also enables organizations to be IEC 62443 compliant.

9. Lower Costs

Bacula’s open core data backup software eliminates high license fees and license-based maintenance costs. No data volume costs. No license fees.

The global enterprise data management market is expected to reach $294.99 billion by 2034 from $123.04 billion in 2026. Bacula Enterprise helps improve backup and recovery without challenges.

Key Takeaways

• IEC 62443 serves as the essential global framework for securing operational technology (OT). It prioritizes physical safety and system availability over data confidentiality.
• The standard is a structured, four-tier framework designed to provide Defense-in-Depth. It addresses the specific security needs of different stakeholders.
• The architecture of the IEC 62443 framework is centered on the System Under Consideration (SuC) and the granular segmentation of networks into Zones and Conduits.
• IEC 62443 Security Levels (SL 0–4) provide a risk-based roadmap for industrial resilience. They scale protection from “unintentional errors” (SL 1) to “nation-state adversaries” (SL 4) based on an attacker’s motivation and resources.
• The IEC 62443 series establishes a specialized, risk-based architecture that prioritizes Availability, Safety, and Physical Integrity over traditional IT data privacy.
• Practical implementation of the industrial cyber security standard requires shifting from theoretical compliance to an operational, performance-conscious strategy. Such implementation prioritizes physical safety and system availability.
• The standard extends cybersecurity beyond the network perimeter into the Software Development Lifecycle (SDL) and the Supply Chain. It ensures that industrial components are “Secure by Design” and their origins are fully transparent.
• Data Protection and Backup in an IEC 62443 environment are not just administrative IT tasks. They’re operational requirements for physical safety and operational resilience.
• Bacula Enterprise serves as a leading industrial data protection platform. Bacula bridges the gap between diverse OT assets and IEC 62443 compliance requirements through a unique, high-security architecture.