
IEC 62443-4

The component-and-product-supplier half of IEC 62443. -4-1 specifies a secure development lifecycle for OT product vendors; -4-2 specifies the technical security requirements components must meet at each Security Level. Together they're what 'designed to 62443-4-2' means on a vendor data sheet — and what the absence of certification means.

Also: 62443-4, 62443-4-1, 62443-4-2, ISASecure CSA, ISASecure SDLA

The 4-x sub-family of IEC 62443 addresses the product supplier, where the 2-x sub-family addresses the asset owner's security programme and the 3-x sub-family addresses the system integrator (risk assessment in -3-2, system-level requirements in -3-3). -4-1 defines a secure development lifecycle (SDL) the supplier's organisation must follow; -4-2 defines the technical security capabilities the resulting components must implement at each Security Level.

For the substation architect, -4 is the half of 62443 that procurement specifications cite when they want a product to demonstrate it was built securely, not just deployed securely.

-4-1 — Secure Development Lifecycle

-4-1 is process-flavoured. It defines eight practices the supplier organisation must demonstrate:

Practice                                       What it covers
SM   Security management                       Organisational responsibility, training, risk processes
SR   Specification of security requirements    Threat modelling, requirement traceability
SD   Secure by design                          Defence in depth, secure-by-default settings
SI   Secure implementation                     Coding standards, tooling, code review
SVV  Security verification and validation      Testing, fuzzing, penetration testing
DM   Defect management                         Vulnerability handling, disclosure process
SUM  Security update management                Patching cadence, signed updates
SG   Security guidelines                       Documentation for the integrator and operator

A supplier certified against -4-1 — typically through ISASecure SDLA — has been audited as operating a development lifecycle designed to produce secure products. It says nothing about whether any specific product is secure; that is what -4-2 is for.

-4-2 — Component requirements at each SL

-4-2 takes the seven Foundational Requirements from 62443-1-1 and decomposes them into Component Requirements (CRs) — concrete technical capabilities a component must implement to claim a given SL on each FR. The base CRs are what SL 1 needs; SL 2, 3 and 4 each add Requirement Enhancements (REs) on top, so every step up the scale is cumulative and the testing burden grows with it.

A component is certified at a per-FR vector, not a single SL. A protection IED might claim SL-C of {2, 2, 3, 1, 2, 2, 2} — meaning SL-2 capability on FR1 and FR2, SL-3 on FR3 (system integrity, the protection-critical one), SL-1 on FR4 (data confidentiality, less relevant for this device class), and so on.

The certification scheme for -4-2 is the ISA Security Compliance Institute's (ISCI) ISASecure CSA (Component Security Assurance) programme.

What “designed to” actually claims

The procurement-spec phrase that turns up everywhere is “designed to 62443-4-2”. This is not the same as CSA-certified. It typically means the vendor has used -4-2 as an internal design reference but has not had a third-party assessment. Vendors who have done the certification say so explicitly with the certification class and the SL vector.

This is one of the quieter procurement landmines: a substation specification that requires “62443-4-2 compliance” without specifying CSA certification is asking for a vendor self-attestation, not a verified claim. A specification that requires CSA certification at named SL levels per FR is asking for something materially harder to provide — and most protection-relay vendors do not currently offer it.

The public ISASecure CSA register at the time of writing does not include any of the major substation protection-relay product lines from SEL, Siemens, GE Vernova, or Hitachi Energy. This gap matters for any substation specification that wants third-party-verified component security.

Where it lands in Security Level thinking

The full 62443 SL conversation involves three kinds of SL vector, each written per FR on the 0 to 4 scale:

  • SL-T (Target) — the SL the asset owner has decided is required, set during 62443-3-2 risk assessment.
  • SL-C (Capability) — the SL the component or system can achieve. This is what -4-2 evidences.
  • SL-A (Achieved) — the SL the deployed system actually achieves once configured and operating.

A substation deploying a component at SL-C {2, 2, 3, 1, 2, 2, 2} into a zone where SL-T is {2, 2, 2, 1, 2, 2, 2} has SL-C ≥ SL-T on every FR, which is the basic precondition. SL-A then depends on whether the integrator and operator turned on and configured the relevant capabilities — easy to forget on FR2 (use control), where the IED might be capable of strong RBAC but be deployed with a default password.
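The SL-C versus SL-T comparison above, and the gap between a certified claim and a "designed to" claim, as an added example written for this page (not an ISA/ISCI tool and not code from the original). The product names, claim-type labels and SL vectors in the demo are constructed, and the SL-A model (per FR, the lesser of what the component can do and what the integrator actually configured and evidenced) is a deliberate simplification for illustration rather than a 62443 definition.

```python
"""
Compare a component's claimed SL-C vector with a zone's SL-T vector per
Foundational Requirement, keep CSA-certified claims apart from vendor
self-attestations, and show how a deployment choice (a default password on
FR2) drags SL-A below SL-T.

Example code written for this page; product names, claim labels and
vectors are constructed. The SL-A model is a simplification.
"""
from dataclasses import dataclass
from typing import Mapping, Sequence

# The seven Foundational Requirements, in the order SL vectors are written.
FR_NAMES = (
    "FR1 Identification and authentication control",
    "FR2 Use control",
    "FR3 System integrity",
    "FR4 Data confidentiality",
    "FR5 Restricted data flow",
    "FR6 Timely response to events",
    "FR7 Resource availability",
)

CERTIFIED = "CSA-certified"      # third-party assessed under ISASecure CSA
SELF_ATTESTED = "self-attested"  # "designed to 62443-4-2", no third-party assessment


def parse_sl_vector(text: str) -> tuple[int, ...]:
    """Parse a vector written as '{2, 2, 3, 1, 2, 2, 2}' into a 7-tuple.

    Each position is the SL (0..4) claimed or required on the matching FR.
    """
    values = tuple(int(v) for v in text.strip().strip("{}").split(","))
    if len(values) != len(FR_NAMES):
        raise ValueError(f"expected {len(FR_NAMES)} FR values, got {len(values)}")
    if any(not 0 <= v <= 4 for v in values):
        raise ValueError("SL values must be between 0 and 4")
    return values


@dataclass(frozen=True)
class ComponentClaim:
    product: str
    sl_c: tuple[int, ...]
    claim_type: str  # CERTIFIED or SELF_ATTESTED (labels chosen for this example)


def sl_gaps(sl_t: Sequence[int], sl_vec: Sequence[int]) -> list[str]:
    """Names of the FRs on which sl_vec falls below the target vector."""
    return [name for name, t, v in zip(FR_NAMES, sl_t, sl_vec) if v < t]


def evaluate_claim(claim: ComponentClaim, sl_t: Sequence[int],
                   require_certification: bool = True) -> dict:
    """Procurement precondition: SL-C >= SL-T on every FR, and, when the
    specification demands it, the claim must be third-party verified rather
    than a vendor self-attestation."""
    gaps = sl_gaps(sl_t, claim.sl_c)
    unverified = require_certification and claim.claim_type != CERTIFIED
    return {
        "product": claim.product,
        "gaps": gaps,
        "unverified": unverified,
        "acceptable": not gaps and not unverified,
    }


def sl_achieved(sl_c: Sequence[int], configured: Mapping[int, int]) -> tuple[int, ...]:
    """Simplified SL-A: per FR, the lesser of what the box can do (SL-C) and
    the level the integrator actually switched on and evidenced. `configured`
    maps a 0-based FR index to that level; FRs not listed are taken as fully
    configured, i.e. SL-A equals SL-C there."""
    return tuple(min(c, configured.get(i, c)) for i, c in enumerate(sl_c))


if __name__ == "__main__":
    sl_t = parse_sl_vector("{2, 2, 2, 1, 2, 2, 2}")  # zone target from the -3-2 risk assessment
    ied = ComponentClaim("protection IED (constructed)",
                         parse_sl_vector("{2, 2, 3, 1, 2, 2, 2}"), CERTIFIED)
    print(evaluate_claim(ied, sl_t))
    # Same capability vector, but only "designed to": rejected when certification is required
    print(evaluate_claim(ComponentClaim("same IED, self-attested", ied.sl_c, SELF_ATTESTED), sl_t))
    # Deployed with the default password: FR2 (index 1) is effectively at SL 0
    sl_a = sl_achieved(ied.sl_c, {1: 0})
    print("SL-A:", sl_a, "gaps vs SL-T:", sl_gaps(sl_t, sl_a))
```

Running it shows the certified claim passing, the identical self-attested claim failing on verification alone, and the SL-A vector opening an FR2 gap that SL-C never showed. The per-FR comparison is elementwise on purpose: a component with a higher overall "average" that is short on one FR still fails the precondition.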

Why -4-1 and -4-2 are deployed unevenly

-4-1 (the SDL) is increasingly common as a vendor claim because it is achievable for a vendor as a one-time organisational investment that benefits every product. -4-2 (per-component certification) is rarer because each product has to be tested individually, and the testing burden grows with the SL claim. Most vendors offer SDLA but not CSA across their substation product range.

The pragmatic conclusion for the architect is that “62443-4-1 certified” is a meaningful supplier-level signal that the vendor takes security as a process; “62443-4-2 certified at named SLs” is a meaningful product-level signal that the specific box has been independently assessed. Neither is yet ubiquitous in substation kit, and procurement specifications that pretend otherwise will produce an empty bid pile.