IEC 62443
The joint ISA/IEC family for cyber-security of Industrial Automation and Control Systems — the OT cyber-security framework that introduced zones, conduits, and Security Levels.
Also: 62443, ISA/IEC 62443, ISA 62443
IEC 62443 is the joint ISA/IEC family for cyber-security of Industrial Automation and Control Systems (IACS). It is what the OT world reaches for when the question is “how do we secure this thing?” — the OT counterpart to the IT-flavoured ISO/IEC 27000 family.
How the family is organised
The standard is grouped into four part-groups by audience:
| Group | Audience | Key parts |
|---|---|---|
| 1-x General | All | 1-1 Terminology and concepts; 1-5 Security profiles |
| 2-x Policies & Procedures | Asset owners and service providers | 2-1 Security programme; 2-3 Patch management; 2-4 Service-provider requirements |
| 3-x System | System integrators | 3-2 Risk assessment and system design; 3-3 System security requirements and Security Levels |
| 4-x Component | Product suppliers | 4-1 Secure product development lifecycle; 4-2 Component requirements |
Parts 3-3 and 4-2 are the two that operationally define what a Security Level (SL) claim means.
The two big exports from 62443
Two ideas have spread far beyond the standard itself:
- Zones and conduits — partition a system into zones (assets sharing the same security requirement) and conduits (the communication paths between zones). The unit of security analysis is no longer the device or the network; it is the zone and the conduit.
- Security Levels (SL 1-4) — scale required protection to the capability of the threat actor the asset must repel. SL 1 stops typos; SL 4 stops nation-states.
Almost every OT framework written since 2010 borrows the zone-and-conduit vocabulary from 62443-3-2.
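The zone-and-conduit idea above, as an added Python example that is not taken from the standard or from this page's source. The asset names, zone names, SL values, conduits and flows are all constructed; the check flags zones whose members do not share one required SL and flows that cross zones without a declared conduit.

```python
from collections import defaultdict

# Constructed inventory (assumption): asset -> (zone, required Security Level 1-4).
ASSETS = {
    "relay-01": ("protection", 3),
    "relay-02": ("protection", 3),
    "rtu-01": ("station-bus", 2),
    "hmi-01": ("station-bus", 2),
    "eng-laptop": ("station-bus", 1),  # deliberately inconsistent with its zone
    "historian": ("dmz", 2),
}
# Constructed conduits: unordered pairs of zones that are allowed to communicate.
CONDUITS = {frozenset({"protection", "station-bus"}), frozenset({"station-bus", "dmz"})}
# Constructed observed flows (source asset, destination asset).
FLOWS = [
    ("rtu-01", "relay-01"),     # crosses a declared conduit
    ("hmi-01", "historian"),    # crosses a declared conduit
    ("relay-01", "relay-02"),   # stays inside one zone
    ("historian", "relay-02"),  # dmz -> protection: no conduit declared
    ("vendor-pc", "rtu-01"),    # source is not in the inventory
]


def zone_sl_conflicts(assets):
    """Return {zone: sorted SLs} for zones whose members disagree on required SL."""
    levels = defaultdict(set)
    for zone, sl in assets.values():
        levels[zone].add(sl)
    return {z: sorted(s) for z, s in levels.items() if len(s) > 1}


def undeclared_crossings(assets, conduits, flows):
    """Return flows that cross zones without a declared conduit or touch unzoned assets."""
    findings = []
    for src, dst in flows:
        if src not in assets or dst not in assets:
            findings.append((src, dst, "unzoned asset"))
            continue
        src_zone, dst_zone = assets[src][0], assets[dst][0]
        if src_zone != dst_zone and frozenset({src_zone, dst_zone}) not in conduits:
            findings.append((src, dst, f"{src_zone}->{dst_zone}"))
    return findings


if __name__ == "__main__":
    print(zone_sl_conflicts(ASSETS))
    print(undeclared_crossings(ASSETS, CONDUITS, FLOWS))
```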
What 62443 does not specify
The standard tells you what security controls a system must implement; it does not tell you how the underlying protocols carry those controls on the wire. That’s the job of IEC 62351, the protocol-specific complement: TLS profiles for TCP-based protocols, embedded HMAC for multicast GOOSE/SV, key management, RBAC vocabularies.
A typical substation procurement satisfies, for example, 62443-3-3 System Requirement (SR) 3.1 (communication integrity) on an MMS link by mandating IEC 62351-3/-4 TLS: 62351 supplies the mechanism that ticks the 62443 box.
Relationship to mandatory regimes
62443 is voluntary. The mandatory regimes that sit above it map onto it differently:
- NERC CIP (North America) — outcome-based reliability standards. ISA’s published comparison claims approximately 95% of CIP technical controls can be validated through 62443 assessments.
- NIS2 Directive (EU) — outcome-based; ENISA treats 62443-2-1 as a reference framework for ISMS-type controls.
- NCSC Cyber Assessment Framework (UK) — principles-based; CAF outcomes B2/B4/C1 map onto 62443 Foundational Requirements (FRs) 1/2/3 and 6.
UK utilities cite 62443 as the control catalogue used to satisfy CAF outcomes; the regulator does not explicitly endorse the standard but accepts it as evidence.
ISASecure
Third-party conformance is via the ISA Security Compliance Institute:
- SDLA (Security Development Lifecycle Assurance) — supplier process against 62443-4-1.
- CSA (Component Security Assurance) — components against 62443-4-2 at SL 1-4.
- SSA (System Security Assurance) — integrated systems against 62443-3-3.
Notable absence in the substation context: as of the time of writing, no protection relay from SEL, Siemens, GE/Alstom, or ABB/Hitachi Energy appears in the public ISASecure CSA register. Vendors widely advertise “designed to 62443-4-2”, which is not the same thing as third-party CSA certification.