Definition and purpose

IEC 62443 focuses on the security of industrial automation and control systems throughout their lifecycle. The purpose of these standards is to offer a systematic and practical approach to secure IACS in various sectors, ensuring the safety and reliability of systems that are integral to the world's industrial infrastructure.

Governing Body

The standards are developed and maintained by the International Electrotechnical Commission (IEC) in conjunction with the International Society of Automation (ISA).

Last updated

ISA/IEC 62443 was published in 2018.

Applies to

IEC 62443 applies to industrial automation and control systems across a range of industries. This includes manufacturing, oil and gas, energy utilities, water treatment, and other sectors that employ automation and control systems.

Controls and requirements

IEC 62443 is comprised of multiple parts, with each part addressing different aspects of IACS security. Some notable parts include:

• IEC 62443-2-1: Establishes requirements for implementing an IACS security management system.
• IEC 62443-3-3: System security requirements and security levels.
• IEC 62443-4-1: Secure product development lifecycle requirements.

Key requirements and controls cover areas such as:

• Security policies and procedures
• System patch management
• Security risk assessments
• Defense-in-depth strategies
• Incident response planning
• Security training and awareness
• Secure system design and architecture
• Access control measures
• Secure coding practices for IACS software
• Regular system monitoring and logging

Please refer to the official ISA/IEC 62443 standard documentation for a detailed list of controls and requirements.

Audit type, frequency, and duration

Depending on the context, audits can be conducted by internal teams or third-party assessors. The audits typically involve a combination of documentation review, interviews, system testing, and vulnerability assessments. While the standard itself does not dictate a fixed frequency, best practices suggest an annual audit or assessment, with additional reviews following significant system changes or identified vulnerabilities.

The duration of the audit varies depending on the size and complexity of the IACS in question, the scope of the audit, and the specific parts of the IEC 62443 standard being addressed.