IEC 62443

Structure of IEC 62443

The standard is organised into four groups, each addressing a different stakeholder in the industrial security chain:

Part 1 – General (1-1 to 1-5): Concepts, models, and terminology. Introduces the zone and conduit model for segmenting industrial networks – the architectural foundation that all other parts build on.

Part 2 – Policies and procedures (2-1 to 2-5): Requirements for the asset owner’s security programme, plus (in 2-4) requirements for the service providers who integrate and maintain the system. Covers security policies, patch management, risk assessment, and organisational measures. This is the governance layer: what the operating organisation must have in place.

Part 3 – System (3-1 to 3-3): Requirements aimed at system integrators. Covers security technologies (3-1), the risk assessment method used to partition a system into zones and conduits and assign each a target security level (3-2), and the system security requirements and security levels SL 1-4 themselves (3-3). This is where a Purdue-style layered architecture meets formal security requirements.

Part 4 – Component (4-1 to 4-2): Requirements for product suppliers. 4-1 defines the secure development lifecycle (SDL) a supplier must follow; 4-2 defines the technical requirements that individual components – PLCs, HMIs, SCADA servers, network devices – must meet to claim a capability security level. Manufacturers must demonstrate that their products meet the specified level.

Security levels

IEC 62443-3-3 defines security levels SL 1 to SL 4, representing protection against increasingly capable attackers (SL 0 is also defined and means no specific requirement). The attacker descriptions below follow the standard; the environment column is an indicative mapping, not part of the standard:

Security level | Protection against                                                                                                                           | Typical environment
SL 1           | Casual or coincidental violation                                                                                                             | Basic office-connected systems, low-risk processes
SL 2           | Intentional violation using simple means, low resources, generic skills and low motivation                                                   | General manufacturing, building automation
SL 3           | Intentional violation using sophisticated means, moderate resources, IACS-specific skills and moderate motivation                            | Critical infrastructure, energy, water treatment
SL 4           | Intentional violation using sophisticated means, extended resources, IACS-specific skills and high motivation (typically state-level actors)  | Defence, nuclear, national security systems

Each zone in an industrial network is assigned a target security level (SL-T) based on risk assessment. A security level is not a single number but a vector: one value for each of the seven foundational requirements (identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, resource availability). The gap between the achieved security level (SL-A) of the zone as built and its SL-T, per requirement, drives the remediation roadmap; component capability levels (SL-C) tell you whether the products you buy can close that gap at all.
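As an added example (not from the original page), the gap analysis described above expressed in code. The seven foundational requirements and the SL-T/SL-A terminology are those of IEC 62443-3-3 and 3-2; the zones, conduits and level values are constructed for illustration, and the rule that a conduit must meet the element-wise maximum of the target levels of the two zones it joins is a conservative simplification, not a requirement quoted from the standard:

```python
"""IEC 62443 security level gap analysis over zones and conduits.

Added example. SL-T (target) and SL-A (achieved) are vectors over the seven
foundational requirements (FR 1-7) of IEC 62443-3-3. All zone and conduit
data below are constructed for illustration.
"""
from dataclasses import dataclass

# The seven foundational requirements of IEC 62443-3-3, in standard order.
FRS = (
    "FR1 Identification and authentication control",
    "FR2 Use control",
    "FR3 System integrity",
    "FR4 Data confidentiality",
    "FR5 Restricted data flow",
    "FR6 Timely response to events",
    "FR7 Resource availability",
)


def validate_sl(vector):
    """An SL vector is exactly seven integers, each in the range 0-4."""
    if len(vector) != 7 or any(not 0 <= v <= 4 for v in vector):
        raise ValueError("an SL vector is seven integers in the range 0-4")
    return tuple(vector)


@dataclass
class Zone:
    name: str
    sl_target: tuple    # SL-T from the risk assessment (62443-3-2)
    sl_achieved: tuple  # SL-A measured in the system as built

    def gaps(self):
        """Return {FR: shortfall} for every FR where SL-A < SL-T."""
        return {fr: t - a for fr, t, a in zip(FRS, self.sl_target, self.sl_achieved) if a < t}


@dataclass
class Conduit:
    name: str
    zone_a: str
    zone_b: str
    sl_achieved: tuple  # SL-A of the conduit's own controls (firewall, data diode, ...)


def conduit_gaps(conduit, zones):
    """Assumption used here: a conduit must meet, per FR, the higher SL-T of the
    two zones it connects (the standard lets the risk assessment set a conduit's
    own SL-T; the element-wise maximum is a conservative starting point)."""
    za, zb = zones[conduit.zone_a], zones[conduit.zone_b]
    required = tuple(max(a, b) for a, b in zip(za.sl_target, zb.sl_target))
    return {fr: r - a for fr, r, a in zip(FRS, required, conduit.sl_achieved) if a < r}


def remediation_roadmap(zones, conduits):
    """Rank zones and conduits by total SL shortfall, largest first, ties by name."""
    items = []
    for z in zones.values():
        g = z.gaps()
        if g:
            items.append((sum(g.values()), z.name, g))
    for c in conduits:
        g = conduit_gaps(c, zones)
        if g:
            items.append((sum(g.values()), c.name, g))
    return sorted(items, key=lambda item: (-item[0], item[1]))


# Constructed sample: a plant segmented into enterprise IT, a DMZ and a control network.
ZONES = {z.name: z for z in [
    Zone("Enterprise IT",   validate_sl((2, 2, 2, 2, 2, 2, 2)), validate_sl((2, 2, 2, 2, 2, 2, 2))),
    Zone("Plant DMZ",       validate_sl((3, 3, 3, 2, 3, 3, 3)), validate_sl((3, 3, 2, 2, 2, 3, 3))),
    Zone("Control network", validate_sl((3, 3, 3, 2, 3, 3, 4)), validate_sl((2, 1, 2, 1, 3, 2, 3))),
]}
CONDUITS = [
    Conduit("IT-to-DMZ firefall".replace("firefall", "firewall"), "Enterprise IT", "Plant DMZ",
            validate_sl((3, 3, 3, 2, 3, 3, 3))),
    Conduit("DMZ-to-control firewall", "Plant DMZ", "Control network",
            validate_sl((3, 3, 3, 2, 2, 3, 3))),
]

if __name__ == "__main__":
    for total, name, gaps in remediation_roadmap(ZONES, CONDUITS):
        print(f"{name}: total shortfall {total}")
        for fr, shortfall in gaps.items():
            print(f"  {fr}: raise by {shortfall}")
```

Run stand-alone, the script lists the control network first (seven levels short across six FRs), then the DMZ-to-control conduit, whose restricted-data-flow and availability controls fall below what the control network's SL-T demands even though they match the DMZ's own target. That is the practical point of per-FR vectors: a single "SL 3" label would have hidden both gaps.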

Why IEC 62443 matters in 2026

Three trends are driving IEC 62443 adoption:

  • OT/IT convergence – industrial systems that were once isolated (air-gapped) are now connected to corporate IT networks, cloud platforms, and remote access tools. The attack surface has expanded dramatically, and IT security controls alone are insufficient for OT environments, where patch windows are rare, protocols are often unauthenticated, and availability outranks confidentiality
  • Regulatory pressure – the NIS2 Directive explicitly covers essential services sectors (energy, transport, water, health) that rely on industrial control systems. DORA covers ICT risk in financial services infrastructure. Both instruments expect organisations to demonstrate control over their OT security
  • Targeted attacks – state-sponsored groups and ransomware operators increasingly affect OT environments. Colonial Pipeline and JBS Foods showed that even a compromise confined to IT can halt physical operations, and attacks on European energy providers have shown that OT compromise has real-world consequences beyond data

IEC 62443 vs ISO 27001

               | IEC 62443                                                  | ISO 27001
Focus          | Industrial control systems and OT                          | Information security management, historically IT-centred
Risk model     | Safety + availability + integrity                          | Confidentiality + integrity + availability
Architecture   | Zones and conduits (often mapped onto Purdue levels)       | ISMS (policies, controls, risk register)
Priority       | Availability first – systems must keep running             | Typically confidentiality-led – data must be protected
Certification  | Product, system, and process certification                 | Organisation-level certification

Most organisations with both IT and OT environments need both standards. ISO 27001 covers the corporate IT environment; IEC 62443 covers the industrial control systems. The overlap is in governance and risk management processes.

Cyberfort and IEC 62443

We assess OT security maturity against IEC 62443 through our OT/IoT security review service. Our assessment covers network discovery, OT asset inventory, zone and conduit mapping, security level gap analysis, and recommendations aligned to IEC 62443 requirements. We work with organisations in manufacturing, energy, utilities, transport, and defence – sectors where OT security is not optional. Our cyber resilience audit includes OT-specific assessment components for organisations with converged IT/OT environments. Discuss your OT security requirements →

Related glossary terms

  • NCSC CAF – the UK framework for assessing critical national infrastructure security, often applied alongside IEC 62443
  • NIS2 Directive – EU directive covering essential and important entities, including sectors that rely on industrial control systems
  • MITRE ATT&CK – includes ICS-specific tactics (MITRE ATT&CK for ICS) for mapping threats to industrial environments
  • Zero Trust – the security architecture principle increasingly applied to OT network segmentation

Frequently asked questions

What is the difference between IEC 62443 and ISO 27001?

ISO 27001 focuses on information security management, historically for IT environments, where confidentiality usually leads. IEC 62443 focuses on industrial control system security for OT environments, with availability and safety as the top priorities. In an OT environment, a system going offline or behaving incorrectly can cause physical harm – a risk model fundamentally different from data confidentiality. Most organisations with both IT and OT need both standards.

Who needs IEC 62443?

Any organisation that operates or manufactures industrial control systems. This includes asset owners (manufacturers, utilities, energy companies), system integrators who design and install industrial systems, and component suppliers who build PLCs, HMIs, SCADA systems, and industrial network devices. The standard assigns specific requirements to each role in the supply chain.

Is IEC 62443 certification mandatory?

IEC 62443 is not legally mandatory in most jurisdictions, but regulatory frameworks increasingly reference it. NIS2 requires proportionate security measures from essential and important entities, and IEC 62443 is a widely recognised benchmark for demonstrating OT security compliance. Many procurement processes in energy, defence, and critical infrastructure now require IEC 62443 compliance or certification as a condition of contract.

Contact Us

Cyberfort Ltd
Venture West,
Greenham Business Park, Thatcham,
Berkshire,
RG19 6HX

+44 (0)1304 814800