IEC 62443 is the international standard for industrial cybersecurity, structured in 4 parts (general, policies, system, component). It defines Security Levels from SL1 (casual) to SL4 (state-sponsored). It is mandatory for NIS2 (EU 2022/2555) compliance in critical industrial sectors, aligns with NIST SP 800-82r3 (Sep 2023) and the Purdue/ISA-95 model, and typically takes 12-24 months to implement.
IEC 62443 is the international standard family for cybersecurity in industrial automation and control systems (IACS), developed jointly by ISA99 and IEC TC65. As of 2026, it is the de facto reference for industrial cybersecurity worldwide, mandated explicitly or implicitly by the EU NIS2 directive (EU 2022/2555) for essential and important entities in 18 critical sectors. This guide covers the standard structure, Security Levels (SL1-4), implementation roadmap, alignment with NIST SP 800-82r3 (revised September 2023), Purdue/ISA-95 segmentation, and certification options.
IEC 62443 family structure: 4 parts, 14 documents
The IEC 62443 family is organized into 4 parts covering progressively narrower scopes:
| Part | Scope | Key documents |
|---|---|---|
| Part 1: General | Terminology, concepts, models | 62443-1-1 (concepts), 62443-1-2 (glossary), 62443-1-3 (system requirements), 62443-1-4 (security life cycle) |
| Part 2: Policies & procedures | Asset owner cybersecurity program | 62443-2-1 (CSMS), 62443-2-3 (patch mgmt), 62443-2-4 (service provider reqs) |
| Part 3: System | System integrator requirements | 62443-3-1 (technologies), 62443-3-2 (risk assessment), 62443-3-3 (system security requirements SR1-7) |
| Part 4: Component | Product supplier requirements | 62443-4-1 (secure dev lifecycle), 62443-4-2 (technical security requirements for components CR1-7) |
Security Levels SL1 to SL4: progressive resistance
The standard defines four Security Levels (SL) representing progressively stronger resistance to threat actors:
| SL | Resistance to | Threat actor profile | Typical sector |
|---|---|---|---|
| SL1 | Casual violation | Curious employee, accidental misconfiguration | Low-criticality discrete manufacturing |
| SL2 | Intentional violation with simple means | Disgruntled insider, low-skill external | Most discrete and process manufacturing (default target) |
| SL3 | Intentional violation with sophisticated means, moderate resources, IACS-specific skills | Organized crime, hacktivists | Critical manufacturing, food & beverage, pharmaceutical |
| SL4 | State-sponsored attacks with significant resources and IACS-specific expertise | Nation-state actors | Energy, transportation, water, defense |
Each SL is decomposed into 7 Foundational Requirements (FR1-7): identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. IEC 62443-3-3 specifies 1-4 SRs (system requirements) per FR for each SL.
IEC 62443 alignment with NIS2 directive (EU 2022/2555)
The NIS2 directive, in force across the EU since October 2024, applies to 18 critical sectors and an estimated 160,000+ entities in the EU (vs ~10,000 under NIS1). Article 21 requires that essential and important entities implement “appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems”. While NIS2 is technology-agnostic, the European Commission and ENISA reference IEC 62443 as a primary mapping standard for industrial environments.
Practical alignment:
- NIS2 art. 21(2)(a) – risk analysis policies → IEC 62443-2-1 CSMS + 62443-3-2 risk assessment
- NIS2 art. 21(2)(b) – incident handling → IEC 62443-2-1 incident response procedures
- NIS2 art. 21(2)(c) – business continuity → IEC 62443 FR7 resource availability
- NIS2 art. 21(2)(d) – supply chain security → IEC 62443-2-4 service provider + 62443-4-1 secure dev
- NIS2 art. 21(2)(e) – secure acquisition → IEC 62443-4-2 component certification
- NIS2 art. 21(2)(f) – effectiveness assessment → IEC 62443-2-1 management review
- NIS2 art. 21(2)(g) – cyber hygiene → IEC 62443 FR1, FR2 (identification, use control)
- NIS2 art. 21(2)(h) – cryptography → IEC 62443 FR4 (data confidentiality)
- NIS2 art. 21(2)(i) – HR security → IEC 62443-2-1 personnel security
- NIS2 art. 21(2)(j) – MFA + encrypted comms → IEC 62443 SR1.5 (multi-factor), SR4.1 (encryption)
Penalties for non-compliance: up to €10M or 2% of worldwide annual turnover (essential entities) and €7M or 1.4% (important entities). National competent authorities (ANSSI in France, BSI in Germany, NCSC in Netherlands) audit and enforce.
IEC 62443 vs NIST SP 800-82r3 (September 2023)
The NIST Special Publication 800-82 Revision 3 “Guide to Operational Technology (OT) Security” was published in September 2023, replacing r2 (May 2015). NIST SP 800-82r3 is the U.S. federal reference for OT cybersecurity, mandatory for U.S. government industrial systems and widely adopted by the private sector in alignment with NIST CSF 2.0.
Differences and complementarity:
| Aspect | IEC 62443 | NIST SP 800-82r3 |
|---|---|---|
| Origin | International (IEC TC65 + ISA99) | U.S. federal (NIST) |
| Scope | IACS-focused, deeper technical SR | Broader OT incl. IIoT, building automation |
| Levels | SL1-4 progressive resistance | Tier-based per NIST CSF 2.0 (Partial → Adaptive) |
| Certification | Certifiable by ISA Secure, TÜV, etc. | Not directly certifiable (used as framework) |
| Adoption | De facto in EU, Asia, LATAM | Dominant in U.S., influential globally |
| Update cadence | 5-7 years per document | 5-10 years per revision |
Best practice in 2026 is to align with both: IEC 62443 for technical IACS implementation and certification, NIST SP 800-82r3 for the risk management framework and U.S. federal alignment. The 80% overlap in technical content makes dual compliance achievable with marginal additional effort.
Purdue / ISA-95 model and IEC 62443 zones & conduits
IEC 62443-3-2 mandates network segmentation using the concept of zones and conduits. The Purdue Enterprise Reference Architecture (PERA), aligned with ISA-95 / IEC 62264, structures the network into 6 levels: Level 0 (physical process), Level 1 (basic control PLCs), Level 2 (supervisory SCADA/HMI), Level 3 (MES/MOM/historian), Level 3.5 DMZ (isolation zone), Level 4 (site business ERP), Level 5 (enterprise corporate).
IEC 62443 implementation typically requires:
- asset inventory across all Purdue levels (L0-5)
- zone definition (per L1 group, L2 group, L3 area, DMZ, L4 enterprise)
- conduit identification with security requirements (firewall, IDS/IPS, application whitelisting)
- risk assessment per zone (FR1-7 mapping to SL target)
- compensating controls where an SR cannot be met
- documentation and ongoing monitoring
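The per-zone FR1-7 gap analysis and the zone-and-conduit checks described above, as an added example that is not part of the original article or of any IEC 62443 tooling. The zone names, the sample site and the two conduit rules (no direct enterprise-to-OT conduit bypassing the L3.5 DMZ; a conduit into a higher-SL zone must at least be firewalled) are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

FRS = ("FR1", "FR2", "FR3", "FR4", "FR5", "FR6", "FR7")  # IEC 62443-3-3 foundational requirements

@dataclass
class Zone:
    name: str
    purdue_level: float  # 0..5, with 3.5 for the DMZ
    sl_target: dict      # SL-T vector: FR -> required SL (1-4)
    sl_achieved: dict    # SL-A vector: FR -> SL currently met (0-4)

@dataclass
class Conduit:
    src: str
    dst: str
    controls: set = field(default_factory=set)  # e.g. {"firewall", "ids"}

def sl_gaps(zone):
    """FRs where SL-A is below SL-T, as {FR: (achieved, target)}; each gap
    needs either a control upgrade or a documented compensating control."""
    return {fr: (zone.sl_achieved.get(fr, 0), zone.sl_target.get(fr, 0))
            for fr in FRS if zone.sl_achieved.get(fr, 0) < zone.sl_target.get(fr, 0)}

def conduit_findings(zones, conduits):
    """Two simplified zone-and-conduit rules (assumed here): (1) L4/L5 must not
    connect directly to L0-L3, only via the L3.5 DMZ; (2) a conduit into a
    zone with a higher SL-T must at least be firewalled."""
    by_name = {z.name: z for z in zones}
    findings = []
    for c in conduits:
        s, d = by_name[c.src], by_name[c.dst]
        lo, hi = sorted((s.purdue_level, d.purdue_level))
        if hi >= 4 and lo <= 3:
            findings.append(f"{c.src}->{c.dst}: enterprise/OT conduit bypasses the DMZ")
        if max(d.sl_target.values()) > max(s.sl_target.values()) and "firewall" not in c.controls:
            findings.append(f"{c.src}->{c.dst}: conduit into higher-SL zone has no firewall")
    return findings

# Constructed sample site (not from the article): SL2 target on the control
# zone, but FR1 (identification and authentication) only reaches SL1 today.
ZONES = [
    Zone("enterprise", 4, dict.fromkeys(FRS, 1), dict.fromkeys(FRS, 1)),
    Zone("dmz", 3.5, dict.fromkeys(FRS, 2), dict.fromkeys(FRS, 2)),
    Zone("line1_control", 1, dict.fromkeys(FRS, 2), {**dict.fromkeys(FRS, 2), "FR1": 1}),
]
CONDUITS = [
    Conduit("enterprise", "dmz", {"firewall"}),
    Conduit("dmz", "line1_control", {"firewall", "ids"}),
    Conduit("enterprise", "line1_control"),  # ERP reading the historian directly: a violation
]
```

Running `sl_gaps` over `ZONES` and `conduit_findings(ZONES, CONDUITS)` reports the FR1 shortfall on the control zone and two findings against the direct enterprise-to-control conduit.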
Implementation roadmap: 12-24 months typical
| Phase | Duration | Activities |
|---|---|---|
| 1. Gap assessment | 2-3 months | Asset inventory, current state, risk assessment, SL target definition |
| 2. Architecture design | 2-3 months | Zones & conduits design, network segmentation plan, technology selection |
| 3. Quick wins implementation | 3-6 months | MFA, patching, hardening, DMZ deployment, IDS/IPS |
| 4. Deep controls | 6-12 months | SIEM/SOC OT, OT-IT segmentation, vulnerability management, supply chain |
| 5. CSMS operationalization | 3-6 months | Incident response procedures, training, tabletop exercises, audit prep |
| 6. Certification (optional) | 3-6 months | ISA Secure System / Component, TÜV, third-party audit |
Total: 12-24 months for SL2 target on a mid-sized manufacturing site; 24-36 months for SL3 on critical infrastructure.
Certifications and accreditation bodies
Three main certification schemes exist as of 2026:
- ISA Secure (ISCI – ISA Security Compliance Institute): SDLA (process), CSA (component), SSA (system), SDLPA (people); the most widely recognized internationally
- TÜV Süd, TÜV Rheinland, TÜV Nord: IEC 62443 certifications for components and systems, strong in Europe
- Bureau Veritas, DNV: audit and certification, particularly in the energy and maritime sectors
FAQ: IEC 62443 industrial cybersecurity
What is the difference between IEC 62443 and ISA/IEC 62443?
None — the standard family is jointly published by ISA (International Society of Automation) and IEC (International Electrotechnical Commission). The “ISA/IEC 62443” naming reflects this joint development.
Is IEC 62443 mandatory in 2026?
Indirectly yes for EU critical sectors under NIS2 directive (EU 2022/2555), which references IEC 62443 as the primary mapping. Some sectors mandate it directly: power grid in Germany (BSI KRITIS), gas pipelines in France (ANSSI). Most other industrial sectors treat it as best practice with strong commercial pressure.
What Security Level should I target?
SL2 is the realistic default target for most discrete and process manufacturing. SL3 is recommended for food & beverage, pharmaceutical, critical automotive Tier 1 suppliers, and aerospace. SL4 is reserved for energy, transportation, water and defense critical infrastructure (nation-state threat model).
How does IEC 62443 relate to NIST CSF 2.0?
NIST CSF 2.0 (Feb 2024) is a higher-level risk management framework with 6 functions (Govern, Identify, Protect, Detect, Respond, Recover). IEC 62443 provides the technical OT implementation detail. Best practice: use NIST CSF for governance, IEC 62443 for technical controls.
What is the typical cost of IEC 62443 SL2 implementation?
For a mid-sized manufacturing site (300 IACS assets), expect €500k-1.5M total: 30% consulting/audit, 40% technology (segmentation, IDS, SIEM), 20% process/training, 10% certification. Multi-site groups achieve 30-50% economies of scale after first site.
How does TeepTrak comply with IEC 62443?
TeepTrak Pulse is documented compliant with IEC 62443 SL2 (manufacturer self-declaration with third-party audit pending 2026). Architecture: zone-isolated cloud, encrypted comms (TLS 1.3), MFA, audit logging, role-based access control (RBAC), no incoming connections to OT network (data only egresses via DMZ).
What is IEC 62443-3-3 and why is it critical?
IEC 62443-3-3 specifies System Security Requirements (SR) for IACS, organized by the 7 Foundational Requirements with 1-4 SR per FR per SL. It is the most commonly referenced document for system integrators and asset owners as it directly maps security level targets to implementable technical controls.
How long does ISA Secure certification take?
Component (CSA): 6-12 months from application to certification. System (SSA): 9-18 months. Process (SDLA): 6-12 months for vendor secure development lifecycle. Costs €50-200k depending on complexity.
What is the Purdue Model and is it still relevant?
The Purdue Enterprise Reference Architecture (PERA) defines 6 hierarchical levels of industrial networks. It remains the de facto reference for IEC 62443 zone segmentation, despite criticism for not handling cloud and IIoT well. Modern updates combine IEC 62443-3-2 zones and conduits with ISA-95 / IEC 62264 alignment and Zero Trust principles for IIoT.
What is the difference between IEC 62443-4-1 and 4-2?
IEC 62443-4-1 specifies the Secure Development Lifecycle (SDL) requirements for product suppliers (process). IEC 62443-4-2 specifies the Technical Component Requirements (CR) for the components themselves (product). A component vendor needs both: a certified SDL process (4-1) AND certified components (4-2).
Conclusion
IEC 62443 is the international reference standard for industrial cybersecurity in 2026, mandatory or quasi-mandatory across most critical sectors via NIS2 directive in the EU and aligned with NIST SP 800-82r3 in the U.S. Implementation requires 12-24 months for SL2 target on a mid-sized manufacturing site, with €500k-1.5M typical investment. Multi-site groups achieve 30-50% economies of scale after the first site through architecture template reuse.
Next step: download the TeepTrak IEC 62443 implementation whitepaper or request a free maturity assessment on your IACS environment.