IEC 62443-4-2:2019 specifies Component Requirements (CR) for IACS components in 4 categories: Embedded Device (EDR), Host Device (HDR), Network Device (NDR), Software Application (SAR). Each category is subject to the 7 Foundational Requirements plus component-type-specific requirements. ISA Secure Component Security Assurance (CSA) is the certification scheme for product suppliers (PLC vendors, HMI vendors, network equipment vendors, MES/OEE software vendors).
IEC 62443-4-2:2019 “Technical security requirements for IACS components” is the product certification standard for industrial automation components. Where IEC 62443-3-3 specifies system-level requirements (the integrated IACS), IEC 62443-4-2 specifies component-level technical requirements for individual products: PLCs, HMIs, embedded devices, network equipment, host-based systems, and software applications. This is the document that component vendors (Siemens, Rockwell Automation, Schneider Electric, ABB, Honeywell, Yokogawa, Emerson, Mitsubishi Electric, Omron, Beckhoff Automation, B&R Industrial Automation, IFM Electronic) and software vendors (TeepTrak, AVEVA, Siemens Opcenter, AspenTech, GE Digital) certify against via ISA Secure CSA. This guide details the 4 component categories, the Component Requirements (CR), the Requirement Enhancements per Security Level, and the ISA Secure CSA certification process.
The 4 component categories in IEC 62443-4-2
IEC 62443-4-2 organizes components into 4 categories, each with category-specific Component Requirements (CR) in addition to the 7 common Foundational Requirements:
| Category | Acronym | Examples | Specific requirements |
|---|---|---|---|
| Embedded Device | EDR | PLC, RTU, IED, IIoT sensor, embedded controller | EDR 2.4 (mobile code), EDR 2.13 (use of physical diagnostic interface), EDR 3.10 (support for updates), EDR 3.11 (physical tamper resistance) |
| Host Device | HDR | Engineering workstation, HMI, historian server, MES server | HDR 2.4 (mobile code), HDR 2.13 (use of physical diagnostic interface), HDR 3.10 (support for updates), HDR 3.11 (physical tamper resistance) |
| Network Device | NDR | Industrial firewall, switch, router, OPC server, protocol gateway | NDR 1.6 (wireless access management), NDR 1.13 (access via untrusted networks), NDR 2.4 (mobile code), NDR 3.10 (support for updates) |
| Software Application | SAR | SCADA application, MES software, OEE specialist (TeepTrak), engineering tool | SAR 2.4 (mobile code), SAR 3.2 (malicious code protection) |
Component Requirements (CR) common across all 4 categories
The 7 Foundational Requirements from IEC 62443-3-3 are inherited at component level as Component Requirements (CR). Each CR has a base requirement and Requirement Enhancements (RE) for higher Security Levels. Mapping:
| FR | Title | Number of CR | Component-specific intent |
|---|---|---|---|
| FR1 IAC | Identification and Authentication Control | 13 CR | Component authenticates users + other components before access |
| FR2 UC | Use Control | 12 CR | Component enforces authorization per role / privilege |
| FR3 SI | System Integrity | 9 CR | Component prevents/detects firmware/software/data tampering |
| FR4 DC | Data Confidentiality | 3 CR | Component encrypts sensitive data at rest + in transit |
| FR5 RDF | Restricted Data Flow | 4 CR | Component supports network segmentation (zone boundaries) |
| FR6 TRE | Timely Response to Events | 2 CR | Component generates audit logs + supports continuous monitoring |
| FR7 RA | Resource Availability | 8 CR | Component resists DoS, supports backup + recovery |
Embedded Device Requirements (EDR) specifics
Embedded devices (PLCs, RTUs, IEDs, IIoT sensors) have specific security challenges due to constrained resources, long operational lifespan (15-25 years), and direct physical access in industrial environments. Key EDR-specific requirements:
- EDR 2.4: Mobile code restrictions — prevent execution of unauthorized code (firmware updates only via signed packages)
- EDR 2.13: Use of physical diagnostic interface — JTAG, UART, USB physical ports must be protected against unauthorized access (sealed, password-protected, disabled in production)
- EDR 3.10: Support for updates — firmware update mechanism with cryptographic signature verification, rollback capability, secure boot chain
- EDR 3.11: Physical tamper resistance — detection of physical case opening, security seals, tamper-evident enclosure
- EDR 3.12: Provisioning product supplier roots of trust — embedded keys/certificates for component authentication during deployment
- EDR 3.13: Provisioning asset owner roots of trust — capability for asset owner to install own root of trust (replace factory defaults)
- EDR 3.14: Integrity of the boot process — secure boot from immutable bootloader through measured boot to OS
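The boot-integrity requirement (EDR 3.14) combines two checks: each stage is verified against a reference digest before it runs, and its measurement is folded into a register that later attests to what was actually loaded. The sketch below is an added example, not code from the standard or from any vendor; the stage names and images are constructed, and the reference manifest is assumed to be already authenticated (in a real device it is signed and checked by an immutable first-stage bootloader).

```python
import hashlib
import hmac

# Constructed boot images standing in for real firmware stages.
STAGES = [
    ("bootloader", b"BL2 image v1.4 (constructed)"),
    ("kernel", b"RTOS kernel v5.2 (constructed)"),
    ("application", b"control logic v3.0 (constructed)"),
]

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || measurement). One-way and order-sensitive."""
    return hashlib.sha256(register + measurement).digest()

def golden_manifest(stages):
    """Reference digests as they would be recorded at release time (assumed trusted)."""
    return {name: digest(image) for name, image in stages}

def boot(stages, manifest):
    """Verify each stage before handing over control, and measure it.

    Returns (booted_ok, failed_stage, final_register).
    """
    register = bytes(32)  # measurement register is all zeros after reset
    for name, image in stages:
        measured = digest(image)
        # Measure first, so the register records the stage even if verification fails.
        register = extend(register, measured)
        expected = manifest.get(name)
        if expected is None or not hmac.compare_digest(measured, expected):
            return False, name, register  # halt: do not execute this stage
    return True, None, register
```

A verifier that knows the release digests can recompute the expected final register and compare it with the value the device reports; any modified, missing or reordered stage produces a different value.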
Network Device Requirements (NDR) specifics
Industrial network devices (firewalls, switches, routers, protocol gateways) implement network segmentation per IEC 62443-3-2 zones & conduits model. Vendors: Cisco Industrial (Catalyst IE, IR series), Fortinet (FortiGate Rugged 60F, 70F), Palo Alto Industrial (PA-220R), Belden Hirschmann (RX series), Moxa Industrial (EDR series), Phoenix Contact (mGuard), Siemens (SCALANCE S, M, X), Westermo Industrial. Key NDR-specific requirements:
- NDR 1.6: Wireless access management — strong authentication, encryption, monitoring of wireless connections
- NDR 1.13: Access via untrusted networks — VPN, IPSec, secure remote access architecture
- NDR 2.4: Mobile code restrictions — prevent unauthorized code execution on network devices
- NDR 3.10: Support for updates — secure firmware updates, certificate-based signing
- NDR 5.2: Zone boundary protection — stateful firewall, deep packet inspection for industrial protocols (Modbus TCP, Ethernet/IP, PROFINET, OPC UA)
- NDR 5.3: General purpose person-to-person communication restrictions — block social network, web mail, instant messaging on OT network
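Zone boundary protection (NDR 5.2) for an industrial protocol means checking more than the TCP port: the device parses the protocol header and enforces a per-conduit policy on the operation requested. The following added example, not taken from the standard or any vendor's product, inspects Modbus TCP requests and permits only read function codes; the read-only policy, the function names and the sample frames are assumptions constructed for illustration, and each input is assumed to hold exactly one reassembled request.

```python
import struct

READ_ONLY = {0x01, 0x02, 0x03, 0x04}  # read coils, discrete inputs, holding and input registers
MAX_ADU = 260  # Modbus TCP maximum: 7-byte MBAP header + 253-byte PDU

def inspect(frame: bytes, allowed=READ_ONLY):
    """Return (verdict, reason) for one Modbus TCP request crossing the conduit."""
    if len(frame) < 8:
        return "drop", "truncated: no MBAP header and function code"
    if len(frame) > MAX_ADU:
        return "drop", "oversized ADU"
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return "drop", "protocol id is not Modbus"
    # The length field counts the unit id plus the PDU that follows it.
    if length != len(frame) - 6:
        return "drop", "length field does not match frame size"
    function = frame[7]
    if function not in allowed:
        return "drop", f"function code 0x{function:02x} not allowed on this conduit"
    return "allow", f"function code 0x{function:02x}"

def build(function: int, data: bytes, tid=1, unit=1) -> bytes:
    """Construct a sample request frame (test data, not captured traffic)."""
    header = struct.pack(">HHHB", tid, 0, len(data) + 2, unit)
    return header + bytes([function]) + data

# Constructed samples: a permitted read, a write that the policy denies,
# and a frame whose declared length disagrees with its actual size.
SAMPLES = {
    "read holding registers": build(0x03, struct.pack(">HH", 0, 10)),
    "write single register": build(0x06, struct.pack(">HH", 1, 0x1234)),
    "bad length": build(0x03, struct.pack(">HH", 0, 10))[:-1],
}
```

Dropping frames with inconsistent length fields at the boundary also keeps malformed requests away from older controllers behind it.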
Software Application Requirements (SAR) for MES, SCADA, OEE software
Software applications (SCADA, MES, OEE specialists like TeepTrak Pulse, engineering tools) have fewer hardware-specific requirements but more emphasis on secure development lifecycle (covered separately in IEC 62443-4-1). Key SAR-specific requirements:
- SAR 2.4: Mobile code restrictions — sandbox, code signing for plugins/extensions, allowlisting
- SAR 3.2: Malicious code protection — antivirus integration, application allowlisting, integrity checking on installation
- Common CR inherited: MFA support (CR 1.1), audit logging (CR 6.1), encryption in transit (CR 4.1), RBAC (CR 2.1), input validation (CR 3.5), secure session management (CR 2.5, 2.6, 2.7)
Software applications must also align with IEC 62443-4-1 (Secure Product Development Lifecycle) for the development process itself. A SAR-certified product means: the product implements technical requirements (4-2 SAR) AND the vendor implements a certified Secure Development Lifecycle (4-1 SDL). Both certifications are required for full ISA Secure CSA / SDLA recognition.
Mapping IEC 62443-4-2 to product procurement
Asset owners (industrial manufacturers) use IEC 62443-4-2 in procurement to specify cybersecurity requirements for new components. Standard procurement language:
- Mandatory: “Component shall be certified ISA Secure CSA (Component Security Assurance) at Security Level SL2 minimum, evidenced by certificate from ISA Secure-accredited certification body.”
- Recommended: “Vendor shall demonstrate IEC 62443-4-1 SDLA (Secure Development Lifecycle Assurance) certification for the product development organization.”
- Optional: “Component shall meet additional Requirement Enhancements RE1-RE3 per Security Level SL3 in specific FR categories (e.g., FR1 IAC, FR3 SI) for critical infrastructure deployments.”
ISA Secure CSA certification process
ISA Secure CSA (Component Security Assurance) is the certification scheme operated by the ISA Security Compliance Institute (ISCI). Process:
| Phase | Duration | Activities |
|---|---|---|
| 1. Pre-application | 1-2 months | Self-assessment per IEC 62443-4-2 SR/CR, scope definition |
| 2. Application submission | 1 month | Submit to ISA Secure-accredited certification body (exida, ExidaCEE, TÜV Süd, TÜV Rheinland, Bureau Veritas) |
| 3. Documentation review | 2-4 months | Security target document, threat model, architectural design, security guidelines |
| 4. Vulnerability assessment | 2-4 months | FRADL (Functional Requirements per Architectural Decomposition Layer), vulnerability scanning, penetration testing |
| 5. Robustness testing | 2-3 months | CRT (Communication Robustness Testing), protocol fuzzing, malformed packet testing |
| 6. Certification decision | 1 month | Review board, certificate issuance |
| 7. Surveillance | Annual | Maintenance audit, vulnerability management review, recertification every 3 years |
Total: 9-15 months from application to certification. Cost: €50-200k depending on component complexity. Surveillance: €15-30k annually.
Major component vendors with ISA Secure CSA certification (2026 status)
- Siemens: SIMATIC S7-1500 PLC (CSA SL2), SIMATIC HMI (CSA SL2), SCALANCE network devices (CSA SL2-SL3), SIMATIC PCS 7 (SSA SL2)
- Rockwell Automation: ControlLogix L8x PLC (CSA SL2), CompactLogix L3x (CSA SL1), FactoryTalk (SSA SL2), Stratix industrial switches (CSA SL2)
- Schneider Electric: Modicon M580 (CSA SL2), Modicon M580 HSBY (CSA SL2), EcoStruxure (SSA SL2)
- ABB: System 800xA (SSA SL2), AC 800M PLC (CSA SL2), Ability ICSS
- Honeywell: Experion PKS (SSA SL2), C300 controllers (CSA SL2)
- Yokogawa: CENTUM VP (SSA SL2), ProSafe-RS SIS (SSA SL3), STARDOM controllers (CSA SL2)
- Emerson: DeltaV (SSA SL2), DeltaV SIS (SSA SL3), Ovation
- Phoenix Contact: mGuard industrial firewalls (CSA SL2-SL3), AXIOLINE I/O (CSA SL2)
- Belden Hirschmann: RX/MACH industrial switches (CSA SL2)
FAQ: IEC 62443-4-2 component security requirements
What is the difference between IEC 62443-4-2 and IEC 62443-3-3?
IEC 62443-3-3 specifies system-level requirements (the integrated IACS deployment). IEC 62443-4-2 specifies component-level requirements (individual products: PLCs, HMIs, network devices, software). System integrators certify per 3-3 (SSA); component vendors certify per 4-2 (CSA). Both are required: a system can only achieve SL2/SL3 if its components also achieve at least the matching Security Level.
What are the 4 component categories in IEC 62443-4-2?
EDR (Embedded Device Requirement) for PLCs/RTUs/IEDs/IIoT sensors. HDR (Host Device Requirement) for engineering workstations/HMIs/servers. NDR (Network Device Requirement) for firewalls/switches/routers/gateways. SAR (Software Application Requirement) for SCADA/MES/OEE/engineering software. Each category inherits the 7 FR + has category-specific additional requirements.
How does IEC 62443-4-2 relate to IEC 62443-4-1?
IEC 62443-4-1 specifies the Secure Development Lifecycle (SDL) requirements for product suppliers (the development process). IEC 62443-4-2 specifies the Technical Component Requirements for the components themselves (the product). A component vendor needs both: a certified SDL process (4-1 SDLA) AND certified components (4-2 CSA). ISA Secure certifications: SDLA (process), CSA (component product), SSA (system).
What is the cost of ISA Secure CSA certification?
€50-200k initial certification depending on component complexity (PLC simpler than full SCADA application). Process duration 9-15 months. Annual surveillance €15-30k. Recertification every 3 years. Includes documentation review, vulnerability assessment (FRADL), Communication Robustness Testing (CRT), penetration testing.
Which PLC vendors have ISA Secure CSA certification?
Major PLC vendors with CSA certification 2026: Siemens (SIMATIC S7-1500 CSA SL2), Rockwell Automation (ControlLogix L8x CSA SL2), Schneider Electric (Modicon M580 CSA SL2), ABB (AC 800M CSA SL2), Honeywell (C300 CSA SL2), Yokogawa (STARDOM CSA SL2), Emerson (DeltaV controllers). Other vendors progressing: Mitsubishi Electric, Omron, Beckhoff, B&R, Phoenix Contact.
How does TeepTrak comply with IEC 62443-4-2?
TeepTrak Pulse software application (SAR category) is architected to align with IEC 62443-4-2 SL2: SAR 2.4 (mobile code), SAR 3.2 (malicious code protection), CR 1.1 (MFA), CR 2.1 (RBAC), CR 3.1 (TLS 1.3 communications), CR 4.1 (AES-256 at rest), CR 6.1 (audit logging). ISA Secure CSA certification audit planned 2026. Pulse hardware sensor (EDR category) implements secure boot, signed firmware updates, tamper detection.
What about legacy components that cannot be certified?
Legacy components (pre-IEC 62443, often 15-25 years old) often cannot achieve CSA certification. Approach: implement compensating controls at system level per IEC 62443-3-2 risk assessment — network segmentation isolates legacy zone (FR5), jump host enforces MFA externally (FR1), SIEM monitors legacy zone egress (FR6). Document compensating controls in System Security Assurance dossier.
What is FRADL in the CSA certification process?
FRADL = Functional Requirements per Architectural Decomposition Layer. The certification lab decomposes the component into architectural layers (hardware, firmware, OS, application, network) and verifies each Functional Requirement (CR) is implemented at the appropriate layer with adequate strength. Combined with Communication Robustness Testing (CRT) and penetration testing.
What is Communication Robustness Testing (CRT)?
CRT is mandatory testing for ISA Secure CSA certification. It evaluates component resilience to malformed/malicious network traffic: protocol fuzzing (Modbus TCP, Ethernet/IP, PROFINET, OPC UA), stress testing (high traffic volume), invalid packet handling, denial of service resistance. Specialized tools: Wurldtech Achilles (acquired by GE Digital), Codenomicon Defensics, Beyond Security beSTORM.
How does CRA (Cyber Resilience Act) EU 2024 relate to IEC 62443-4-2?
The EU Cyber Resilience Act (Regulation EU 2024/2847, applicable from December 2027) mandates cybersecurity requirements for “products with digital elements” placed on the EU market. For industrial components, IEC 62443-4-2 + 4-1 compliance provides primary alignment with the CRA essential cybersecurity requirements. Manufacturers selling into the EU should target ISA Secure CSA/SDLA certification by the end of 2026 to ensure CRA readiness.
Conclusion
IEC 62443-4-2:2019 is the foundational standard for industrial component cybersecurity, organized into 4 categories (EDR, HDR, NDR, SAR) with Component Requirements derived from the 7 Foundational Requirements. ISA Secure CSA certification (9-15 months, €50-200k) is the primary recognition scheme. Major vendors (Siemens, Rockwell, Schneider, ABB, Honeywell, Yokogawa) have certified flagship products at SL2 minimum. EU Cyber Resilience Act 2024/2847 (applicable Dec 2027) reinforces IEC 62443-4-2 importance for products sold into EU. Component-level cybersecurity is the foundation for system-level (IEC 62443-3-3) and ultimately enterprise-level (NIS2 EU 2022/2555) compliance.
Next step: download the TeepTrak IEC 62443-4-2 component compliance whitepaper or request technical security architecture review.