What is IEC 62443?
IEC 62443 is a series of international standards for the security of Industrial Automation and Control Systems (IACS). Developed through collaboration between the International Electrotechnical Commission (IEC) and the International Society of Automation (ISA), it is the most comprehensive and internationally recognized framework for OT cybersecurity.
What makes IEC 62443 unique is that it addresses security from multiple perspectives simultaneously: the asset owner operating the system, the system integrator responsible for design and implementation, and the product supplier developing components. This three-stakeholder approach ensures that security is considered at every level of the industrial control system supply chain.
IEC 62443 has become the de facto reference standard for OT cybersecurity globally, referenced by regulatory frameworks including the Saudi NCA's OTCC, the EU Cyber Resilience Act, NIS2 Directive, and numerous national cybersecurity guidelines.
The Standard Structure
IEC 62443 is organized into four main parts:
Part 1: General - Foundational concepts, terminology, models, and metrics. This part introduces the Security Level concept and the zone and conduit model that underpin the entire standard.
Part 2: Policies and Procedures - Requirements for the security management system operated by asset owners. Covers security policies, organizational security, staff competence, risk assessment methodology, patch management, supply chain security, and protection levels.
Part 3: System Requirements - Security requirements at the system level. Includes the risk assessment methodology, foundational requirements, and the criteria for achieving each Security Level at the system level.
Part 4: Component Requirements - Security requirements for individual IACS components. Covers secure product development lifecycle requirements (IEC 62443-4-1) and technical security requirements for components (IEC 62443-4-2).
The Security Level Framework
One of IEC 62443's most practical contributions is the Security Level (SL) framework, which provides a structured way to define how much security is needed and measure how much is currently achieved.
| Security Level | Threat Actor Profile | Protection Level |
|---|---|---|
| SL 1 | Casual or coincidental | Protection against unintentional or accidental violation |
| SL 2 | Motivated individual or group | Protection against intentional violation using simple means and low resources |
| SL 3 | Sophisticated attacker | Protection against intentional violation using sophisticated means and moderate resources |
| SL 4 | Nation-state with OT capability | Protection against state-sponsored attack with extensive resources and OT-specific skills |
The framework uses three related concepts:
- SL-T (Target): The Security Level the zone needs to achieve based on risk assessment
- SL-C (Capability): The Security Level the system is designed to support
- SL-A (Achieved): The Security Level currently in place based on assessment
The gap between SL-A and SL-T drives the remediation roadmap.
Most industrial facilities target SL 2 as their baseline for general process control, with SL 3 for critical safety-related systems and high-value targets. SL 4 is relevant for national critical infrastructure and facilities assessed as potential targets for state-sponsored attacks.
Zones and Conduits: The Core Architectural Concept
The zones and conduits model is IEC 62443's primary tool for security architecture design. It provides a structured method for segmenting OT networks that respects operational requirements.
The Zone and Conduit Design Process
- Identify and group assets into zones based on their security requirements, operational function, risk profile, and physical location.
- Assign a Security Level Target (SL-T) to each zone based on risk assessment considering the consequences of compromise and the threat landscape.
- Define conduits - controlled communication paths between zones - and apply security controls appropriate to the connecting zones' security levels.
- Assess the current state (SL-A) and identify gaps where achieved security falls below the target.
- Implement controls to close gaps, including compensating controls where the ideal solution is not immediately achievable.
Typical Zone Architecture
A typical manufacturing or process facility might define these zones:
- Enterprise Zone (SL 1): IT network, business systems, corporate email
- Industrial DMZ: Boundary between IT and OT with data diodes, jump servers, and historian replicas
- Supervisory Zone (SL 2): SCADA servers, historian, HMI servers, engineering workstations
- Control Zone (SL 2): PLCs, DCS, RTUs, field controllers
- Safety Zone (SL 3): SIS, ESD systems, fire and gas detection (highest protection level)
Each zone boundary becomes a control point where traffic is filtered, monitored, and logged through the defined conduit.
Conducting an IEC 62443 Gap Assessment
An IEC 62443 gap assessment evaluates your current security posture against the standard's requirements. The process involves five key phases:
Step 1: Scope Definition
Define which systems and networks are within scope. For most facilities, this includes all OT devices, networks, applications, and associated IT systems that support OT operations.
Step 2: Current Zone Mapping
Document the existing network architecture and map assets into their current logical groupings. Identify all communication paths between groups. In many cases, this reveals that the current architecture is essentially a flat network with no meaningful segmentation.
Step 3: Security Level Assessment
For each zone (or proposed zone), assess the current Security Level achieved against the seven foundational requirements:
- Identification and authentication control
- Use control (authorization and access management)
- System integrity (protection against unauthorized modification)
- Data confidentiality (protection of sensitive information)
- Restricted data flow (network segmentation and filtering)
- Timely response to events (monitoring, logging, alerting)
- Resource availability (resilience and recovery)
Step 4: Gap Identification
Where SL-A falls below SL-T, document the specific gap and identify the controls required to close it. Prioritize based on risk, feasibility, and operational impact.
Step 5: Remediation Roadmap
Develop a prioritized remediation plan that accounts for operational constraints, maintenance windows, vendor dependencies, and available resources.
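The following Python is an added example, not code from the page or from Beacon Security. It models Steps 3 through 5 of the gap assessment together with the zone and conduit model described earlier: each zone carries an SL-T and a per-FR SL-A vector, the gaps are the foundational requirements where SL-A falls below SL-T, each conduit is checked for the filtering, monitoring and logging a control point needs, and the remediation list is ordered by the zone's SL-T and the size of the shortfall. The zone names, SL values, control names, the Industrial DMZ's SL-T and the rule that a zone's overall SL-A is its weakest FR are assumptions made for illustration (IEC 62443-3-3 expresses Security Levels as a vector over the seven FRs rather than a single number), and the sample zones and conduits are constructed.

```python
"""IEC 62443 gap-assessment model: SL-T vs SL-A per foundational requirement,
conduit control-point checks, and a risk-ordered remediation list.
Added example; the zone and conduit data below is constructed for illustration."""
from dataclasses import dataclass, field

# The seven foundational requirements of IEC 62443-3-3, keyed FR1..FR7.
FOUNDATIONAL_REQUIREMENTS = {
    "FR1": "Identification and authentication control",
    "FR2": "Use control",
    "FR3": "System integrity",
    "FR4": "Data confidentiality",
    "FR5": "Restricted data flow",
    "FR6": "Timely response to events",
    "FR7": "Resource availability",
}

# Controls a conduit is expected to provide at a zone boundary (filtered,
# monitored, logged). The control names are assumptions for this example.
CONTROL_POINT_CONTROLS = frozenset({"filtering", "monitoring", "logging"})


def sl_vector(default, **overrides):
    """Build an SL-A vector (FR -> level 0..4) from a default level and per-FR overrides."""
    vector = {fr: default for fr in FOUNDATIONAL_REQUIREMENTS}
    for fr, level in overrides.items():
        if fr not in vector or not 0 <= level <= 4:
            raise ValueError(f"bad override {fr}={level}")
        vector[fr] = level
    return vector


@dataclass
class Zone:
    name: str
    sl_target: int      # SL-T assigned by the risk assessment
    sl_achieved: dict   # SL-A per FR, as built by sl_vector()


@dataclass
class Conduit:
    source: str
    destination: str
    controls: frozenset = field(default_factory=frozenset)


def zone_sl_achieved(zone):
    """Overall SL-A of a zone, taken as its weakest FR (a simplification of the
    per-FR SL vector used by IEC 62443-3-3)."""
    return min(zone.sl_achieved.values())


def fr_gaps(zone):
    """Step 4: map each FR whose SL-A is below the zone's SL-T to its shortfall."""
    return {fr: zone.sl_target - level
            for fr, level in zone.sl_achieved.items()
            if level < zone.sl_target}


def conduit_findings(zones, conduits):
    """List conduits lacking control-point controls; the higher SL-T of the two
    zones serves as a severity hint. A conduit naming an unknown zone is a
    modelling error and is rejected rather than silently skipped."""
    by_name = {z.name: z for z in zones}
    findings = []
    for c in conduits:
        if c.source not in by_name or c.destination not in by_name:
            raise KeyError(f"conduit references unknown zone: {c.source} -> {c.destination}")
        missing = CONTROL_POINT_CONTROLS - c.controls
        if missing:
            severity = max(by_name[c.source].sl_target, by_name[c.destination].sl_target)
            findings.append((f"{c.source} -> {c.destination}", severity, sorted(missing)))
    return sorted(findings, key=lambda f: -f[1])   # stable: highest SL-T first


def remediation_roadmap(zones):
    """Step 5: order FR gaps by zone SL-T (highest first), then shortfall (largest first)."""
    items = []
    for z in zones:
        for fr, shortfall in fr_gaps(z).items():
            items.append((z.name, fr, shortfall, z.sl_target))
    items.sort(key=lambda i: (-i[3], -i[2], i[0], i[1]))
    return [(name, fr, shortfall) for name, fr, shortfall, _ in items]


# Constructed sample: the typical zone architecture, with SL-A values reflecting
# common findings (shared credentials, no OT monitoring, flat network).
ZONES = [
    Zone("Enterprise", 1, sl_vector(1)),
    Zone("Industrial DMZ", 2, sl_vector(2)),
    Zone("Supervisory", 2, sl_vector(2, FR1=1, FR6=0)),
    Zone("Control", 2, sl_vector(2, FR3=1, FR5=1)),
    Zone("Safety", 3, sl_vector(3, FR5=2)),
]
CONDUITS = [
    Conduit("Enterprise", "Industrial DMZ", CONTROL_POINT_CONTROLS),
    Conduit("Industrial DMZ", "Supervisory", frozenset({"filtering", "logging"})),
    Conduit("Supervisory", "Control", CONTROL_POINT_CONTROLS),
    Conduit("Control", "Safety"),           # no boundary controls at all
    Conduit("Enterprise", "Supervisory"),   # vendor remote access bypassing the DMZ
]

if __name__ == "__main__":
    for z in ZONES:
        print(f"{z.name}: SL-T {z.sl_target}, SL-A {zone_sl_achieved(z)}, gaps {fr_gaps(z)}")
    for path, severity, missing in conduit_findings(ZONES, CONDUITS):
        print(f"conduit {path} (SL {severity}) missing {missing}")
    for name, fr, shortfall in remediation_roadmap(ZONES):
        print(f"{name} {fr} ({FOUNDATIONAL_REQUIREMENTS[fr]}): raise by {shortfall}")
```

Run as a script it prints each zone's SL-T, SL-A and FR gaps, the conduits missing control-point controls, and the ordered roadmap. Treating the conduit that skips the Industrial DMZ as a finding on the same footing as a missing control at the Control/Safety boundary is the point of modelling conduits explicitly: the gap is visible even though both endpoint zones may individually meet their SL-T.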
Common Findings in OT Gap Assessments
Based on hundreds of assessments across industrial facilities, the most common gaps against IEC 62443 include:
- No formal zone and conduit model: IT and OT networks connected without architectural security design. Often a single flat network.
- Shared or default credentials: Engineering workstations and HMIs using shared passwords, often unchanged since installation.
- No OT-specific monitoring: Zero visibility into OT network traffic, protocol communications, or anomalous behavior.
- Uncontrolled remote access: Permanent VPN connections for vendor access without session monitoring, time limits, or individual accountability.
- No patch management process: Firmware updates never applied due to operational constraints and lack of a structured process.
- Missing asset inventory: No comprehensive list of OT assets, software versions, firmware levels, or network configurations.
- No incident response plan for OT: IT incident response plans that do not account for OT-specific constraints including safety considerations.
Implementing IEC 62443 in Practice
The standard provides the framework; implementation requires translating requirements into practical controls suited to your specific environment. Key principles for successful implementation:
Start with visibility: Deploy passive monitoring to establish an asset inventory and network communication baseline before making any architectural changes. You cannot design effective security for an environment you do not fully understand.
Segment incrementally: Implement zone boundaries progressively, starting with the highest-risk boundaries (IT/OT interface and safety system isolation) and working toward more granular segmentation over time.
Design for operations: Every security control must be evaluated against operational requirements and safety implications. A security control that creates a safety risk is never acceptable, regardless of its security value.
Engage vendors early: Many OT security controls require vendor involvement for compatibility testing, firmware updates, and configuration changes. Build vendor security requirements into procurement and service contracts.
Document thoroughly: IEC 62443 compliance requires documented policies, procedures, risk assessments, and architecture diagrams. Evidence gathering and documentation is as important as technical implementation for demonstrating compliance.
Plan for maintenance: Security is not a project with an end date. Build ongoing assessment, monitoring, and improvement into the operational routine from the beginning.
Beacon Security provides IEC 62443 aligned assessments, gap analyses, and implementation support for industrial environments across all sectors. Contact us to discuss your compliance objectives.
