IEC 62443: cybersecurity for industrial automation


Kees van der Vlies

Partner | IT Auditor


IEC 62443 is a series of international standards developed specifically for the cybersecurity of Industrial Automation and Control Systems. In a world where operational technology is increasingly connected to IT networks, this standard is essential for protecting industrial processes.

The standard is relevant to a wide range of sectors: energy, water, manufacturing, transport, building automation and any environment where programmable logic controllers, SCADA systems or other industrial control systems are deployed.

IEC 62443 is unique because it divides responsibilities across three roles. Asset owners are the end users of industrial systems. System integrators design and implement the systems. Product suppliers deliver the components. Each role has specific security requirements.

The standard works with security levels from zero to four. Level zero means no specific security requirements. Level four offers protection against advanced, targeted attacks by state actors. Most industrial environments aim for level two or three, depending on their risk profile.

A core principle of IEC 62443 is defence in depth: multiple layers of security that together form a robust defence. This includes network segmentation via zones and conduits, access management, monitoring, patch management and incident response.

Zones and conduits are fundamental in IEC 62443. Zones group assets with similar security requirements. Conduits are the controlled communication channels between zones. By segmenting the network in this way, you limit the impact of a security incident.
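The zone and conduit model described above can be checked against observed traffic. The following is an added example, not part of the original article or of the standard's text: it assigns each flow's endpoints to a zone and reports any cross-zone flow that no conduit permits. The zone names, subnets, permitted services and flow records are constructed, and treating a conduit as a directional allow-list of protocol and port pairs is an assumption of this example.

```python
from ipaddress import ip_address, ip_network

# Zones: name -> subnets of assets with similar security requirements (constructed).
ZONES = {
    "enterprise": [ip_network("10.10.0.0/16")],
    "dmz":        [ip_network("10.20.0.0/24")],
    "control":    [ip_network("10.30.1.0/24")],
}

# Conduits: (source zone, destination zone) -> permitted (protocol, port) pairs.
CONDUITS = {
    ("enterprise", "dmz"): {("tcp", 443)},
    ("dmz", "control"):    {("tcp", 4840)},  # OPC UA default port
}

def zone_of(addr):
    """Return the zone name containing addr, or None if the asset is unzoned."""
    ip = ip_address(addr)
    return next((z for z, nets in ZONES.items() if any(ip in n for n in nets)), None)

def classify(flow):
    """Classify one flow (src, dst, proto, port) against the zone/conduit model."""
    src, dst, proto, port = flow
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "unzoned-asset"          # endpoint missing from the asset inventory
    if sz == dz:
        return "intra-zone"             # stays inside one zone, no conduit involved
    allowed = CONDUITS.get((sz, dz))
    if allowed is None:
        return "no-conduit"             # zones talk without a defined channel
    return "allowed" if (proto, port) in allowed else "service-not-permitted"

def violations(flows):
    """Return (flow, reason) for every flow that is neither intra-zone nor allowed."""
    checked = ((f, classify(f)) for f in flows)
    return [(f, v) for f, v in checked if v not in ("allowed", "intra-zone")]

# Constructed flow records, shaped like a firewall or flow-collector export.
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.0.5", "tcp", 443),     # enterprise -> dmz over the conduit
    ("10.10.4.7", "10.30.1.10", "tcp", 502),    # enterprise straight into control
    ("10.30.1.10", "10.30.1.11", "tcp", 502),   # controller to controller
    ("10.20.0.5", "10.30.1.10", "tcp", 3389),   # conduit exists, service not listed
    ("192.168.99.4", "10.30.1.10", "tcp", 502), # source not in any zone
]

if __name__ == "__main__":
    print(*violations(SAMPLE_FLOWS), sep="\n")
```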

The convergence of IT and OT makes IEC 62443 more relevant than ever. Where industrial systems previously operated in isolation, they are now connected to corporate networks and the internet. This significantly increases the number of attack vectors.

Secure Audit supports industrial organisations in implementing IEC 62443 and carrying out security assessments on OT environments. Get in touch for an exploratory conversation.
