What Is ISA/IEC 62443?
The ISA/IEC 62443 series constitutes the only globally consensus-driven, end-to-end standards suite dedicated to safeguarding industrial automation and control systems (IACS). Jointly authored by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC), this portfolio of standards and technical reports establishes a unified vocabulary, risk model, and control framework for industrial cybersecurity across various sectors, including manufacturing, energy, building automation, medical devices, and transportation.
ISA/IEC 62443 addresses the full security life cycle of industrial systems, from initial risk assessment and secure design, through integration and operation, to ongoing maintenance and improvement. The series recognizes that IACS resilience is a socio-technical issue encompassing technology, personnel competencies, and organizational processes.
The ISA/IEC 62443 series delivers a multi-tiered control framework for securing an IACS. Its structure spans four major categories, each with clearly defined sub-parts and requirement flows:
Part 1 establishes the common lexicon, foundational requirements, and reference models (zones, conduits, security levels) that underpin the entire standard series.
Part 1-1 introduces the concepts and models used throughout the series.
Part 2 defines how asset owners and service providers must govern, implement, and sustain industrial cybersecurity programs.
Part 2-1 defines how asset owners must establish and implement an effective IACS cybersecurity management program, forming the anchor for all other standards.
Part 2-3 gives guidance on patch-management processes to reduce vulnerabilities in IACS.
Part 2-4 prescribes requirements for integration and maintenance service providers supporting the IACS life cycle.
Part 2 is essential for establishing the governance, policies, and continuous improvement processes that drive downstream technical and procurement requirements.
Part 3 translates programmatic policy into system-level design and engineering controls.
Part 3-2 guides asset owners and system integrators to segment the system under consideration (SuC) into zones and conduits, assess risks, and record Target Security Levels (SL-T) and measures in a Cybersecurity Requirements Specification.
Part 3-3 defines the system security requirements linked to each security level to show what an IACS must achieve.
Part 3 is key to ensuring automation solutions are architected and integrated “secure by design.”
Part 4 specifies both supplier development practices and component-level technical requirements.
Part 4-1 requires product suppliers to establish and sustain a secure development life cycle (SDL) for control systems and components.
Part 4-2 defines the technical security capabilities that individual components (controllers, embedded devices, software modules) must provide.
Part 4 creates a procurement and certification baseline for component suppliers aligning with system-level needs.
Course Features
- Duration 10 weeks
- Skill level All levels
- Language English
- Assessments Yes



