This page is part of the IEC 62443 compliance hub.
IEC 62443 is the international standard for securing industrial automation and control systems. It is the framework that UK manufacturers, utilities, system integrators and product vendors are increasingly required to align with, whether by regulators, customers or certification bodies.
This guide explains what IEC 62443 is, how it is structured, who it applies to and why it has become the defining standard for operational technology cyber security across the UK and globally.
In This Guide
What IEC 62443 Is
IEC 62443 is a series of international standards that define requirements and processes for securing industrial automation and control systems, commonly referred to as IACS. It was developed by the International Society of Automation and adopted by the International Electrotechnical Commission for global publication.
The standard covers the full industrial ecosystem. It addresses the people, processes and technology involved in designing, building, integrating, operating and maintaining industrial control systems. It applies across the supply chain, placing different but complementary obligations on product vendors, system integrators and asset owners.
What distinguishes IEC 62443 from general IT security frameworks is its focus on operational technology environments where the priorities are different. In OT, safety and availability often take precedence over confidentiality. Systems run legacy protocols that were never designed with security in mind. Downtime can have physical, safety and economic consequences that have no equivalent in IT. IEC 62443 is built around these realities.
Where IEC 62443 Came From
IEC 62443 has its origins in work begun by the ISA99 committee of the International Society of Automation in 2002. The committee was established in response to growing recognition that industrial control systems were increasingly connected to corporate networks and the internet, creating cyber security risks that existing IT standards were not equipped to address.
The initial standards were published under the ANSI/ISA-99 designation. Around 2010 ISA strengthened its collaboration with the IEC, and the standards were adopted and republished as IEC 62443. The two organisations continue to develop the series jointly, with ISA publishing under the ANSI/ISA-62443 designation in the US and IEC publishing internationally as IEC 62443.
In 2021 the IEC recognised IEC 62443 as a horizontal standard, meaning it applies across all industry sectors that use operational technology rather than being limited to a specific sector. This recognition has accelerated its adoption globally and increased its relevance in UK regulatory discussions.
Who IEC 62443 Applies To
IEC 62443 defines obligations for three principal roles within the industrial ecosystem. Understanding which role applies to your organisation is the starting point for any IEC 62443 programme.
Asset owners are the organisations that own and operate IACS environments. Manufacturers, utilities, water companies, energy operators and critical infrastructure organisations fall into this category. Asset owners are primarily accountable to the system-level requirements in IEC 62443-3-3 and the policies and procedures requirements in IEC 62443-2-1.
System integrators design, build and commission IACS environments for asset owners. They are accountable to IEC 62443-2-4, which defines security requirements for IACS service providers, and to IEC 62443-3-3 for the systems they integrate.
Product vendors develop and supply the components, devices and software that make up IACS environments. They are accountable to IEC 62443-4-1, which governs secure development processes, and IEC 62443-4-2, which defines the technical security requirements that components must meet.
In practice, many organisations occupy more than one role. A manufacturer that also develops proprietary control system components is simultaneously an asset owner and a product vendor. Understanding the obligations that apply to each role is important for scoping a compliance programme correctly.
How IEC 62443 Is Structured
IEC 62443 is a multi-part series rather than a single document. The parts are organised into four groups, each addressing a different aspect of IACS security.
The General group (Part 1) covers foundational concepts, terminology, security metrics and the overall framework. It provides the common language and models that all other parts of the series build on. Part 1-1 defines terminology and concepts. Part 1-3 defines the security compliance metrics used across the series.
The Policies and Procedures group (Part 2) addresses the governance, management and operational requirements for asset owners and service providers. Part 2-1 covers the requirements for an IACS cyber security management system. Part 2-4 covers security requirements for IACS service providers including system integrators.
The System group (Part 3) addresses system-level security requirements and the processes for designing secure IACS architectures. Part 3-2 covers security risk assessment for system design. Part 3-3 defines system security requirements and security levels and is the part most commonly referenced in regulatory and procurement contexts.
The Component group (Part 4) addresses the requirements for product vendors. Part 4-1 defines secure product development lifecycle requirements. Part 4-2 defines technical security requirements for IACS components. Together these two parts form the foundation for product certification under IEC 62443.
For a detailed breakdown of each group and how the parts relate to each other in practice, see the IEC 62443 framework guide
Security Levels Explained
One of the most important concepts in IEC 62443 is the Security Level framework. Security Levels define the degree of protection that a system or component is designed to provide against different threat capabilities. There are four levels.
Security Level 1 provides protection against casual or unintentional violations. This is the baseline level and represents the minimum acceptable security for any IACS component or system. It addresses threats from users who might inadvertently cause security issues rather than deliberate adversaries.
Security Level 2 provides protection against intentional violation using simple means with low resources and generic skills. This is the level most commonly required for components and systems deployed in operational critical infrastructure. It addresses the threat from motivated adversaries using widely available tools and techniques.
Security Level 3 provides protection against intentional violation using sophisticated means with moderate resources and IACS-specific skills. This level is relevant for critical national infrastructure environments and addresses more capable, targeted adversaries.
Security Level 4 provides protection against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation. This level applies to the most sensitive environments and is rarely required for commercial components.
Security Levels apply both as targets, defining what level of protection a system or component is designed to achieve, and as capabilities, defining what level of protection it has been assessed to actually provide. The gap between target and capability is what compliance testing is designed to close.
Zones and Conduits
IEC 62443 introduces the concepts of zones and conduits as the architectural basis for securing IACS environments. These concepts are central to system-level compliance under IEC 62443-3-2 and IEC 62443-3-3.
A zone is a grouping of assets that share common security requirements. Assets within the same zone are subject to the same security controls and have a defined security level target. Zones are defined based on the criticality of the assets they contain, their connectivity to other zones, and the consequences of a security failure.
A conduit is the mechanism that controls and monitors communication between zones. Conduits include network connections, firewalls, data diodes and protocol gateways. Every flow of data between zones must pass through a defined conduit, and the security controls applied to that conduit must be appropriate for the security levels of the zones it connects.
The zone and conduit model drives network segmentation decisions and determines which communication paths require the most rigorous security testing. Protocol testing at zone boundaries, particularly where industrial protocols cross between zones with different security levels, is a direct consequence of applying the zone and conduit model in practice.
IEC 62443 in the UK
IEC 62443 is not a statutory requirement in the UK but its practical significance in the UK regulatory and procurement landscape has grown substantially in recent years.
The Network and Information Systems Regulations place obligations on operators of essential services to manage cyber security risk proportionately and demonstrably. IEC 62443 is the recognised technical framework for meeting those obligations in operational technology environments. UK regulators and auditors increasingly expect alignment with IEC 62443 as evidence of proportionate risk management in IACS contexts.
The NCSC Cyber Assessment Framework, which applies to operators of essential services, aligns closely with IEC 62443 at the technical level. Organisations that can demonstrate IEC 62443 compliance have a strong foundation for CAF assessments.
Beyond regulation, IEC 62443 appears with increasing frequency in UK procurement contracts and supply chain security requirements across energy, water, transport, defence and critical manufacturing sectors. For product vendors and system integrators, demonstrating IEC 62443 alignment is becoming a commercial necessity as well as a regulatory expectation.
For a detailed guide to how IEC 62443 applies specifically in the UK regulatory context, see the IEC 62443 UK compliance guide.
Why IEC 62443 Matters Now
The convergence of IT and OT networks has fundamentally changed the threat landscape for industrial organisations. Systems that were once isolated are now connected. Protocols that were designed for reliability in closed networks are now exposed to adversaries with sophisticated tools and clear motivation.
The consequences of a security failure in an IACS environment are different in kind from IT security failures. A compromised PLC does not just mean lost data. It can mean lost production, physical damage, safety incidents or disruption to critical services that affect communities and national infrastructure.
IEC 62443 exists because this threat is real and growing, and because the industrial sector needed a framework that addressed its specific characteristics rather than adapting IT security frameworks that were never designed for OT environments. Its adoption is accelerating because regulators, customers and insurers are all moving in the same direction: requiring demonstrable, evidence-based security assurance rather than accepting documented intent.
Organisations that build IEC 62443 compliance into their products and operations now are better positioned commercially, better protected operationally, and better prepared for the regulatory direction of travel than those that treat it as a future consideration.
Getting Started with IEC 62443
The starting point for any IEC 62443 programme is understanding which parts of the standard apply to your organisation and which role or roles you occupy within the industrial supply chain.
For product vendors, the immediate priorities are IEC 62443-4-2 for component technical requirements and IEC 62443-4-1 for secure development lifecycle processes. Start by understanding the Component Requirements that apply to your product type and security level target, then assess which SVV testing activities you need to put in place to generate compliance evidence.
For system integrators, the immediate priorities are IEC 62443-2-4 for service provider requirements and IEC 62443-3-3 for system-level security requirements. Start by understanding the security level targets for the systems you integrate and what testing evidence is required to support those claims.
For asset owners, the immediate priorities are IEC 62443-2-1 for cyber security management system requirements and IEC 62443-3-3 for system security requirements. Start by defining zones and conduits, establishing security level targets, and identifying the testing and assurance activities needed to support those targets.
Across all roles, protocol security testing is a consistent requirement. ProtoCrawler generates the empirical evidence of protocol robustness that IEC 62443 demands, producing structured, audit-ready outputs that map directly to the relevant clause requirements.
Explore the full IEC 62443 compliance hub for detailed guides covering every aspect of the standard, from certification and component requirements to compliance testing and protocol security
Book a demo
Ready to start your IEC 62443 programme? Book a demo to see how Cytal and ProtoCrawler support organisations across the full IEC 62443 compliance journey.