Labs and certification bodies face a specific challenge in IEC 62443 assessment. The standard places explicit testing obligations on product vendors, and assessing whether those obligations have been met requires testing capability that matches the scope and methodology the standard demands. A lab that reviews process documentation and conducts interviews but cannot independently verify protocol security testing evidence is not fully assessing what the standard requires.
The gap appears consistently across the lab ecosystem. IEC 62443 assessment capability has developed faster at the governance and process level than at the protocol testing level. Labs that are strong on IEC 62443-4-1 practice documentation review are often less well equipped to assess the SVV-3 vulnerability testing evidence that Practice 5 requires, or to conduct independent protocol testing where the evidence presented by the vendor is insufficient.
This guide explains what IEC 62443 assessment requires from labs at the protocol testing level, what capability is needed, and how ProtoCrawler supports labs building or expanding their IEC 62443 testing programme.
In This Guide
- What Labs Are Assessing in IEC 62443
- The Protocol Testing Gap in Lab Capability
- What Protocol Testing Capability IEC 62443 Assessment Requires
- Reviewing SVV-3 Evidence: What Assessors Look For
- When Labs Need to Conduct Independent Protocol Testing
- How ProtoCrawler Supports IEC 62443 Lab Assessment
- Common Questions
What Labs Are Assessing in IEC 62443
IEC 62443 assessment for product vendors covers two complementary certifications: IEC 62443-4-1 process certification and IEC 62443-4-2 component certification. Both require third-party assessment by an accredited certification body, and both place demands on lab capability that go beyond documentation review.
IEC 62443-4-1 assessment examines the vendor’s secure development lifecycle against the eight practice areas defined by the standard. At the process documentation level, assessors review defined process documents, conduct staff interviews, and examine records of process application. At the technical level, assessors need to evaluate the quality of the security testing evidence produced under Practice 5, including SVV-3 vulnerability testing evidence. Evaluating whether SVV-3 evidence is adequate requires understanding what good protocol fuzz testing looks like and being able to identify evidence that is insufficient in scope, methodology, or coverage.
IEC 62443-4-2 assessment examines specific product versions against specific component requirements at a stated security level. For requirements like CR 3.5 input validation and CR 7.1 denial-of-service protection, the assessment requires either reviewing adequate vendor-supplied testing evidence or conducting independent testing to verify that the requirements are met. In either case, the assessor needs the capability to understand what the testing should cover and to verify that it has done so.
The Protocol Testing Gap in Lab Capability
The protocol testing gap in IEC 62443 lab capability is not universal, but it is common, and it tends to appear in a predictable pattern.
Labs that developed their IEC 62443 capability from an IT security background are typically strong on process assessment, documentation review, and governance evaluation. They understand the management system aspects of IEC 62443-4-1 and can assess Practice 1 through Practice 4 and Practices 6 through 8 competently. Where they often have less depth is in Practice 5, specifically the SVV-3 robustness and vulnerability testing requirement, because this requires protocol-specific testing knowledge and tooling that IT security assessment backgrounds do not typically include.
Labs that developed their IEC 62443 capability from an OT engineering background often have strong protocol knowledge and understand how industrial systems are built and operated. Their gap tends to be in systematic security testing methodology: they understand the protocols but may not have the tooling and structured approach needed to generate protocol-aware fuzz test cases at scale and produce the evidence documentation that SVV-3 requires.
The consequence is that SVV-3 evidence review is the most inconsistently handled part of IEC 62443-4-1 assessment across the lab ecosystem. Vendors with weak SVV-3 evidence sometimes receive certification because the assessing lab lacked the capability to identify the inadequacy. Vendors with strong SVV-3 evidence sometimes face unnecessary friction because the assessing lab did not have a clear framework for evaluating it.
What Protocol Testing Capability IEC 62443 Assessment Requires
For a lab to assess IEC 62443-4-1 Practice 5 SVV-3 credibly, it needs capability across three areas.
The first is protocol knowledge. Assessors need to understand the industrial protocols that the vendor’s products implement: what those protocols do, how their message structures are organised, which fields and functions are security-relevant, and which vulnerability classes are associated with each protocol category. This knowledge is what enables an assessor to evaluate whether a vendor’s SVV-3 test scope is adequate for the protocols their product implements.
The second is testing methodology knowledge. Assessors need to understand what protocol-aware fuzz testing is, how it differs from generic testing, what coverage of the protocol attack surface a credible test programme should achieve, and what the evidence output should contain. This is what enables an assessor to evaluate whether a vendor’s SVV-3 evidence demonstrates adequate methodology and coverage rather than superficial testing activity.
The third is independent testing capability. Where vendor-supplied SVV-3 evidence is absent, inadequate, or contested, the lab needs to be able to conduct independent protocol security testing against the product under assessment. This requires protocol-aware fuzzing tooling that covers the relevant industrial protocols, a test environment for running the target product, and the operational competence to configure tests, interpret findings, and produce evidence in the format that assessment documentation requires.
Reviewing SVV-3 Evidence: What Assessors Look For
SVV-3 evidence review is the practical skill that IEC 62443-4-1 assessors most often need to develop to assess Practice 5 credibly. The review should evaluate four components of the submitted evidence.
Scope adequacy examines whether the testing covered the right protocols and interfaces. A product with Modbus, DNP3, and MQTT interfaces should have SVV-3 evidence covering all three, with test cases addressing the specific attack surfaces of each. Evidence that covers only one of three implemented protocols, or that documents testing of the management interface but not the operational protocol interfaces, has a scope gap that the assessor should raise.
Methodology adequacy examines whether the testing used an approach capable of reaching the application logic where security-relevant vulnerabilities sit. Evidence from a mutation-based fuzzing tool applied to protocols with strict framing requirements, or from a generic network scanner that does not generate protocol-aware test cases, does not demonstrate adequate methodology for industrial protocol testing. The assessor needs to understand the difference and be able to articulate why methodology matters for the protocols in scope.
Finding quality examines whether the findings documented in the evidence are specific, reproducible, and complete. Each finding should identify the exact input that triggered it, the observed behaviour, and the severity classification. Evidence that documents findings at the level of "crash observed during Modbus testing", without the specific request and response detail, is not adequate. If a vendor presents clean evidence with no findings, the assessor should consider whether the absence of findings reflects a robust implementation or inadequate testing depth.
Coverage documentation examines whether the evidence demonstrates that the testing exercised the protocol attack surfaces that matter. Protocol model coverage documentation, showing which message types, function codes, field variations, and state machine paths were tested, is the evidence that distinguishes thorough testing from superficial testing. Its absence is a gap worth raising even if individual findings are well documented.
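The methodology and coverage points above, as an added example written for this guide (not ProtoCrawler code or output): it assumes a constructed protocol model of a Modbus/TCP server that declares three function codes, shows why a blind mutation that breaks MBAP framing never reaches the function handler while a generated case with a recomputed length field does, and produces the kind of protocol-model coverage record SVV-3 evidence should carry. Function names, variant labels and the report layout are illustrative assumptions.

```python
import struct
from itertools import product

# Constructed protocol model (assumption): the function codes the product
# declares. Each request PDU here is FC (1 byte) + two 16-bit fields.
MODEL = {1: "Read Coils", 3: "Read Holding Registers", 6: "Write Single Register"}

# Field variations a generation-based test exercises on the second 16-bit field:
# boundaries of the spec limit (125 registers per read) and of the field itself.
VARIANTS = {"zero": 0, "min": 1, "spec_max": 125, "over_max": 126, "max16": 0xFFFF}

def mbap_frame(pdu: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Generation-based case: the MBAP length field is recomputed for every PDU,
    so the frame passes framing and the (possibly malformed) PDU reaches the
    function-code handler, which is where input-validation defects live."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def framing_ok(frame: bytes) -> bool:
    """The framing check a Modbus/TCP receiver applies before dispatching on FC:
    protocol id must be 0 and the MBAP length must match the bytes after it."""
    if len(frame) < 8:
        return False
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    return proto == 0 and length == len(frame) - 6

def blind_extend(frame: bytes, extra: bytes) -> bytes:
    """Mutation-based case: bytes appended without updating the MBAP length,
    so the receiver rejects the frame at the framing layer."""
    return frame + extra

def generate_cases() -> list[tuple[int, str, bytes]]:
    """One protocol-aware case per (function code, field variant) in the model."""
    return [(fc, name, mbap_frame(struct.pack(">BHH", fc, 0, val)))
            for fc, (name, val) in product(MODEL, VARIANTS.items())]

def coverage_report(executed: list[tuple[int, str, bytes]]) -> dict:
    """Protocol-model coverage record: which FC/variant pairs were exercised and
    which declared function codes were never tested (a scope gap to raise)."""
    exercised = {(fc, name) for fc, name, _ in executed}
    hit_fcs = {fc for fc, _ in exercised}
    return {"exercised": sorted(exercised),
            "untested_function_codes": sorted(fc for fc in MODEL if fc not in hit_fcs),
            "pairs_total": len(MODEL) * len(VARIANTS), "pairs_hit": len(exercised)}

if __name__ == "__main__":
    cases = generate_cases()
    print(len(cases), "generated cases; all pass framing:",
          all(framing_ok(f) for _, _, f in cases))
    print("blind mutation passes framing:", framing_ok(blind_extend(cases[0][2], b"\x00\x7d")))
    print(coverage_report([c for c in cases if c[0] == 3]))
```

An assessor can apply the same coverage_report logic to a vendor's executed-case list to check whether the declared function codes and field boundaries were actually exercised.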
When Labs Need to Conduct Independent Protocol Testing
There are three situations where a lab conducting an IEC 62443 assessment may need to conduct independent protocol security testing rather than relying solely on vendor-supplied evidence.
The first is absent evidence. If a vendor submits for IEC 62443-4-1 assessment without SVV-3 evidence, or with evidence that covers only a fraction of the product’s protocol surfaces, the lab has two options: fail the assessment for inadequate evidence, or conduct independent testing to fill the gap. The second option produces a more complete assessment and a more useful outcome for the vendor, but it requires the lab to have the capability to conduct the testing.
The second is inadequate evidence quality. If vendor-supplied SVV-3 evidence was produced with a methodology that cannot reach the application-layer vulnerabilities the standard requires to be addressed, the lab may determine that the evidence does not satisfy SVV-3 and conduct supplementary independent testing. This is the situation where the protocol testing capability gap most directly affects the quality and consistency of IEC 62443 certifications across the ecosystem.
The third is verification testing for IEC 62443-4-2. Component certification against CR 3.5 and CR 7.1 may require the lab to independently verify that the component handles invalid inputs correctly and maintains availability under adverse conditions. Where the vendor’s testing evidence is adequate, independent verification may not be required. Where it is absent or insufficient, independent testing is the only basis for asserting that the component requirements are met.
How ProtoCrawler Supports IEC 62443 Lab Assessment
ProtoCrawler provides the protocol testing infrastructure that IEC 62443 labs need for both SVV-3 evidence review support and independent protocol testing capability.
For SVV-3 evidence review, ProtoCrawler gives assessors a reference framework for what adequate protocol fuzz testing evidence looks like. The structured evidence output that ProtoCrawler produces, with documented scope, methodology, protocol model coverage, findings with exact reproducing inputs, and requirement traceability, represents the evidence format that SVV-3 should produce. Assessors who understand ProtoCrawler’s output format have a concrete reference point for evaluating whether vendor-supplied evidence meets the same standard.
For independent protocol testing, ProtoCrawler gives labs the generation-based, protocol-aware fuzzing capability to test the industrial protocols that IEC 62443-4-2 component assessments cover. For products implementing Modbus, DNP3, IEC 61850, DLMS, or MQTT, ProtoCrawler generates protocol-aware test cases that reach the application logic and produce findings with the exact specificity that assessment documentation requires.
The reporting output maps findings directly to IEC 62443-4-2 requirements including CR 3.5 and CR 7.1, producing the requirement-traced evidence that component certification assessments need. Labs that build ProtoCrawler into their IEC 62443 assessment workflow gain a repeatable, documented testing capability that applies consistently across every product assessment in those protocol categories.
For the full list of supported protocols, see the protocol models page.
- Modbus → https://cytal.co.uk/protocols/modbus-server/
- DNP3 → https://cytal.co.uk/protocols/distributed-network-protocol-3-dnp3/
- IEC 61850 → https://cytal.co.uk/protocols/iec61850-client-server-mms/
- DLMS → https://cytal.co.uk/protocols/dlms-server/
- MQTT → https://cytal.co.uk/protocols/mqtt-client/
- protocol models page → https://cytal.co.uk/protocols/
- IEC 62443 compliance hub → https://cytal.co.uk/iec-62443/
Common Questions
Which certification bodies currently offer IEC 62443 assessment services?
Several internationally recognised organisations offer IEC 62443-4-1 and 4-2 assessments including exida, TÜV SÜD, TÜV Rheinland, UL Solutions, Intertek, and SGS. The market for IEC 62443 certification services is growing as demand from product vendors increases, and some of these organisations are actively building their protocol testing capability to support more comprehensive assessments.
Does an IEC 62443 lab need to be accredited to a specific standard?
Accreditation requirements for IEC 62443 certification bodies vary by market and customer. ISO 17065 accreditation is the relevant standard for product certification bodies and is required or expected by many customers and procurement frameworks as evidence of assessment quality and independence. Labs building IEC 62443 assessment capability as part of an ISO 17065 accredited service need to demonstrate that their testing methods, including protocol testing capability, meet the quality requirements of the accreditation.
How does a lab demonstrate competence in protocol security testing to customers?
Competence demonstration typically involves documenting the testing methodology used for each protocol category, the tooling deployed and its validation, the qualifications and experience of the assessors involved, and the traceability of assessment findings to specific protocol attack surfaces. Labs that can provide reference assessments showing the depth and structure of their protocol testing output, and that can explain the methodology to technically sophisticated customers, build confidence in the quality of their assessments.
What is the difference between an IEC 62443 lab assessment and a vendor self-assessment?
IEC 62443 certification requires third-party assessment by an accredited or recognised certification body. A vendor self-assessment can be a useful internal preparation tool, identifying gaps and building evidence before a formal assessment, but it does not produce the third-party certification that customers and procurement frameworks require. The independence of the certification body from the vendor being assessed is a requirement of the standard and is what gives the certification its value as a trust signal.
Ready to build IEC 62443 protocol testing capability into your lab assessment programme? Book a demo to see how ProtoCrawler gives certification bodies the generation-based protocol testing infrastructure that IEC 62443 Practice 5 SVV-3 assessment requires.