In today's interconnected world, the security of industrial control systems (ICS) and operational technology (OT) is of paramount importance. These systems are the backbone of critical infrastructure, including energy, water, transportation and manufacturing. As cyber threats continue to evolve, securing these systems has become a priority. ISO 62443 is a series of standards developed to address this need, providing a framework for securing ICS and OT environments.
This blog gives a broad overview of ISO 62443 and explains what developers need to do to comply with these standards during the development process.
What is ISO 62443?
ISO 62443 is an international standard developed by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC). It provides guidelines and requirements for the security of industrial automation and control systems (IACS). The standard is designed to address the unique security challenges faced by these systems, which mostly operate in safety-critical environments.
Structure of ISO 62443
ISO 62443 is divided into four main parts, each focused on different aspects of IACS security:
(Figure: structure of ISO 62443)
General (62443-1-x)
This category provides foundational information, including terminology, concepts, and models that are essential for understanding and implementing the other parts of the standard.
- 62443-1-1: It establishes the fundamentals of cybersecurity for industrial automation and control systems, outlining essential concepts, terminology, and foundational principles to enhance system security.
- 62443-1-2: It outlines foundational concepts for industrial cybersecurity, focusing on defining security levels, key terms, and principles essential for safeguarding automation and control systems.
- 62443-1-3: System Security Compliance Metrics.
- 62443-1-4: It defines the principles and requirements for cybersecurity in industrial automation, focusing on secure design, operation, and lifecycle management of systems and components.
Policies and Procedures (62443-2-x)
This category focuses on the establishment and maintenance of security programs and policies.
- 62443-2-1: It provides guidelines for performing security risk assessments and designing secure systems for Industrial Automation and Control Systems (IACS), ensuring robust cybersecurity measures.
- 62443-2-2: It focuses on assessing and managing security risks in industrial control systems. It provides guidelines for identifying threats, evaluating risks, and defining security requirements for system design.
- 62443-2-3: Patch Management in the IACS Environment.
- 62443-2-4: It focuses on security program requirements for IACS. It provides guidelines for establishing and maintaining a robust security management program, ensuring comprehensive protection of systems.
System (62443-3-x)
This category addresses security requirements for system-level activities, including risk assessment and system design.
- 62443-3-1: It focuses on security technologies for industrial automation, providing guidelines on selecting and implementing security measures like firewalls, encryption, and intrusion detection systems.
- 62443-3-2: It focuses on assessing and defining security requirements for industrial control systems. It guides the risk assessment process and helps establish security measures for system design.
- 62443-3-3: It defines system security requirements for industrial control systems, focusing on achieving specific security levels through detailed technical controls and risk management practices.
Component (62443-4-x)
This category defines security requirements for individual system components, including software development and hardware design.
- 62443-4-1: It defines secure development lifecycle requirements for industrial control systems, focusing on secure software development practices and lifecycle management to protect against cyber threats.
- 62443-4-2: It specifies security requirements for industrial automation and control system components, focusing on secure design, implementation, and maintenance of system components to ensure robust cybersecurity.
This category also maps specific security controls and capabilities to corresponding security levels (SLs), ensuring that components support the desired SLs.
Security Levels
Security levels gauge the robustness of an IACS against cybersecurity threats. They range from SL 0 to SL 4, with each level representing a progressively higher degree of security.
- SL 0 (No Special Security Protection): This baseline level implies no specific cybersecurity measures are in place, and the system is vulnerable to any threat.
  Example: Anyone can access the control system and modify settings without any authentication or logging.
- SL 1 (Protection Against Casual or Coincidental Violation): At this level, basic measures are implemented to guard against unintentional breaches or low-skill attackers, such as basic access control and simple authentication mechanisms.
  Example: An operator must log in with a username and password to access the control system, preventing accidental modifications by unauthorized personnel.
- SL 2 (Protection Against Intentional Violation Using Simple Means): Enhanced measures are in place to protect against deliberate but unsophisticated attacks. This includes stronger authentication, user management, and more rigorous access controls.
  Example: Only specific IP addresses are allowed to connect to the control system, and operators have roles with defined permissions (e.g., read-only access for some users).
- SL 3 (Protection Against Intentional Violation Using Sophisticated Means): This level involves advanced security mechanisms to defend against highly skilled attackers. Measures include detailed auditing, anomaly detection, and robust encryption.
  Example: All data transmitted between the control system and operators is encrypted. The system logs all access attempts and changes.
- SL 4 (Protection Against Intentional Violation Using Highly Sophisticated Means): The highest security level, SL 4, offers protection against highly sophisticated threats. It involves thorough security practices, such as multi-factor authentication, comprehensive encryption, and real-time threat monitoring.
  Example: Developers must use multi-factor authentication to access the control system. The system is continuously monitored for threats, with immediate response mechanisms in place to mitigate any detected risks.
Key Principles of ISO 62443
Before diving into what developers need to know, it's important to understand the key principles underlying ISO 62443:
- Defense in Depth: Implement multiple layers of security controls to protect against threats.
- Zone and Conduit Model: Segment the network into zones with similar security requirements and define tools for secure communication between zones.
- Risk Assessment: Regularly assess risks to identify and mitigate potential threats.
- Security by Design: Integrate security practices throughout the development lifecycle, from design to deployment.
What Developers Need to Do
Developers are mainly involved in adding the support required by the ISO 62443-3 sub-standards. For example:
Security Technologies for IACS:
Evaluate various security technologies, such as firewalls, intrusion detection systems, and secure communication protocols. Configure robust firewalls to segment the network and prevent unauthorized access and implement intrusion detection systems to monitor for suspicious activities.
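The zone and conduit model from the key principles above, applied to the network segmentation described here, as an added example in Python that is not part of the original post: each zone carries a target security level (SL-T), conduits are the only declared cross-zone paths, and any other cross-zone flow is denied. Zone names, address ranges and sample flows are constructed for the example.

```python
# Added illustration of the zone-and-conduit model; not code from the standard.
# Zones group assets that share a target security level (SL-T); a conduit is
# the only sanctioned path between two zones and lists the protocols it may
# carry. Any cross-zone flow not covered by a conduit is denied, which is the
# rule a segmentation firewall enforces. All names and addresses are constructed.
from ipaddress import ip_address, ip_network

# zone name -> (SL-T, CIDR blocks belonging to the zone)
ZONES = {
    "enterprise": (1, [ip_network("10.0.0.0/16")]),
    "supervisory": (2, [ip_network("192.168.10.0/24")]),
    "control": (3, [ip_network("192.168.20.0/24")]),
}

# (source zone, destination zone) -> protocols the conduit carries.
# Conduits are directional; a zone pair absent here has no conduit at all.
CONDUITS = {
    ("enterprise", "supervisory"): {"https"},
    ("supervisory", "control"): {"modbus/tcp", "ssh"},
}


def zone_of(addr):
    """Return the zone name containing addr, or None for an unassigned address."""
    ip = ip_address(addr)
    return next((name for name, (_, nets) in ZONES.items()
                 if any(ip in n for n in nets)), None)


def flow_allowed(src_ip, dst_ip, protocol):
    """Default deny: cross-zone traffic passes only via a matching conduit.
    Traffic that stays inside one zone is governed by that zone's own controls."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    return src == dst or protocol in CONDUITS.get((src, dst), set())


def conduits_into_higher_sl(conduits=CONDUITS):
    """Conduits that enter a zone whose SL-T exceeds the source zone's: these
    are the paths the risk assessment has to justify with compensating
    controls, because the weaker zone becomes the attack surface of the stronger one."""
    return sorted((src, dst) for src, dst in conduits
                  if ZONES[src][0] < ZONES[dst][0])


def audit_flows(flows):
    """Evaluate flow records (src, dst, protocol) and return the denied ones,
    which is what the segmentation firewall would log for review."""
    return [f for f in flows if not flow_allowed(*f)]
```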
Security Risk Assessment for System Design:
Conduct a comprehensive risk assessment of a product's critical assets or modules. Map potential threats, such as unauthorized access to modules (PLCs, etc.) and data interception between sensors and control systems. Implement encrypted communication between modules and sensors.
System Security Requirements and Security Levels:
Harden the operating systems of the product's control systems by disabling unnecessary services and applying the latest security patches. Install robust logging/audit mechanisms to track all access and changes, ensuring any suspicious activity can be swiftly identified and addressed.
Conclusion
ISO 62443 provides a comprehensive framework for securing industrial control systems and operational technology. For developers, adhering to these standards requires a commitment to integrating security practices throughout the development lifecycle. By understanding the key principles of ISO 62443 and implementing secure coding practices, threat modeling, robust access controls, and security testing, developers can significantly enhance the security of their systems.