How the international standard for industrial cybersecurity defines protection levels, assigns responsibilities across the supply chain, and helps organisations secure everything from pumps and motors to critical infrastructure.
The big picture
Industrial control systems run the world around us – from the pumps moving water to your tap, to the motors in manufacturing lines, to the turbines generating electricity. IEC 62443-3-3 is the international standard that tells us how to protect these systems from cyber attacks.
The core idea is simple: components combine to form systems, and systems need security that matches their risk.
Think of it like building a house. Individual bricks, windows, and doors (components) each have their own quality standards. But a house (system) needs more than quality parts – it needs proper architecture, the right locks on the right doors, and different levels of protection for different rooms. You wouldn’t put the same lock on your garden shed as your front door.
IEC 62443-3-3 provides exactly this logic for industrial systems. It defines four Security Levels (SL 1-4) based on who you’re protecting against – from accidental misuse up to state-sponsored attacks. It then specifies 51 technical requirements organised into seven categories covering everything from user authentication to network segmentation to backup and recovery.
The standard creates clear responsibilities:
- Manufacturers must build security into their products and document what security level each product can achieve
- System integrators must select the right products, configure them properly, and fill any gaps with additional measures
- Asset owners must assess their risks, define what security level they need, and maintain security throughout operations
This isn’t just good practice – it’s increasingly mandatory. The EU Cyber Resilience Act, NIS2 Directive, and Machinery Regulation all point toward IEC 62443 as the way to demonstrate compliance. Organisations investing in this standard now are building a foundation that satisfies multiple regulatory requirements at once.
How components become systems
Understanding IEC 62443-3-3 starts with understanding how industrial systems are built.
A water treatment plant contains chemical dosing PLCs, a SCADA server, industrial firewalls, and a historian database. Each of these is a component with its own security capabilities. When connected together – through networks, configured with access controls, deployed in a facility – they become a system.
IEC 62443 handles this through three related standards:
- IEC 62443-4-2 covers components – what security features a PLC, HMI, or network switch must have
- IEC 62443-3-3 covers systems – what the combined, integrated solution must achieve
- IEC 62443-4-1 covers development – how manufacturers must build security in from the start
Each component has a Capability Security Level (SL-C) – what it can achieve when properly configured. The integrated system must meet a Target Security Level (SL-T) based on risk assessment. The actual protection achieved after deployment is the Achieved Security Level (SL-A).
The key insight: you can’t just buy SL-3 certified components and assume you have an SL-3 system. Integration, configuration, and compensating measures all matter.
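To make the SL-C / SL-T / SL-A relationship concrete, here is an added worked example (not code from the article or from any IEC 62443 tool). It models each level as a vector of seven values, one per Foundational Requirement, as the standard's capability declarations do, and runs a gap analysis for a zone: the weakest configured component sets the achieved level per FR, an unconfigured component counts as SL 0, and compensating measures lift individual FRs. The component names, values and the min/max aggregation rule are constructed assumptions for illustration, not the standard's formal method.

```python
"""SL vector gap analysis: SL-C of components vs SL-T of the zone.
Example code added to the article; component names and levels are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# The seven Foundational Requirements, FR1..FR7.
FRS = ["FR1", "FR2", "FR3", "FR4", "FR5", "FR6", "FR7"]

SLVector = Dict[str, int]  # e.g. {"FR1": 3, "FR2": 2, ...}


def sl_vector(*levels: int) -> SLVector:
    """Build an SL vector from seven integers in the range 0..4 (one per FR)."""
    if len(levels) != len(FRS) or any(not 0 <= v <= 4 for v in levels):
        raise ValueError("an SL vector needs seven values in the range 0..4")
    return dict(zip(FRS, levels))


@dataclass
class Component:
    name: str
    sl_c: SLVector            # capability level declared by the manufacturer
    configured: bool = True   # hardening guide applied? if not, it contributes SL 0


@dataclass
class CompensatingMeasure:
    """A procedural or technical control that raises one FR for the zone."""
    name: str
    fr: str
    raises_to: int


def achieved_vector(components: List[Component],
                    measures: Iterable[CompensatingMeasure] = ()) -> SLVector:
    """SL-A per FR (assumed rule): the weakest component governs each FR,
    an unconfigured component counts as 0, then measures lift single FRs."""
    achieved = {}
    for fr in FRS:
        achieved[fr] = min((c.sl_c[fr] if c.configured else 0) for c in components)
    for m in measures:
        achieved[m.fr] = max(achieved[m.fr], m.raises_to)
    return achieved


def gap_report(target: SLVector, components: List[Component],
               measures: Iterable[CompensatingMeasure] = ()) -> List[Tuple[str, int, int]]:
    """Return (FR, target, achieved) for every FR where SL-A < SL-T."""
    achieved = achieved_vector(components, list(measures))
    return [(fr, target[fr], achieved[fr]) for fr in FRS if achieved[fr] < target[fr]]


def meets_target(target: SLVector, components: List[Component],
                 measures: Iterable[CompensatingMeasure] = ()) -> bool:
    return not gap_report(target, components, measures)


if __name__ == "__main__":
    # Constructed supervisory zone with SL-T 3 for every FR.
    target = sl_vector(3, 3, 3, 3, 3, 3, 3)
    scada = Component("SCADA server", sl_vector(3, 3, 3, 3, 3, 3, 3))
    historian = Component("Historian", sl_vector(3, 3, 3, 2, 3, 2, 3))
    switch = Component("Cell switch", sl_vector(3, 3, 3, 3, 3, 3, 3), configured=False)
    print("unconfigured switch:", gap_report(target, [scada, historian, switch]))
    switch.configured = True
    print("after hardening:", gap_report(target, [scada, historian, switch]))
    fixes = [CompensatingMeasure("TLS on historian conduit", "FR4", 3),
             CompensatingMeasure("Central log collection", "FR6", 3)]
    print("with compensating measures:", meets_target(target, [scada, historian, switch], fixes))
```

Running it shows the article's point directly: three SL-3 capable components still give an SL 0 system while the switch is unconfigured, and even after hardening the historian's weaker FR4 and FR6 capability leaves two gaps that only compensating measures close.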
The four security levels
IEC 62443-3-3 defines four Security Levels, each protecting against a more capable attacker:
Security Level 1 protects against casual or coincidental violation – someone accidentally clicking the wrong button, or an opportunistic outsider who finds an open port. This is the baseline, requiring unique user identification, basic authentication, and audit logging. It is suitable for non-critical monitoring systems.
Security Level 2 defends against intentional attacks using simple means – generic hackers, low-skill attackers with limited resources. This adds stronger password policies, session management, and protection of data crossing untrusted networks. Standard manufacturing lines typically need SL-2.
Security Level 3 counters sophisticated attacks by adversaries with moderate resources and specific IACS knowledge – hacktivist groups, industrial espionage actors, organised criminals. This demands multi-factor authentication for remote access, cryptographic protection of data, and automated security verification. Chemical plants, pharmaceutical manufacturing, and public utilities often require SL-3.
Security Level 4 provides maximum protection against state-level attacks with extensive resources and deep expertise. Nuclear facilities, national critical infrastructure, and safety systems protecting against catastrophic consequences need SL-4. This mandates hardware-based security mechanisms and multi-factor authentication across all networks.
Each level builds on the previous – SL-3 includes all SL-2 requirements plus additional ones. You don’t skip levels.
The seven foundational requirements
IEC 62443-3-3 organises its 51 System Requirements under seven Foundational Requirements. Each addresses a specific security domain:
FR1 – Identification and authentication control ensures every user, device, and software process is identified and verified before accessing the system. This covers human user authentication, device authentication, account management, password policies, and access via untrusted networks.
FR2 – Use control constrains authenticated users to only their authorised actions. This includes authorisation enforcement, session management, portable device controls, and audit logging. Importantly, the standard recognises OT constraints – session locks must not govern critical functions where screen locking could create unsafe conditions.
FR3 – System integrity prevents unauthorised modification of system information and software. This covers communication integrity, malware protection, input validation, and error handling. A key requirement: systems must return to predefined safe states when normal operation fails – industrial processes can’t just crash unpredictably.
FR4 – Data confidentiality protects information from unauthorised disclosure. While this has fewer requirements than other areas, it includes protection of data at rest and in transit, and proper handling of information when equipment is decommissioned.
FR5 – Restricted data flow addresses network segmentation through zones and conduits. This drives implementation of industrial firewalls, data diodes, and demilitarised zones between network segments.
FR6 – Timely response to events covers detection and response capabilities – audit log accessibility and continuous monitoring to support incident detection and forensic investigation.
FR7 – Resource availability ensures continued operation during attacks and failures. This includes denial-of-service protection, backup and recovery, emergency power, and component inventory. Systems must be able to operate in predetermined degraded modes – maintaining essential control even while under attack.
Zones and conduits
The zones and conduits model is how IEC 62443 structures network architecture.
A zone groups assets with common security requirements. A water treatment plant might have an Enterprise Zone (business systems), a Supervisory Zone (SCADA servers), multiple Production Cell Zones (PLCs and HMIs), and a Safety Zone (emergency shutdown systems). Each zone gets its own target security level based on what happens if it’s compromised.
A conduit is the communication pathway between zones – every connection crossing a zone boundary passes through a conduit that applies appropriate security controls. The greater the difference in security level between two zones, the stronger the conduit controls must be.
This isn’t abstract architecture – it drives real decisions. An industrial firewall between your enterprise network and your SCADA systems is a conduit control. A data diode ensuring information only flows one way from your safety systems is a conduit control. Network segmentation using VLANs creates zone boundaries.
The IEC 62443-3-2 standard guides the process of identifying zones, assessing risks, and assigning security levels – producing a Cybersecurity Requirements Specification that becomes the blueprint for implementation.
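The zone and conduit model lends itself to a simple architecture check, shown here as an added example (not code from the article, from IEC 62443-3-2, or from any product). It takes zones with their target levels, the conduits declared between them and the actual links between assets, then reports two kinds of finding: a link that crosses a zone boundary with no conduit defined, and a conduit whose controls are too weak for the security level difference it bridges. The zone names, asset names, the control catalogue and the rule "control strength must be at least the SL differential" are constructed assumptions for illustration; the standard does not prescribe such a numeric rule.

```python
"""Zone/conduit consistency check for a constructed plant architecture.
Example code added to the article; names, levels and strengths are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Zone:
    name: str
    sl_t: int          # target security level assigned to the zone
    assets: Set[str]


@dataclass
class Conduit:
    zone_a: str
    zone_b: str
    controls: List[str]   # controls applied on the pathway between the zones


# Constructed catalogue: how much "strength" each control contributes.
CONTROL_STRENGTH = {
    "vlan separation": 1,
    "industrial firewall": 2,
    "dmz with broker": 3,
    "data diode": 4,
}


@dataclass
class Architecture:
    zones: Dict[str, Zone]
    conduits: List[Conduit]
    links: List[Tuple[str, str]]   # asset-to-asset communication links

    def zone_of(self, asset: str) -> str:
        for z in self.zones.values():
            if asset in z.assets:
                return z.name
        raise KeyError(f"asset {asset!r} is not assigned to any zone")

    def conduit_between(self, a: str, b: str) -> Optional[Conduit]:
        for c in self.conduits:
            if {c.zone_a, c.zone_b} == {a, b}:
                return c
        return None

    def findings(self) -> List[str]:
        """One line per problem; an empty list means every boundary is covered."""
        out = []
        for src, dst in self.links:
            za, zb = self.zone_of(src), self.zone_of(dst)
            if za == zb:
                continue  # traffic inside a zone needs no conduit
            c = self.conduit_between(za, zb)
            if c is None:
                out.append(f"NO_CONDUIT {src}->{dst} crosses {za}/{zb}")
                continue
            need = abs(self.zones[za].sl_t - self.zones[zb].sl_t)
            have = max((CONTROL_STRENGTH.get(x, 0) for x in c.controls), default=0)
            if have < need:
                out.append(f"WEAK_CONDUIT {za}/{zb} needs strength {need}, has {have}")
        return out


def sample_architecture() -> Architecture:
    """Constructed water-treatment layout modelled on the article's zone list."""
    zones = {
        "Enterprise": Zone("Enterprise", 1, {"erp", "mailsrv"}),
        "Supervisory": Zone("Supervisory", 3, {"scada", "historian"}),
        "Safety": Zone("Safety", 4, {"sis"}),
    }
    conduits = [
        Conduit("Enterprise", "Supervisory", ["vlan separation"]),
        Conduit("Supervisory", "Safety", ["data diode"]),
    ]
    links = [("erp", "historian"), ("scada", "sis"), ("mailsrv", "sis"), ("scada", "historian")]
    return Architecture(zones, conduits, links)


if __name__ == "__main__":
    arch = sample_architecture()
    for line in arch.findings():
        print(line)
    # Strengthening the enterprise/supervisory conduit clears the WEAK_CONDUIT finding.
    arch.conduits[0].controls.append("industrial firewall")
    print("after adding firewall:", arch.findings())
```

On the sample layout the first run flags the enterprise-to-supervisory conduit as too weak (VLAN separation alone across a two-level gap) and a mail server talking to the safety system with no conduit at all; adding an industrial firewall resolves the first finding, while the second is a design error that no conduit control fixes until the link itself is either removed or routed through a declared conduit.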
What manufacturers must deliver
Product suppliers – manufacturers of PLCs, HMIs, network devices, and SCADA software – have specific obligations under IEC 62443.
Secure development lifecycle: IEC 62443-4-1 requires manufacturers to implement security throughout product development – threat modelling, secure design principles, code reviews, security testing, and formal vulnerability management. This isn’t optional good practice; it’s increasingly required for market access.
Component security capabilities: IEC 62443-4-2 specifies over 140 component requirements. Manufacturers must state their product’s Capability Security Level for each Foundational Requirement – declaring what the product can achieve when properly configured.
Documentation: Manufacturers must provide hardening guides with secure configuration instructions, security manuals documenting all security features, expected environmental controls, patch documentation, and Software Bills of Materials listing all software components.
Certification: Third-party certification validates claims. ISASecure SDLA certifies the development process to IEC 62443-4-1. ISASecure CSA certifies products to IEC 62443-4-2. Certification bodies include TÜV Rheinland, Bureau Veritas, UL, and exida.
What asset owners must implement
End users – operators, asset owners, organisations running IACS environments – bear responsibility for governance, risk assessment, implementation, and ongoing maintenance.
Cybersecurity management system: IEC 62443-2-1 requires establishing governance structures, risk management frameworks, documented policies, incident response plans, and personnel security. If you have ISO 27001 certification, you must integrate your OT security programme with existing IT governance.
Risk assessment: IEC 62443-3-2 defines the methodology – identify assets, partition into zones, assess threats and consequences, assign target security levels. The output is a Cybersecurity Requirements Specification documenting what security you need and where.
Implementation: Configure products according to manufacturer hardening guides. Where component capabilities fall below requirements, implement compensating countermeasures – additional technical, procedural, or administrative controls achieving equivalent protection.
Ongoing operations: Continuous monitoring, patch management (following IEC TR 62443-2-3), incident detection and response, and regular programme audits. When achieved security falls below target due to new vulnerabilities, either implement additional measures or accept documented residual risk.
What system integrators must deliver
System integrators bridge the gap between components and systems, governed by IEC 62443-2-4.
They must design security architectures aligned with asset owner requirements, select components with appropriate capability levels, configure everything according to hardening guides, and deploy monitoring capabilities. They verify through Security Acceptance Testing that the integrated system achieves its target security level.
On handover, integrators provide complete documentation: asset inventory, security configurations, zone and conduit diagrams, test results, operational procedures, and maintenance requirements.
Related standards and frameworks
IEC 62443-3-3 exists within an ecosystem of related standards:
The complete IEC 62443 series includes 62443-2-1 (security management), 62443-2-4 (service provider requirements), 62443-3-2 (risk assessment), 62443-4-1 (secure development), and 62443-4-2 (component requirements). These work together as an integrated framework.
ISO/IEC 27001 provides IT security governance infrastructure. IEC 62443 extends this with OT-specific requirements addressing availability, safety, and real-time control constraints. Organisations typically need both – ISO 27001 for IT governance, IEC 62443 for OT technical requirements.
NIST frameworks align structurally. NIST SP 800-82 (Guide to OT Security) explicitly references IEC 62443-2-1 as a suitable cybersecurity programme. The NIST Cybersecurity Framework’s five functions (Identify, Protect, Detect, Respond, Recover) map to corresponding IEC 62443 requirements.
EU regulations increasingly point to IEC 62443:
- The Cyber Resilience Act (effective December 2027) mandates cybersecurity for products with digital elements. IEC 62443-4-1 supports security-by-design requirements; 62443-4-2 and 62443-3-3 provide technical specifications.
- The NIS2 Directive (enforceable July 2025) affects essential and important entities across seventeen sectors. Article 21 requirements map directly to IEC 62443 practices.
- The Machinery Regulation (applicable January 2027) adds mandatory cybersecurity for machinery safety. IEC/TS 63074:2023 references IEC 62443 for threat identification.
For organisations facing multiple regulatory requirements, IEC 62443 provides a unified compliance pathway.
Conclusion
IEC 62443-3-3 is the definitive standard for industrial control system security. Its Security Level framework links threat capabilities to technical requirements, enabling proportionate investment. Its zones and conduits architecture provides flexible network segmentation for any environment – from pumping stations to pharmaceutical plants.
Three actions matter most:
- Invest in IEC 62443 compliance now to prepare for multiple European regulations simultaneously
- Demand certified components from suppliers – ISASecure or equivalent certification validates both product capability and development process maturity
- Treat system security as distinct from component security – even certified components require proper integration, configuration, and compensating measures to achieve system-level protection
The standard applies across all IACS environments. For organisations operating industrial systems, it represents the most comprehensive, internationally recognised framework for operational technology protection.