IEC 62443: industrial OT cybersecurity standard
IEC 62443 is the international standard for securing industrial automation and control systems. It defines four Security Levels and maps directly to NIS2 article 21 requirements.
What is IEC 62443?
IEC 62443 is a series of standards developed by IEC TC 65 specifically for Industrial Automation and Control Systems (IACS). It covers organisational security management, system design, and component requirements.
Unlike generic IT security standards (ISO 27001), IEC 62443 explicitly addresses the characteristics of OT environments: long lifecycles, real-time constraints, legacy protocols and safety requirements.
The standard defines Security Levels (SL 1–4) and a Target Security Level (SL-T) methodology that allows organisations to prioritise security investments based on risk, not a one-size-fits-all checklist.
The four Security Levels explained
Security Levels describe the capability to resist attacks from specific threat actors. For most NIS2-covered OT environments, SL 2 is the baseline.
SL 1: Protection against unintentional errors
Basic measures that prevent violations caused by carelessness or inattention. Assumes an attacker without motivation or specific skills. Applicable when the consequences of a compromise are limited.
- Authentication on HMI workstations
- Network segmentation between IT and OT
- Basic logging of login events
SL 2: Protection against intentional attacks with moderate skills
Measures aimed at an attacker with general knowledge of industrial systems and deliberate motivation. Required for most NIS2-covered OT environments.
- Role-based access control (RBAC)
- Encrypted communications where technically feasible
- Patch management per vendor advisories
- Remote access via jump server with MFA
- Change management procedure for OT systems
SL 3: Protection against sophisticated attacks with OT expertise
The attacker has specific knowledge of the target system and sufficient resources for targeted attacks. Relevant for critical infrastructure (energy, water, transport) and SEVESO installations.
- Two-factor authentication on all OT access
- Zone segmentation with a stricter conduit policy
- Passive OT monitoring (network traffic analysis)
- Supply chain security assessment for OEM suppliers
- Annual penetration test on the OT perimeter
SL 4: Protection against state-sponsored or organised attacks
The attacker has extensive resources, advanced tooling and long-term motivation. Not required for the vast majority of industrial companies, but relevant for nationally vital infrastructure.
- Physical separation of safety-critical systems (air-gap where applicable)
- Cryptographic integrity checking of software components
- Specialised OT-SOC monitoring
- Formal IACS risk assessment per IEC 62443-3-2
NIS2 article 21: IEC 62443 cross-reference
Each NIS2 article 21 requirement maps to one or more IEC 62443 parts. This table shows where IEC 62443 provides the technical implementation guidance.
| Article | Requirement | IEC 62443 | Implementation |
|---|---|---|---|
| Art. 21(2)(a) | Risk analysis and information security policies | IEC 62443-2-1 / 3-2 | Security management policy (CSMS) and IACS risk assessment methodology |
| Art. 21(2)(b) | Incident handling | IEC 62443-2-1 | Incident response plan, communication procedures and recovery plans for OT |
| Art. 21(2)(c) | Business continuity and crisis management | IEC 62443-2-1 | Backup and recovery policy specific to OT configurations and PLC programs |
| Art. 21(2)(d) | Supply chain security | IEC 62443-2-4 | Security requirements for IACS service providers (OEM suppliers, system integrators) |
| Art. 21(2)(e) | Security in acquisition and development | IEC 62443-3-3 / 4-2 | Product requirements for OT components: authentication, patchability, logging |
| Art. 21(2)(f) | Vulnerability management and disclosure | IEC 62443-2-3 | Patch management for IACS systems and vulnerability disclosure procedure |
| Art. 21(2)(g) | Basic security practices for networks and systems | IEC 62443-3-3 | System security requirements (SRs): authentication, access control, network segmentation |
| Art. 21(2)(h) | Cryptography and encryption | IEC 62443-3-3 SR 4.3 | Encryption of communications and storage where technically feasible in OT context |
How GCG applies IEC 62443
IACS risk analysis (62443-3-2)
Inventory of zones and conduits, determination of Target Security Level (SL-T) per zone based on impact × probability.
Gap analysis (62443-3-3)
Assessment of your current OT environment against the system security requirements (SRs) of IEC 62443-3-3 for your target SL.
Segmentation and hardening
Implementation of zones, conduits and compensating controls based on the gap analysis findings.
Supplier assessment (62443-2-4)
Assessment of security requirements for OEM suppliers and system integrators per NIS2 article 21(2)(d).
Reporting and evidence package
Written gap report, risk register, network diagrams and security policy: the evidence package a regulator expects.
Periodic review
NIS2 requires a continuous approach. Annual or biannual reassessments keep your IEC 62443 posture current.
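The first two steps above (zone inventory with a per-zone SL-T derived from impact × probability, then a gap check of each zone against the controls its target level requires) can be expressed as a small model. The following is an added illustration, not GCG's methodology or any tooling from IEC 62443 itself: the 1–5 impact and likelihood scales, the risk-score-to-SL-T thresholds, the per-SL control identifiers (taken from the bullet lists on this page, but simplified) and the rule that a conduit inherits the higher SL-T of the two zones it connects are all assumptions made for the example. The zones and conduits are constructed sample data.

```python
"""Zone/conduit model: SL-T per zone from impact x likelihood, then a gap list.

Added example, not the page's or GCG's own code. Scales, thresholds and the
control checklist below are assumptions, not values prescribed by IEC 62443.
"""
from dataclasses import dataclass, field

# Assumed mapping of risk score (impact x likelihood, range 1..25) to SL-T.
# Checked in descending order; a real engagement calibrates these to risk appetite.
SLT_THRESHOLDS = [(20, 4), (12, 3), (6, 2), (1, 1)]

# Assumed, simplified checklist per SL built from the page's own examples.
# Each level also requires everything demanded by the levels below it.
CONTROLS_BY_SL = {
    1: {"hmi_authentication", "it_ot_segmentation", "login_logging"},
    2: {"rbac", "encrypted_comms", "patch_management",
        "mfa_jump_server", "ot_change_management"},
    3: {"2fa_all_ot_access", "conduit_policy", "passive_ot_monitoring",
        "supplier_assessment", "annual_perimeter_pentest"},
    4: {"safety_air_gap", "software_integrity_checks", "ot_soc",
        "formal_iacs_risk_assessment"},
}


@dataclass
class Zone:
    name: str
    impact: int        # assumed scale: 1 (negligible) .. 5 (catastrophic)
    likelihood: int    # assumed scale: 1 (rare) .. 5 (almost certain)
    implemented: set = field(default_factory=set)  # controls already in place


@dataclass
class Conduit:
    source: str
    target: str


def risk_score(zone: Zone) -> int:
    """Impact x likelihood, as used to rank zones in the risk analysis step."""
    return zone.impact * zone.likelihood


def target_sl(zone: Zone) -> int:
    """Derive SL-T from the risk score using the assumed thresholds."""
    score = risk_score(zone)
    for threshold, sl in SLT_THRESHOLDS:
        if score >= threshold:
            return sl
    return 1


def required_controls(sl: int) -> set:
    """Cumulative control set for a given SL (SL n includes SL 1..n-1)."""
    required = set()
    for level in range(1, sl + 1):
        required |= CONTROLS_BY_SL[level]
    return required


def gap_analysis(zone: Zone) -> list:
    """Controls the zone's SL-T demands but which are not yet implemented."""
    return sorted(required_controls(target_sl(zone)) - zone.implemented)


def conduit_sl_t(conduit: Conduit, zones: dict) -> int:
    """Assumption: a conduit must be protected to the higher SL-T of its zones."""
    return max(target_sl(zones[conduit.source]), target_sl(zones[conduit.target]))


def assess(zones: dict, conduits: list) -> dict:
    """Build the per-zone and per-conduit findings that feed the gap report."""
    return {
        "zones": {n: {"risk": risk_score(z), "sl_t": target_sl(z),
                      "gaps": gap_analysis(z)} for n, z in zones.items()},
        "conduits": [{"path": f"{c.source} -> {c.target}",
                      "sl_t": conduit_sl_t(c, zones)} for c in conduits],
    }


# Constructed sample inventory (not a real site).
SAMPLE_ZONES = {
    "Corporate IT": Zone("Corporate IT", impact=1, likelihood=4,
                         implemented={"hmi_authentication", "login_logging"}),
    "Plant DMZ": Zone("Plant DMZ", impact=2, likelihood=3,
                      implemented=set(CONTROLS_BY_SL[1]) | set(CONTROLS_BY_SL[2])),
    "Process control": Zone("Process control", impact=4, likelihood=3,
                            implemented={"hmi_authentication", "it_ot_segmentation",
                                         "login_logging", "rbac",
                                         "patch_management", "mfa_jump_server"}),
}
SAMPLE_CONDUITS = [Conduit("Corporate IT", "Plant DMZ"),
                   Conduit("Plant DMZ", "Process control")]

if __name__ == "__main__":
    report = assess(SAMPLE_ZONES, SAMPLE_CONDUITS)
    for name, finding in report["zones"].items():
        print(f"{name}: risk={finding['risk']} SL-T={finding['sl_t']} "
              f"gaps={finding['gaps']}")
    for c in report["conduits"]:
        print(f"conduit {c['path']}: protect to SL {c['sl_t']}")
```

Running the sample places the process-control zone at SL-T 3 with seven open gaps, while the DMZ-to-process-control conduit inherits SL-T 3 even though the DMZ itself only reaches SL-T 2; that asymmetry is exactly where the "stricter conduit policy" of SL 3 applies.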
Request your IEC 62443 gap analysis
We determine your Target Security Level, assess the gaps, and deliver a prioritised remediation plan.