IEC 62443: industrial OT cybersecurity standard

IEC 62443 is the international standard for securing industrial automation and control systems. It defines four Security Levels and maps directly to NIS2 article 21 requirements.

The standard

What is IEC 62443?

IEC 62443 is a series of standards developed by IEC TC 65 specifically for Industrial Automation and Control Systems (IACS). It covers organisational security management, system design, and component requirements.

Unlike generic IT security standards (ISO 27001), IEC 62443 explicitly addresses the characteristics of OT environments: long lifecycles, real-time constraints, legacy protocols and safety requirements.

The standard defines Security Levels (SL 1–4) and a Target Security Level (SL-T) methodology that allows organisations to prioritise security investments based on risk, not a one-size-fits-all checklist.

Key parts

  • IEC 62443-2-1: Security management system (CSMS)
  • IEC 62443-2-3: Patch management for IACS
  • IEC 62443-2-4: Security for IACS service providers
  • IEC 62443-3-2: Risk assessment for IACS
  • IEC 62443-3-3: System security requirements (SRs)
  • IEC 62443-4-2: Technical security requirements for components

Security Levels

The four Security Levels explained

Security Levels describe the capability to resist attacks from specific threat actors. For most NIS2-covered OT environments, SL 2 is the baseline.

SL 1: Protection against unintentional errors

Basic security measures preventing errors from inattention. Assumes an attacker without motivation or specific skills. Applicable when consequences are limited.

  • Authentication on HMI workstations
  • Network segmentation between IT and OT
  • Basic logging of login events

SL 2: Protection against intentional attacks with moderate skills

Measures targeting an attacker with knowledge of industrial systems and deliberate motivation. Required for most NIS2-covered OT environments.

  • Role-based access control (RBAC)
  • Encrypted communications where technically feasible
  • Patch management per vendor advisories
  • Remote access via jump server with MFA
  • Change management procedure for OT systems

SL 3: Protection against sophisticated attacks with OT expertise

The attacker has specific knowledge of the target system and sufficient resources for targeted attacks. Relevant for critical infrastructure (energy, water, transport) and SEVESO installations.

  • Two-factor authentication on all OT access
  • Zone segmentation with stricter conduit policy
  • Passive OT monitoring (network traffic analysis)
  • Supply chain security assessment for OEM suppliers
  • Annual penetration test on OT perimeter

SL 4: Protection against state-sponsored or organised attacks

The attacker has extensive resources, advanced tooling and long-term motivation. Not required for the vast majority of industrial companies, but relevant for nationally vital infrastructure.

  • Physical separation of safety-critical systems (air-gap where applicable)
  • Cryptographic integrity checking of software components
  • Specialised OT-SOC monitoring
  • Formal IACS risk assessment per IEC 62443-3-2

NIS2 mapping

NIS2 article 21: IEC 62443 cross-reference

Each NIS2 article 21 requirement maps to one or more IEC 62443 parts. This table shows where IEC 62443 provides the technical implementation guidance.

Article       | Requirement                                        | IEC 62443             | Implementation
--------------|----------------------------------------------------|-----------------------|-----------------------------------------------------------------------------------------
Art. 21(2)(a) | Risk analysis and information security policies    | IEC 62443-2-1 / 3-2   | Security management policy (CSMS) and IACS risk assessment methodology
Art. 21(2)(b) | Incident handling                                  | IEC 62443-2-1         | Incident response plan, communication procedures and recovery plans for OT
Art. 21(2)(c) | Business continuity and crisis management          | IEC 62443-2-1         | Backup and recovery policy specific to OT configurations and PLC programs
Art. 21(2)(d) | Supply chain security                              | IEC 62443-2-4         | Security requirements for IACS service providers (OEM suppliers, system integrators)
Art. 21(2)(e) | Security in acquisition and development            | IEC 62443-3-3 / 4-2   | Product requirements for OT components: authentication, patchability, logging
Art. 21(2)(f) | Vulnerability management and disclosure            | IEC 62443-2-3         | Patch management for IACS systems and vulnerability disclosure procedure
Art. 21(2)(g) | Basic security practices for networks and systems  | IEC 62443-3-3         | System security requirements (SRs): authentication, access control, network segmentation
Art. 21(2)(h) | Cryptography and encryption                        | IEC 62443-3-3 SR 4.3  | Encryption of communications and storage where technically feasible in OT context

What we do

How GCG applies IEC 62443

01  IACS risk analysis (62443-3-2)

Inventory of zones and conduits, determination of Target Security Level (SL-T) per zone based on impact × probability.

02  Gap analysis (62443-3-3)

Assessment of your current OT environment against the system security requirements (SRs) of IEC 62443-3-3 for your target SL.

03  Segmentation and hardening

Implementation of zones, conduits and compensating controls based on the gap analysis findings.

04  Supplier assessment (62443-2-4)

Assessment of security requirements for OEM suppliers and system integrators per NIS2 article 21(2)(d).

05  Reporting and evidence package

Written gap report, risk register, network diagrams and security policy: the evidence package a regulator expects.

06  Periodic review

NIS2 requires a continuous approach. Annual or biannual reassessments keep your IEC 62443 posture current.
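To make steps 01 to 03 concrete, the following is an added worked example (not GCG's tooling and not part of IEC 62443 itself) of a zone-and-conduit model: each zone gets an SL-T from an impact × likelihood risk score, each conduit inherits the higher SL-T of the two zones it joins, and a gap analysis compares the SL actually achieved against the target and orders the shortfalls for remediation. The five-point scales, the score thresholds that map to SL 1–4, and the plant data (enterprise IT, a control zone, a safety zone, two conduits) are all constructed assumptions; IEC 62443-3-2 leaves the risk matrix and thresholds to the organisation.

```python
"""Zone/conduit SL-T determination and gap analysis (added example).

Assumptions, not prescribed by IEC 62443:
  * impact and likelihood use a 1..5 scale;
  * the risk_score -> SL-T thresholds below are illustrative;
  * ZONES and CONDUITS are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Zone:
    name: str
    impact: int        # 1 (negligible) .. 5 (catastrophic), assumed scale
    likelihood: int    # 1 (rare) .. 5 (almost certain), assumed scale
    sl_achieved: int   # SL the currently implemented controls reach


@dataclass
class Conduit:
    name: str
    zone_a: str
    zone_b: str
    sl_achieved: int   # SL the conduit's controls (firewall, data diode, ...) reach


def risk_score(zone: Zone) -> int:
    """Impact x likelihood, the score step 01 bases SL-T on."""
    return zone.impact * zone.likelihood


def target_sl(zone: Zone) -> int:
    """Map the risk score to SL-T 1..4 (illustrative thresholds, an assumption)."""
    score = risk_score(zone)
    if score >= 20:
        return 4
    if score >= 12:
        return 3
    if score >= 6:
        return 2
    return 1


def conduit_target_sl(conduit: Conduit, zones: dict) -> int:
    """A conduit must meet the higher SL-T of the zones it joins; otherwise it
    is the weakest path into the more critical zone."""
    return max(target_sl(zones[conduit.zone_a]), target_sl(zones[conduit.zone_b]))


def gap_analysis(zones: dict, conduits: list) -> list:
    """Step 02: list every zone or conduit whose achieved SL is below its SL-T.

    Returns tuples (name, kind, sl_achieved, sl_target), largest shortfall
    first, which is the order step 03 works through."""
    gaps = []
    for zone in zones.values():
        slt = target_sl(zone)
        if zone.sl_achieved < slt:
            gaps.append((zone.name, "zone", zone.sl_achieved, slt))
    for conduit in conduits:
        slt = conduit_target_sl(conduit, zones)
        if conduit.sl_achieved < slt:
            gaps.append((conduit.name, "conduit", conduit.sl_achieved, slt))
    gaps.sort(key=lambda g: g[3] - g[2], reverse=True)   # stable: ties keep order
    return gaps


# Constructed sample plant (assumption, not a real site)
ZONES = {
    "Enterprise IT":    Zone("Enterprise IT",    impact=2, likelihood=4, sl_achieved=2),
    "Plant control":    Zone("Plant control",    impact=5, likelihood=3, sl_achieved=2),
    "Safety system":    Zone("Safety system",    impact=5, likelihood=4, sl_achieved=2),
}
CONDUITS = [
    Conduit("IT/OT firewall",      "Enterprise IT", "Plant control", sl_achieved=1),
    Conduit("Control/safety link", "Plant control", "Safety system", sl_achieved=3),
]


if __name__ == "__main__":
    for zone in ZONES.values():
        print(f"{zone.name:16} risk={risk_score(zone):2}  SL-T={target_sl(zone)}  achieved={zone.sl_achieved}")
    for name, kind, have, want in gap_analysis(ZONES, CONDUITS):
        print(f"GAP {kind:8} {name:22} SL {have} -> needs SL {want}")
```

Running it shows that the enterprise zone already meets its SL-T 2, while the safety zone (SL-T 4) and the IT/OT firewall conduit (which inherits the control zone's SL-T 3) have the largest shortfalls and therefore lead the remediation plan. Swapping in the organisation's own risk matrix only changes `target_sl`; the conduit rule and the gap ordering stay the same.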

Request your IEC 62443 gap analysis

We determine your Target Security Level, assess the gaps, and deliver a prioritised remediation plan.