The IEC 62443 Standard, the international reference for Industrial Cyber Security

Reading time: 6 minutes - Difficulty: medium

In our previous article we highlighted the complicated relationship between the Industry 4.0 and solutions for Industrial Cyber Security. We stated that the only way to apply the most adequate countermeasures in order to create a security plan in accordance with IEC 62443 for industrial automation control system, such as PLC, SCADA and HMI, is by analyzing the actual cyber risk for the OT world, Operational Technology. Although many companies are still skeptical regarding the prevention from cyber attacks, we can say that the international standard IEC 62443 is “hacker-proof”. We will now discuss the key points of this standard.


What the IEC standard aims at in terms of Industrial Cyber Security

The IEC 62443 is the international standard for the security for industrial automation control systems. This standard is therefore the only reliable solution for Cyber Security in the field of industrial automation.

This standard was set up almost twenty years ago by a group of volunteers belonging to the SP99 Committee, established by ISA, International Society Automation & Control. It was later reviewed and adopted by the IEC, the International Electrotechnical Commission; hence the original name was ISA 99/IEC 62443.

Even if not mandatory for companies, the application of this standard makes industrial control systems immune against cyber threats. In the current scenario, where the number of hazards for this type of technologies is significantly growing, the application of the IEC standard ensures that companies are immune from any potential hazards that may cause, among other things, the breakdown of equipment, freeze in production, as well as unexpected costs related to the repairing of control systems, and profit loss.

This international standard was therefore set up to protect the Industry 4.0 making the sharing of data from outwards to inwards, and vice-versa, safe and reliable.

IEC 62443 compliance and Cyber Security Lifecycle

Before examining which specifications of the Industrial Cyber Security standard are the most relevant for Industry 4.0, it is necessary to clarify some fundamental terms to better understand this field.

IACS: literally Industrial Automation Control System, also known as ICS, Industrial Control System. In a broader meaning, IACS is synonymous with OT (Operations Technology) being a technology that interfaces with an operational process. In this context, the term is used to distinguish an IACS from an IT device that aims at receiving and transmitting the information. Examples of IACS are industrial devices such as PLCs, HMIs, or SCADAs.

IACS Security Lifecycle: it is the Security Lifecycle of an IACS, namely the set of phases that must be carried out in order for the IACS protection to be in compliance with the Cyber Security requirements defined by the IEC standard. The phases of the IACS Security Lifecycle are Assess, Implement, and Maintain.

CSMS: it is the Cyber Security Management System that represents the set of practices and actions aiming at identifying cyber risks and defining the most correct countermeasures.

IACS Security Lifecycle

H-ON Consulting: Ciclo di Vita della sicurezza IACS

The international IEC standard covers all phases of the IACS Security Lifecycle. It begins with the assessment of risks and vulnerabilities and ends with the maintenance of the security level performances in the long term.

The Assess Phase consists in the set of activities aiming at identifying high-level risks and analyzing vulnerabilities and low-level risks. It ends with the allocation of minimum Cyber Security requirements required for each component of the IACS system.


1. Risk Assessment

2. Vulnerability Assessment

3. Penetration Test

4. Threat Modeling

5. Security Level Allocation

It is during the Implement Phase that companies wishing to protect themselves from cyber attacks shall define the entire CSMS, Cyber Security Management System, as well as adopt procedures and strategies aiming at preventing cyber attacks and protecting their own industrial control systems.


1. Defense Strategy


3. Security Level verification

Cyber Security is however a process that needs to be constantly monitored and periodically implemented by means of maintenance activities (Maintain Phase) related to the safety level of industrial plants. This is the only way to ensure that data flow, which can be shared outwards, is safe from cyber threats, therefore avoiding catastrophic consequences for companies.


1. Auditing

2. Follow up

Why companies should comply with the IEC 62443 Standard

The compliance with the IEC 62443 international standard represents a guarantee both for the security of OT data to be shared with the IT and the entire production sector. It is therefore possible to avoid any possible contamination with “infected” data.
However, when looking at the future, industrial product safety may only be a mirage if we don’t apply for adequate security for industrial automation control system against cyber attacks. For this reason, we all have to be aware of this scenario.

As consultants in the field, we have created a dedicated team of certified specialists in accordance with the ISA99/IEC62443 Cybersecurity Fundamentals Specialist and ISA99/IEC62443 Cybersecurity Risk Assessment Specialist standards. Our goal is to help companies adopt real security measures that are long-lasting and in compliance with the IEC 62443 standard for every single phase of the IACS Security Lifecycle.


Did you find this helpful? For further information about our Industrial Cyber Security services


Contact us


Go back to the blog

Send this to a friend