IEC 62443 vs. ISO 21434

Reading time: 4 minutes - Difficulty: advanced

While IEC 62443 is the standard that dictates best practices for cybersecurity of industrial automation and control systems, ISO 21434 addresses the automotive market. Let us take a look at the common features and differences between the two cybersecurity frameworks.

IEC 62443: history and directions for Operational Technology

IEC 62443 is the international standard for cybersecurity in industrial control systems, which is the set of best practices geared toward the world of factory automation.

The standard was created 20 years ago by the SP99 committee established by ISA, International Society Automation & Control. It was later revised and adopted by IEC, the International Electrotechnical Commission, from which it takes its original name ISA 99/IEC 62443; today known simply as IEC 62443.

H-ON Consulting: Ciclo di Vita della sicurezza IACS

Download Infographics

Do you want to help our page grow? Follow us on Linkedin


The standard stipulates that the lifecycle of industrial automation and control systems has three phases:

  • Assess
  • Implement
  • Maintain

The entire lifecycle of OT systems (Operational Technology, including, for example, DCS, SCADA, HMI and IIoT systems) includes an initial phase of OT cyber security assessment and vulnerability investigation, touches on the implementation phase of cyber security countermeasures, and suggests how to maintain security performance against cyber threats over time.


Do you need support for a project that entails the implementation of IEC 62443?


Contact us

Do you want to help our page grow? Follow us on Linkedin


ISO 21434: origin and lifecycle of Automotive security

ISO 21434 sets out the requirements for the cybersecurity management system for newly approved smart vehicles.

Linked to UNECE Regulation No. 155, the standard is the work of the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE); hence it is called ISO/SAE 21434 – Road Vehicles Cybersecurity Engineering.


The need to protect the automotive market from cyber attacks, as is the case in many other contexts, stems from the fact that breaches to servers, remote access applications, or infotainment systems are rapidly growing, impacting the security and functionality of vehicles, and, consequently, the safety of property or people.


The lifecycle, for the purposes of the ISO 21434 management system, outlines the importance of organizational aspects to ensure the cybersecurity of end products, following the diagram below.


Lifecycle ISO 21434

Do you need support for a project that entails the implementation of ISO 21434?


Contact us

Do you want to help our page grow? Follow us on Linkedin


When to apply IEC 62443 vs. ISO 21434

As mentioned, IEC 62443 refers to industrial automation and control systems, IACS (Industrial Automation and Control System) to be precise. We are talking about Operational Technology, technologies that interface with operational processes, including the aforementioned industrial devices such as PLCs, HMIs and SCADAs.


On the contrary, the following fall within the categories of components covered by ISO 21434:

  • Gateway
  • Infotainment systems
  • Sensors
  • Cameras
  • Security systems
  • Communication systems in general


On the other hand, the following are deemed parts of the interface, and so are outside the scope of the standard:

  • External storage devices
  • Back-end servers
  • Connectivity systems
  • Diagnostic and maintenance applications


Different standards may be applied in this case, again IEC 62443, or ISO 27001, or NIST.


Any questions or comments?


Share us your feedback

Do you want to help our page grow? Follow us on Linkedin


Go back to the blog
Send this to a friend