OT Security Lifecycle IEC 62443

Lifecycle development in accordance with OT Cyber Security standards
The purpose of IEC 62443 is to protect the end user. The standard states how to center the purpose through specific plans, procedures, and artifact control.

Discover our consulting options for the Security Lifecycle

The implementation of the lifecycle for the design and manufacture of systems compliant with Industrial Cyber Security standards is based on the technical compliance of the system, machine or plant, with the requirements of IEC 62443, and also paves the way for subsequent certification processes of OT Cyber Security.

The activities recommended by the IEC 62443 standards focus on architecture, policies and testing prior to the installation of automation solutions.


Our OT Security Lifecycle development consultancy includes a series of modular activities that make it easier for integrators and manufacturers to comply with IEC 62443 standards:

  • Security Plan for System Integrators. The security plan refers to the management system documents developed by the integrator for other purposes. We offer support for preparation of the cybersecurity plan to implement the IEC 62443-2-4 requirements, considering the specific contractual scope of the integrator. We also offer consultancy for preparation of the security policies to be implemented for the project, related, for example, to endpoint protection, remote access, backup and patch management.
  • Support for System Architecture. The definition of the security architecture takes into account the Zone & Conduit diagram recommended by the standards. We offer advice to support organization of the network and data flow permitted by the security specifications, as proof of compliance with IEC 62443 for a given SL-T.
  • Analysis of Cyber Security Requirements. The end customer’s requirements can sometimes be generic or more specific ones beyond the IEC 62443 standard. We offer consultancy on detailed analysis of the requirements and support with their application and the identification of requests that may not be applicable to standard products.
  • Test Procedures. The security requirements must be tested at the end of commissioning against the Cyber Security specifications to confirm to the end user, when contractually required, that the project implements these requirements. The procedure we prepare for the integrator covers device configuration review, vulnerability testing, backup verification, patch management and all the security features implemented through the specifications. The procedures for testing are attached to the procedure, if carried out independently by the integrator or, if required, by our specialists.
  • Operating Procedures. After preparation and delivery of the project, the user needs safety procedures to make the system work properly and maintain the correct level of safety over time. This involves descriptive procedures on how to perform backup and restore, account management, patch management, monitoring, and all other tasks related to the scope of supply. To meet these needs, we support the integrator and the manufacturer in the preparation of operating procedures in accordance with IEC 62443-2-4.
  • Security Plan for Machine and Plant Manufacturers. Manufacturers of machines and large plants are for all purposes suppliers in accordance with IEC 62443 for systems that make up machines configured for specific projects. The more developed the Security Plan is, the more robust the machine is in terms of cybersecurity and the easier the work is even for the system integrator. For this reason, the manufacturer can in turn implement processes that comply with OT Cyber Security with the support of our specialists, and there is the possibility of certifying the process according to ISA/IEC standards.
  • Support for Artifact Compliance. When implemented in product development, the IEC 62443-4-1 standard requires artifacts for each specific product developed. This includes threat modeling and risk assessment, cybersecurity specifications, testing procedures, design documentation, patch development and implementation, and activities and documentation that we produce entirely for both the integrator and the manufacturer.


The activities for the OT Security Lifecycle, if aggregated, constitute comprehensive consultancy; they can be agreed separately on request.


In IEC 62443/ISA 99 terms, an OT system is defined as a “control system,” that is, a hardware or software component intended to be integrated into a final industrial automation and control system. PLCs, HMIs, SCADA systems, and safety instrumented systems are examples of OT systems.

The legislative references in the IEC 62443 standard directed at OT device manufacturers are found in IEC 62443-4-1 and IEC 62443-4-2 regarding the design requirements in conformity with legislation for systems, sub-systems, or hardware or software components.

As defined in IEC 62443-4-1, the manufacturer is required to implement certain cyber security practices when developing the product:

  • Specification of Security Guidelines
  • Security by design
  • Secure Implementation
  • Security V&V Testing
  • Security Guidelines

Recommended Posts

IEC 62443 industrial cyber security
cyber security industria 4.0
Cyber Security Risk Assessment High Level

Why Choose us

  • We have gained experience in the OT Cyber Security field since 2014
  • We test every solutions thanks to our in-house OT Cyber Security laboratory
  • Our specialists are IEC 62443/ISA 99-certified personnel (Fundamentals Specialist and Cyber Security Risk Assessment Specialist)
  • Automation and OT Network Security are some of our most performing competences
  • We have bulit a wide network of partnerships with the main international OT solution suppliers
  • Our BYHON internal division is the ISASecure® accredited certification body

For more information about this service or to request a quote