IEC 62443 is the international standard series for cybersecurity of industrial automation and control systems (IACS). It secures control systems using zones and conduits four security levels seven foundational requirements and clear duties for asset owners, integrators, and product suppliers. It is maintained jointly by the ISA99 committee and the IEC.
Most plant people meet it as a phrase in an audit, a procurement clause, or an insurance questionnaire, "are you 62443 compliant?", and freeze. This guide unfreezes it. IEC 62443 is not one document you pass or fail; it is a family of documents that gives everyone touching a control system a shared way to talk about risk. Read it as a language, not a hurdle. You already do most of what it asks; the standard just names it.
What is IEC 62443, in one paragraph?
IEC 62443 is a series of standards and technical reports that describe how to build, integrate, and operate secure industrial control systems. It came out of the ISA99 committee's work in the mid-2000s, was renumbered into the IEC 62443 family, and is now the internationally recognized reference for operational-technology (OT) security. Where IT security frameworks assume data confidentiality is the top priority, 62443 flips the order for the plant floor: availability and safety of the physical process come first, because a stopped line or an unsafe machine hurts before a leaked file does.
Why does the floor need its own security standard?
Because office security advice breaks on the floor. You cannot patch a 15-year-old PLC on Patch Tuesday, reboot a running furnace to install an update, or run heavy antivirus on a controller with a 20-millisecond scan budget. OT systems live for decades, prize uptime above all, and were mostly designed before anyone assumed they would touch a network. IEC 62443 exists to secure exactly that reality, legacy equipment, long lifecycles, and a hard requirement that the process keeps running, rather than pretending the floor is just another set of laptops.
How is the 62443 series organized?
The series is grouped into four categories, and which part applies to you depends on your role. This is the single most useful thing to understand about the standard: it does not treat "security" as one person's job.
The lesson is division of labor. A product supplier proves their controller was built securely (part 4). An integrator proves the system was designed and wired securely (part 3). The asset owner, the plant, proves the whole thing is operated securely over its life (part 2). No single certificate covers all three, which is why "are you 62443 compliant?" is usually the wrong question. The right one is "compliant to which part, at which security level, for which zone?"
What are zones and conduits?
Zones and conduits are how 62443 divides a plant into defensible pieces. A zone is a group of assets that share the same security needs; a conduit is the controlled pathway that carries traffic between zones. Everything crossing a conduit is inspected and restricted on purpose, no accidental flat network where the office printer can reach the safety controller.
If you have ever heard a controls engineer insist that the plant network is "segmented," this is the formal version of that instinct. It maps cleanly onto the layered industrial network most plants already run, and onto the Purdue model that SCADA architectures follow. The security value is blunt: contain the blast radius. When something gets compromised, a laptop, a vendor's tool, a phishing click, zoning decides whether the damage stops at one cell or spreads to the whole plant.
What do the four security levels mean?
Security levels (SL) rank how hard a zone is to breach, from casual accident to nation-state effort. You assign each zone a target level based on what an attacker could do if they got in, then design controls to meet it. Higher levels cost more, so you do not make every zone SL 4, you make the safety zone strong and the break-room Wi-Fi weak.
The standard also splits security level into three flavors worth knowing: SL-T (target, what the risk assessment says the zone needs), SL-C (capability, what a product or system can deliver when configured right), and SL-A (achieved, what you actually ended up with after installation). Audits live in the gap between target and achieved.
What are the seven foundational requirements?
Underneath the security levels sit seven foundational requirements (FRs), the categories every technical control maps back to. They are the same seven at every level; what changes is how strictly you meet them. In order, they are: identification and authentication control (know who or what is connecting), use control (enforce what each identity is allowed to do), system integrity (detect tampering with software and data), data confidentiality (protect sensitive information in transit and at rest), restricted data flow (the zones-and-conduits principle in requirement form), timely response to events (detect, log, and react to incidents), and resource availability (keep the process running under attack).
That last one, resource availability, is where OT security parts company with IT security most sharply. In an office, the safe move under attack is often to shut a system down. On the floor, shutting the process down can be the incident, a halted furnace, a dropped batch, an unsafe stop. IEC 62443 puts availability of the physical process on equal footing with keeping attackers out, which is exactly why you cannot copy an office security program onto a control network and call it done.
How do you actually apply IEC 62443 in a plant?
You do not swallow the whole standard. You work a loop, one system at a time.
- Inventory and identify. List every controller, HMI, switch, gateway, and connected device. You cannot zone what you have not found, and unknown assets are where breaches hide.
- Partition into zones and conduits. Group assets by shared security need, control zone, safety zone, DMZ, and define exactly what crosses between them.
- Assess risk per zone. For each zone, ask what an attacker could do and what it would cost. That drives the target security level (SL-T).
- Close the gap. Compare the security capability you have (SL-C) to the target. The difference is your remediation list: segmentation, authentication, logging, patch process.
- Assign roles and responsibilities. Decide who owns each control, asset owner, integrator, supplier, using the part 2, 3, and 4 split so nothing falls through the cracks.
- Operate and reassess. Security is a program, not a project. New equipment, new connections, and new threats reopen the loop; schedule the review.
Where do modern data and AI layers fit without breaking 62443?
Above the control zone, reading through a conduit, never inside it. The whole point of connecting the floor is to get data into analytics machine monitoring and decision tools, and 62443 does not forbid that. It disciplines it. A well-behaved data layer sits in a higher zone, pulls from the historian and controllers through a firewalled, read-mostly conduit, and writes nothing back into control logic. That is exactly the pattern behind good IIoT design and the reason edge IIoT gateways exist as a security boundary. Done this way, connectivity and security are not in tension, the standard is the blueprint for connecting safely. It is also why real-time anomaly signals and anomaly detection can run on plant data without touching the process. Harmony follows this model on purpose: it reads from PLCs, sensors, and existing systems to compute true OEE and surface issues, with the control layer untouched and no rip-and-replace (see the connected systems module).
What do the standards bodies actually say?
- ISA/IEC 62443 is the internationally recognized series of standards for the cybersecurity of industrial automation and control systems, maintained by the ISA99 committee and IEC (ISA).
- The series defines seven foundational requirements and four security levels (SL 1–4) applied to zones and conduits, with separate obligations for asset owners, integrators, and product suppliers (IEC).
- U.S. federal guidance for the same domain, NIST SP 800-82 Revision 3, covers OT security for SCADA, DCS, and PLC environments and points to the same layered, segmented architecture (NIST).
You do not need certification to benefit. Borrowing the zones, conduits, and security-level thinking gives a mid-market plant a defensible security posture and a common language with auditors, insurers, and integrators. For where this fits in the wider modernization picture, see smart factory technology and how plants dismantle data silos safely.