What Is IEC 62443?

IEC 62443 is a series of international standards that provide guidelines for securing industrial control systems (ICS) and operational technology (OT) networks. A key framework for Industry 4.0, it covers a range of security topics, including risk assessment, security policies, network security, access control, and incident management.

Why Is IEC 62443 Important?

Cybersecurity is crucial in our digital world—especially in industrial environments, where a cyber breach can have catastrophic consequences. To address these concerns, the International Electrotechnical Commission (IEC) introduced the IEC-62443 standard, a series of guidelines and best practices for the security of industrial automation and control systems (IACS).

Compliance with IEC 62443 security standards, while not required, is strongly recommended for any organization implementing digital technologies in an industrial context. Following IEC 62443 can help asset owners keep their IACS secure and resilient against cyberthreats, which is crucial for maintaining the safety and reliability of critical infrastructure as well as ensuring operational continuity.

IEC 62443 and Industry 4.0

Industry 4.0, which focuses on the integration of digital technologies into manufacturing and other industries, prioritizes cybersecurity because connected devices and systems are vulnerable to data breaches and other cyberattacks. IEC 62443 provides a framework for addressing these concerns in the context of IACS. The standards cover risk assessment, security policies and procedures, network security, system design and implementation, security monitoring and maintenance, and more.

The Role of IEC 62443 in Industrial Cybersecurity

In the context of industrial cybersecurity and IEC 62443, an asset owner is an individual, organization, or entity that owns, operates, or controls an IACS or any IACS components. The IACS could be a process control system, a building automation system, or any other system used to control industrial processes or infrastructure.

Asset owners are responsible for ensuring the security and availability of their IACS. This includes identifying and assessing cybersecurity risks, implementing appropriate security controls and countermeasures, and ensuring that the system is maintained in a secure state over its entire life cycle. Asset owners are also responsible for complying with any relevant laws, regulations, and industry standards related to industrial cybersecurity.

Asset owners are among the key stakeholders in the industrial cybersecurity ecosystem, alongside system integrators, suppliers, service providers, and regulatory bodies. Effective collaboration among these stakeholders is essential for ensuring the security and resilience of IACS.

Design Principles of IEC 62443

The design principles of IEC 62443 focus on a holistic approach to IACS security that considers all aspects of the system and promotes continuous improvement and collaboration among all stakeholders. They can be summarized as follows:

  1. Security by design: IEC 62443 emphasizes the importance of incorporating security into the design process of IACS, from the initial concept phase through deployment and maintenance.
  2. Defense-in-depth: Multiple layers of security controls—a combination of physical, technical, and procedural security measures—protect IACS from both external and internal threats.
  3. Risk assessment: IEC 62443 emphasizes the importance of conducting security risk assessments to identify potential threats and vulnerabilities and determine their level of risk.
  4. Continuous monitoring and improvement: The standard promotes continuous monitoring of IACS to identify potential security issues and implement improvements.
  5. Integration with business processes: Integrating security management with existing processes throughout the organization helps ensure security is not an afterthought.
  6. Collaboration and information sharing: Partnership between all stakeholders involved in the design, implementation, and maintenance of IACS helps ensure a consistent, comprehensive approach to security.

Elements of the IEC 62443 Standards

The IEC-62443 series of standards was designed to address various aspects of cybersecurity across the life cycle of OT networks. Some of the primary elements include:

  • Policy and procedure—documented security policies and procedures that outline the organization's approach to IACS security, including overall cyber risk management
  • System design—guidelines for designing secure ICS, ensuring that security considerations, such as technical security requirements, are integrated from the outset
  • Implementation—covering the secure deployment of IACS products, including software and hardware system components, network configurations, and user access controls
  • Maintenance—underscoring the significance of regular upkeep, updates, and patch management to keep the system secure against emerging threats
  • Incident response—being prepared for and responding to security incidents, ensuring the organization can quickly mitigate the impact and restore normal operations

How Does IEC 62443 Break Down IACS Security?

IEC 62443 breaks down IACS security into the maturity levels of an organization's cybersecurity management capabilities and the security levels required of its systems and/or components. In this way, IEC 62443 helps organizations systematically assess and implement cybersecurity measures based on their unique system security requirements.

IEC 62443 Maturity Levels

The IEC 62443 standard defines four maturity levels, designed to help organizations evaluate their cybersecurity capabilities and identify areas for improvement. The maturity levels are:

  • Level 0 (Informal): At this level, the organization lacks a formal cybersecurity strategy. Actions are reactive, and there's no consistent approach to managing threats.
  • Level 1 (Structured): The organization has established basic cybersecurity practices and procedures. However, these may not be consistently applied across the board.
  • Level 2 (Integrated): Cybersecurity practices are integrated into daily operations. There's a consistent approach to managing cyber risks, with regular reviews and updates.
  • Level 3 (Optimized): At this pinnacle level, the organization has a mature cybersecurity approach. Continuous improvement processes are in place, ensuring that the organization stays ahead of emerging threats.

IEC 62443 Security Levels

Security levels (SL) in IEC-62443 represent the depth and rigor of security capabilities. There are four defined security levels:

  • SL 1—Protection against casual or coincidental violation: This level offers basic protection against non-malicious threats, such as unintentional human errors.
  • SL 2—Protection against intentional violation using simple means: Here, the system can defend against attacks that employ basic tools and techniques.
  • SL 3—Protection against intentional violation using sophisticated means: At this level, the system is equipped to counter threats from skilled and motivated adversaries using advanced tools.
  • SL 4—Protection against intentional violation with severe consequences: This is the highest security level, designed to protect against nation-state level adversaries or threats that could have a catastrophic impact.

Zones and Conduits

Rather than the hierarchical access method in the Purdue Model, IEC-62443 implements a concept called Zones and Conduits. 

Zones are logical groupings of assets that have similar security requirements. These assets can be physical, like a machine, or intangible, such as a software application. The key idea behind zoning is to segment the ICS environment so that a breach in one zone doesn't compromise the entire system.

Conduits, on the other hand, represent communication paths between zones. They serve as controlled interfaces, ensuring that data flows securely between zones. By defining zones and conduits, organizations can implement targeted security measures, focusing on protecting the most critical assets and communication paths.

Zones and conduits offer a more flexible design for modernizing OT network designs. For instance, the Purdue Model’s rigidity makes it difficult to separate levels between physical locations (whether in another facility, a data center, or even the public cloud). This opens up a world of possibilities when it comes to architecting not only the factory of the future, but also existing legacy environments.
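The zone and conduit model described above can be checked against observed traffic. The following is an added example, not code from Zscaler or from the IEC 62443 standard: it maps assets to zones by subnet, treats conduits as a default-deny allow-list, and classifies flow records. The zone names, subnets, ports, flow records, and the choice to allow intra-zone traffic are all constructed assumptions.

```python
import ipaddress

# Constructed zone model: zone name -> subnets of the assets grouped in it.
ZONES = {
    "enterprise": ["10.10.0.0/16"],
    "dmz": ["10.20.0.0/24"],
    "control": ["10.30.1.0/24"],
    "safety": ["10.30.2.0/24"],
}
# Constructed conduits (default deny): (src zone, dst zone, protocol, dst port).
CONDUITS = {
    ("enterprise", "dmz", "tcp", 443),   # web front end in the DMZ
    ("dmz", "control", "tcp", 4840),     # OPC UA from DMZ broker to control
}
_NETS = [(ipaddress.ip_network(n), z) for z, nets in ZONES.items() for n in nets]

def zone_of(ip):
    """Return the zone containing ip, or None if the asset is not zoned."""
    addr = ipaddress.ip_address(ip)
    for net, zone in _NETS:
        if addr in net:
            return zone
    return None

def evaluate(flow):
    """Classify one flow (src, dst, proto, dport) against the zone model."""
    src, dst, proto, dport = flow
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny: unzoned asset"          # asset missing from the inventory
    if sz == dz:
        return "allow: intra-zone"            # assumption: same-zone traffic is trusted
    if (sz, dz, proto, dport) in CONDUITS:
        return f"allow: conduit {sz}->{dz}"   # conduits are directional
    return f"deny: no conduit {sz}->{dz} {proto}/{dport}"

# Constructed flow records, as they might be parsed from firewall or NetFlow logs.
FLOWS = [
    ("10.10.5.20", "10.20.0.8", "tcp", 443),
    ("10.20.0.8", "10.30.1.15", "tcp", 4840),
    ("10.10.5.20", "10.30.1.15", "tcp", 502),   # enterprise straight to control
    ("10.30.1.15", "10.30.1.16", "udp", 2222),
    ("192.168.99.4", "10.30.2.7", "tcp", 22),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, "->", evaluate(f))
```

Flows reported as "no conduit" or "unzoned asset" are the ones to investigate: either the zone model is incomplete or traffic is bypassing the intended segmentation.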

IEC 62443 and the Modern Threat Landscape

ISA/IEC 62443 standards remain relevant today, as the threat landscape for industrial control systems has continued to evolve and expand. Industrial organizations increasingly rely on connected devices and networks, which can make them vulnerable to cyberattacks. ISA/IEC 62443 provides a comprehensive framework for addressing these risks and improving the security of IACS.

Moreover, many organizations are subject to regulatory requirements and compliance mandates, and ISA/IEC 62443 can help them meet these requirements. For example, the US Cybersecurity and Infrastructure Security Agency (CISA) recommends the use of ISA/IEC 62443 to protect critical infrastructure systems.

In addition, the ISA/IEC 62443 standards continue to be updated and revised to reflect changes in the threat landscape and advances in security technology. This ongoing evolution ensures that the standard remains relevant and effective in addressing the latest cybersecurity challenges faced by industrial sector organizations.

How Zscaler Contributes to IEC-62443 Security Levels

Zones and Conduits enable organizations to design and implement OT networks securely by grouping similar resources into a zone and then using a secure communications mechanism such as Zscaler to control access between the zones.

Acting as the conduit’s “traffic cop,” the Zscaler platform:

  • Allows only authorized connections to the zone
  • Ensures only authorized flows are allowed between zones
  • Enforces end-to-end encryption between zones
  • Controls who and what can enter or leave a zone

The Zscaler Solution for IEC 62443 Compliance

A zero trust approach is the most effective way to ensure robust ICS and OT security and achieve IEC 62443 compliance with adaptive, context-based application access that doesn’t depend on network access. With an effective zero trust architecture in place, any user can only access the applications and systems they need, with no complex firewall stacks or VPNs required, all while your apps and network stay invisible to the internet.

Zscaler Private Access™ (ZPA™) is the world’s most deployed zero trust network access (ZTNA) platform, providing a powerful alternative to VPN. It eliminates exposed ports, prevents lateral movement and avoids unnecessary traffic backhauling to provide secure, low-latency access to private applications.

Zscaler benefits:

  • Hybrid workforce security: Empower your users to securely access web apps and cloud services from any location or device, with a smooth user experience.
  • Agentless access for third parties: Extend your secure private app access to vendors, contractors, suppliers, and more with support for unmanaged devices, with no endpoint agent.
  • IIoT and OT connectivity: Provide fast, reliable, and secure remote access to industrial IoT and OT devices to facilitate maintenance and troubleshooting.

FAQs

What Is the IEC 62443 Standard for Cybersecurity?

The IEC 62443 standard is a globally recognized set of industrial cybersecurity guidelines designed to protect industrial automation and control systems (IACS) from cyberthreats. The IEC 62443 framework encompasses security measures, risk assessments, security levels, and maturity models.

What Is the IEC 62443 Series Used For?

The IEC 62443 series helps organizations take a standard approach to systematically assess, mitigate, and manage cybersecurity risks in industrial automation and control systems (IACS) to ensure the reliability and security of critical industrial processes and infrastructure.

What Is the Difference Between ISA99 and IEC 62443?

ISA99 is a committee within the International Society of Automation (ISA) that helps shape the IEC 62443 standards, providing technical reports and more. IEC 62443, developed by the International Electrotechnical Commission (IEC), is a set of international standards, guidance, and best practices that support resilient, secure operational technology and industrial control systems.

What Is the Difference Between IEC 62443 and NIST?

IEC 62443 standards focus specifically on industrial cybersecurity—in particular for industrial automation and control systems (IACS). NIST, a US federal agency, creates guidelines and standards in a spectrum of areas, including cybersecurity. Both provide valuable cybersecurity resources.

What Is the IEC 62443 Checklist?

The IEC 62443 checklist is a tool that helps organizations evaluate and strengthen their IACS security posture, covering vulnerability and risk assessment, network architecture, access control, incident response, and compliance with IEC 62443 maturity and security levels.

What Are the Different Types of IEC 62443 Certification?

The ISA and other organizations offer IEC 62443 certifications for industrial cybersecurity practitioners, such as system integrators, IT/control systems engineers, and plant safety and management personnel, to ensure they understand how to design and implement secure ICS, manage effective ICS security processes, and more.

What Are Some Common Challenges in Applying IEC 62443 Standards?

Common challenges when applying IEC 62443 standards include the complexity of adapting legacy systems to meet the standards, the need for employee training, and the need to get stakeholder buy-in on necessary adjustments. Moreover, any effective IEC 62443 strategy must be flexible enough to adapt as the threat landscape evolves.

What Are the Key Aspects of IEC 62443 Implementation?

An effective IEC 62443 implementation has four foundational requirements: segmentation to limit the impact of a breach by dividing ICS systems into zones and conduits; access control to strictly limit access to critical systems and data; continuous monitoring to detect anomalies and potential threats; and a well-defined incident response plan to minimize or prevent damage from breaches.

What Is the Impact of IEC 62443 on Industrial Network Security?

IEC 62443 provides a framework and guidelines for securing critical infrastructure and industrial control systems (ICS). ICS operators can use its proactive, standardized approach to identify and mitigate security risks, in turn helping to better protect their assets, maintain operational continuity, and reduce the risk of cyberattacks that could disrupt critical processes.