IEC 62443 Foundational Requirements

IEC 62443 Foundational Requirements

If you have been working in the field of Industrial Control Systems cyber security (ICS security) or in the broader Operational Technology cybersecurity domain (OT security) then you may have heard of the standard ANSI/ISA/IEC 62443, referred to these days as simply IEC 62443. This standard has certain Foundational Requirements that are important and these are explained in short here.

This short guide will explain these IEC 62443  Foundational Requirements, but to really understand Industrial Cybersecurity in detail and also get certified as an Industrial Cybersecurity Professional, please take the Abhisam CICP Course now. (Click the image below to learn more about it). This is the most cost effective way, to learn all that you need to know about Industrial Cybersecurity and to get certified as a Professional, but at a fraction of the cost that you would otherwise spend on multiple other certifications from other providers.

Industrial Cybersecurity Training Course

First the basics.

What is IEC 62443?

The ANSI/ISA/IEC 62443 set of standards and practices is a joint effort by the ISA 99 committee. This ISA committee worked hard for many years on Industrial Cybersecurity to have a comprehensive standard that could provide guidance and direction regarding ICS security to a wide set of stakeholders such as asset owners/operators, IACS (Industrial Automation and Control System) vendors, system integrators, design engineering consultants, EPC companies that build manufacturing plants and others.

Note that the term IACS includes not only Industrial Automation and Control Systems (that may themselves be based on DCS – Distributed Control Systems or PLC – Programmable Logic Controllers, or other kinds of electronic controllers), but also other operational technology systems such as Safety Instrumented Systems, Building Automation Systems, SCADA (Supervisory Control and Data Acquisition systems) as well as specialized systems such as HIPPS (High Integrity Pressure Protection Systems) and BMS (Burner Management Systems). Hence we use the term IACS, it could be any or all of these systems.

This ground work resulted in a planned set of standards that dealt with Industrial Control System cybersecurity, whether based on DCS, PLC, SCADA or other technologies and architectures, whether used as BPCS (Basic Process Control Systems) or SIS (Safety Instrumented Systems) or as Building Automation systems. Note that collectively these systems fall under the category of OT (Operational Technology) systems.

ISA later on collaborated with IEC (International Electrotechnical Commission) for a common set of standards, that could be used globally (not just in the US) and these efforts resulted in the series now referred to as ANSI/ISA/IEC 61443 series of standards. Many parts of this series have been published by ISA and some parts by IEC. However, all parts whether published originally by ISA or IEC, are now included in the series and referred to as ANSI/ISA/IEC 62443 or simply as IEC 62443 or even just as “62443 standard series”

IEC 62443 parts

As of now, there are about 14 parts in the IEC 62443 series, although some more are being planned. Note that even among the 14 parts, not all have been published and some are still in the draft / planning stage. All the parts are shown in the chart below. This is also referred to as the ISA IEC 62443 framework.

IEC 62443

There is no single IEC 62443 standard pdf available. Each part is a separate pdf that has to be purchased from the IEC website or from authorized standards distributors. However, ISA members can view the parts that are published by ISA for free on their website in the member’s area. But the parts that are developed and published by IEC themselves (such as for example IEC 62443-2-4), are not available for viewing in the ISA member area and have to be purchased separately from IEC.

IEC 62443-1-1

This is the first part of the IEC 62443 series and the one where the Foundational Requirements are introduced. These Foundational Requirements (FR for short) are then referenced throughout the IEC 62443 series, so it is essential to understand them. There are seven FRs and they are listed below in the table.

Foundational Requirements IEC 62443

IEC 62443 Foundational Requirements Explained

Identification & Access Control (IAC)

This ensures that the devices as well as the information that they possess can only be accessed by genuine entities, having the necessary permissions, who need this access, in order for the plant or facility to be operated safely, and in a manner in which the IACS is designed to operate it.

Use Control

Use Control (UC) ensures that only authorized entities can use the devices and/or the information that they possess for valid and necessary tasks that are essential to maintain the safety and productivity of the plant or facility. The principle of “least privilege” is to be followed.

System Integrity (SI)

This Foundational requirement ensures that there cannot be any unauthorized changes to data in the communication channels, so that only genuine and correct data is available. For example, the process values that are displayed on a DCS operator’s screen must be the real ones and not manipulated by malicious entities, as happened during the Stuxnet attack.

Data Confidentiality (DC)

All data in the IACS should remain confidential and should not be accessible to outsiders or unauthorized insiders, whether malicious or not.

Restricted Data Flow

This Foundational Requirement ensures that every entity gets the information only on a “need to know basis”. Thus there should not be unnecessary data flows to areas where it is not required. For example, there may not be a valid reason to send any data from an Enterprise level ERP server to the SIS logic solver of a plant. This implies that the system architecture as well as the hardware and software configuration should be carefully designed, so that the system can be partitioned properly into Zones and Conduits, with appropriate security levels.  The use of devices such as a Unidirectional Gateway and Data Diode, or similar  can help.

Timely Response to Events

This Foundational Requirement of IEC 62443 ensures that the IACS shall provide the necessary capabilities, to respond to security violations by notifying the proper authority, reporting evidence of the violation and taking timely corrective action upon discovery of such an incident.

Resource Availability

Ensure that the design and operation of the IACS is such that there are no “denial or service” situations, where the IACS cannot operate the plant or bring it to a safe state. In any situation the Safety Related System, such as the Safety Instrumented System should not be prevented from shutting down the plant or bringing it to a safe state, even under a Denial of Service Attack.

These Foundational Requirements are referenced all through the different parts of the IEC 62443 series. The different parts of the IEC 62443 series have guidance on how to meet these FRs while implementing the parts.

IEC 62443 parts- what you need to know

Note that all parts of IEC 62443 have not been published as of now, so you can only refer to the ones that have been published. This standard is useful for not only IT Security auditors who may need to audit IACS or other OT systems as part of their job, but also for Instrumentation, Control Systems, Automation engineers who design, build, integrate and maintain these systems including those engineers and technicians who work for Asset Owners (such as Oil & Gas companies, chemical manufacturing plants, or Water utilities as typical examples), but also IACS vendors and their system integrators, as well as EPC companies that design and build plants and facilities.

What is the Understanding IEC 62443-2-4 course?

This course focuses on thoroughly understanding IEC 62443-2-4 part of the IEC 62443 standard. This part is meant for Industrial Automation and Control systems vendors, their system integrators and other Operational Technology vendors and system integrators, who provide automation solutions to asset owners/operators. It is also useful for asset owners/operators to know what to expect (and whether the vendor or system integrator is delivering as expected) a solution that is supposed to be secure.

Understanding IEC 62443-2-4

You can take this as an individual course, or better still access it as a part of the Professional version of the Abhisam Industrial Cybersecurity course (CICP course), when you take the CICP course.

The Abhisam Industrial Cybersecurity Course gives a great explanation of all the IEC 62443 parts.

Related Posts

  • Understanding IEC 62443-2-4
    What is IEC 62443-2-4? Understand it easily

    Abhisam is pleased to announce that a new module on understanding IEC 62443-2-4 is  now a part of the Abhisam Industrial Cybersecurity training course (Professional Version). What is IEC 62443-2-4? As you probably…

  • IEC 62443 guide
    IEC 62443 Guide

    Here's a guide to IEC 62443. After going through this (somewhat short) IEC 62443 guide, you will understand how it helps you secure your Industrial Automation and Control Systems (IACS for short) against…

  • IEC 62443 training
    IEC 62443 Training

    Update: Join us on 27th and 28th November 2025 in Mumbai for the next IEC 62443 training workshop. Join the IEC 62443 training workshop here. This brief guide will explain how to take…

Get the OT Cybersecurity and IEC 62443 Guide for free

Abhisam Quick Guide OT Cybersecurity and IEC 62443
Quick Guide OT Cybersecurity

FREE! Get the Abhisam Quick Guide to OT Cybersecurity and IEC 62443

Just get this Confined Space Safety e-learning course today and get trained in working safely in confined spaces.

Note that it includes all the knowledge that you need to have to know how to work safely in confined spaces.

Can I not get this information free from elsewhere?

There is a  common myth  “Just Google it”

It is a myth that you can simply Google for Confined Space   information and get everything that you need to know.

Most likely you will get a large number of occupational safety articles and information, some videos, some power point slides, but much of the information may be in bits and pieces.

While you can get some basic information about confined space safety from these sources, it may not be complete. Even if you do find enough material, it will take you a long time to sequence it all together in one coherent document that makes sense to you.

Even after doing all this there is a possibility that you may not get what you really need to know from an OSHA compliance perspective

Plus you will spend several hours of your time doing all this for zero returns on your investment!

On the other hand, when you take this Abhisam Confined Space safety course, you know that

    1.  It is very carefully made, with subject matter experts in the field of Occupational Safety, Process Safety & Industrial operations who have spent decades in the actual field creating permit systems, investigating incidents and streamlining methods to reduce or eliminate confined space safety accidents.
    2. Utilizes easy graphics, animations and simulations, real life examples of dos and donts, correct and incorrect practices  that enable you to understand everything easily.
    3.  Earn a Certificate when you pass the associated exam and also get an electronic badge that can be displayed online on places such as LinkedIn. Get Noticed.

Can I not simply buy a book? That will be much cheaper!

Of course, you could always pass this up and decide to go for  buy a book on this topic,

but,

remember that there are some disadvantages with this approach

    1.  The first is that not a single book is available  that covers all the topics that you need to know. On the other hand, there will be many books on general workplace safety, occupational safety, permit systems, that may be relevant to only those working in normal workplaces, not those having confined spaces.
    2.  Some of these books may be outdated and obsolete.
    3.  Nobody gives you a certificate if you simply read a book!

 

What does the $7 trial include?

The $7 trial includes trial access to ALL the courses in the Abhisam Catalog for a limited time including this Confined Spaces Safety course

After the trial is over you can choose to either buy an individual course OR subscribe to the GOLD or PLATINUM membership plans.

Your card will not be billed automatically.

Which versions are available?

This course is available as either stand alone (select the Standard version above), Professional, or as part of the Abhisam GOLD membership level.

The Standard version allows you to access the course online from any device (PC/tablet/smartphone) that has an internet connection and a browser that supports HTML 5 (such as Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge, Opera, etc). You can access the course for a period of one year, within which you need to take the exam to earn a Certificate (electronic). You will also earn an electronic badge that can be displayed online on LinkedIn and similar portals.

The Professional version allows you access to the course for 3 years online. You will also earn an electronic badge that can be displayed online on LinkedIn and similar portals.

The content in the Standard and Professional versions is the same.

What is the Abhisam GOLD membership?

When you subscribe to the Abhisam GOLD membership, you get access to all the courses in the Abhisam Catalog, by paying just one low monthly subscription with no commitment as you can cancel anytime. You can also get a free certification exam every month. If you are interested in taking a bunch of courses, then the GOLD membership gives you an affordable plan to do this. This is available to individuals only.

What is the Abhisam Platinum membership?

This is meant for organizations with multiple learners. When you subscribe to the Abhisam Platinum membership, your learners get access to all the courses in the Abhisam Catalog, by paying just one low Enterprise yearly subscription. You can also get a free certification exam every month. 

Additionally Platinum membership gives you a Dashboard where your Training Manager can see the progress of the learners, such as learner module completion, login times, test scores, etc.