IEC 62443 Guide

Here’s a guide to IEC 62443. After going through this (somewhat short) IEC 62443 guide, you will understand how the standard helps you secure your Industrial Automation and Control Systems (IACS for short) against cyber threats.

Let us understand more about it, why it was developed and where it can be used.

Update: There have been changes to IEC 62443 in 2024. Please read about the latest version of IEC 62443 here.

What is IEC 62443?

IEC 62443 is not a single document, but a set of standards, practices and technical reports that have been developed over more than a decade through the joint global efforts of different voluntary bodies and standards organizations. ISA (the Instrumentation, Systems and Automation Society, formerly known as the Instrument Society of America), in collaboration with IEC (the International Electrotechnical Commission), was the primary driver behind this work. Many parts have been developed by various working groups of ISA and other parts by working groups of IEC. After ANSI (American National Standards Institute) approval, this standard is now officially referred to as ANSI/ISA/IEC 62443.

The standard is still a work in progress and not all parts have been published, yet the parts that are available are useful enough to secure your IACS and other OT (Operational Technology) systems. The current structure is shown below. Draft parts may be available for comment to stakeholders and standards committee members.

Update June 2024: This is the older version of the categories in IEC 62443. Here is the latest IEC 62443 infographic.

[Infographic: structure of the IEC 62443 series]

Note that more parts will be added, in addition to the ones shown in this graphic. This standard has now been declared a horizontal standard, meaning that it is not just applicable to the process industries (such as chemical manufacturing plants or oil and gas fields), but to any business sector that has Operational Technology as a critical element.

Typical examples are discrete parts manufacturing plants, electrical grid infrastructure such as electricity distribution networks, city water supply systems, sewage plants, smart warehouses that have critical building automation systems for climate control, and so on. In short, any facility or business that depends on OT for its continued existence can make use of IEC 62443.

How can I understand IEC 62443?

In order to understand the standard, you first have to understand many concepts related to Industrial Automation and Control Systems, as well as cybersecurity. The easiest way to go about this is to take the Abhisam Industrial Cybersecurity training course (Certified Industrial Cybersecurity Professional), which covers all of this in great detail. This is not your typical plain vanilla cybersecurity course, but a specialized OT cybersecurity course.

Industrial Cybersecurity Training Course

Once these concepts are understood, IEC 62443 will start making sense. After completing the course and passing the exam, you earn the title of CICP and an electronic badge that can be displayed online, on social media sites such as LinkedIn, to enhance your professional visibility.

There are various IEC 62443 training courses available; the Abhisam CICP Course (Standard as well as Professional versions) includes the basics of IEC 62443. The Abhisam CICP Course (Professional) also includes IEC 62443-2-4 training.

Does an IEC 62443 checklist exist?

IEC 62443 is a multi-part standard, with each part covering many aspects. It is not a single document that can be checked for compliance with one checklist, and not all parts may apply to your situation. The best approach is to first take the CICP course (which includes a module on IEC 62443), then study the different parts of the standard, and only then start working on a checklist.

The CICP Course (Professional version) does have a module, “Understanding IEC 62443-2-4”, with a multi-part table showing how to comply with the various aspects of this part of the standard. A checklist can be developed based on this.

Who can make use of IEC 62443?

Industrial manufacturing plants and facilities, as well as installations such as oil terminals, city water supply plants, pipeline networks, power generation plants, electrical grid networks and port handling facilities, are all considered “assets”. These are typically operated by the asset owners themselves, or in some cases by separate entities known as “operators” (here “operators” does not refer to the personnel operating the plant but to the company or organization that operates it).

Together, we refer to these as asset owners/operators.

These assets utilize Industrial Automation and Control Systems, including Safety Instrumented Systems (SIS) and Fire & Gas systems (F&G), that monitor and control the facilities and ensure that they remain safe. We refer to these systems as IACS. An IACS may include various types of control systems, such as those based on DCS (Distributed Control Systems), PLC (Programmable Logic Controllers) or SCADA (Supervisory Control and Data Acquisition) systems.

Every IACS (even for similar plants) is in practice almost custom built, with different sensors, transmitters, actuators, final control elements, controllers and so on. The term IACS includes BPCS (Basic Process Control Systems), SIS (Safety Instrumented Systems) including special SIS such as HIPPS (High Integrity Pressure Protection Systems) and BMS (Burner Management Systems), Building Automation Systems (BAS), and even HVAC control systems that may be critical to maintaining a controlled environment in industries such as pharmaceutical manufacturing, clean rooms, silicon wafer fabs, etc.

These assets and their IACS are designed and engineered by various organizations such as design engineering consultants, IACS vendors, system integrators and EPC (Engineering, Procurement and Construction) companies. More entities may be involved in the basic design of the asset, such as government regulatory bodies (which may issue permits). This is the ecosystem involved, and all of its members can make use of various parts of the standard.

For example, devices such as field instruments (pressure transmitters or flow transmitters, for instance), PLCs and DCS controllers should conform to IEC 62443-4-1 and IEC 62443-4-2. If Industrial IoT devices are present in the IACS, they should conform to the new, upcoming IEC 62443-4-3 standard. IACS vendors and system integrators should follow IEC 62443-2-4 while building the IACS.

Thus, all the entities involved in designing, engineering, building, installing, commissioning and operating these assets can make use of the different IEC 62443 parts that apply to them.

Is IEC 62443 an OT security standard?

Yes, IEC 62443 is an OT security standard. OT is short for Operational Technology, which means the technology required to run facilities such as industrial plants or machinery, or even ships or vehicles. OT includes all the instrumentation, automation, control systems and safety systems that are used to monitor and operate assets.

Why do we need a separate OT security standard?

IT security refers to the cybersecurity of Information Technology based systems. IT systems are basically data processing systems, as opposed to OT systems, which run physical equipment. IT systems include ERP systems (such as SAP), banking systems (including mainframe systems or those using AS/400 systems and similar), credit card and payments processing, and stock trading systems. In these systems there are no physical objects that are controlled, only data. OT systems control physical objects and are also referred to as cyber-physical systems.

The security goals and situations for IT security and OT security are different. Poor OT security can actually cause physical events such as fires or loss of containment. Poor IT security can cause loss of data, including confidential data, as well as loss of money, but cannot cause direct physical harm to anybody.

Can I get an IEC 62443 pdf?

As already stated, this is a multi-part standard and not all parts have been published so far. ISA members can view the parts developed by ISA on the ISA website as part of their member benefits. However, if a PDF is needed, it has to be purchased from the ISA store. The parts developed by IEC can be purchased from the IEC webstore.

Is IEC 62443 the only standard used for OT security?

No, there are other documents and standards, depending on the industry in which you operate. For example, for large electricity suppliers (BES, Bulk Electricity Suppliers) in North America, the NERC CIP plan applies. NERC CIP is short for the North American Electric Reliability Corporation Critical Infrastructure Protection standard. This is a legal requirement.

Other guidance documents include the NIST 800-82 standard for OT security. Currently, Rev 3 is being worked on and should be released soon.


Get the OT Cybersecurity and IEC 62443 Guide for free

Abhisam Quick Guide OT Cybersecurity and IEC 62443

FREE! Get the Abhisam Quick Guide to OT Cybersecurity and IEC 62443

Just get this Confined Space Safety e-learning course today and get trained in working safely in confined spaces.

Note that it includes all the knowledge that you need to have to know how to work safely in confined spaces.

Can I not get this information free from elsewhere?

There is a common myth: “Just Google it.”

It is a myth that you can simply Google for confined space information and get everything that you need to know.

Most likely you will get a large number of occupational safety articles, some videos and some PowerPoint slides, but much of the information will be in bits and pieces.

While you can get some basic information about confined space safety from these sources, it may not be complete. Even if you do find enough material, it will take you a long time to sequence it all into one coherent document that makes sense to you.

Even after doing all this, there is a possibility that you will not get what you really need to know from an OSHA compliance perspective.

Plus you will spend several hours of your time doing all this for zero returns on your investment!

On the other hand, when you take this Abhisam Confined Space Safety course, you know that:

    1. It is very carefully made, by subject matter experts in the fields of occupational safety, process safety and industrial operations who have spent decades in the field creating permit systems, investigating incidents and streamlining methods to reduce or eliminate confined space accidents.
    2. It uses easy graphics, animations and simulations, and real-life examples of dos and don'ts and of correct and incorrect practices, so that you can understand everything easily.
    3. You earn a Certificate when you pass the associated exam, and also get an electronic badge that can be displayed online on places such as LinkedIn. Get noticed.

Can I not simply buy a book? That will be much cheaper!

Of course, you could always pass this up and decide to buy a book on this topic instead, but remember that there are some disadvantages to this approach:

    1. Not a single book is available that covers all the topics you need to know. There are many books on general workplace safety, occupational safety and permit systems, but they may be relevant only to those working in normal workplaces, not those dealing with confined spaces.
    2. Some of these books may be outdated and obsolete.
    3. Nobody gives you a certificate if you simply read a book!


What does the $7 trial include?

The $7 trial includes trial access to ALL the courses in the Abhisam catalog for a limited time, including this Confined Space Safety course.

After the trial is over you can choose to either buy an individual course OR subscribe to the GOLD or PLATINUM membership plans.

Your card will not be billed automatically.

Which versions are available?

This course is available either stand-alone (select the Standard version above), as the Professional version, or as part of the Abhisam GOLD membership level.

The Standard version allows you to access the course online from any device (PC/tablet/smartphone) that has an internet connection and a browser that supports HTML5 (such as Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge, Opera, etc.). You can access the course for a period of one year, within which you need to take the exam to earn an electronic Certificate. You will also earn an electronic badge that can be displayed online on LinkedIn and similar portals.

The Professional version allows you online access to the course for 3 years. You will also earn an electronic badge that can be displayed online on LinkedIn and similar portals.

The content in the Standard and Professional versions is the same.

What is the Abhisam GOLD membership?

When you subscribe to the Abhisam GOLD membership, you get access to all the courses in the Abhisam catalog for one low monthly subscription, with no commitment, as you can cancel anytime. You also get a free certification exam every month. If you are interested in taking a number of courses, the GOLD membership gives you an affordable plan to do so. It is available to individuals only.

What is the Abhisam Platinum membership?

This is meant for organizations with multiple learners. When you subscribe to the Abhisam Platinum membership, your learners get access to all the courses in the Abhisam catalog for one low enterprise yearly subscription. You also get a free certification exam every month.

Additionally, the Platinum membership gives you a dashboard where your training manager can see the progress of the learners, such as module completion, login times, test scores, etc.