3. IEC 62443 Explained for Automation Professionals


In the previous post, we covered the Purdue Model and how it helps organize industrial systems into levels: field devices, PLCs, HMIs, SCADA, operations, IT, and cloud systems.

Now we are going to cover one of the most important standards in industrial cybersecurity:

IEC 62443

IEC 62443 is the international cybersecurity standard created specifically for Industrial Automation and Control Systems (IACS).

For automation professionals, this standard is important because it gives structure to how industrial systems should be secured.

It helps answer questions like:

  • How should we separate IT and OT networks?
  • Who should have access to PLCs and HMIs?
  • How should remote access be controlled?
  • How much security is enough?
  • How do we protect legacy equipment?
  • How do we reduce cybersecurity risk without affecting production?

What is IEC 62443?

IEC 62443 is a family of standards focused on cybersecurity for industrial control systems.

It applies to systems such as:

  • PLCs
  • HMIs
  • SCADA systems
  • DCS systems
  • Safety systems
  • Engineering workstations
  • Industrial networks
  • Remote access systems
  • Industrial servers
  • Field devices

Unlike general IT cybersecurity standards, IEC 62443 was created for environments where:

  • Availability is critical
  • Safety is a priority
  • Downtime can be extremely expensive
  • Systems may run 24/7
  • Legacy equipment is common
  • Changes must be tested before implementation

This makes it especially useful for manufacturing plants and industrial facilities.


Why IEC 62443 Matters in Automation

Automation systems control real-world processes.

A cybersecurity issue in OT can affect:

  • Motors
  • Pumps
  • Valves
  • Conveyors
  • Robots
  • Filling systems
  • Packaging lines
  • Safety systems

In IT, a cyber incident may affect files, emails, or business data.

In OT, a cyber incident may affect machines, production, and people.

That is why IEC 62443 focuses on protecting both the digital system and the physical process.


IEC 62443 is Risk-Based

IEC 62443 does not say every system needs the same level of security.

Instead, it uses a risk-based approach.

That means security controls should be based on:

  • The criticality of the system
  • The consequence of failure
  • The likelihood of attack
  • The value of the process
  • The safety impact
  • The required availability

For example:

A small packaging machine may not require the same security level as a safety system, chemical process, or power generation control system.


Asset Owners, Integrators, and Product Suppliers

IEC 62443 separates responsibilities between different roles.

Asset Owner

The company that owns and operates the industrial system.

Examples:

  • Manufacturing plant
  • Food and beverage facility
  • Pharmaceutical plant
  • Utility company

The asset owner is responsible for defining security requirements and maintaining the cybersecurity program.


System Integrator

The company or team that designs, installs, or modifies the control system.

Examples:

  • Automation integrator
  • Controls engineering contractor
  • Internal engineering team

The integrator is responsible for implementing the system according to the security requirements.


Product Supplier

The manufacturer that builds the hardware or software.

Examples:

  • PLC manufacturer
  • HMI software vendor
  • SCADA vendor
  • Industrial switch manufacturer
  • Drive manufacturer

The supplier is responsible for providing secure products and documentation.

This division is important because cybersecurity is not the responsibility of one person or one department. It requires teamwork.


The Core Idea: Secure by Design

IEC 62443 promotes the idea of secure by design.

This means security should be considered during:

  • System design
  • Network architecture
  • Equipment selection
  • Programming
  • Commissioning
  • Maintenance
  • Upgrades
  • Remote access planning

Security should not be added only after the system is already installed.

A secure system should be designed from the beginning.


One of the most important IEC 62443 concepts is:

Zones and Conduits

Zones

A zone is a group of assets with similar security requirements.

Examples:

  • PLC zone
  • HMI zone
  • Safety zone
  • Remote access zone
  • Enterprise IT zone
  • Historian zone

A zone helps define what needs to be protected.


Conduits

A conduit is a controlled communication path between zones.

Examples:

  • Firewall connection
  • VLAN trunk
  • VPN tunnel
  • Router connection
  • Data diode
  • Secure gateway

A conduit controls how data moves between zones.

Simple example:

IT Network  →  DMZ  →  OT Network

The DMZ acts as a controlled zone between business systems and control systems.


Restricted Data Flow

IEC 62443 emphasizes restricted data flow.

That means systems should only communicate when necessary.

A good rule is:

Allow only what is required. Block everything else.

For example:

  • ERP should not directly communicate with PLCs
  • Vendor laptops should not directly access controllers
  • Office computers should not be on the PLC network
  • Remote users should pass through a secure jump server
  • Safety systems should be isolated from standard control networks

This reduces the attack surface and limits lateral movement.


Security Levels (SL)

IEC 62443 defines different security levels.

These levels help determine how much protection a system needs.

Security Level   Protection Against
SL0              No special cybersecurity protection
SL1              Accidental misuse or simple mistakes
SL2              Intentional misuse with simple tools
SL3              Sophisticated attackers with OT knowledge
SL4              Highly skilled attackers with major resources

SL-T, SL-A, and SL-C

IEC 62443 also uses three important security level terms.

SL-T – Target Security Level

This is the security level you want to achieve.

Example:

A safety system may have a higher SL-T than a standard HMI.


SL-A – Achieved Security Level

This is the security level currently achieved by the system.

Example:

Your plant may want SL2, but current controls only meet SL1.


SL-C – Capability Security Level

This is the maximum security level a product or component can support.

Example:

An old PLC may not support modern authentication or encryption, so it may have limited security capability.

The gap between SL-T and SL-A helps define what improvements are needed.


The 7 Foundational Requirements

IEC 62443 is built around seven foundational requirements.

These are core categories of cybersecurity protection.


FR1 – Identification and Authentication Control

Verify users, devices, and systems before allowing access.

Examples:

  • Unique user accounts
  • Strong passwords
  • Multi-factor authentication
  • Device authentication

FR2 – Use Control

Limit what authenticated users are allowed to do.

Examples:

  • Operators can run the machine
  • Engineers can modify logic
  • Vendors can access only assigned systems
  • Administrators have controlled privileges

FR3 – System Integrity

Protect systems from unauthorized modification.

Examples:

  • Change management
  • Program backup comparison
  • Firmware validation
  • Application whitelisting
  • Malware protection

FR4 – Data Confidentiality

Protect sensitive information.

Examples:

  • Encrypted remote access
  • Secure file transfer
  • Protected engineering backups
  • Controlled access to documentation

FR5 – Restricted Data Flow

Control communication between systems.

Examples:

  • Firewalls
  • VLANs
  • DMZ
  • ACLs
  • One-way communication

FR6 – Timely Response to Events

Detect and respond to cybersecurity events quickly.

Examples:

  • Security logs
  • Alarm monitoring
  • Remote access logs
  • Incident response procedures
  • SIEM integration

FR7 – Resource Availability

Ensure systems remain available when needed.

Examples:

  • Redundant networks
  • Backup systems
  • UPS protection
  • Disaster recovery plans
  • Protection against denial-of-service attacks
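The SL-T, SL-A and SL-C terms above and the seven foundational requirements are easiest to reason about as vectors with one level per FR. The following is an added example, not code from the original post: it computes the SL-T minus SL-A gap per FR for a zone and flags components whose SL-C cannot reach the target. All level values, the zone and the component names (legacy_plc, modern_hmi) are constructed.

```python
# Added example (not from the original post): gap analysis between target (SL-T),
# achieved (SL-A) and capability (SL-C) levels per FR1..FR7. Values are constructed.

FOUNDATIONAL_REQUIREMENTS = {
    "FR1": "Identification and Authentication Control",
    "FR2": "Use Control",
    "FR3": "System Integrity",
    "FR4": "Data Confidentiality",
    "FR5": "Restricted Data Flow",
    "FR6": "Timely Response to Events",
    "FR7": "Resource Availability",
}

# A security level is a vector with one SL0..SL4 value per FR, not a single number.
# Constructed zone: SL-T is what the asset owner wants, SL-A what current controls meet.
SL_T = {"FR1": 2, "FR2": 2, "FR3": 2, "FR4": 1, "FR5": 2, "FR6": 2, "FR7": 2}
SL_A = {"FR1": 1, "FR2": 1, "FR3": 2, "FR4": 1, "FR5": 2, "FR6": 1, "FR7": 2}

# Constructed SL-C of the components in the zone. The hypothetical legacy PLC
# has no authentication or encryption support, so its FR1/FR2/FR4 capability is 0.
SL_C = {
    "legacy_plc": {"FR1": 0, "FR2": 0, "FR3": 1, "FR4": 0, "FR5": 2, "FR6": 1, "FR7": 2},
    "modern_hmi": {"FR1": 2, "FR2": 2, "FR3": 2, "FR4": 2, "FR5": 2, "FR6": 2, "FR7": 2},
}


def validate_vector(vec):
    """Reject vectors that do not cover FR1..FR7 exactly with levels 0..4."""
    if set(vec) != set(FOUNDATIONAL_REQUIREMENTS):
        raise ValueError("vector must contain FR1..FR7 exactly")
    for fr, level in vec.items():
        if not 0 <= level <= 4:
            raise ValueError(f"{fr}: level {level} is outside SL0..SL4")


def fr_gaps(target, achieved):
    """Return {FR: shortfall} for each FR where SL-A is below SL-T (the improvements needed)."""
    validate_vector(target)
    validate_vector(achieved)
    return {fr: target[fr] - achieved[fr]
            for fr in FOUNDATIONAL_REQUIREMENTS if achieved[fr] < target[fr]}


def needs_compensating_controls(target, capabilities):
    """Return {component: [FRs]} where SL-C is below SL-T; the architecture must cover those."""
    validate_vector(target)
    result = {}
    for name, cap in capabilities.items():
        validate_vector(cap)
        weak = [fr for fr in FOUNDATIONAL_REQUIREMENTS if cap[fr] < target[fr]]
        if weak:
            result[name] = weak
    return result
```

The FRs returned by `needs_compensating_controls` are exactly the ones where a device cannot protect itself, which is where the compensating controls discussed later in this post apply.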

Practical Example: Applying IEC 62443 in a Plant

Imagine a production line with:

  • CompactLogix PLC
  • PanelView HMI
  • Stratix switch
  • PowerFlex drive
  • Engineering workstation
  • Historian server
  • Remote vendor access

A basic IEC 62443 approach would include:

  1. Create an asset inventory
  2. Assign devices to zones
  3. Define communication paths
  4. Place firewalls between critical zones
  5. Use role-based access
  6. Secure remote access through a jump server
  7. Backup PLC and HMI programs
  8. Monitor network traffic and access logs
  9. Review changes through change management
  10. Test recovery procedures
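Steps 1 through 4 and 8 above, together with the restricted data flow rules given earlier (ERP should not talk to PLCs, vendors go through a jump server), can be expressed as a small zone and conduit model with a default-deny check. This is an added example, not code from the original post; the asset, zone, service and conduit names are constructed.

```python
# Added example (not from the original post): a zone/conduit model that applies
# "allow only what is required, block everything else" to the production line
# above. Asset, zone, service and conduit names are constructed.

# Steps 1 and 2: asset inventory, each asset assigned to a zone.
ASSETS = {
    "compactlogix_plc":        "cell_control",
    "panelview_hmi":           "cell_control",
    "powerflex_drive":         "cell_control",
    "engineering_workstation": "engineering",
    "historian_server":        "dmz",
    "jump_server":             "dmz",
    "erp_server":              "enterprise_it",
    "vendor_laptop":           "remote_vendor",
}

# Steps 3 and 4: conduits as an explicit allowlist of
# (source zone, destination zone, service). Anything not listed is blocked.
CONDUITS = {
    ("engineering", "cell_control", "ethernet/ip"),  # program download, online edits
    ("cell_control", "dmz", "historian"),            # PLC/HMI process data to historian
    ("enterprise_it", "dmz", "historian"),           # ERP reads production data from DMZ
    ("remote_vendor", "dmz", "rdp"),                 # vendor lands on the jump server
    ("dmz", "engineering", "rdp"),                   # jump server hops to engineering
}


def is_allowed(src_asset, dst_asset, service):
    """Default deny: a flow passes only if it stays inside one zone or crosses
    a zone boundary through a defined conduit. Unknown assets raise KeyError."""
    src, dst = ASSETS[src_asset], ASSETS[dst_asset]
    if src == dst:
        return True
    return (src, dst, service) in CONDUITS


def audit(flows):
    """Return the flows that violate the conduit model (step 8: monitoring)."""
    return [flow for flow in flows if not is_allowed(*flow)]


# Constructed sample of observed flows, as a span port or firewall log would show.
OBSERVED_FLOWS = [
    ("panelview_hmi", "compactlogix_plc", "ethernet/ip"),
    ("erp_server", "compactlogix_plc", "ethernet/ip"),     # ERP talking directly to a PLC
    ("vendor_laptop", "jump_server", "rdp"),
    ("vendor_laptop", "compactlogix_plc", "ethernet/ip"),  # vendor bypassing the jump server
    ("erp_server", "historian_server", "historian"),
]
```

Running `audit(OBSERVED_FLOWS)` returns the two flows that break the model, which is the kind of finding a firewall rule review or traffic monitoring should surface.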

This is how cybersecurity becomes practical for automation teams.


IEC 62443 and Legacy Equipment

Many industrial plants have old systems that cannot be fully secured.

Examples:

  • Old PLCs
  • Legacy HMIs
  • Unsupported Windows PCs
  • Old drives with no authentication
  • Serial-to-Ethernet gateways

IEC 62443 recognizes this reality.

When a device cannot protect itself, the network architecture must protect it.

These protective measures are called compensating controls.

Examples:

  • Put the device behind a firewall
  • Limit access by IP address
  • Disable unused ports
  • Monitor communication
  • Use jump servers
  • Prevent direct internet access
  • Restrict engineering access

Common Mistakes IEC 62443 Helps Prevent

Avoid These Mistakes

❌ Flat industrial networks
❌ Shared engineering passwords
❌ Remote access directly to PLCs
❌ No asset inventory
❌ No backup strategy
❌ No change management
❌ No separation between IT and OT
❌ No monitoring of industrial traffic
❌ Safety systems connected without protection
❌ Unsupported systems exposed to unnecessary networks


IEC 62443 in Simple Words

If we simplify IEC 62443 for automation professionals:

  • Know what assets you have
  • Separate systems by risk
  • Control communication between zones
  • Limit user access
  • Protect engineering workstations
  • Monitor activity
  • Backup critical systems
  • Prepare for incidents
  • Keep safety and availability as top priorities

Final Thoughts

IEC 62443 is one of the most important cybersecurity standards for industrial automation.

It gives automation professionals a structured way to think about cybersecurity without treating OT like regular IT.

For technicians and engineers, the most important takeaway is this:

Secure industrial systems by design, separate critical assets into zones, control communication through conduits, and always protect safety and availability.

Cybersecurity is not only about protecting data.

In OT, cybersecurity protects people, equipment, production, and the physical process.
