Industrial Automation and Control System Security - ISA/IEC 62443

Protecting Industrial Automation and Control Systems against cyberattacks is not optional — it's essential in our connected world. Learn more about the ISA/IEC 62443 standards and discover our agile evaluation and certification services.
get a free consult

Comprehensive OT Cybersecurity Compliance for a Safer Industrial Environment

In Operational Technology (OT), security extends beyond IT, protecting not only data but also the physical safety of workers, machines, and the environment. At CCLab, we recognize the unique challenges of each industrial environment and offer customized cybersecurity compliance services to meet your specific needs. We guide you through the complexities of the IEC 62443 standard, conducting comprehensive security tests, documentation reviews, and audits to ensure compliance.

Companies who chose us

About the ISA/IEC 62443 standards

ISA/IEC 62443 series of standards were created to provide an achievable model to handle risks and mitigate cybersecurity threats.
iec-62443-standards

IEC 62443 is the standard series that applies to all stakeholders involved in protecting Industrial Automation and Control Systems (IACS), offering the most effective cybersecurity solution for Industry 4.0 worldwide. The various parts of IEC 62443 are relevant to asset owners, operators, maintenance service providers, integrators, and product suppliers (developers of control systems and their components).
With increased connectivity of production assets (Industrial IoT devices - IIoT), new hazards emerge that must be treated in traditional risk management processes. An industrial automation control system and component manufacturer shall apply the security requirements under IEC 62443 4-1 and IEC 62443-4-2 from the very first stage of the product development.
The IEC 62443-4-1 standard outlines requirements for a secure product development lifecycle, embedding security from the design phase onward. It ensures security is integrated throughout the entire process, from conceptualization and design to implementation, testing, deployment, maintenance, and decommissioning of industrial automation systems.
An IEC 62443-4-1 certificate confirms that a developer has followed a secure-by-design approach and defense-in-depth strategy, covering the full security lifecycle, including patch management.

The main objective of the IEC 62443 series is to provide a flexible framework that systematically addresses vulnerabilities in IACS and implements necessary mitigations.


In industrial control systems, unlike traditional IT's focus on the CIA principles (Confidentiality, Integrity, Availability), the priority is Availability to safeguard Operational Technology (OT). As a result, the protection goals center on physical assets, plant safety, operational continuity, and ensuring time-critical system responses.

Developer/Manufacturer

PRODUCT SUPPLIER

ISA/IEC 62443-4-1

Component/Product

PRODUCT

ISA/IEC 62443-4-2
Applications
Embedded devices
Network components
Host devices

IEC 62443-4-2 standard outlines the cybersecurity technical requirements for the various components that may constitute an Industrial Automation and Control System (IACS), including:

Embedded Devices

hardware devices that have a specific function within the larger system. In an Industrial Control System (ICS), this category would typically include Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Safety Instrumented Systems (SIS), Intelligent Electronic Device (IED), Distributed Control System (DCS).

Network Devices

components that deal with data transmission and network communication. They include switches, routers, firewalls, and wireless access points.

Host Devices

These are the computers or servers where the industrial software applications run. They serve as the user-facing interface of the systems, and in ICS this may include the Human-Machine Interface (HMI) devices and industrial PCs, operator workstations and Data Historian.

Software Applications

This refers to software programs installed on the host devices to exercise control over the processes and manage the system. This can include control software running on the PLCs, SCADA system software, and other specific software applications required for processes within the ICS system.The purpose of this standard is to define security capabilities that allow a component to address threats at a specified security level (SL) independently, without relying on additional countermeasures.

Security level

Misuse

Means

Resources

Knowlegde

Motivation

1

Accidental

-

-

-

-

2

Intentional

Simple

Few

General

Low

3

Intentional

Sophisticated

Moderate

IACS-specific

Moderate

4

Intentional

Sophisticated

Extensive

IACS-specific

High

Key distinctions between IEC 62443-4-1 and IEC 62443-4-2

  • IEC 62443-4-1 concentrates on secure product development and the product lifecycle, while IEC 62443-4-2 emphasizes technical security requirements for IACS components, specifically embedded devices, network devices, host devices, and software applications.

  • IEC 62443-4-1 utilizes four maturity levels of development processes, whereas IEC 62443-4-2 is structured around four security levels for components.

  • IEC 62443-4-1 encompasses 47 development process-related requirements distributed across 8 practices, whereas IEC 62443-4-2 addresses 141 foundational requirements depending on the applied security level.

  • To verify compliance with IEC 62443-4-1, in addition to reviewing documentation, the development processes and associated artifacts must be audited at the manufacturer's site.

The IEC 62443 standard describes 4 levels of security functionality
for component security (62443-4-2)

SL1

Protection against causal or coincidental violation

SL2

Protection against intentional violation using simple means with low resources, generic skills and low motivation

SL3

Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation

SL4

Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation

Why are security levels relevant?

When considering the entire concept of IACS, the asset owner's automation demands and the outcomes of the related risk assessment drive the system integrator to specify the appropriate security capability levels for individual components within the automation solution. The integrator defines security zones to effectively segment the system components, allowing for the implementation of targeted security levels within each zone. This ensures that critical processes are adequately protected against specific threats.

Get IEC 62443 certification under the IECEE CB Scheme

QIMA and CCLab are recognized in the IECEE CB Scheme, the world’s largest certification scheme for electrical and electronic products and components. Based on our evaluation results, we can issue CB certificates that are internationally accepted in several countries. Read more about CB Certification here:  https://www.cclab.com/service/cybersecurity-certification 
CCLab is ready to provide the following services to conform and comply with the desired standards and security levels.

  • Gap analysis

  • Consultation and support the preparations for certification

  • Online and on-site workshops

  • Documentation review

  • Secure product development lifecycle requirements audit & certification (62443-4-1)

  • Technical security requirements for IACS component evaluation & certification (62443-4-2)

Together with other members of QTICS Group, we provide a wider range of compliance services within the Energy & Industry sector.

You don’t have enough information about Industrial Control System Security?

check our faq

Do you need support for your Industrial Control System Security project?

CONTACT US

Testimonials

Kenneth Lasoski

Kenneth Lasoski

Versa Networks

Evaluation team was extremely reasonable and flexible with resolution to findings and was helpful in finding agreeable solutions for CB comments. Consultation team was always responsive and helped shape the documentation for easier evaluation, and provided useful recommendations on satisfying SFR/SARs.

Thierry Bonda

Thierry Bonda

Landis+Gyr

CCLab was well prepared, flexible during the whole evaluation process, and supported us with continuous communication and guidance. Many lessons were learnt during the project and CCLab has always been looking for solutions, supporting our developers the best way they could. The new Swiss evaluation methodology was a good and professional basis to work with, but both parties had to learn how to deal with it.

Jake Nelson

Jake Nelson

Corsec Security Inc.

The relationship between Corsec and CCLab has been instrumental in helping product vendors successfully complete the Common Criteria certification process. As a Common Criteria consultant to the product vendor, Corsec relies on CCLab’s responsiveness and expertise to quickly and thoroughly complete the testing component of the process. CCLab has been essential in managing multiple projects, their professionalism has helped ensure product vendor satisfaction and ultimate project success.

Alexander Testov

Alexander Testov

AO Kaspersky Lab.

"I would definitely recommend CCLab to anyone in need of Common Criteria certification. Our cooperation was comfortable, well organized and efficient. I am totally satisfied with the result."

Dayton Marcucci

Dayton Marcucci

HID Global

The CCLab team gave us full support to adapt to the changes during product development. Whatever the challenges faced they could keep the due dates and we were able to complete the process quickly and efficiently. The real agile lab helped our success. We are going to work with them again. I highly recommend them to anyone wanting to get its product certified.

Jaime Chica

Jaime Chica

NXP Semiconductors

It was a well-managed project which achieved success in an effortless manner.

Kalev Pihl

Kalev Pihl

SK ID Solutions

We needed a lab that works quickly but with high work morale and quality of work. CCLab is exactly like that! It was good cooperation experience to work with them. The project was rather complex and our expectations maybe even too high, but the team was committed to the common goals and could keep the milestones; therefore we were able to deliver what was needed. I highly recommend CCLab team to anyone for their great team spirit, quality orientations, agility and reasonable pricing.

Israr Ahmed

Israr Ahmed

Ascertia Ltd.

On behalf of Ascertia, accept my appreciation for the excellent job done by CCLab team over the past several months in achieving the Common Criteria Certificate for ADSS Server SAM solution. It was an enormous undertaking but went smoothly and efficiently! Thanks to your leadership and dedication combined with your staff's teamwork and energy, we achieved our target. You and your employees should take great pride in this accomplishment. We look forward to extend our work with you for our next certification milestone and hope will continue to get such excellent service.

Zsolt Rózsahegyi

Zsolt Rózsahegyi

I4P Informatics Ltd.

Thanks to the agile processes we've been able to add new features to the product during the evaluation that made it even more valuable to customers. CCLAB efficiently supported us throughout the whole change management process. The predictability, accurate scheduling, and supportive mindset helped us to finish the project in time.