IEC 62443 is a family of standards that addresses cybersecurity from multiple perspectives, including:
Asset owners
System integrators
Product suppliers
Service providers
Assessors and certification bodies
The standards are organised into six major groups based on their purpose.
IEC 62443 groups and their focus areas.
Group 1 — General
Purpose
Provides the foundation of the IEC 62443 series by defining concepts, terminology and the overall cybersecurity model used throughout the standards. These documents establish the common language and principles used by all other parts of IEC 62443.
Standards
IEC 62443-1-1 – Terminology, concepts and models.
IEC 62443-1-2 – Master glossary of terms and abbreviations.
IEC 62443-1-3 – System security conformance metrics.
IEC TR/TS 62443-1-4 – IACS security lifecycle and use cases.
IEC TR/TS 62443-1-5 – Cybersecurity profiles.
IEC TR/TS 62443-1-6 – Application of IEC 62443 in IIoT.
Group 2 — Policies and Procedures
Purpose
Focuses on how organisations manage cybersecurity. These standards are primarily written for asset owners, operations personnel, service providers and management. They define the processes, governance and management systems needed to operate secure industrial environments.
Standards
IEC 62443-2-1 – Security program requirements for IACS asset owners.
IEC 62443-2-2 – Security program rating.
IEC 62443-2-3 – Patch management in the IACS environment.
IEC 62443-2-4 – Requirements for IACS service providers.
IEC TR/TS 62443-2-5 – Implementation guidance for asset owners.
Group 3 — System
Purpose
Addresses cybersecurity at the industrial control system level. These standards assist organisations with designing secure architectures, performing cybersecurity risk assessments, implementing defence-in-depth and achieving appropriate Security Levels (SL).
Standards
IEC TR/TS 62443-3-1 – Security technologies for IACS.
IEC 62443-3-2 – Security risk assessment and system design.
IEC 62443-3-3 – System security requirements and security levels.
Group 4 — Component
Purpose
Focuses on cybersecurity built directly into industrial products. These standards are primarily intended for PLC manufacturers, HMI vendors, SCADA suppliers, network equipment manufacturers and software developers.
Standards
IEC 62443-4-1 – Secure product development lifecycle requirements.
IEC 62443-4-2 – Technical security requirements for IACS components.