← Home

Developing Secure Products and Systems (IEC 62443-4)

The ISA/IEC 62443-4 series ensures cybersecurity is built directly into industrial automation products rather than relying solely on system-level controls. It defines what product suppliers must do during development and what technical security capabilities individual IACS components must provide.

This page covers ISA/IEC 62443-4-1 (Secure Product Development Lifecycle Requirements) and ISA/IEC 62443-4-2 (Technical Security Requirements for IACS Components), together with the ISA Secure product certification program.

IEC 62443 Developing Secure Products and Systems
Figure – Overview of the IEC 62443-4 series: secure product development lifecycle (4-1), technical security requirements for IACS components (4-2), and ISA Secure product certification.

Learning Objectives

Refer to: ISA/IEC 62443-4-1
Refer to: ISA/IEC 62443-4-2
Refer to: IEC 62443 Security Levels (SL-T, SL-C, SL-A)


IEC 62443-4 Overview (Parts 4-1 & 4-2)

The IEC 62443-4 series focuses on ensuring cybersecurity is integrated into industrial automation products at the source. The two parts are complementary: Part 4-1 defines how products should be developed securely, while Part 4-2 defines what security capabilities those products must provide.

ISA/IEC 62443-4-1 — Secure Product Development Lifecycle

Defines the secure development lifecycle that product suppliers should follow when designing, developing, maintaining and retiring IACS products.

Focus areas include:

ISA/IEC 62443-4-2 — Technical Security Requirements

Defines the technical cybersecurity capabilities that individual industrial components must provide.

Focus areas include:

Shared Responsibilities

Secure product development supports operational requirements across the supply chain. Product suppliers and system integrators each have defined responsibilities when selecting, integrating and deploying industrial components.

Role Key Responsibilities
Product Supplier Documented security capabilities; supported SL-C; secure integration guidance; product security documentation; lifecycle security support.
System Integrator Specify the required Security Capability Level (SL-C); select components capable of achieving the Target Security Level (SL-T); ensure components are integrated according to supplier guidance.

Refer to: IEC 62443 Roles (Product Supplier, System Integrator)


IEC 62443-4-1 Secure Product Development Lifecycle

Primary Objective

Ensure cybersecurity is integrated throughout the entire product lifecycle rather than added after development. The lifecycle covers:

Security Capability Level (SL-C)

Part 4-1 emphasises Security Capability Level (SL-C), which represents the cybersecurity capabilities built into an individual product or component. Unlike SL-T (target) and SL-A (achieved), SL-C describes what a product can natively provide when correctly configured and integrated.

Product suppliers should:

Alignment with Asset Owners

Secure product development should support operational requirements by providing:

Refer to: IEC 62443 Patch Management

Threat Modelling

Threat modelling is a key activity throughout product development. It identifies possible attack paths, likely threat actors, vulnerabilities and potential impacts. Results are used to:

Security Management Activities

Security management continues throughout the product lifecycle. Typical activities include:

Product Supplier Maturity

IEC 62443-4-1 recognises that organisations mature over time. Supplier maturity considers repeatable development processes, security governance, continuous improvement and measurement against defined practices. The standard references maturity concepts similar to CMMI, where organisations progress from ad hoc practices to continuously improving secure development processes.

Refer to: IEC 62443 Models (Maturity Models)


IEC 62443-4-2 Technical Security Requirements for IACS Components

Purpose

Part 4-2 defines the technical cybersecurity capabilities required for industrial components. Rather than describing system security, it specifies what security functions individual products should implement.

Four Component Categories

Technical requirements are mapped according to component type. Each category has specific security requirements in addition to those shared across all component types.

Component Category Examples
Software Application SCADA software, historian software, engineering software.
Embedded Device PLC, RTU, IED, remote controllers.
Host Device Operator workstations, engineering workstations, industrial servers, historian servers.
Network Device Industrial Ethernet switches, routers, VPN gateways, industrial firewalls.

Common Component Security Constraints (CCSC)

Certain requirements apply to all component types regardless of function. Examples include:

Component Requirement Mapping

Part 4-2 organises requirements using common and component-specific mappings. This structure allows requirements to be shared across all devices while defining additional requirements only where appropriate.

Abbreviation Description
CR Common Component Requirement
SAR Software Application Requirement
EDR Embedded Device Requirement
HDR Host Device Requirement
NDR Network Device Requirement

Refer to: IEC 62443 Foundational Requirements (FR1–FR7)


ISA Secure Certification & Product Conformance

ISA Secure is an independent product certification program managed by the ISA Security Compliance Institute (ISCI). Certification provides assurance that products have been independently assessed against applicable IEC 62443 requirements.

Certification Scope

Certification evaluates areas such as:

Robustness Testing

Typical robustness testing includes:

ISA Secure certification helps asset owners and system integrators identify products that have been independently verified to meet defined IEC 62443 security requirements, reducing the burden of supplier assessment during component selection.


Key Principles


Key Takeaways


Standards References