Security for the systems that run the physical world.
IEC 62443 is the international series for industrial automation and control systems — defining zones and conduits, security levels, and a secure development lifecycle for the OT that NIS 2 and the CRA increasingly demand. Setu Innovation engineers it for product suppliers and asset owners alike.
- IEC / ISA series
- Roles: owner, integrator, supplier
- Levels: SL 1–4
- Feeds: NIS 2 & CRA
If you build or operate industrial control systems, 62443 is your framework.
IEC 62443 secures industrial automation and control systems (IACS) across three roles — asset owners, system integrators and product suppliers — covering everything from plant security programmes to the components inside them.
A 20-second self-check
- Do you manufacture automation products, controllers or industrial software?
- Do you integrate or operate OT / ICS environments?
- Are you an operator of essential services in scope of NIS 2?
- Do customers ask for 62443 certification or security levels?
Mostly "yes"? 62443 is the framework that structures your OT security — and feeds your NIS 2 and CRA obligations. A short call confirms which parts apply to you.
A series organised by role and by layer.
62443 is a family of standards. These are the parts most programmes work with.
IACS security programme
The security management programme for asset owners — policies, organisation and processes for operating an industrial environment securely.
Risk assessment, zones & conduits
Partition the system into zones and conduits, assess risk, and assign each a target security level — the architectural foundation of the whole approach.
System security requirements
System-level security requirements mapped to security levels SL 1–4, used to specify and assess an integrated control system.
Secure development lifecycle
The secure product development lifecycle for suppliers — the requirements that map closely to CRA secure-by-design expectations.
Component requirements
Technical security requirements for the components — controllers, devices, applications — that make up a control system.
Foundational requirements & levels
Seven foundational requirements (from access control to resource availability), each met to a security level scaled to the threat.
Three roles, four security levels.
62443 assigns responsibilities by role and scales protection by security level, so each party works to the parts that fit.
Asset owners
Operators of industrial environments: run the security programme (62443-2-1) and the risk assessment with zones and conduits (62443-3-2).
System integrators
Design and commission the integrated solution to meet system security requirements and the target security levels (62443-3-3).
Product suppliers
Build to a secure development lifecycle (62443-4-1) and meet component security requirements (62443-4-2) — the route that aligns with the CRA.
Security levels SL 1–4
From protection against casual misuse (SL 1) to defence against well-resourced, ICS-skilled attackers (SL 4) — assigned per zone, conduit and component.
62443 is proven in the architecture and the development lifecycle.
Zones, conduits, security levels and a secure SDL are engineering work — not a policy PDF. Setu does the advisory and the engineering, in one team.
Scope by role
Establish your role — owner, integrator or supplier — settle the relevant parts, and map a prioritised gap against the target security levels.
Engineer zones & SDL
Define zones and conduits and the risk assessment, specify system and component security requirements, and stand up the secure development lifecycle (62443-4-1).
Certify & align
Prepare for 62443 certification, and tie the evidence into your NIS 2 and CRA obligations so one body of work serves all three.
IEC 62443, answered plainly.
Is IEC 62443 mandatory?
It's a voluntary standard series, not law in itself — but it's the de facto reference for industrial cybersecurity, and its secure-development and component requirements map closely to NIS 2 and the CRA for OT and products with digital elements.
How does it relate to NIS 2 and the CRA?
62443 gives concrete engineering substance to the broad duties in NIS 2 (OT security) and the CRA (secure development, product requirements). Working to 62443 is a practical way to evidence both for industrial systems and products.
What are zones and conduits?
Zones are groups of assets with shared security needs. Communication between zones is controlled through defined conduits, and each zone and conduit is assigned a target security level. This partitioning is the basis of the risk assessment in 62443-3-2.
What are security levels?
SL 1 to SL 4 express the strength of protection against increasingly capable attackers, defined against seven foundational requirements and applied to zones, conduits, systems and components.
Who needs which part?
The series is role-based: asset owners use 62443-2-1 and 3-2; integrators use 3-3; product suppliers use 4-1 (secure development) and 4-2 (components). Most organisations focus on the parts that match their role.
Apply IEC 62443 where the engineering gets specific.
A focused review: your role and the parts that apply, the gap to your target security levels, and how 62443 feeds your NIS 2 and CRA obligations. Tell us where you are and we'll take it from there — or ask for a call if that's easier.