IEC 62443 Industrial Security

IEC 62443 Industrial Cybersecurity Certification

Enhance the cyber resilience of industrial components and systems

Cybersecurity for cyber-physical systems

Across a variety of industries, from manufacturing and processing plants to energy suppliers and rail, cyber-physical systems are implemented to enable higher efficiencies, unmatched flexibility, and innovative business models. However, this also translates into a shift in the risk landscape, as cyber-attacks increase. Against this backdrop, suppliers and system integrators must optimize the cyber resilience of their components and systems by improving their development, integration, and support processes.

The IEC 62443 standard provides a structured approach to cybersecurity

Initially developed for the Industrial Automation and Control Systems supply chain, it has become the leading industrial cybersecurity standard for all types of plants, facilities, and systems across many industries.

The standard applies to component suppliers, system integrators, and asset owners.

The IEC 62443 standard addresses not only the technology that comprises a control system, but also the work processes, countermeasures, and employees.

Through a set of defined process requirements, the standard ensures that all applicable security aspects are addressed in a structured manner.

Security aspects include a systematic approach to cybersecurity throughout the stages of:

  • Specification 
  • Integration
  • Operation
  • Maintenance 
  • Decommissioning

Furthermore, the standard provides for processes to be established that facilitate all necessary technical security functions. Adapted to the relevant project scope, it lays the foundations for cybersecurity robustness throughout the product and system lifetime.

IEC 62443 certification can also boost the competitiveness of the supplier and system integrator: A third-party certification demonstrates to asset owners and operators that the purchased component or system is based on a methodized and coherent approach to cybersecurity, in line with industry best practice.

TÜV SÜD can help you achieve certification

TÜV SÜD was one of the first companies to provide IEC 62443 certification. Suppliers and system integrators worldwide partner with us to confirm their compliance with the applicable process requirements laid out in the standard.

Our extensive experience with industrial processes, combined with profound expertise in industrial cybersecurity, makes us uniquely positioned to assess your security processes and solutions. Our methodology for risk analysis, applying both security and safety aspects, is proven in the field. Our experts actively participate in international standardization committees, gaining valuable insights on the latest regulatory developments. Our experts’ relentless commitment to instilling safe operations across industries means that the TÜV SÜD certification mark has become a globally renowned symbol for safety, security, and trust.

Key documents in the IEC 62443 series

Of the 14 separate documents in the IEC 62443 series, these cybersecurity requirements represent a good starting point for industrial organizations seeking to secure their automation control systems from cyber threats.

IEC 62443 Section | Description
IEC 62443-2-1 Edition 2 | Establishing an industrial automation and control system security program
IEC 62443-2-4 | Security program requirements for IACS service providers
IEC 62443-3-2 | Security risk assessment for system design
IEC 62443-3-3 | System security requirements and security levels
IEC 62443-4-1 | Secure product development lifecycle requirements
IEC 62443-4-2 | Technical security requirements for IACS components

 

ISASECURE® IEC 62443 CONFORMANCE CERTIFICATION

The ISASecure® Certification program certifies products and supplier development practices to the ISA/IEC 62443 series of Industrial Automation and Control standards. The product evaluation process includes a security vulnerability scan using a commercially available scanning tool that evaluates the product against the US-CERT NVDB.

TÜV SÜD is an ISASecure® Chartered Laboratory (License No. ISCI-CL0006) authorized by ISA Security Compliance Institute (ISCI), a not-for-profit consortium that manages the ISASecure® conformance certification program.

We offer four types of certifications with security assurance levels (SAL) in alignment with ISA/IEC 62443 standards:

  • ISASecure® Component Security Assurance (CSA) Certification certifies to ISA/IEC 62443-4-1 and ISA/IEC 62443-4-2 at four security assurance levels.
  • ISASecure® IIoT Component Security Assurance (ICSA) Certification certifies to ISA/IEC 62443-4-1 and ISA/IEC 62443-4-2 with several requirement enhancements and four requirement exceptions to account for IIoT device characteristics. Two SALs are defined for this certification, along with market surveillance audits.
  • ISASecure® System Security Assurance (SSA) Certification certifies to ISA/IEC 62443-4-1 and ISA/IEC 62443-3-3.
  • ISASecure® Security Development Lifecycle Assurance (SDLA) Certification certifies product suppliers’ SDL to the ISA/IEC 62443-4-1 standard. The supplier must meet maturity level 3 or 4.

A product supplier’s development process, component, or system that passes evaluation according to the latest version of ISASecure® specifications will be granted ISASecure® certification by TÜV SÜD. The ISASecure® mark may not be affixed on certified products and systems.


 

The standard addresses security processes along the complete supply chain. For product suppliers, TÜV SÜD provides certification services based on IEC 62443-4-1 Secure Product Development Lifecycle. The standard applies to the supplier’s overall security programs, and to the security processes connected to the development of the relevant component and control system.

Corresponding certifications are available to system integrators based on IEC 62443-2-4 Security Program for Service Providers.

Besides the generic process aspects during product development and system integration, the standard specifies technical security requirements for components and systems. These technical requirements are described in IEC 62443-4-2 and IEC 62443-3-3. The assessment of both process and technical requirements is the basis for the certification of components and systems, respectively.

