IEC 62443-3-3 is a standard within the IEC 62443 series that specifies system-level cybersecurity requirements for industrial automation and control systems (IACS). It focuses on what security capabilities an IACS or control system solution should provide, rather than how a specific technology must be implemented.
What IEC 62443-3-3 covers
IEC 62443-3-3 defines:
- System security requirements for IACS components working together as a system, such as PLCs, DCS, SCADA, HMIs, historians, MES interfaces and related OT infrastructure.
- Foundational requirements (FRs) that group security controls into categories such as identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events and resource availability.
- Security levels (SLs) that describe increasing degrees of protection against threat actors with different capabilities and intent.
- Mappings of requirements to SLs so that a system can be designed or assessed against a target security level for specific zones and conduits.
In industrial and manufacturing environments, IEC 62443-3-3 is often used when specifying or evaluating control systems, OT networks and their interfaces to IT systems such as MES or ERP, to ensure appropriate cybersecurity capabilities are in place.
How it is used operationally
Operationally, IEC 62443-3-3 commonly appears in:
- System design: Defining required security capabilities for new production lines, process control systems or site-wide OT networks.
- Vendor and integrator requirements: Including specific IEC 62443-3-3 requirements in RFIs, RFPs or contracts for control systems, gateways and secure remote access solutions.
- Risk and gap assessments: Comparing existing OT environments to IEC 62443-3-3 requirements to identify missing controls or weak security levels.
- Zone and conduit modeling: Applying target security levels to defined zones (e.g., safety systems, production cells) and conduits (e.g., connections to MES, historian or cloud services).
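The gap-assessment and zone/conduit modeling uses above can be made concrete with a small script. A security level in IEC 62443-3-3 is effectively a vector of one value per foundational requirement (FR 1 to FR 7, in the order listed earlier), with a target level (SL-T) assigned to each zone or conduit and a capability level (SL-C) describing what the system actually provides; a gap is any FR where capability falls short of target. The example below is added here for illustration and is not part of IEC 62443-3-3 or any vendor tool; the zone and conduit names, the FR values and the `assess` / `gap_report` function names are constructed assumptions.

```python
"""Per-FR security-level gap check for zones and conduits.

Added illustration; not text or code from IEC 62443-3-3. Each security
level is held as a 7-tuple of integers (0..4), one per foundational
requirement FR1..FR7. Sample zone/conduit data below is constructed.
"""
from dataclasses import dataclass

# Foundational requirements in the order IEC 62443-3-3 lists them.
FR_NAMES = (
    "FR1 identification and authentication control",
    "FR2 use control",
    "FR3 system integrity",
    "FR4 data confidentiality",
    "FR5 restricted data flow",
    "FR6 timely response to events",
    "FR7 resource availability",
)


def validate_vector(vec):
    """Reject anything that is not seven integer levels in the range 0..4."""
    vec = tuple(vec)
    if len(vec) != len(FR_NAMES):
        raise ValueError(f"expected {len(FR_NAMES)} FR values, got {len(vec)}")
    for v in vec:
        if not isinstance(v, int) or not 0 <= v <= 4:
            raise ValueError(f"security level out of range: {v!r}")
    return vec


@dataclass(frozen=True)
class Target:
    name: str      # zone or conduit name (constructed example values below)
    kind: str      # "zone" or "conduit"
    sl_t: tuple    # target security level vector, SL-T


def gap_report(target, sl_c):
    """Return {FR name: (capability, target)} for every FR where SL-C < SL-T."""
    sl_c = validate_vector(sl_c)
    return {
        fr: (c, t)
        for fr, t, c in zip(FR_NAMES, target.sl_t, sl_c)
        if c < t
    }


def overall_level(vec):
    """A system 'meets SL n' as a whole only if every FR is at least n,
    so the single level a vector supports is its minimum entry."""
    return min(validate_vector(vec))


def assess(targets, capabilities):
    """Map each zone/conduit name to its gap report (empty dict = no gap)."""
    return {t.name: gap_report(t, capabilities[t.name]) for t in targets}


# Constructed sample: one production-cell zone and its conduit to MES.
SAMPLE_TARGETS = (
    Target("Production cell A", "zone", validate_vector((2, 2, 2, 1, 2, 2, 2))),
    Target("Cell A to MES", "conduit", validate_vector((3, 2, 2, 2, 3, 2, 1))),
)
# Constructed SL-C vectors as an assessor might record them per zone/conduit.
SAMPLE_CAPABILITIES = {
    "Production cell A": (2, 2, 1, 1, 2, 2, 2),   # FR3 below target
    "Cell A to MES": (3, 2, 2, 1, 3, 2, 1),       # FR4 below target
}


def run_sample():
    return assess(SAMPLE_TARGETS, SAMPLE_CAPABILITIES)


if __name__ == "__main__":
    for name, gaps in run_sample().items():
        if gaps:
            for fr, (have, need) in gaps.items():
                print(f"{name}: {fr}: SL-C {have} < SL-T {need}")
        else:
            print(f"{name}: no gaps")
```

Keeping the comparison per FR rather than collapsing to a single number is the point: a system whose vector is (2, 2, 1, 1, 2, 2, 2) is "SL 1" overall, but the report shows that only system integrity is actually below the zone's target, which is what a remediation plan or an RFP clarification needs to name.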
Relationship to the broader IEC 62443 series
IEC 62443-3-3 sits in the “system” part of the IEC 62443 series. It is closely related to:
- IEC 62443-1-x parts, which provide general concepts, terminology and models.
- IEC 62443-2-x parts, which address policies, procedures and management aspects of IACS security.
- IEC 62443-3-2, which describes risk assessment and the definition of zones and conduits that inform which IEC 62443-3-3 requirements and security levels are applicable.
- IEC 62443-4-x parts, which define secure product development processes and technical requirements for individual components.
Common confusion
- IEC 62443-3-3 vs. IEC 62443 in general: IEC 62443-3-3 is one part of the overall IEC 62443 series. Saying a system is “IEC 62443 compliant” without specifying the part and scope can be ambiguous.
- System-level vs. component-level: IEC 62443-3-3 focuses on system-level requirements. Component-level technical requirements are primarily addressed in IEC 62443-4-2.
- Security level vs. safety integrity level: Security levels (SLs) in IEC 62443-3-3 are different from safety integrity levels (SILs) used in functional safety standards. They should not be conflated.
Context in regulated manufacturing environments
In regulated industries such as pharmaceuticals, food and beverage, medical devices and aerospace, IEC 62443-3-3 is often referenced when designing or assessing OT architectures that interact with quality systems, MES and data historians. Organizations may use it as a structured reference for defining control-system cybersecurity requirements aligned with internal risk management and applicable regulatory expectations, without implying or requiring any particular certification outcome.