ISA/IEC 62443 is a family of international standards that defines terminology, concepts, and requirements for securing industrial automation and control systems (IACS). It covers the full lifecycle of operational technology (OT) environments, including design, implementation, operation, and maintenance of industrial control systems in sectors such as manufacturing, energy, and aerospace.
The standards are jointly developed by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC). They are structured into multiple parts that address different stakeholders and layers, including asset owners, system integrators, and product suppliers.
Key concepts
Across the series, ISA/IEC 62443 commonly addresses:
- Industrial automation and control systems (IACS): Control systems, SCADA, PLCs, DCS, safety systems, and supporting networks used to monitor and control industrial processes.
- Security levels (SLs): Graduated target levels of cybersecurity robustness defined against different attacker capabilities, used to set requirements for systems, zones, and conduits.
- Zones and conduits: A segmentation model that groups assets with similar security needs into zones and manages communications between them through controlled conduits.
- Defense in depth: Layered technical and procedural controls across network, system, and application layers.
- Lifecycle approach: Requirements for security spanning development, integration, operation, maintenance, and decommissioning of OT assets.
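The zones-and-conduits model above can be checked mechanically against observed traffic. The following is an added example, not taken from the standard or from this page's source; the zone names, asset names, ports, and the choice to treat conduits as directional are all constructed assumptions.

```python
# Constructed sample model: zone names, asset names, and ports are assumptions.
ZONES = {
    "enterprise": {"erp01"},
    "operations": {"mes01", "historian01"},
    "control": {"plc01", "hmi01"},
}
# Conduits modelled as directional (source zone, destination zone) -> allowed TCP ports.
CONDUITS = {
    ("enterprise", "operations"): {443},
    ("operations", "control"): {4840},
}

def zone_of(asset, zones=ZONES):
    """Return the zone an asset belongs to, or None if it is unassigned."""
    return next((name for name, assets in zones.items() if asset in assets), None)

def check_flows(flows, zones=ZONES, conduits=CONDUITS):
    """Return (flow, reason) for every flow the zone/conduit model does not permit."""
    findings = []
    for src, dst, port in flows:
        zs, zd = zone_of(src, zones), zone_of(dst, zones)
        if zs is None or zd is None:
            reason = "asset not assigned to a zone"
        elif zs == zd:
            continue  # intra-zone traffic does not cross a conduit
        elif (zs, zd) not in conduits:
            reason = f"no conduit {zs} -> {zd}"
        elif port not in conduits[(zs, zd)]:
            reason = f"port {port} not allowed on conduit {zs} -> {zd}"
        else:
            continue  # permitted by a defined conduit
        findings.append(((src, dst, port), reason))
    return findings

# Constructed flow records: (source asset, destination asset, TCP port).
SAMPLE_FLOWS = [
    ("erp01", "mes01", 443),     # permitted: enterprise -> operations
    ("mes01", "plc01", 4840),    # permitted: operations -> control
    ("hmi01", "plc01", 502),     # intra-zone, not a conduit matter
    ("erp01", "plc01", 502),     # bypasses the operations zone
    ("mes01", "plc01", 22),      # conduit exists, port is not allowed
    ("laptop7", "plc01", 4840),  # asset missing from the zone inventory
]

if __name__ == "__main__":
    for flow, reason in check_flows(SAMPLE_FLOWS):
        print(flow, "->", reason)
```

Flows that involve an asset missing from the inventory are reported rather than ignored, since an unzoned asset has no assigned security requirements to check against.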
Scope in manufacturing and regulated environments
In industrial and manufacturing contexts, ISA/IEC 62443 commonly applies to:
- Plant control networks, PLCs, DCS, SCADA, and safety instrumented systems.
- Interfaces between OT and IT, including connections to MES, ERP, historians, and remote access solutions.
- Engineered test equipment and automated test stands used for production or qualification of regulated hardware, such as aerospace components.
- Supplier-developed automation components that must be integrated into a secure plant architecture.
Organizations often use ISA/IEC 62443 to define security requirements for new systems, assess existing installations, specify vendor expectations, and align with internal or external cybersecurity programs.
Relationship to other frameworks
ISA/IEC 62443 focuses specifically on industrial and OT environments. It is frequently mapped or aligned with broader cybersecurity frameworks such as NIST 800-53, NIST Cybersecurity Framework, or sector-specific guidance. In practice, many regulated manufacturers use ISA/IEC 62443 to define OT-specific controls that complement enterprise IT security requirements.
Operational use
In day-to-day operations, ISA/IEC 62443 commonly informs:
- Risk assessments for control systems and connected test equipment.
- Network segmentation and access control design for production lines.
- Security requirements in equipment procurement and supplier contracts.
- Procedures for patching, remote access, account management, and system hardening in OT environments.
Common confusion
- Not a single standard: ISA/IEC 62443 is a series of documents, not one standalone specification. Different parts target policies, system requirements, and product development practices.
- Not limited to one industry: While widely used in manufacturing and process industries, the series is intended for any industrial automation and control environment, including infrastructure and aerospace test and ground systems.
- Security levels vs. maturity levels: ISA/IEC 62443 security levels describe technical robustness against types of attackers, which is different from organizational maturity models that rate processes or governance.
Link to the provided context
In scenarios such as flight hardware test equipment, ISA/IEC 62443 is often referenced to set cybersecurity expectations for test stands and associated control networks. Asset owners may use its security levels and zoning concepts to determine appropriate protections for mission-critical, safety-relevant test systems while considering connectivity, data sensitivity, and existing controls.