IEC 62443 Series

The IEC 62443 series is an internationally recognized set of standards developed to address cybersecurity for Industrial Automation and Control Systems (IACS). It provides a comprehensive, risk-based framework to secure industrial environments across their entire lifecycle, from design and implementation to operation and maintenance.

Unlike traditional IT security standards, IEC 62443 is specifically tailored to the needs and constraints of industrial systems, where availability, safety, and reliability are critical. The standard adopts a defense-in-depth approach and defines responsibilities across multiple stakeholders, including asset owners, system integrators, and product suppliers.

The subject of OT security is increasingly discussed among practitioners dealing with Machinery and Process Safety. Hereafter some recent examples of Cyber Attacks on OT networks.

On the 1^st September 2025, the British automotive manufacturer Jaguar Land Rover (JLR) was hit by a major cyberattack that resulted in a near-complete shutdown of its global production operations. The incident affected both IT and automated OT/production systems and has been widely described as one of the most disruptive cyber incidents in the UK manufacturing sector.

On May 7, 2021, the U.S. fuel pipeline operator Colonial Pipeline detected a cyber intrusion that forced it to shut down its operational technology systems, leading to widespread fuel shortages along the U.S. East Coast. The Hack directly impacted the critical infrastructure (energy distribution); it forced an entire operational shutdown — a rare outcome for ransomware and it highlighted fundamental cyber-security gaps in OT/ICS environments connected to IT networks. The attackers gained entry through a compromised VPN account that lacked multi-factor authentication (MFA). The shutdown began on May 7, 2021 and continued for several days. Colonial Pipeline paid approximately $4.4 million in Bitcoin to the attackers shortly after the incident. Later, U.S. law enforcement recovered about $2.3 million of the ransom payment.

As digital transformation accelerates across industrial sectors, the distinction between Information Technology (IT) and Operational Technology (OT) security has become increasingly important. While both domains aim to protect systems from cyber threats, they differ fundamentally in purpose, risk tolerance, and operational priorities. Understanding these differences is essential for designing effective cybersecurity strategies in modern industrial environments.

At its core, IT security focuses on protecting information. Its primary goal is to ensure the confidentiality, integrity, and availability of data—often referred to as the CIA triad. IT systems manage business data such as emails, financial records, customer information, and enterprise applications. A breach in IT typically results in data loss, reputational damage, or regulatory penalties.

In contrast, OT security is centered on protecting physical processes. OT systems control and monitor industrial operations such as manufacturing lines, power generation, water treatment, and transportation systems. In these environments, availability and safety are paramount. A cybersecurity incident in OT can cause physical damage, environmental harm, or even loss of life, making the consequences potentially far more severe than in traditional IT systems.

IT and OT differ greatly in terms of priority of the 3 key aspects of electronic systems:

• • Availability
  • Confidentiality
  • Integrity

One of the most fundamental differences between IT and OT security lies in how system availability is treated. In IT environments, downtime, while undesirable, is often acceptable if it allows vulnerabilities to be patched or systems to be restored safely. In OT environments, however, downtime can halt production, damage equipment, or endanger personnel.

As a result, OT security prioritizes continuous operation and system stability, sometimes even at the expense of applying immediate security patches. This contrasts with IT environments, where frequent updates and rapid changes are standard practice.

The primary goal of the IEC 62443 series is to provide a flexible framework that facilitates addressing current and future vulnerabilities in IACS and applying necessary mitigations in a systematic, defensible manner. It is important to understand that the intention of the IEC 62443 series is to build extensions to enterprise security that adapt the requirements for business IT systems and combines them with the unique requirements for strong availability needed by IACS.

The term “Industrial Automation and Control Systems” (IACS), includes control systems used in manufacturing and processing plants and facilities, building environmental control systems, geographically dispersed operations such as utilities (i.e., electricity, gas, and water), pipelines and petroleum production and distribution facilities, and other industries and applications such as transportation networks, that use automated or remotely controlled or monitored assets.

[IEC 62443-1-1: 2009] 3 Terms, definitions and abbreviations

3.2.57 industrial automation and control systems – IACS

collection of personnel, hardware, and software that can affect or influence the safe, secure, and reliable operation of an industrial process

NOTE These systems include, but are not limited to:

industrial control systems, including distributed control systems (DCSs), programmable logic controllers (PLCs), remote terminal units (RTUs), intelligent electronic devices, supervisory control and data acquisition (SCADA), networked electronic sensing and control, and monitoring and diagnostic systems. (In this context, process control systems include basic process control system and safety-instrumented system (SIS) functions, whether they are physically separate or integrated.)

associated information systems such as advanced or multivariable control, online optimizers, dedicated equipment monitors, graphical interfaces, process historians, manufacturing execution systems, and plant information management systems.

associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes.

The term “security” is considered here to mean the prevention of illegal or unwanted penetration, intentional or unintentional interference with the proper and intended operation, or inappropriate access to confidential information in IACS. Cybersecurity which is the particular focus of this technical specification, includes computers, networks, operating systems, applications and other programmable configurable components of the system.

The audience for IEC 62443 series includes all users of IACS (including facility operations, maintenance, engineering, and corporate components of user organizations), manufacturers, suppliers, government organizations involved with, or affected by, control system cybersecurity, control system practitioners, and security practitioners. Because mutual understanding and cooperation between information technology (IT) and operations, engineering, and manufacturing organizations is important for the overall success of any security initiative, this technical specification is also a reference for those responsible for the integration of IACS and enterprise networks.