Last edit: 23/02/2026
The IEC 62443 Series is structured into four main parts, each addressing a different aspect of industrial cybersecurity:
- General,
- Policies & Procedures,
- System,
- Component.
1. General (IEC 62443-1-x)
The General part provides the foundational concepts, terminology, and models used throughout the entire IEC 62443 Series. It establishes a common language and conceptual framework for all stakeholders involved in industrial cybersecurity. Key elements include:
- Definitions of key cybersecurity concepts such as zones, conduits, security levels, and risk.
- Description of typical industrial automation architectures and threat environments.
- Introduction of the defense-in-depth strategy for industrial systems.
- Alignment of cybersecurity concepts with safety and reliability considerations.
This part is primarily informative and serves as the conceptual backbone of the standard. It ensures that all stakeholders—technical and non-technical—share a common understanding of cybersecurity principles before moving to implementation.
2. Policies & Procedures (IEC 62443-2-x)
The Policies & Procedures part focuses on organizational and managerial aspects of cybersecurity. It defines how companies should establish, manage, and continuously improve their cybersecurity programs.
Key topics include:
- Cybersecurity governance and responsibility assignment.
- Risk assessment and risk management processes.
- Asset management and system lifecycle management.
- Incident response, patch management, and change management.
- Requirements for service providers and integrators.
This part is primarily aimed at asset owners and service providers, ensuring that cybersecurity is embedded into organizational processes rather than treated as a purely technical issue. It emphasizes that secure systems cannot exist without structured management, trained personnel, and documented procedures.
3. System (IEC 62443-3-x)
The System part addresses cybersecurity at the level of the entire industrial automation system. It defines technical requirements for designing and implementing secure system architectures. Key concepts include:
- Zones and conduits: grouping assets with similar security requirements and controlling communication between them.
- Security levels (SL 1–4): representing increasing resistance against threat actors with different capabilities and motivations.
- System-level security requirements for access control, network segmentation, system integrity, monitoring, and availability.
- Secure integration of components from multiple vendors.
This part is particularly relevant to system integrators and cybersecurity architects, as it translates organizational security goals into concrete technical architectures.
4. Component (IEC 62443-4-x)
The Component part focuses on individual products such as PLCs, RTUs, HMIs, industrial switches, and software components. It defines:
- Secure development lifecycle requirements for product suppliers.
- Technical security capabilities that components must provide, such as authentication, authorization, secure communication, and integrity checks.
- Security capability levels aligned with system-level security requirements.
This section ensures that industrial components are designed with cybersecurity in mind and can be securely integrated into larger systems. It is particularly relevant for product manufacturers and vendors.
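The two technical ideas above, zones and conduits that control cross-zone communication (System part) and component capability levels that must line up with the zone's target level (Component part), can be made concrete in a small model. The following Python is an added example written for this page; it is not text from the standard and not anyone's product code. It uses the standard's terms target security level (SL-T) and capability security level (SL-C) but simplifies both to a single 1..4 integer rather than the per-requirement vector the standard defines; the zone names, asset names, protocols and level values are constructed sample data.

```python
"""Added example: a minimal zone/conduit model in the spirit of IEC 62443-3-x.

Assumptions (simplifications relative to the standard):
  * a zone's target security level (SL-T) is one integer 1..4;
  * a component's capability level (SL-C) is likewise one integer;
  * a conduit is a directed allow-list of protocols between two zones.
All zone, asset and protocol names below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    sl_c: int  # capability level the component provides (scalar by assumption)


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    protocols: frozenset  # protocols the conduit may carry, src -> dst only


@dataclass
class SystemModel:
    zone_targets: dict = field(default_factory=dict)  # zone name -> SL-T
    assets: dict = field(default_factory=dict)        # asset name -> Asset
    conduits: list = field(default_factory=list)

    def add_zone(self, name: str, sl_t: int) -> None:
        if not 1 <= sl_t <= 4:
            raise ValueError("security levels run from 1 to 4")
        self.zone_targets[name] = sl_t

    def add_asset(self, name: str, zone: str, sl_c: int) -> None:
        if zone not in self.zone_targets:
            raise ValueError(f"unknown zone {zone!r}")
        self.assets[name] = Asset(name, zone, sl_c)

    def add_conduit(self, src_zone: str, dst_zone: str, protocols) -> None:
        for z in (src_zone, dst_zone):
            if z not in self.zone_targets:
                raise ValueError(f"unknown zone {z!r}")
        self.conduits.append(Conduit(src_zone, dst_zone, frozenset(protocols)))

    def is_flow_allowed(self, src_asset: str, dst_asset: str, protocol: str) -> bool:
        """True if the flow stays inside one zone or a conduit explicitly permits it.

        Anything crossing a zone boundary without a matching conduit (wrong
        direction, wrong protocol, no conduit at all) is denied by default.
        """
        src = self.assets[src_asset]
        dst = self.assets[dst_asset]
        if src.zone == dst.zone:
            return True  # intra-zone traffic is not mediated by a conduit here
        return any(
            c.src_zone == src.zone and c.dst_zone == dst.zone and protocol in c.protocols
            for c in self.conduits
        )

    def capability_gaps(self) -> list:
        """Assets whose SL-C is below the SL-T of the zone they sit in.

        Returns (asset, zone, sl_c, sl_t) tuples; each one is a component that
        cannot, on its own, support the zone's target level.
        """
        return [
            (a.name, a.zone, a.sl_c, self.zone_targets[a.zone])
            for a in self.assets.values()
            if a.sl_c < self.zone_targets[a.zone]
        ]


def build_sample_model() -> SystemModel:
    """Constructed three-zone sample: control zone, DMZ, enterprise network."""
    m = SystemModel()
    m.add_zone("control", sl_t=3)
    m.add_zone("dmz", sl_t=2)
    m.add_zone("enterprise", sl_t=1)
    m.add_asset("plc1", "control", sl_c=3)
    m.add_asset("hmi1", "control", sl_c=2)      # below the zone's SL-T of 3
    m.add_asset("historian", "dmz", sl_c=2)
    m.add_asset("workstation", "enterprise", sl_c=1)
    m.add_conduit("control", "dmz", {"opc-ua"})
    m.add_conduit("dmz", "enterprise", {"https"})
    return m


if __name__ == "__main__":
    model = build_sample_model()
    print("plc1 -> historian opc-ua:", model.is_flow_allowed("plc1", "historian", "opc-ua"))
    print("workstation -> plc1 modbus:", model.is_flow_allowed("workstation", "plc1", "modbus"))
    print("capability gaps:", model.capability_gaps())
```

The point of the model is the default-deny stance: a flow that crosses a zone boundary is only permitted when a conduit in the right direction lists that protocol, and `capability_gaps` surfaces every component whose capability level falls short of its zone's target, which is exactly where compensating countermeasures at the system level have to be documented.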