Guide18 min read

IEC 62443 Readiness Guide

Prepare engineering, project, and assurance teams for practical IEC 62443 discussions across system scope, security levels, segmentation, risk assessment, and project verification.

Use this guide to prepare
Evidence and discussion points before formal review.
  • SuC boundary evidence
  • zones and conduits workshops
  • SL-T discussions
  • FAT/SAT verification
12
readiness steps
4
evidence themes
7
foundational requirements
FAT/SAT
verification focus

Overview

What IEC 62443 readiness needs before detailed assessment starts.

Who this guide is for

For engineering, OT cybersecurity, project, assurance, vendor, and integrator teams.

Why IEC 62443 readiness matters

Reduces late rework by clarifying scope, evidence, and verification early.

Readiness workflow
A practical flow for turning IEC 62443 language into project evidence.

01

Define

Confirm the SuC, owners, interfaces, and evidence baseline.

02

Structure

Map zones, conduits, communication paths, and trust boundaries.

03

Assess

Connect security levels and risk scenarios to operational context.

04

Verify

Plan FAT, SAT, handover, residual risk, and close-out evidence.

1
Readiness step
Understand the IEC 62443 structure

The IEC 62443 series is divided into several areas.

AreaWhat it coversWhy it matters
GeneralTerms, concepts, and modelsCreates a shared language for IT, OT, engineering, and assurance teams
Policies and proceduresCybersecurity management and governanceSupports organisational security processes and responsibilities
SystemRisk assessment, system requirements, security levels, zones, and conduitsMost relevant to project architecture and system design
ComponentProduct and device security requirementsUseful for assessing PLCs, HMIs, switches, software, and embedded devices
For project teams, the most commonly relevant areas are
  • IEC 62443-3-2 for risk assessment, SuC definition, zones, conduits, and security levels
  • IEC 62443-3-3 for system security requirements and foundational requirements
  • IEC 62443-4-2 for component security requirements
  • IEC 62443-2-4 for service provider and integrator requirements
2
Readiness step
Define the System under Consideration

The System under Consideration, often shortened to SuC, defines the boundary of the system being assessed.

This is one of the most important preparation steps.

A weak SuC definition leads to unclear risk assessment, unclear security levels, and poor evidence.

The SuC should identify
  • control panels
  • PLCs and safety PLCs
  • HMIs and operator stations
  • SCADA servers and clients
  • engineering workstations
  • historians and reporting systems
  • industrial switches and routers
  • firewalls and remote access equipment
  • vendor equipment connected to the control system
  • links to corporate IT, cloud platforms, or third-party networks
  • interfaces to other control systems or packages
  • backup, recovery, and maintenance infrastructure
Questions to answer
  • What system is being assessed?
  • Where does the system boundary start and end?
  • Which assets are inside the scope?
  • Which assets are outside the scope?
  • Which systems does it communicate with?
  • Who owns the system?
  • Who maintains it?
  • Who has remote or local access?
  • What drawings, schedules, and records support the boundary definition?
Useful evidence
  • network architecture drawings
  • control system architecture drawings
  • panel layouts
  • asset registers
  • IP address schedules
  • switch schedules
  • firewall rule sets
  • remote access procedures
  • vendor package interface details
  • system functional design specifications
  • backup and recovery procedures
3
Readiness step
Identify zones and conduits

IEC 62443 uses zones and conduits to structure security architecture.

A zone is a group of assets with similar security requirements.

Example zones may include
  • safety instrumented system zone
  • basic process control system zone
  • SCADA zone
  • engineering workstation zone
  • historian zone
  • industrial DMZ
  • vendor package zone
  • corporate IT zone

Assets in the same zone should normally have similar risk, function, ownership, and security requirements.

A conduit is a controlled communication path between zones.

Examples include
  • firewall connection between SCADA and corporate IT
  • remote access path through a jump host
  • data transfer from a control system to a historian
  • vendor support connection
  • interface between package PLCs and the main control system
  • connection between safety and non-safety systems
Why zones and conduits matter
  • understand trust boundaries
  • reduce unnecessary connectivity
  • define firewall and access control requirements
  • identify high-risk interfaces
  • support risk-based segmentation
  • provide a clear basis for testing and verification
Preparation checklist
  • current or proposed network diagrams
  • asset list grouped by function
  • communication matrix
  • protocol list
  • firewall rule export or proposed rule table
  • remote access path description
  • vendor connection details
  • interface list between control system packages
  • trust boundary assumptions
4
Readiness step
Prepare for security level discussions

IEC 62443 uses Security Levels to describe the level of protection required or achieved.

Security Level discussions should be based on risk, consequence, threat exposure, and operational context.

They should not be selected casually or copied between projects without justification.

TermMeaning
SL-TTarget Security Level. The desired security level for the system, zone, or conduit
SL-AAchieved Security Level. The level actually implemented and verified
SL-CCapability Security Level. The level a product or system is capable of supporting
LevelGeneral meaning
SL 1Protection against casual or accidental misuse
SL 2Protection against intentional misuse using simple means
SL 3Protection against intentional misuse using more specialised skills and resources
SL 4Protection against highly capable attackers with significant resources
Questions to answer
  • What would happen if this system was unavailable?
  • What would happen if the system was manipulated?
  • What would happen if data from the system was exposed?
  • Is the system safety-related?
  • Is the system connected to corporate IT?
  • Is remote access provided?
  • Are third-party vendors involved?
  • Is the system part of critical infrastructure?
  • What is the expected threat environment?
  • What level of security can the selected products actually support?

An SL-T target is only useful if it can be designed, implemented, tested, and evidenced.

A project should avoid setting high security targets without considering
  • product limitations
  • legacy equipment
  • operational constraints
  • maintenance requirements
  • cost and programme impact
  • available evidence
  • testing capability
5
Readiness step
Understand the foundational requirements

IEC 62443-3-3 defines seven foundational requirements.

These provide a useful structure for reviewing security controls.

Foundational RequirementPractical meaning
FR1 Identification and authentication controlConfirming who or what is accessing the system
FR2 Use controlControlling what authorised users and systems can do
FR3 System integrityProtecting systems from unauthorised change or corruption
FR4 Data confidentialityProtecting sensitive data from unauthorised disclosure
FR5 Restricted data flowControlling communication paths and segmentation
FR6 Timely response to eventsDetecting, logging, and responding to cybersecurity events
FR7 Resource availabilityMaintaining system availability and resilience
How to use them in a project
  • design review questions
  • vendor questionnaires
  • procurement requirements
  • FAT cybersecurity checks
  • SAT cybersecurity checks
  • evidence matrices
  • gap assessments
  • hardening reviews
6
Readiness step
Prepare for cybersecurity risk assessment

IEC 62443 risk assessment should be practical, evidence-based, and tied to the defined SuC.

A typical process includes:

  1. 1define the SuC
  2. 2identify assets
  3. 3identify threats
  4. 4identify vulnerabilities
  5. 5assess likelihood
  6. 6assess consequence
  7. 7evaluate risk
  8. 8define risk treatment
  9. 9agree security requirements
  10. 10verify implemented controls
Inputs required
  • asset inventory
  • network drawings
  • system architecture
  • data flow diagrams
  • operational context
  • remote access details
  • user and role information
  • backup and recovery arrangements
  • patching and antivirus approach
  • known vulnerabilities
  • previous audit findings
  • incident history
  • safety and operational consequence information
Output should include
  • clear scope statement
  • list of assessed assets and interfaces
  • risk scenarios
  • risk ratings
  • recommended mitigations
  • assigned actions
  • owners and due dates
  • link to security levels or security requirements
  • evidence required for closure

Risk assessment should not end as a static document. It should drive design changes, implementation work, and verification.

7
Readiness step
Connect IEC 62443 to project delivery

IEC 62443 should be introduced early in the project lifecycle.

Late cybersecurity review often causes avoidable rework.

Concept and FEED stage
  • define high-level SuC scope
  • identify major interfaces
  • identify remote access assumptions
  • define initial zones and conduits
  • identify applicable standards and client requirements
  • include cybersecurity in procurement strategy
Detailed design stage
  • develop network architecture
  • define firewall and routing requirements
  • agree user and role model
  • define backup and recovery arrangements
  • specify logging and monitoring requirements
  • review vendor package security
  • map requirements to evidence
Build and configuration stage
  • harden devices and operating systems
  • configure accounts and permissions
  • configure firewalls and switches
  • apply secure remote access controls
  • document backups
  • record software and firmware versions
  • prepare test procedures
FAT stage
  • asset list accuracy
  • user account configuration
  • password and authentication settings
  • firewall rules
  • network segmentation
  • disabled unused services
  • backup and restore process
  • antivirus or allowlisting status
  • event logging
  • remote access controls
  • security-relevant alarms
  • configuration records
SAT and handover stage
  • installed system matches approved design
  • site network connections match agreed architecture
  • remote access is controlled and documented
  • backups are completed and recoverable
  • account ownership is transferred correctly
  • residual risks are recorded
  • cybersecurity actions are closed or formally accepted
  • operations team receives required documentation
8
Readiness step
Build a verification evidence pack

IEC 62443 readiness depends heavily on evidence.

The project team should avoid relying on verbal confirmation where objective records are available.

Evidence areaExample records
ScopeSuC definition, architecture drawings, interface list
Assetsasset register, IP schedule, software list, firmware list
Segmentationzones and conduits diagram, firewall rules, switch config
Access controluser list, role matrix, account ownership record
Remote accessremote access procedure, jump host configuration, approval records
Hardeninghardening checklist, disabled services list, baseline configuration
Backup and recoverybackup schedule, restore test evidence, recovery procedure
Monitoringlog source list, alarm/event records, monitoring configuration
Vulnerability managementpatch records, vulnerability review, exception register
TestingFAT/SAT test sheets, punch list, action tracker
Handoverfinal documentation pack, residual risk register, acceptance record
9
Readiness step
Common gaps found during IEC 62443 readiness reviews

These issues are common because many industrial systems were designed for reliability and availability before cybersecurity was treated as a core engineering requirement.

  • unclear SuC boundary
  • incomplete asset register
  • poor separation between IT and OT networks
  • flat control system network
  • unmanaged remote access
  • shared local administrator accounts
  • weak password management
  • incomplete backup evidence
  • no restore test evidence
  • undocumented vendor connections
  • outdated drawings
  • unclear firewall ownership
  • limited logging
  • missing patch and vulnerability process
  • cybersecurity not included in FAT/SAT
  • no formal residual risk acceptance
10
Readiness step
Readiness checklist

Use this checklist before an IEC 62443 workshop, design review, or cybersecurity assessment.

Scope and ownership
  • SuC boundary is defined
  • system owner is identified
  • maintenance owner is identified
  • vendor responsibilities are understood
  • third-party interfaces are listed
Architecture
  • network architecture drawing is available
  • control system architecture drawing is available
  • zones and conduits are drafted
  • trust boundaries are understood
  • remote access routes are identified
Assets
  • asset register is available
  • IP address schedule is available
  • software and firmware versions are recorded
  • critical assets are identified
  • obsolete or unsupported assets are flagged
Access control
  • user roles are defined
  • privileged accounts are listed
  • shared accounts are identified
  • vendor accounts are controlled
  • account ownership is documented
Security controls
  • firewall rules are documented
  • unused services are disabled where practicable
  • hardening requirements are defined
  • patching approach is documented
  • antivirus or allowlisting approach is documented
Resilience
  • backup procedure is documented
  • restore testing is evidenced
  • incident response contacts are known
  • recovery priorities are understood
  • residual risks are recorded
Verification
  • FAT cybersecurity checks are included
  • SAT cybersecurity checks are included
  • evidence requirements are agreed
  • action tracker is maintained
  • handover pack requirements are defined
11
Readiness step
Practical implementation roadmap

A realistic IEC 62443 readiness roadmap may look like this:

  1. 1define the SuC
  2. 2gather architecture and asset evidence
  3. 3identify zones, conduits, and trust boundaries
  4. 4review remote access and third-party interfaces
  5. 5perform risk assessment
  6. 6agree SL-T expectations
  7. 7map requirements to design controls
  8. 8implement hardening, segmentation, access control, and backup controls
  9. 9verify controls during FAT and SAT
  10. 10close or accept residual risks
  11. 11maintain records through operation and future change
12
Readiness step
Key takeaway

IEC 62443 readiness is mainly about clarity, evidence, and risk-based engineering.

A project team should be able to show
  • what system is in scope
  • which assets and interfaces matter
  • how the system is segmented
  • what security level is being targeted
  • what controls are required
  • how those controls will be verified
  • what evidence proves the system has been implemented as intended

The earlier this work starts, the easier it is to avoid late rework and produce a defensible cybersecurity assurance pack.

Discuss practical OT cybersecurity evidence

Use a technical discovery call to frame the system boundary, known constraints and the evidence needed before sharing sensitive site details.