IEC 62443 - Orientation for more security in industrial IT

The IEC 62443 series of standards is considered the most important standard for industrial cyber security today. It provides companies with a clear framework for systematically securing production facilities and meeting regulatory requirements at the same time. But how can the standard be applied in practice - and where are individual adaptations necessary?

What is IEC 62443?

The IEC 62443 series of standards is the world's most important standard for cybersecurity in industrial automation and control systems (IACS). It is developed by the International Electrotechnical Commission (IEC) and has become a central reference framework in many industries, particularly in the process industry, the energy sector and manufacturing. The aim of the standard is to create a uniform foundation for safeguarding industrial systems, which traditionally have long life cycles and are often operated in environments in which availability and safety have the highest priority.

A core element of IEC 62443 is the segmentation into zones and conduits. Zones group together systems with similar security requirements, while conduits describe the communication links between these zones. This concept allows a targeted risk assessment and prevents an attacker from gaining access to the entire system with a single entry point. The standard also covers the entire life cycle - from planning and implementation to maintenance and decommissioning - and is aimed at all stakeholders involved: manufacturers, system integrators and operators.

The diagram shows the structure of a secure network. — Graphic illustrating the implementation of safe networks for process automation systems.

Why do we recommend that companies use this as a guide?

The threat situation for industrial systems has changed drastically in recent years. Whereas in the past, production plants were mostly operated in isolation, today digitalization, industrial IoT and cloud connections have created numerous interfaces. Attacks such as ransomware, manipulation of process data or targeted industrial sabotage are no longer hypothetical scenarios, but real risks.

IEC 62443 provides companies with a structured approach to assess and systematically address these risks. By defining clear safety requirements, operators can:

reduce the attack surface,
ensure the availability of critical systems,
fulfill regulatory requirements (ICT, NIS2, KRITIS) and
strengthen the trust of customers, supervisory authorities and partners.

Another advantage is the international dissemination of the standard. Those who take IEC 62443 into account are not only positioning themselves in terms of safety, but also economically: compliance is explicitly required in more and more tenders.

Our expertise and support

At CTE, we have worked intensively on the implementation of IEC 62443 in practice. In projects with companies from the pharmaceutical, chemical and energy sectors, we have proven that the standard can be applied pragmatically without placing an unnecessary burden on operations.

The diagram shows the structure of a segmented production network in accordance with IEC62443. — Purdue model to segment production networks according to IEC62443.

Our approach begins with a risk analysis in which the relevant assets are identified and assessed according to criticality. Based on this, we develop a zone and conduit concept that takes into account the logical and physical network structure. Typical measures that we implement together with our customers are

Segmentation of the network and introduction of firewalls between production and office environments,
Securing remote access via VPN or jump hosts with multi-factor authentication,
Hardening of operating systems and controls by removing unnecessary services,
Introduction of patch and update processes that take into account the special requirements of industrial systems,
Establishment of a monitoring system that recognizes safety-relevant events at an early stage.

In addition to technology, organization also plays a central role. IEC 62443 requires clear roles and responsibilities as well as processes for incident response and change management. Here too, we support our customers by linking the regulatory requirements with practical operational processes.

"I know from my day-to-day work that OT security remains confusing without a clear structure - IEC 62443 provides orientation for a secure network infrastructure in industrial automation."

Michael Gempp, Cyber Security Expert CTE

Practical example from a reference project

As part of an extensive reference project, we were able to transfer the requirements of IEC 62443 to three production sites of an international company. The basis for this was the Purdue model, which provides for a clear separation between office IT, control level and field level.

Click here to go directly to the reference

The security measures were defined in close consultation with the company's CISO. In addition to the specifications from IEC 62443, we integrated additional measures that were tailored to the specific regulatory requirements in the industry. Following the design, the technical implementation was carried out and finally validated by an independent penetration test.

The design of the data traffic is particularly noteworthy: we have structured the communication in such a way that it is "firewall-friendly". This means that only the absolutely necessary exchange takes place between the individual zones - if possible exclusively in the form of outgoing data traffic. This has enabled us to greatly reduce the number of open ports in sensitive, potentially vulnerable zones. This principle significantly minimizes the attack surface and makes the infrastructure resilient to typical attack patterns.

The result: a standard-compliant, yet lean and maintainable safety concept that meets regulatory requirements and functions smoothly in practice.

Picture of Michael Gempp, deputy team leader at ControlTech Engineering AG.

Would you like to know how secure your industrial network really is?

Book a non-binding consultation with Michael Gempp, IT Systems Engineer.

Please contact us.

Adaptation to specific needs

The practical example shows: IEC 62443 is not a rigid set of rules, but a framework. Each company must define for itself which threats are realistic and which protective measures can be implemented in an economically viable manner. A pharmaceutical company with strictly regulated production processes has different requirements to a medium-sized mechanical engineering company or an energy supplier.

The standard deliberately offers flexibility for this. Companies can integrate their own specifications, existing security guidelines or industry-specific regulations into the implementation. The decisive factor is that the measures are effective and fit the overall risk. We therefore always recommend that our customers do not see the standard as a "checklist", but rather as a toolbox. Together, we develop customized security concepts that are both standard-compliant and practical.

Conclusion

IEC 62443 has established itself as the reference framework for industrial cybersecurity. Companies that follow it not only create secure, but also future-proof production environments. However, implementation requires more than simply following a standard - it depends on a well thought-out strategy, technical expertise and the awareness that security is a continuous process. At CTE, we accompany our customers on this journey and ensure that an abstract standard becomes concrete, effective measures.

Other exciting topics from our everyday life:

Security Solutions

Stable operation without downtime - including protection against cyber attacks? Use external resources for legal requirements such as NIS2 Kritis.

Infographic on the connection between office workstations and laboratory workstations and how to secure them -> Topic: OT security in production

OT security in production