Cookies

This website uses cookies that require your consent.

Skip to content

IEC 62443 - Orientation for more security in industrial IT

The IEC 62443 series of standards is considered the most important standard for industrial cyber security today. It provides companies with a clear framework for systematically securing production facilities and meeting regulatory requirements at the same time. But how can the standard be applied in practice - and where are individual adaptations necessary?

What is IEC 62443?

The series of standards IEC 62443 is the world's leading standard for CybersecurityWhat is cybersecurity?The totality of measures taken to protect systems, networks, and data from digital attacks and misuse. in industrial automation and control systems (IACS). It is being developed by the International Electrotechnical Commission (IEC) and has become a key reference framework in many industries, particularly in the process industry, the energy sector, and manufacturing. The standard aims to establish a uniform foundation for securing industrial systems, which traditionally have long lifecycles and are often operated in environments where availability and safety are top priorities.

A core element of IEC 62443 is the segmentation into zones and conduits. Zones group together systems with similar security requirements, while conduits describe the communication links between these zones. This concept allows a targeted risk assessment and prevents an attacker from gaining access to the entire system with a single entry point. The standard also covers the entire life cycle - from planning and implementation to maintenance and decommissioning - and is aimed at all stakeholders involved: manufacturers, system integrators and operators.

The diagram shows the structure of a secure network.
Graphic illustrating the implementation of safe networks for process automation systems.

Why do we recommend that companies use this as a guide?

The threat situation for industrial systems has changed drastically in recent years. Whereas in the past, production plants were mostly operated in isolation, today digitalization, industrial IoT and cloud connections have created numerous interfaces. Attacks such as ransomware, manipulation of process data or targeted industrial sabotage are no longer hypothetical scenarios, but real risks.

IEC 62443 provides companies with a structured approach to assess and systematically address these risks. By defining clear safety requirements, operators can:

  • reduce the attack surface,

  • ensure the availability of critical systems,

  • fulfill regulatory requirements (ICT, NIS2, KRITIS) and

  • strengthen the trust of customers, supervisory authorities and partners.

Another advantage is the international dissemination of the standard. Those who take IEC 62443 into account are not only positioning themselves in terms of safety, but also economically: compliance is explicitly required in more and more tenders.

Our expertise and support

At CTE, we have worked intensively on the implementation of IEC 62443 in practice. In projects with companies from the pharmaceutical, chemical and energy sectors, we have proven that the standard can be applied pragmatically without placing an unnecessary burden on operations.

The diagram shows the structure of a segmented production network in accordance with IEC62443.
Purdue model to segment production networks according to IEC62443.

Our approach begins with a risk analysis in which the relevant assets are identified and assessed according to criticality. Based on this, we develop a zone and conduit concept that takes into account the logical and physical network structure. Typical measures that we implement together with our customers are

  • Segmentation of the network and introduction of firewalls between production and office environments,

  • Securing remote access via VPNWhat is a VPN?A VPN (Virtual Private Network) is a network that enables a secure connection over a less secure network, such as the Internet. or Jump hostsWhat do we mean by "jump hosts"?Jump hosts are secure access servers used for remote maintenance of internal systems. They verify and log remote access attempts (e.g., via VPN and MFA) to protect critical infrastructure. with multi-factor authentication,

  • Hardening of operating systems and controls by removing unnecessary services,

  • Introduction of patch and update processes that take into account the special requirements of industrial systems,

  • Establishment of a monitoring system that recognizes safety-relevant events at an early stage.

In addition to technology, organization also plays a central role. IEC 62443 requires clear roles and responsibilities as well as processes for incident response and change management. Here too, we support our customers by linking the regulatory requirements with practical operational processes.

"I know from my day-to-day work that OT security remains confusing without a clear structure - IEC 62443 provides orientation for a secure network infrastructure in industrial automation."
Michael Gempp, Cyber Security Expert CTE

Practical example from a reference project

As part of an extensive reference project, we were able to transfer the requirements of IEC 62443 to three production sites of an international company. The basis for this was the Purdue model, which provides for a clear separation between office IT, control level and field level.

In close coordination with the CISOWhat is a CISO?As a senior executive, the CISO (Chief Information Security Officer) is responsible for information security. He implements security strategies and continuously adapts the organization’s cyber resilience to new threats. The security measures were defined in accordance with the company’s guidelines. In addition to the requirements of IEC 62443, we incorporated additional measures tailored to the specific regulatory requirements of the industry. Following the design phase, the technical implementation took place, and the system was finally validated through an independent penetration test.

The design of the data traffic deserves special mention: We have structured the communication so that it is “firewall-friendly.” This means that only the absolutely necessary data is exchanged between the individual zones—preferably exclusively in the form of outbound traffic. This has allowed us to reduce the number of open PortsWhat is a port?An interface that maps network data to a specific application. Since open ports are potential points of vulnerability, they are specifically monitored. significantly reduce exposure in sensitive, potentially vulnerable areas. This principle significantly minimizes the attack surface and makes the infrastructure resilient to typical attack patterns.

The result: a standard-compliant, yet lean and maintainable safety concept that meets regulatory requirements and functions smoothly in practice.

Photo of Michael Gempp, Business Unit Manager for Industrial IT at ControlTech Engineering AG.

Would you like to know how secure your industrial network really is?

Schedule a no-obligation consultation with Michael Gempp, Business Unit Manager for Industrial IT.

Please contact us.

Adaptation to specific needs

The practical example shows: IEC 62443 is not a rigid set of rules, but a framework. Each company must define for itself which threats are realistic and which protective measures can be implemented in an economically viable manner. A pharmaceutical company with strictly regulated production processes has different requirements to a medium-sized mechanical engineering company or an energy supplier.

The standard deliberately offers flexibility for this. Companies can integrate their own specifications, existing security guidelines or industry-specific regulations into the implementation. The decisive factor is that the measures are effective and fit the overall risk. We therefore always recommend that our customers do not see the standard as a "checklist", but rather as a toolbox. Together, we develop customized security concepts that are both standard-compliant and practical.

Conclusion

IEC 62443 has established itself as the standard framework for industrial cybersecurity. Companies that follow this framework create production environments that are not only secure but also future-proof. However, implementation requires more than simply complying with a standard—it depends on a well-thought-out strategy, technical expertise, and the understanding that security is an ongoing process. At CTE, we support our customers on this journey and ensure that an abstract standard is translated into concrete, effective measures.