Deploying IEC 62443 security controls in IACS: A practical implementation guide

Prayukth K V

Implementing effective cybersecurity controls in Industrial Automation and Control Systems (IACS) is essential to ensuring operational resilience, security compliance, and safety. While numerous frameworks exist, the IEC 62443 standard series stands out as the gold standard for IACS security. What I like about IEC 62443 is the focus it brings to OT security in areas such as asset visibility, layered security for crown jewels, supply chain security, clear roles and responsibilities for asset owners, and the essentials of an information security management program.

We have been running a knowledge series on IEC 62443 for a while. You can read our previous posts at these links:

  • Demystifying IEC 62443 compliance: A guide to securing Cyber Physical Systems

  • Securing IIoT with IEC 62443: A Technical Guide to breach-proof architectures

  • How to navigate IEC 62443 4-1 and 4-2 requirements: A guide for railway component manufacturers

  • A comprehensive and actionable guide to IEC 62443-based OT security assessments

Today's post on IEC 62443 offers a detailed, actionable guide to deploying IEC 62443 controls and ensuring a robust security posture for your critical assets and infrastructure. This is not mere theory; instead, we focus on practical implementation steps based on expert experience.

Before we move forward, don’t forget to check out our previous blog post on addressing NIS2 implementation challenges here.

Phase 1: Foundation and Risk Assessment (IEC 62443-2-1, 62443-3-2)

Before implementing the IEC 62443 controls, you must understand your system and its unique risks.

1.1. System inventory and asset management (IEC 62443-2-1)

  • Actionable steps:

    • Conduct a comprehensive asset inventory. This includes hardware (PLC, SCADA, RTU, etc.), software, firmware, network devices, and system dependencies.

    • Classify assets based on criticality (impact on safety, environment, production).

    • Document the perceived risks against each asset.

    • Maintain a dynamic asset repository and update it regularly.

Automated asset discovery tools can be highly effective in large and complex systems. Use a combination of active and passive discovery for comprehensive results.

1.2. Zones and conduits definition (IEC 62443-3-2)

  • Actionable steps:

    • Segment your IACS network into logical Security Zones. A zone groups assets with similar security requirements and/or business criticality.

    • Identify the communication paths, or Conduits, between these zones.

    • Apply granular security requirements based on the risk and potential impact within each zone.

    • For example, isolate critical control systems from less critical systems like HMI (Human Machine Interface) or historian servers.

    • Assign a zone owner for each Security Zone.

Use the ISA-99 / IEC 62443-1-1 reference model when structuring your zones. The goal is to contain threats and minimize the potential for lateral movement from a compromised system to a critical one.
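As an added illustration (not part of the original post), the following Python sketch models zones and conduits as data and evaluates observed flows against a default-deny conduit policy, which is what the "Deny All" default rule in the KPI table later in this post measures. The zone ranges, protocol ports and sample flows are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed zones: the CIDR ranges are invented for this illustration.
ZONES = {
    "Control": ipaddress.ip_network("10.10.1.0/24"),      # PLCs, RTUs
    "Supervisory": ipaddress.ip_network("10.10.2.0/24"),  # HMI, historian
    "Enterprise": ipaddress.ip_network("10.20.0.0/16"),   # IT network
}

# Conduits: (source zone, destination zone) -> allowed (protocol, port) pairs.
# Any zone pair or port not listed here is denied: the "Deny All" default rule.
CONDUITS = {
    ("Supervisory", "Control"): {("tcp", 502)},     # Modbus/TCP polling from HMI
    ("Enterprise", "Supervisory"): {("tcp", 443)},  # historian web access from IT
}

Flow = namedtuple("Flow", "src dst proto port")

def zone_of(ip):
    """Map an address to its Security Zone; None means an asset-inventory gap."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def check_flow(flow):
    """Return None if a conduit permits the flow, else the reason it is denied."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "endpoint not in any defined zone"
    if src_zone == dst_zone:
        return None  # intra-zone traffic does not cross a conduit
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return f"no conduit {src_zone}->{dst_zone}"
    if (flow.proto, flow.port) not in allowed:
        return f"{flow.proto}/{flow.port} not permitted on conduit {src_zone}->{dst_zone}"
    return None

def violations(flows):
    """Pair each denied flow with its reason; this feeds the firewall-violation KPI."""
    return [(f, reason) for f in flows if (reason := check_flow(f))]

# Constructed flows, as an industrial firewall might log them.
SAMPLE_FLOWS = [
    Flow("10.10.2.10", "10.10.1.5", "tcp", 502),   # HMI polls PLC: permitted
    Flow("10.20.3.7", "10.10.1.5", "tcp", 502),    # IT host reaches PLC directly: denied
    Flow("10.20.3.7", "10.10.2.20", "tcp", 443),   # historian dashboard: permitted
    Flow("10.10.2.10", "10.10.1.5", "tcp", 22),    # SSH across the conduit: denied
]
for flow, reason in violations(SAMPLE_FLOWS):
    print(f"VIOLATION {flow.src}->{flow.dst} {flow.proto}/{flow.port}: {reason}")
```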

1.3. Risk Assessment (IEC 62443-3-2)

  • Actionable steps:

    • Perform a security risk assessment for each zone and conduit. Consider potential threats, vulnerabilities, and impacts (safety, environment, operational, reputational, data, financial).

    • Determine the target Security Level (SL) for each zone, based on the risk appetite and operational criticality. IEC 62443 defines SL-1 (low) to SL-4 (high).

    • Leverage the results to prioritize control implementation (start with the most critical zones and conduits, then move on to the others).

Phase 2: Control selection and implementation (IEC 62443-3-3, 62443-2-3)

Select and deploy IEC 62443 controls aligned with the identified Security Levels. This guide highlights key areas, but it is recommended that you refer to the specific standards and profiles relevant to your industry.

2.1. System integrity (IEC 62443-3-3)

  • Network segmentation and perimeter security:

    • Implement robust firewalls with granular access control rules between zones. Use industrial firewalls that understand (and are fluent in) OT protocols.

    • Enforce strict communication policies over Conduits. Block all unauthorized traffic.

    • Use Virtual Local Area Networks (VLANs) for logical segmentation within zones.

  • Access control:

    • Enforce strong authentication and authorization for all users and devices. Use multi-factor authentication (MFA) wherever appropriate (especially for remote access).

    • Conduct an audit exercise to identify redundant privileges.

    • Utilize Role-Based Access Control (RBAC) to grant permissions based on job roles. Follow the principle of least privilege across the board.

    • Disable unnecessary accounts and default passwords.

    • Privileges should be time- or task-bound wherever possible.

  • System hardening:

    • Apply security patches for operating systems, firmware, and applications. (Note: Rigorous testing is crucial for OT systems before deployment).

    • Disable unnecessary services, ports, and features.

    • Implement anti-malware solutions properly configured for industrial environments. Avoid active scanning that might disrupt real-time communication, and avoid vendors whose solutions work exclusively with active scanning.

    • Enforce secure configuration benchmarks (such as Center for Internet Security (CIS) Benchmarks).

2.2. Product security (IEC 62443-4-2)

  • Vendor engagement: Mandate that equipment vendors comply with relevant IEC 62443 standards (such as -4-1 for secure product development and -4-2 for product security requirements).

  • Secure supply chain: Implement processes for verifying software and firmware integrity during procurement and deployment.

  • Audit: Conduct audits to ensure vendors comply with these requirements.

2.3. Patch management (IEC 62443-2-3)

  • Actionable steps:

    • Develop and implement a formal patch management program tailored for IACS. This program must involve rigorous testing of patches in a non-production environment before deployment.

    • Coordinate patch deployment windows during planned downtime or non-critical periods.

    • Consider risk-based patch prioritization, focusing on critical vulnerabilities in critical assets.

2.4. Remote access security

  • Actionable steps:

    • Strictly control and monitor all remote access to the IACS network.

    • Use dedicated secure remote access gateways with MFA. Avoid allowing direct access to critical systems.

    • Enforce time-limited access and session logging for remote connections.

Phase 3: Security operations and monitoring (IEC 62443-3-3, 62443-2-1)

A resilient IACS requires continuous security monitoring.

3.1. Monitoring for malicious activity

  • Actionable Steps:

    • Implement Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solutions for central log collection, correlation, and analysis.

    • Collect relevant logs from network devices, servers, PLCs, and applications.

    • Integrate an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS) capable of inspecting industrial protocols for anomalies and threat signatures.

    • Establish clear Incident Response procedures.

4. Monitoring efficacy: Defining meaningful Key Performance Indicators (KPIs)

Tracking KPIs is essential to measure the effectiveness of the deployed controls and ensure continuous improvement. These KPIs should be relevant to your specific risks and business objectives.

  • Asset management efficacy:

    • Percentage of assets with an up-to-date security patch level.

    • Average time taken to patch a critical vulnerability on a critical asset.

  • Network security efficacy:

    • Number of firewall policy violations detected.

    • Percentage of unauthorized connection attempts blocked.

  • Endpoint security efficacy:

    • Percentage of endpoints with updated anti-malware signatures.

    • Number of malware incidents detected and contained.

  • Remote access security efficacy:

    • Number of remote access sessions properly authorized and monitored.

    • Number of unauthorized remote access attempts blocked.

  • Security operations efficacy:

    • Mean Time to Detect (MTTD) a security incident.

    • Mean Time to Respond (MTTR) to a security incident.

Focus on a few highly relevant KPIs and present them on a dashboard for security monitoring and continuous improvement. Track trends over time to identify areas for adjustment.

Maintaining audit trails

Complete and non-repudiable audit trails are crucial for incident investigation, compliance, and post-incident analysis.

Log management

  • Actionable steps:

    • Define which security-related events to log, ensuring coverage of critical areas (access, network traffic, system changes).

    • Implement centralized logging. Logs should be immutable, timestamped using a trusted time source (NTP), and securely stored.

    • Ensure proper log retention policies in accordance with regulatory requirements and operational needs.

Capturing key events

Audit trails must capture granular details for crucial events, including:

  • Authentication and authorization: Successful and failed logins, changes to user accounts and permissions.

  • System access and changes: Remote access connections, system configuration changes, application program uploads and downloads, security patch installations.

  • Network traffic: Security-related firewall events, potential security alerts from IDS/IPS.

  • Operational actions: Changes to setpoints or control configurations that could have safety or operational impacts. (This can be critical in incident reconstruction).
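An added example, not from the original post, of how the immutability and trusted-timestamp requirements above can be made checkable: a hash-chained audit trail in which an edited or deleted record breaks the chain, plus a skew check that flags a device clock that has drifted from the NTP-synced collector. The event sources, fields and the 5-second tolerance are assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(seconds=5)  # assumed tolerance between a device clock and the collector

def _digest(prev_hash, record):
    # Canonical JSON so that the same record always produces the same hash.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

class AuditTrail:
    def __init__(self):
        self.entries = []
        self.drift_alerts = []

    def append(self, source, event, device_ts, collector_ts):
        """Chain a new record; the collector's clock is assumed to be NTP-synchronized."""
        if abs(device_ts - collector_ts) > MAX_SKEW:
            self.drift_alerts.append(
                f"{source}: device clock off by {(device_ts - collector_ts).total_seconds():+.0f}s")
        record = {
            "source": source,
            "device_ts": device_ts.isoformat(),
            "collector_ts": collector_ts.isoformat(),
            "event": event,
        }
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({**record, "prev_hash": prev, "hash": _digest(prev, record)})

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            record = {k: e[k] for k in ("source", "device_ts", "collector_ts", "event")}
            if e["prev_hash"] != prev or e["hash"] != _digest(prev, record):
                return i
            prev = e["hash"]
        return None

def demo():
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)  # constructed collector time
    trail = AuditTrail()
    trail.append("hmi-01", {"type": "login", "user": "operator", "ok": True}, t0, t0)
    trail.append("plc-03", {"type": "setpoint_change", "tag": "TT-101", "new": 85.0},
                 t0 + timedelta(minutes=1, seconds=47), t0 + timedelta(minutes=1))  # drifted clock
    trail.append("fw-edge", {"type": "deny", "dst_port": 502},
                 t0 + timedelta(minutes=2), t0 + timedelta(minutes=2))
    return trail
```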

KPI dashboard: Measuring efficacy of IEC 62443 controls

| Metric Category | Specific KPI | Success Threshold |
|---|---|---|
| Topology | Depth of asset visibility | 100 percent |
| Segmentation | Percent of Conduits with "Deny All" default rule | 100 percent |
| Access Control | Percent of Remote Access sessions using MFA | 100 percent |
| Integrity | Time between Vulnerability Disclosure and Patch/Mitigation | < 30 Days (for SL-3) |
| Audit Trails | Percent of critical assets sending logs to central SIEM | > 95 percent |


Make sure NTP (Network Time Protocol) synchronization is in place across the IACS. An audit trail is useless if the timestamps across your PLCs, firewalls, and HMIs don't match; in an IEC 62443 audit, clock drift is a common finding.
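To make the KPI section and the dashboard table concrete, here is an added Python example (not from the original post) that computes several of the listed KPIs from constructed session, asset, patch and incident records and compares them with the table's thresholds. All record values are invented, and MTTR is measured from detection to containment, which is an assumption.

```python
import operator
from datetime import datetime
from statistics import mean

# Thresholds from the dashboard table: KPI -> (comparison that must hold, limit).
THRESHOLDS = {
    "remote_mfa_pct": (operator.ge, 100.0),    # 100 percent
    "siem_coverage_pct": (operator.gt, 95.0),  # > 95 percent
    "patch_days_max": (operator.lt, 30),       # < 30 days (SL-3)
}

# Constructed records; every value below is invented for illustration.
REMOTE_SESSIONS = [  # remote access sessions and whether MFA was used
    {"user": "vendor-a", "mfa": True},
    {"user": "vendor-b", "mfa": True},
    {"user": "contractor-c", "mfa": True},
]
CRITICAL_ASSETS = {  # critical asset -> forwards logs to the central SIEM?
    "plc-01": True, "plc-02": True, "hmi-01": True, "historian-01": False,
}
PATCH_EVENTS = [  # (vulnerability disclosed, patch or mitigation applied)
    (datetime(2024, 3, 1), datetime(2024, 3, 20)),
    (datetime(2024, 4, 2), datetime(2024, 5, 10)),
]
INCIDENTS = [  # (occurred, detected, contained)
    (datetime(2024, 2, 1, 9), datetime(2024, 2, 1, 11), datetime(2024, 2, 1, 15)),
    (datetime(2024, 5, 6, 1), datetime(2024, 5, 6, 7), datetime(2024, 5, 7, 1)),
]

def pct(part, whole):
    return 100.0 * part / whole if whole else 0.0

def hours(start, end):
    return (end - start).total_seconds() / 3600

def compute_kpis():
    """Derive the dashboard metrics; MTTR is detection-to-containment (assumption)."""
    return {
        "remote_mfa_pct": pct(sum(s["mfa"] for s in REMOTE_SESSIONS), len(REMOTE_SESSIONS)),
        "siem_coverage_pct": pct(sum(CRITICAL_ASSETS.values()), len(CRITICAL_ASSETS)),
        "patch_days_max": max((fixed - disclosed).days for disclosed, fixed in PATCH_EVENTS),
        "mttd_hours": mean(hours(occ, det) for occ, det, _ in INCIDENTS),
        "mttr_hours": mean(hours(det, con) for _, det, con in INCIDENTS),
    }

def evaluate(kpis):
    """Return {kpi: (value, limit)} for every KPI that misses its threshold."""
    return {name: (kpis[name], limit)
            for name, (meets, limit) in THRESHOLDS.items() if not meets(kpis[name], limit)}
```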

Deploying IEC 62443 security controls cannot be a one-time project; it is an ongoing process demanding commitment. By following this risk-based approach, involving key stakeholders (IT, OT, management, vendors), and embracing continuous monitoring and evaluation, organizations can significantly improve the cybersecurity posture of their industrial systems. This methodical approach ensures not just compliance, but genuine operational resilience.

Additional resources

A downloadable report on the Stryker cyber incident
IEC 62443-based OT/ICS risk assessment checklist for the food and beverage manufacturing sector
Removable media scan solution vendor evaluation and selection checklist