Welcome back to the series on the IEC 62443 standard for industrial cybersecurity. This third installment looks at the fourth series of documents, the IEC 62443-4 series.
This series of documents is aimed at vendors that produce and support the gizmos in industrial infrastructure. Like the IEC 62443-3 series, these documents provide us with guidance on software development and automation, along with their requirements.
As you can see from the titles of the documents in the table above, we are now in the part of the IEC 62443 standard that focuses on developing and securing the various components of an industrial infrastructure, such as PLCs.
As in the previous articles in this series, I will give you an overview of some of the content of the documents in the IEC 62443-4 series. That way, you can focus on the documents that will provide you with the most value, since the cost of buying the documents from your national standards body is nontrivial.
The purpose of IEC 62443-4-1 (Security for industrial automation and control systems – Part 4-1: Secure product development lifecycle requirements) is to define how suppliers of IACS products must develop, maintain, and retire products in a secure manner.
Content of IEC 62443-4-1
- Scope
  - Defines the purpose of the document: requirements for the processes suppliers must follow to develop and maintain secure IACS products.
  - Clarifies that it focuses on lifecycle processes, not specific product features.
- Normative references
  - Lists other IEC 62443 standards and related documents referenced in this part.
- Terms and definitions
  - Provides definitions of key terms (e.g., secure development lifecycle, threat modeling, patch, vulnerability).
- Concepts
  - Introduces the concept of a Secure Development Lifecycle (SDL).
  - Explains how security is integrated into each stage of the product lifecycle.
- General requirements
  - High-level obligations for suppliers (e.g., having documented processes, ensuring repeatability, and defining roles and responsibilities).
- Process requirements (the core of the standard)
  - IEC 62443-4-1 is built around 8 key practices (process areas) that suppliers must implement:
    - Security Management
      - Establish security policies, roles, and responsibilities.
      - Ensure management commitment and continuous improvement.
    - Specification of Security Requirements
      - Define product security requirements based on risk and system context.
    - Secure by Design
      - Incorporate threat modelling, risk assessment, and security architecture principles early in design.
    - Secure Implementation
      - Apply secure coding practices, code reviews, and static/dynamic analysis.
    - Verification & Validation Testing
      - Conduct security-specific testing (e.g., penetration testing, fuzz testing, regression testing).
    - Management of Security-Related Issues
      - Define processes for reporting, tracking, and resolving vulnerabilities.
    - Security Update Management
      - Ensure timely delivery of patches and updates throughout the product lifecycle.
    - Security Guidelines
      - Provide users with guidance on secure configuration, deployment, and maintenance.
There is also an annex that provides examples of how the IEC 62443-4-1 requirements can be implemented. It becomes important if you want to be certified against IEC 62443-4-1; see the later section describing which areas of IEC 62443 a company can be certified in.
The purpose of IEC 62443-4-2 (Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components) is to define the technical cybersecurity requirements for individual components that make up an industrial automation and control system (IACS).
Whereas IEC 62443-4-1 is about the processes suppliers use to develop secure products, IEC 62443-4-2 specifies the technical features and capabilities those products must have to meet security expectations.
Content of IEC 62443-4-2
- Scope
  - Defines the purpose: specifying technical security requirements for IACS components.
  - Explains that it builds on system-level requirements in IEC 62443-3-3 and applies them at the component level.
- Normative references
  - Lists standards referenced (e.g., other IEC 62443 parts, ISO/IEC standards).
- Terms and definitions
  - Defines important concepts (e.g., embedded device, host device, security level).
- Concepts
  - Introduces how component security requirements (CRs) are derived from system requirements.
  - Explains the relationship with IEC 62443-3-3.
  - Introduces the four component categories:
    - Embedded devices
    - Host devices
    - Network devices
    - Software applications
- General requirements
  - Establishes how the standard applies across different component types.
  - Defines the structure of requirements: Foundational Requirement (FR) → Component Requirement (CR) → Requirement Enhancements (REs).
IEC 62443-4-2 provides a catalogue of technical security requirements for IACS components, structured under the 7 foundational requirement categories. It ensures that individual components (PLCs, HMIs, servers, firewalls, applications, etc.) can support system-wide security goals and achieve the desired Security Level (SL1–SL4).
You can be certified in IEC 62443, but with an important nuance: IEC 62443 itself does not issue certifications (it’s a set of international standards), but certification schemes have been built around it. Different organizations (like ISA, TÜV, ISASecure, and other accredited certification bodies) offer certifications based on the requirements in the IEC 62443 series.
IEC 62443 certification can mean a few different things depending on whether you are an individual professional or an organization/product. The IEC 62443 standard covers industrial automation and control system (IACS) cybersecurity, and certification options fall into three main categories:
1. Individual Certifications (Personal Competence)
Several training and certification schemes exist for professionals who want to demonstrate their knowledge of IEC 62443:
- ISA/IEC 62443 Cybersecurity Certificate Program (via ISA/ISASecure / ISA Training)
  - Certificates of Completion for different modules:
    - Fundamentals Specialist
    - Risk Assessment Specialist
    - Design Specialist
    - Maintenance Specialist
  - These are stackable; completing several may lead toward the ISA/IEC 62443 Cybersecurity Expert designation.
  - Delivered by the International Society of Automation (ISA) and training partners.
- Global Training Providers (Exida, TÜV Rheinland, SGS-TÜV Saar, etc.)
  - Offer “Certified IEC 62443 Professional” or similar credentials.
  - Typically involve coursework, an exam, and sometimes practical exercises.
2. Organizational / Process Certification
Companies can certify their processes or services against IEC 62443 requirements.
Examples:
- ISASecure SDLA (Secure Development Lifecycle Assurance): Certifies that a vendor’s product development process complies with IEC 62443-4-1.
- ISASecure SSA (System Security Assurance): For automation systems, aligned with IEC 62443-3-3.
- ISASecure CSA (Component Security Assurance): For embedded devices/components, aligned with IEC 62443-4-2.
These certifications are granted by accredited certification bodies (e.g., TÜV, exida, Bureau Veritas, UL, DNV, SGS).
3. Product Certification
Vendors of industrial control products can have their devices, applications, or systems certified for compliance with IEC 62443 requirements.
- Covers aspects like security functions, secure communications, user management, robustness testing.
- Certification schemes include ISASecure and TÜV/UL equivalents.
There are many benefits to becoming certified, for both individuals and organizations. For the individual, it shows that you have the knowledge to help an organization with its industrial security needs. For the organization, it shows that an effort has been made to secure the industrial infrastructure and any industrial components the organization has produced.
With the ever-growing regulations and focus from the regulators, and because of the growing interest in industrial systems from the more nefarious areas of the Internet, showing that you have tried to secure your infrastructure will go a long way toward mollifying the regulators in the event of an incident.
Other Industrial Certifications
There are other certifications that might benefit your career in industrial cybersecurity, that are not focused on IEC 62443, but on the more operational aspects of industrial security. They are:
GIAC ICS/OT Security Certifications
- GICSP (Global Industrial Cyber Security Professional)
  - Probably the best-known GIAC cert for ICS/OT.
  - Vendor-neutral, covers IT, OT, and engineering concepts.
  - Developed jointly with key industry experts, widely recognized by asset owners and vendors.
  - Aligns strongly with IEC 62443 principles (risk, zones/conduits, secure design, operations).
- GRID (GIAC Response and Industrial Defence)
  - Focused on incident response, detection, and active defense in ICS/OT environments.
  - Good next step after GICSP if you’re focusing on defence operations.
- GCIP (GIAC Critical Infrastructure Protection)
  - More specialized: aligns with NERC CIP standards for North American electric utilities.
  - Valuable if you’re working in the power/energy sector.
CompTIA has an OT certification arriving in 2026. Not much is known about the content of the examination yet, but it might be worth keeping an eye on that one as more information is released!
I hope that this series of articles has given you an insight into the many documents that make up the IEC 62443 standard for industrial cybersecurity. My overall goal with this series has been to give you enough insight into the content of the individual documents that you will be able to focus on the documents that make the most sense in your own situation.
