
IEC 62443-2-1 and -2-4

The IEC 62443 standard is an internationally recognised standard for network security in the process and automation industry and is increasingly used in Industry 4.0. It helps prevent cyberattacks and serves as proof of due diligence in accordance with the Industrial Safety Ordinance and the Product Safety Act.

IEC 62443 test mark from TÜV NORD CERT GmbH

Security in Industry 4.0

The risk of cyberattacks is constantly increasing for companies. This makes the responsible handling of information more important than ever. After all, information is a valuable asset whose loss or manipulation can cause considerable damage.

The IEC 62443 standard (Industrial Communication Networks - Networks and System Security) has established itself as an internationally recognised standard for proof of conformity in the process and automation industry. Because many other industrial sectors lack comparable standardisation specifications of their own, they now rely on this standard as well. This makes IEC 62443 the central certification standard for Industry 4.0.

IEC 62443 also serves as possible proof of fulfilment of the duty of care in accordance with the Industrial Safety Ordinance and the Product Safety Act.


Advantages of certification according to IEC 62443

  • Certification against internationally recognised security standards, demonstrable to customers and business partners
  • Minimising the risk of errors and reputational damage (risk management)
  • Reducing costs and risks by identifying and eliminating digital security vulnerabilities in advance
  • Minimisation of production downtimes, increase in availability
  • Demonstration of up-to-date quality and security certifications as proof of business performance and customer focus
  • Fulfilment of the duty of care in accordance with the Industrial Safety Ordinance and Product Safety Act


What exactly is Part 2 of IEC 62443?

The second part "Security requirements for operators and service providers" describes the IT security management system and thus defines the organisation of security and the associated implementation aids.

Part 2-1 describes requirements for an IT security management system, such as the definition of security procedures. Part 2-2 contains information on how and in which areas these procedures are to be implemented. Updating the software of automation systems (patching) is of particular importance because outdated software can lead to security vulnerabilities; Part 2-3 is therefore dedicated entirely to patch management. Part 2-4 deals with the use of service providers for commissioning and service from a security perspective.

Added Value and Synergies within the IEC 62443 Series – Building on IEC 62443-2-1

Within the IEC 62443 series of standards, IEC 62443-2-1 plays a central strategic role as it establishes an organisational framework for the systematic cybersecurity of operational technology (OT).

The IEC 62443 series is an internationally recognised standard for the comprehensive protection of industrial automation and control systems (IACS).

A certified implementation of IEC 62443-2-1 establishes the basis for applying other parts of the series. The implemented security programme provides an overarching control and governance framework on which technical, system and component-related security requirements are based.

Benefits in Combination with Other IEC 62443 Standards

  • The risk-based approach anchored in IEC 62443-2-1 provides governance, roles, and processes for repeatable, documented, and traceable OT risk analyses.
  • Risk analyses according to IEC 62443-3-2 can be consistently integrated into the security program and systematically maintained over time.
  • Results can be used directly for action planning, prioritization, and management decisions.

  • The guidelines, responsibilities, and decision-making processes defined by IEC 62443-2-1 create a clear framework for deriving and implementing system requirements.
  • Security levels can be defined, documented, and monitored uniformly organization-wide.
  • The existing management and review system facilitates the verification of the effectiveness of technical measures.

  • The security program supports the structured management and assessment of external service providers and system integrators.
  • Requirements for competencies, processes, and evidence can be derived from the existing governance model.
  • Supplier and service provider risks are systematically addressed and monitored.

  • The security objectives and risk tolerances defined in the security program serve as the basis for the selection and evaluation of secure components.
  • Requirements for components can be consistently derived from risk analyses and system requirements.
  • Certified or tested components can be integrated more easily into existing system and plant architectures.

Overall Benefits for Organizations

  • Reduced implementation effort for additional IEC 62443 standard parts thanks to existing governance, risk, and process structures
  • Consistent verification of OT cybersecurity across management, system, and component levels
  • Increased planning reliability for the modernization, expansion, and operation of industrial plants
  • Improved audit and certification capability through clear assignment of requirements, evidence, and responsibilities
  • Strengthened cyber resilience throughout the entire IACS lifecycle, including legacy systems and hybrid IT/OT environments

IEC 62443-2-1 therefore serves as a strategic entry point and a cornerstone for the gradual, structured, and sustainable implementation of the entire IEC 62443 series of standards in the industrial environment.

Examination content

The audit consists of the pre-audit, on-site readiness assessment and certification audit stages. The certification addresses the logical levels of organisation/processes, system and components as well as procedural and functional requirements. The aim is to certify the implemented CSMS (Cyber Security Management System).

The new standard content is partly based on established ISMS requirements, which means that certification can be easily combined with ISMS audits. Existing risks are identified, analysed and remedied through qualified measures. In this way, you simultaneously protect your confidential data and improve the integrity and availability of your IT systems. After passing the audit, you will receive a certificate. It is valid for three years (including annual surveillance audits).

Whitepaper IEC 62443

In addition to a digitalisation strategy, industrial plants need a stringent cyber security strategy. The IEC 62443 standard offers a well thought-out, structured and established process model for this. In addition to technology, it also takes processes into account and consistently incorporates the three important roles of Industry 4.0: Operators, integrators and component manufacturing companies. This certification standard can be used to demonstrate fulfilment of the duty of care and lay the foundation for proof of conformity at an early stage. Our white paper highlights all the important aspects:

  • The IEC 62443 standard in its entirety
  • Scenario 1: the role of the operators
  • Scenario 2: the role of industrial plant integrators
  • Scenario 3: the role of component manufacturing companies

Audit process for IEC 62443 certification

  1. Enquiry & quotation
  2. Commissioning TÜV NORD
  3. Audit stage 1: Determination of readiness for certification
  4. Audit stage 2: Certification audit
  5. Certification decision TÜV NORD
  6. Issue of certificate

Would you like to learn more about IEC 62443 certification? Please feel free to contact us.

ISMS Sales & Project Management