If you have been handed an IEC 62443 readiness requirement and the first thing you did was search for the standard, you already know the problem: IEC 62443 is not a standard. It is a family of about 14 documents, totaling thousands of pages, aimed at at least four different audiences. It is not written to be read cover-to-cover.
This post gives you the working subset: enough to have an informed conversation with an auditor, an integrator, or your own leadership.
The documents that actually matter to operators
If you run an industrial facility — as opposed to manufacturing industrial equipment or designing control systems — the documents you are most likely to be assessed against are:
- 62443-2-1: Establishing an industrial automation and control systems security program. The organizational foundation.
- 62443-3-2: Security risk assessment for system design. This is where zones and conduits come from.
- 62443-3-3: System security requirements and security levels. The control catalog.
The others are mostly for product vendors and system integrators. You will reference them; you will not typically be audited against them.
The two concepts that do 80% of the work
Zones and conduits
A zone is a grouping of assets with common security requirements. A conduit is the controlled communication path between zones. That's it. The power of the model is that once you have defined zones and conduits, you have a shared language for talking about which controls go where and who owns what.
In practice, the zones in a heavy manufacturer typically map to: corporate IT, industrial DMZ, operations zone, process control zone, safety instrumented system. Each zone has a defined security level target. Each conduit between zones has a documented ruleset.
Security Levels (SL 1 through 4)
Each zone gets a target security level. The levels roughly correspond to:
- SL 1: Protection against casual or coincidental violation
- SL 2: Protection against intentional violation using simple means
- SL 3: Protection against intentional violation using sophisticated means
- SL 4: Protection against intentional violation using sophisticated means and extended resources
Most facilities we work with land on SL 2 for most zones, SL 3 for critical process zones. SL 4 is rare and typically applies only to specific safety-critical contexts.
The 62443 foundational requirements
62443-3-3 defines seven foundational requirements (FRs). At a high level:
- FR 1: Identification and authentication control
- FR 2: Use control
- FR 3: System integrity
- FR 4: Data confidentiality
- FR 5: Restricted data flow
- FR 6: Timely response to events
- FR 7: Resource availability
Each FR contains system requirements (SRs) with requirement enhancements that scale with target security level. When someone says "we are 62443 SL 2 in this zone," what they mean is that the controls in the relevant FRs meet the SL-2 requirement for that zone.
How to actually get started
If you are staring at a 62443 readiness requirement, this is the order of operations we use with clients:
- Define your zones. Draw the lines. Get plant operations and IT to agree.
- Define your conduits. Document the flows between zones.
- Assign target security levels per zone.
- Gap-assess current state against the SL requirements for each zone.
- Remediate in priority order, starting with conduit enforcement and segmentation.
- Document and prepare for assessment.
Steps 1–3 can usually be completed in 4–6 weeks. Step 4 takes another 2–3 weeks. Steps 5–6 are where most of the time and cost go — typically 3–9 months depending on starting state.
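As an added example (not part of the original post), the six-step process above expressed as a small Python model: zones carry a target SL and the SL achieved per foundational requirement, conduits carry a documented ruleset, one check confirms every conduit joins two defined zones and has a ruleset, and a gap assessment lists FR 5 (restricted data flow) shortfalls first because the text says remediation starts with conduit enforcement and segmentation. The zone names and SL values are constructed, and the FR-5-first ordering is a simplification of that priority guidance.

```python
from dataclasses import dataclass, field

FRS = ["FR1", "FR2", "FR3", "FR4", "FR5", "FR6", "FR7"]  # the seven foundational requirements

@dataclass
class Zone:
    name: str
    sl_target: int                                   # SL-T for the zone, 1..4
    sl_achieved: dict = field(default_factory=dict)  # FR -> SL currently met (SL-A)

@dataclass
class Conduit:
    src: str
    dst: str
    ruleset: list                                    # documented allowed flows; empty = undocumented

def conduit_findings(zones, conduits):
    """Every conduit must join two defined zones and carry a documented ruleset."""
    names = {z.name for z in zones}
    findings = []
    for c in conduits:
        for end in (c.src, c.dst):
            if end not in names:
                findings.append(f"{c.src}->{c.dst}: undefined zone '{end}'")
        if not c.ruleset:
            findings.append(f"{c.src}->{c.dst}: no documented ruleset")
    return findings

def gap_assess(zones):
    """(zone, FR, shortfall) wherever SL-A < SL-T. FR 5 (restricted data flow,
    i.e. segmentation) gaps sort first, then larger shortfalls: the remediation order in the text."""
    gaps = [(z.name, fr, z.sl_target - z.sl_achieved.get(fr, 0))
            for z in zones for fr in FRS if z.sl_achieved.get(fr, 0) < z.sl_target]
    return sorted(gaps, key=lambda g: (g[1] != "FR5", -g[2], g[0]))

# Constructed sample plant using the zone set named in the text; SL values are illustrative.
ZONES = [
    Zone("corporate-it", 2, {fr: 2 for fr in FRS}),
    Zone("industrial-dmz", 2, {**{fr: 2 for fr in FRS}, "FR5": 1}),
    Zone("process-control", 3, {**{fr: 3 for fr in FRS}, "FR1": 1, "FR5": 2}),
    Zone("safety-instrumented", 3, {fr: 3 for fr in FRS}),
]
CONDUITS = [
    Conduit("corporate-it", "industrial-dmz", ["tcp/443 historian replication"]),
    Conduit("industrial-dmz", "process-control", []),            # ruleset never written down
    Conduit("process-control", "safety", ["modbus read-only"]),  # misspelled zone name
]
if __name__ == "__main__":
    for line in conduit_findings(ZONES, CONDUITS) + [str(g) for g in gap_assess(ZONES)]:
        print(line)
```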
The takeaway
62443 is not a pass/fail document. It is a framework for talking about industrial cybersecurity in a common language. The audit value is real, but the operational value — having a shared vocabulary for zones, conduits, and security levels — is higher.
If you have a 62443 requirement from a customer, insurer, or regulator, we do readiness work and gap assessments.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.