Guide To IEC 62443 For OT Security In Industrial Automation



30th November, 2025.

In this post, we will see the concept of IEC-62443 for OT security in industrial automation.

Industrial automation today is divided into two parts, OT and IT, a split that came with the advent of IoT. OT stands for operational technology and IT stands for information technology. OT is based on hardware and lower-level components that interact with the field, while IT is based on software and higher-level components that interact with cloud servers and worldwide communication. When OT was the only form of industrial automation, cybersecurity was not much of a concern and was not widely implemented in it. Now, because of advanced networking, cybersecurity is seriously required in OT. With this in mind, the international standard IEC 62443 was developed specially for OT, to combine it with the latest cybersecurity methods. In this post, we will understand the concept of IEC 62443.



IEC 62443 - the industrial cybersecurity standard for OT


IEC 62443 is an international standard developed for securing industrial automation and control systems at the OT layer. Because it concerns OT, the standard primarily deals with PLC, SCADA, DCS, HMI, RTU, VFD, and smart sensors. OT was not initially designed with cybersecurity in mind and everything was isolated, so the standard covers how an industrial plant should be protected, how threats should be managed, and how vendors should develop secure products and firmware on a timely basis. In all cases, the standard ensures that your data is kept confidential, that a cyber attack does not cause a major failure, that old products are retrofitted to the standard, and that production keeps going even if an incident occurs. This matters because increased networking with the IT layer (and between networks) brings its own threats: cyber attacks such as unauthorised access, data manipulation, system shutdown, ransomware and misconfiguration.



This standard is structured into four categories: general, policies and procedures, system requirements, and component requirements. General deals with the basic concepts of networking, zones, conduits and security levels. Policies and procedures deal with audit and documentation, patch management, incident response, and user access management. System requirements deal with how to secure the entire control system in practice, using architectures like firewalls, segments, DMZ, conduits and zones. Component requirements give vendors a life cycle overview to keep in mind when designing OT devices, including methods like audit logs, encryption, user authentication, firmware update signing, secure boot and secure coding.

The security levels in this standard are divided into four types: SL1 - protection against casual attackers, SL2 - protection against skilled attackers, SL3 - protection against organised attackers, and SL4 - protection against nation-state attackers. Understanding these levels is also necessary, as it helps in designing security according to the requirement.



In short, when this standard is implemented for your OT system, whether new or old, the following things will be covered: networks will be segmented and grouped, firewalls will be present in critical areas, users operating SCADA and HMI will have various access levels, remote access will be secured through VPN, patch management (the controlled process of updating software, firmware, and operating systems in industrial systems to fix vulnerabilities, improve stability, and maintain security) will be taken care of, unauthorised access will be prevented, and unused hardware or services will be disabled. As a result, your OT devices will be secured, networks cannot be hacked, and vendors will also ensure that their upcoming devices comply with this standard, following this cycle for their lifetime. Note that IT plays a supporting role here; the standard is mainly concerned with OT. IEC 62443 covers OT first, and then defines how IT should interact with OT securely, using DMZ, VPN, network monitoring, cloud connectivity, unidirectional gateways and strict firewall rules.


Practical example of IT-OT separation using IEC-62443


Let us take a simple example of working with this standard, so that you understand how OT is secured, whether it is new or has to be retrofitted into an existing OT structure. Suppose your plant has the following components: PLC, SCADA, HMI, historian server, MES, ERP and remote support needed by vendors. IEC 62443 tells you how to isolate these systems so that IT problems never affect OT. This is done by splitting the architecture into groups.

The first group is the IT zone of ERP, MES and remote support, which has high traffic and high risk. Because of this, it is ensured that IT never talks to OT directly. To allow the two to communicate, a DMZ (demilitarised zone) is present, consisting of OPC UA, proxy servers, jump servers, remote access gateway, patch servers, historian replica servers and antivirus updates. Finally comes the OT group, which is the most sensitive area as it interacts with the process directly. Care is therefore taken that OT gets no direct access from IT or the internet, and all communication goes through the DMZ firewalls.

So how does communication happen? Let us understand this with some examples. If an IT engineer wants to connect to the SCADA PC for data reporting, this is done through the historian replica server in the DMZ, which talks to the actual historian server on the SCADA PC, so the SCADA PC remains untouched. If a vendor wants remote access to a PLC, this is done through VPN and the jump server in the DMZ, with proper approval and credentials. If someone wants to install Windows patches on the SCADA PC, this is done through the patch server in the DMZ after the patches have been tested and approved properly. And if MES wants data from the PLC directly, this is done through an OPC server in the DMZ, via an OPC proxy there.
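The zone rule above can be checked mechanically against a firewall rule export. The following is an added example, not part of the original post: the subnets, rule names and rule format are constructed for illustration, and the check flags any allow rule that lets traffic move between zones without passing through the DMZ.

```python
import ipaddress

# Constructed addressing plan (assumption): one subnet per zone from the example above.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),   # ERP, MES, vendor remote support
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),  # jump, patch, OPC proxy, historian replica
    "OT": ipaddress.ip_network("10.30.0.0/16"),   # PLC, SCADA, HMI, historian
}
# Conduits the model permits: every IT<->OT path has to cross the DMZ.
ALLOWED_CONDUITS = {("IT", "DMZ"), ("DMZ", "IT"), ("DMZ", "OT"), ("OT", "DMZ")}

# Constructed firewall export (hypothetical rule names and addresses).
SAMPLE_RULES = [
    {"name": "it-reporting-to-historian-replica", "src": "10.10.5.0/24", "dst": "10.20.0.10/32", "action": "allow"},
    {"name": "historian-replica-to-historian", "src": "10.20.0.10/32", "dst": "10.30.1.20/32", "action": "allow"},
    {"name": "vendor-vpn-to-jump-server", "src": "10.10.200.0/24", "dst": "10.20.0.5/32", "action": "allow"},
    {"name": "jump-server-to-plc", "src": "10.20.0.5/32", "dst": "10.30.2.0/24", "action": "allow"},
    {"name": "mes-direct-to-plc", "src": "10.10.8.15/32", "dst": "10.30.2.11/32", "action": "allow"},
    {"name": "legacy-any-to-scada", "src": "0.0.0.0/0", "dst": "10.30.1.0/24", "action": "allow"},
    {"name": "it-to-ot-default-deny", "src": "10.10.0.0/16", "dst": "10.30.0.0/16", "action": "deny"},
]

def zone_of(cidr):
    """Zone that fully contains cidr; 'EXTERNAL' if it lies outside or spans zones."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone_net in ZONES.items():
        if net.subnet_of(zone_net):
            return name
    return "EXTERNAL"

def audit(rules):
    """Return (rule, src zone, dst zone) for every allow rule that bypasses the DMZ."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src, dst = zone_of(rule["src"]), zone_of(rule["dst"])
        intra_zone = src == dst and src != "EXTERNAL"
        if not intra_zone and (src, dst) not in ALLOWED_CONDUITS:
            findings.append((rule["name"], src, dst))
    return findings

if __name__ == "__main__":
    for name, src, dst in audit(SAMPLE_RULES):
        print(f"VIOLATION {name}: {src} -> {dst} does not pass through the DMZ")
```

On the sample rules, the four DMZ-mediated paths from the examples pass, while the direct MES-to-PLC rule and the wide "any" rule into the SCADA subnet are reported.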



If you are already running an OT plant and need to bring it up to this standard, you do not need a full shutdown; the work can be done in sections. IEC 62443 upgrades are usually done zone by zone, so you need downtime for firewall additions, commissioning new network devices, updating PLC or SCADA patches, segmenting network switches, installing DMZ servers, readdressing IP addresses and changing the existing network topology. Additional components will be required, such as firewalls, L3 managed switches, VLAN-capable switches, a VPN gateway for secure remote access, a DMZ jump server, a DMZ historian or replication server, a patch management server, an OPC UA proxy server, endpoint protection for SCADA PCs, and certificate management. Some tasks, such as auditing the network, doing backups and documentation, hardening Windows SCADA systems, creating new user roles, blocking unused IT ports and adding VPN for remote access, can be done in a live plant without a shutdown.



Another major point to note is that this standard secures OT even without IT. This matters when you connect your laptop directly to the PLC, which is the biggest threat. The laptop must therefore follow strict rules: regular patching, application whitelisting, antivirus installed, only approved software installed with no cracked versions, USB ports locked, and no internet access. Also, instead of connecting directly, you should use a jump server, a firewall (which can block file transfer, pinging, and broadcast traffic), and a VLAN. The program in the PLC or any other OT device should be password protected and have user roles, and the device should have signed firmware updates and secure boot.


I have covered the general theory of IEC 62443. I have not attempted to cover every topic related to it, as it can vary from case to case. Once you are familiar with this type of technology, you can easily troubleshoot any issues related to it.


Thank you for reading the post. I hope you liked it and will find a new way in this type of technology.





