IEC 62443's Defence Architecture

Posted by Matias Almeida Garzon

The #IEC62443 standard is split into four parts. The first two lay the foundation: Part 1 covers general concepts and terminology, and Part 2 covers the policies and procedures an asset owner needs to have in place before any implementation starts. Part 3 shifts the attention to the system level, that is, how an industrial automation and control system (IACS) is integrated and secured as a whole.

Subsection 3-3 stipulates the system security requirements (SRs). Each SR is derived from one of the seven foundational requirements (FRs) introduced in Part 1, and each is mapped to security levels SL 1 to SL 4. This mapping is the standard's grading scheme: the higher the security level a zone has to meet, the more SRs (and requirement enhancements) it must satisfy, so access to and between zones is granted according to a hierarchy of criteria rather than a single yes-or-no rule.

The architecture follows a multi-layered defence model designed to isolate and delay an intruder who has already gained an initial foothold. The building blocks are “zones”: groups of assets that share physical and functional characteristics and, importantly, a common target security level (SL-T), so every asset in a zone is protected to the same level. Zones are connected by “conduits”, the communication channels between them; each conduit carries only the traffic the design allows, with controls that match the security level of the zones it joins. The zone and conduit concepts come from Part 1 and are applied during the 3-2 risk assessment; 3-3 then supplies the SRs that each zone and conduit must meet for its security level.

An example provided by Cisco shows four subsystems spread across three main zones and connected by conduits: two industrial application networks, each joined by a conduit to the Enterprise DMZ, which in turn is joined through the last layer to the Enterprise infrastructure. Traffic between the enterprise and the industrial networks is therefore channelled through the DMZ rather than flowing directly.

It is important to note that applying #62443 does not mean removing conventional network defences such as firewalls; it strengthens them by giving them a structure. A firewall is typically the device that enforces a conduit, and the zone model tells it exactly which flows to allow. The benefit of the standard is that it gives engineers the flexibility to tailor the defence to their own needs instead of prescribing one topology. It is even possible to apply #Zero-trust principles on top of this structure, for example by authenticating every request that crosses a conduit instead of trusting a zone wholesale.
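To make the zone and conduit model concrete, here is an added example written for this post (it is not code from the article, from the standard, or from Cisco). It declares zones with an assumed target security level, declares the conduits between them in the three-tier layout described above (enterprise, DMZ, two cell zones), answers whether a given flow is allowed, finds the path a flow has to take, runs two design checks, and renders the conduits as an nftables forward chain with a default-drop policy. Zone names, SL-T values, protocols, port numbers and interface names are all assumptions, and the "no tier skipping" rule in validate() is a design rule of this example, not a clause of the standard.

```python
"""Zone/conduit model for IEC 62443 style segmentation.

Added example, not code from the article, the standard or Cisco. Zone names,
target security levels (SL-T), protocols, ports and interface names are
assumptions chosen to mirror the three-tier layout in the text: enterprise
network, enterprise DMZ, industrial cell zones.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    sl_target: int   # SL-T, 1..4; the values below are assumed


@dataclass(frozen=True)
class Conduit:
    src: str                # zone allowed to open connections
    dst: str                # zone that accepts them
    protocols: frozenset    # application protocols the conduit carries


# Assumed layout: two cell zones hang off the DMZ; enterprise only reaches the DMZ.
ZONES = {
    "enterprise": Zone("enterprise", 1),
    "dmz": Zone("dmz", 2),
    "cell_a": Zone("cell_a", 3),
    "cell_b": Zone("cell_b", 3),
}
CONDUITS = [
    Conduit("enterprise", "dmz", frozenset({"https"})),
    Conduit("dmz", "cell_a", frozenset({"opcua"})),
    Conduit("dmz", "cell_b", frozenset({"opcua"})),
]
# Assumed mappings, used only when rendering firewall rules.
PORTS = {"https": 443, "opcua": 4840}
IFACE = {"enterprise": "eth0", "dmz": "eth1", "cell_a": "eth2", "cell_b": "eth3"}


def flow_allowed(src, dst, proto, conduits=CONDUITS):
    """Default deny: a flow passes only if a declared conduit carries it.
    Conduits are directional (who may open the connection); reply packets are
    the stateful firewall's job, not the model's."""
    return any(c.src == src and c.dst == dst and proto in c.protocols
               for c in conduits)


def reachable(src, dst, conduits=CONDUITS):
    """Breadth-first search over conduits; returns the zone path from src to
    dst or None. Shows that enterprise traffic reaches a cell only via the DMZ."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        z = queue.popleft()
        if z == dst:
            path = []
            while z is not None:
                path.append(z)
                z = prev[z]
            return path[::-1]
        for c in conduits:
            if c.src == z and c.dst not in prev:
                prev[c.dst] = z
                queue.append(c.dst)
    return None


def validate(conduits=CONDUITS, zones=ZONES):
    """Design checks for this example's policy (not clauses of the standard):
    1. both ends of every conduit are declared zones,
    2. a conduit never jumps more than one SL-T step upward, so every ingress
       into a higher-level zone is forced through the tier below it.
    Returns a list of human-readable violations; an empty list means clean."""
    problems = []
    for c in conduits:
        if c.src not in zones or c.dst not in zones:
            problems.append(f"{c.src}->{c.dst}: unknown zone")
            continue
        step = zones[c.dst].sl_target - zones[c.src].sl_target
        if step > 1:
            problems.append(f"{c.src}->{c.dst}: skips a tier (SL-T +{step})")
    return problems


def render_nftables(conduits=CONDUITS):
    """nftables forward chain implementing the conduits: drop by default,
    established replies allowed, one accept rule per conduit and protocol."""
    lines = ["table inet iacs {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for c in conduits:
        for proto in sorted(c.protocols):
            lines.append(f"    iifname {IFACE[c.src]} oifname {IFACE[c.dst]} "
                         f"tcp dport {PORTS[proto]} ct state new accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    print("enterprise -> cell_a path:", reachable("enterprise", "cell_a"))
    bad = CONDUITS + [Conduit("enterprise", "cell_a", frozenset({"opcua"}))]
    print("violations:", validate(bad))
```

Run it and the printed nftables table is the entire conduit policy; anything not listed is dropped. The deliberately bad conduit passed to validate() in the main block shows how a direct enterprise-to-cell link would be caught at design time, before it ever reached a firewall.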

Enrol in our online training program and gain an in-depth understanding of IEC 62443. Over a period of 12 weeks, participants will delve into various aspects of the standard and establish long-term relationships with other participants.

Visit our page to learn more and register:

Follow this link to read more about CISCO's take on the standard:

To learn more about the zero-trust approach, visit: