What is IEC 62443-3-3?
IEC 62443-3-3 is the part of the IEC 62443 series that specifies the technical security requirements for industrial automation and control systems (IACS) at the system level. It addresses the security capabilities of a "system under consideration" as a whole, for example a SCADA, DCS or PLC-based control system, rather than individual products (covered by IEC 62443-4-2) or the asset owner's security programme (IEC 62443-2-1).
IEC 62443-3-3 defines concrete system requirements (SRs) with optional requirement enhancements (REs) and maps each of them to the Security Level (SL) at which it applies.
What does IEC 62443-3-3 describe?
The standard contains 51 system requirements (SRs), many with requirement enhancements (REs) that only apply at the higher security levels, grouped under 7 Foundational Requirements (FRs). They apply to the "system under consideration", for example a SCADA system, an HMI environment or a process controller together with its network.
7 Foundational Requirements:
- Identification and authentication control (IAC)
  - Identification and authentication of human users, software processes and devices; unique user IDs; password strength; MFA for access from untrusted networks
- Use control (UC)
  - Least privilege, RBAC, restricting functions per user, session lock, auditable events
- System integrity (SI)
  - Communication integrity, malicious code protection (e.g. application whitelisting), verification of security functions, software and information integrity, patch management
- Data confidentiality (DC)
  - Encryption of network traffic, passwords and stored data; use of approved cryptography
- Restricted data flow (RDF)
  - Network segmentation into zones and conduits, boundary protection between zones (firewalls)
- Timely response to events (TRE)
  - Audit log accessibility and continuous monitoring, so security events are detected and can be acted on
- Resource availability (RA)
  - Protection against DoS, resource management, backup and recovery, redundancy, High Availability
Security Levels (SL)
IEC 62443-3-3 defines Security Levels 1 to 4 (SL 0 means no specific requirement), based on the capability of the attacker the system must withstand: means, resources, skills and motivation.
| SL | Goal | Example use |
|---|---|---|
| SL 1 | Protection against casual or coincidental violation | Non-critical HMIs or monitoring stations |
| SL 2 | Protection against intentional violation using simple means, low resources, generic skills and low motivation | Basic OT networks |
| SL 3 | Protection against intentional violation using sophisticated means, moderate resources, IACS-specific skills and moderate motivation | Critical infrastructure, manufacturing |
| SL 4 | Protection against intentional violation using sophisticated means, extended resources, IACS-specific skills and high motivation | Energy, chemicals, vital processes |
Every SR and RE is tagged with the SL at which it becomes mandatory: the base SR is usually required from SL 1 (some from SL 2), and each RE raises the bar for SL 2, 3 or 4. A Security Level is a vector with one value per Foundational Requirement, so a zone can have a target of SL 3 for IAC and SL 2 for RA at the same time. IEC 62443 distinguishes the target level (SL-T, set by the risk assessment of IEC 62443-3-2), the capability level (SL-C, what a system or product can provide when correctly configured) and the achieved level (SL-A, what the deployed system actually reaches); the SRs and REs of part 3-3 are the checklist for comparing SL-C and SL-A with SL-T.
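The SL mapping in practice, as an added example that is not part of the original page or of the standard's text: a small Python model that takes a target SL vector for one zone, selects the SRs and REs it pulls in, and reports the gap and the achieved SL per Foundational Requirement. The catalogue subset and its SL values are written down here as an assumption and must be verified against Annex B of the standard; the zone's SL-T vector and the list of implemented requirements are constructed sample data.

```python
"""Select IEC 62443-3-3 requirements for an SL-T vector and find the gaps.

Added example, not text from the standard. The SR/RE -> SL mapping in
CATALOGUE is a small subset written down as an assumption: verify every
entry against Annex B of your copy of IEC 62443-3-3 before relying on it.
"""
from dataclasses import dataclass

# The seven Foundational Requirements in the standard's order (FR 1 .. FR 7).
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")

@dataclass(frozen=True)
class Requirement:
    ref: str     # "SR 1.1" for a base requirement, "SR 1.1 RE(2)" for an enhancement
    fr: str      # Foundational Requirement it belongs to
    min_sl: int  # lowest SL (1..4) at which the standard makes it mandatory
    title: str

# Assumed subset of the catalogue (check each SL value against Annex B).
CATALOGUE = (
    Requirement("SR 1.1", "IAC", 1, "Human user identification and authentication"),
    Requirement("SR 1.1 RE(1)", "IAC", 2, "Unique identification and authentication"),
    Requirement("SR 1.1 RE(2)", "IAC", 3, "Multifactor authentication for untrusted networks"),
    Requirement("SR 2.1", "UC", 1, "Authorization enforcement"),
    Requirement("SR 2.1 RE(1)", "UC", 2, "Authorization enforcement for all users"),
    Requirement("SR 2.1 RE(2)", "UC", 2, "Permission mapping to roles"),
    Requirement("SR 2.1 RE(3)", "UC", 3, "Supervisor override"),
    Requirement("SR 3.2", "SI", 1, "Malicious code protection"),
    Requirement("SR 3.2 RE(1)", "SI", 2, "Malicious code protection on entry and exit points"),
    Requirement("SR 3.2 RE(2)", "SI", 3, "Central management and reporting"),
    Requirement("SR 4.1", "DC", 1, "Information confidentiality"),
    Requirement("SR 4.1 RE(1)", "DC", 2, "Confidentiality at rest or in transit via untrusted networks"),
    Requirement("SR 4.1 RE(2)", "DC", 4, "Confidentiality across zone boundaries"),
    Requirement("SR 5.1", "RDF", 1, "Network segmentation"),
    Requirement("SR 5.1 RE(1)", "RDF", 2, "Physical network segmentation"),
    Requirement("SR 5.1 RE(2)", "RDF", 3, "Independence from non-control system networks"),
    Requirement("SR 6.1", "TRE", 1, "Audit log accessibility"),
    Requirement("SR 6.2", "TRE", 2, "Continuous monitoring"),
    Requirement("SR 7.1", "RA", 1, "Denial of service protection"),
    Requirement("SR 7.1 RE(1)", "RA", 2, "Manage communication loads"),
    Requirement("SR 7.1 RE(2)", "RA", 3, "Limit DoS effects from other systems or networks"),
)

def check_sl_vector(sl: dict) -> None:
    """An SL is a vector: exactly one integer 0..4 per FR (0 = no requirement)."""
    if set(sl) != set(FRS):
        raise ValueError(f"SL vector needs exactly the keys {FRS}, got {sorted(sl)}")
    for fr, level in sl.items():
        if not isinstance(level, int) or not 0 <= level <= 4:
            raise ValueError(f"{fr}: SL must be an integer 0..4, got {level!r}")

def required_for(sl_target: dict) -> list:
    """Every SR and RE the SL-T vector pulls in: min_sl <= target of its FR."""
    check_sl_vector(sl_target)
    return [r for r in CATALOGUE if r.min_sl <= sl_target[r.fr]]

def gap_analysis(sl_target: dict, implemented: set) -> dict:
    """Per FR, the refs required by SL-T that the system does not implement."""
    gaps = {fr: [] for fr in FRS}
    for r in required_for(sl_target):
        if r.ref not in implemented:
            gaps[r.fr].append(r.ref)
    return gaps

def achieved_sl(fr: str, implemented: set) -> int:
    """SL-A for one FR, relative to CATALOGUE: the highest SL whose complete set
    of SRs/REs is implemented. One unmet SL-1 requirement caps the FR at 0."""
    for level in (4, 3, 2, 1):
        needed = [r for r in CATALOGUE if r.fr == fr and r.min_sl <= level]
        if all(r.ref in implemented for r in needed):
            return level
    return 0

def assess_zone(sl_target: dict, implemented: set) -> dict:
    """Target vs achieved per FR plus the missing refs; met means SL-A >= SL-T."""
    gaps = gap_analysis(sl_target, implemented)
    report = {}
    for fr in FRS:
        sl_a = achieved_sl(fr, implemented)
        report[fr] = {"target": sl_target[fr], "achieved": sl_a,
                      "met": sl_a >= sl_target[fr], "missing": gaps[fr]}
    return report

# Constructed sample: SL-T for one zone (as a 62443-3-2 risk assessment would
# set it) and the refs an assessor found implemented in the deployed system.
ZONE_SL_T = {"IAC": 3, "UC": 2, "SI": 2, "DC": 2, "RDF": 3, "TRE": 2, "RA": 2}
IMPLEMENTED = {
    "SR 1.1", "SR 1.1 RE(1)", "SR 2.1", "SR 2.1 RE(1)", "SR 2.1 RE(2)",
    "SR 3.2", "SR 3.2 RE(1)", "SR 4.1", "SR 4.1 RE(1)", "SR 5.1", "SR 5.1 RE(1)",
    "SR 6.2", "SR 7.1", "SR 7.1 RE(1)",
}

if __name__ == "__main__":
    for fr, row in assess_zone(ZONE_SL_T, IMPLEMENTED).items():
        status = "OK " if row["met"] else "GAP"
        print(f"{status} {fr:<3} SL-T={row['target']} SL-A={row['achieved']} missing={row['missing']}")
```

Running the module prints one line per FR. In the sample, TRE comes out at SL-A 0 even though continuous monitoring (SR 6.2) is in place, because the SL-1 requirement SR 6.1 is missing: a level is only reached when the whole set of requirements up to that level is met, which is why a single low-level gap counts for more than a missing enhancement. The SL-A values are relative to the catalogue subset in the block; with the full Annex B table the same functions give the real picture.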
Practical application in OT
| Component | Examples of 3-3 requirements |
|---|---|
| SCADA | Login management (IAC), auditable events (UC) and audit log accessibility (TRE), data encryption (DC) |
| PLC | Authentication of programming tools (IAC), physical port control (UC) |
| Historian | Secure communication (DC), DoS protection (RA), patch management (SI) |
| Engineering Station | Application whitelisting (SI), permission management and RBAC (UC), session lock (UC) |
Benefits of implementation
- Clear and measurable technical requirements
- Supports a Defense in Depth strategy
- Applicable per system, per zone or segment
- Supports compliance with NIS2, ISO/IEC 27001 and NIST CSF
In summary
IEC 62443-3-3 contains the technical security requirements for systems in OT networks, each linked to a Security Level. It is the technical basis for protecting processes, systems and infrastructure against cyber threats.
