
IEC 62443 OT Compliance

IEC 62443 compliance assessment and security program for OT environments.

IEC 62443 Series · SL1–SL4 Security Levels · Zone & Conduit Model · CREST Certified

IEC 62443 OT Compliance Assessment

IEC 62443 is the international standard series for Industrial Automation and Control System (IACS) security — the definitive framework for securing OT environments across power generation, oil and gas, water utilities, manufacturing, and building automation. The standard addresses security across the full IACS lifecycle and from three perspectives: asset owners, system integrators, and component/product suppliers — each with distinct obligations and assessment criteria. As OT cybersecurity regulation matures globally, IEC 62443 compliance is increasingly a procurement requirement, a regulatory expectation, and an operational necessity.

Intelliroot's IEC 62443 Compliance Assessment evaluates your IACS environment against the most operationally relevant parts of the series — principally IEC 62443-2-1 (security management system for asset owners), IEC 62443-3-3 (system security requirements and security levels), and IEC 62443-4-2 (component security requirements). We define your zone and conduit model, assess target and achieved Security Levels (SL-T vs SL-A), evaluate your security management system maturity, and produce a prioritised compliance roadmap for achieving and maintaining your target security level.

Why IEC 62443 Is the Benchmark for OT Security

Regulators Are Mandating IEC 62443

NCIIPC CII sector guidelines, NIS2 Directive in Europe, and sector-specific regulators in power and petroleum are explicitly referencing IEC 62443 as the compliance framework for operational technology security. Early adoption positions organisations ahead of mandatory requirements.

Supply Chain Compliance Is Now Expected

Asset owners are requiring their OT system integrators and component suppliers to demonstrate IEC 62443 compliance as a procurement condition. Integrators and vendors without IEC 62443 maturity are being excluded from tenders in critical infrastructure sectors.

Security Levels Align Investment to Risk

The IEC 62443 Security Level model (SL1 through SL4) provides a structured method for defining the capability required to resist specific threat actors — from casual violation to state-sponsored attacks. This enables OT security investment to be calibrated precisely to the threat environment.

Zone and Conduit Model Provides Systematic Protection

IEC 62443's zone and conduit model provides a disciplined architecture framework for OT network segmentation — replacing ad-hoc segmentation decisions with a structured, risk-based approach that can be systematically validated and maintained over the IACS lifecycle.

What the Assessment Covers

IEC 62443-2-1: Security Management System

  • Security management system requirements for asset owners
  • Security policy and procedure assessment
  • Risk assessment methodology review
  • Security organisation and roles
  • Security lifecycle management

IEC 62443-3-3: System Security Requirements

  • Zone and conduit model definition and validation
  • Target Security Level (SL-T) determination
  • Achieved Security Level (SL-A) assessment
  • System security requirements (FR1–FR7) evaluation
  • Security Level gap analysis

IEC 62443-4-2: Component Security (if applicable)

  • Component security capability assessment
  • Software application requirements
  • Embedded device security requirements
  • Network device security requirements
  • Host device security requirements

Roles: Asset Owner, Integrator, Supplier

  • Asset owner security programme assessment
  • Integrator security obligations review
  • Supplier / product security evaluation
  • Security lifecycle obligations mapping
  • Supply chain security requirement flow-down

Our Assessment Approach

01 IACS Characterisation & Scope Definition

Understand the IACS environment — systems, assets, processes, and operational context. Determine the applicable IEC 62443 series parts based on the organisation's role (asset owner, integrator, or component supplier) and define the assessment scope, prioritising high-criticality zones.

02 Zone & Conduit Model Development

Define or review the zone and conduit model for the IACS environment — grouping assets by security requirements, operational function, and risk profile. Identify conduits between zones and evaluate the security controls implemented at each conduit boundary against IEC 62443-3-3 requirements.

03 Target Security Level Determination

Determine the Target Security Level (SL-T) for each zone based on the threat environment, consequence of compromise, and regulatory requirements. Assess the Achieved Security Level (SL-A) through evidence review and technical assessment — identifying the SL gap for each zone and conduit.

04 Security Management System Assessment (IEC 62443-2-1)

Evaluate the security management system against IEC 62443-2-1 requirements — covering risk management, security policy, organisational security, awareness and training, incident response, business continuity, and security programme maintenance.

05 Compliance Report & Security Roadmap

Deliver an IEC 62443 compliance assessment report with zone-by-zone Security Level gap analysis, security management system findings, and a prioritised roadmap for achieving target Security Levels through countermeasure implementation and security programme maturation.
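The per-zone SL gap analysis described in steps 03 and 05 can be modelled directly: in IEC 62443-3-3 a Security Level is a vector over the seven foundational requirements (FR1–FR7), and a gap exists wherever the achieved level for an FR falls short of the target. The following is an added illustration, not Intelliroot's own tooling; the zone names and SL values are constructed, and treating the weakest FR as the level a zone can claim overall is a common convention, not a clause of the standard.

```python
# Added example: model an IEC 62443-3-3 Security Level as an FR1..FR7 vector
# and compute the SL-T vs SL-A gap per zone. Sample zones below are constructed.

FR_NAMES = {
    "FR1": "Identification and authentication control",
    "FR2": "Use control",
    "FR3": "System integrity",
    "FR4": "Data confidentiality",
    "FR5": "Restricted data flow",
    "FR6": "Timely response to events",
    "FR7": "Resource availability",
}
FRS = tuple(FR_NAMES)

def sl_vector(*levels):
    """Build an SL vector (FR1..FR7); each entry must be 0..4."""
    if len(levels) != 7 or any(not 0 <= l <= 4 for l in levels):
        raise ValueError("an SL vector has seven entries in the range 0-4")
    return dict(zip(FRS, levels))

def overall_sl(vec):
    """Convention: the SL a zone can claim is bounded by its weakest FR."""
    return min(vec.values())

def sl_gap(sl_t, sl_a):
    """Return {FR: (target, achieved, shortfall)} for FRs where SL-A < SL-T."""
    return {fr: (sl_t[fr], sl_a[fr], sl_t[fr] - sl_a[fr])
            for fr in FRS if sl_a[fr] < sl_t[fr]}

def zone_report(zones):
    """zones: {name: (SL-T vector, SL-A vector)} -> findings, largest shortfall first."""
    findings = []
    for name, (sl_t, sl_a) in zones.items():
        gaps = sl_gap(sl_t, sl_a)
        findings.append({
            "zone": name,
            "sl_t": overall_sl(sl_t), "sl_a": overall_sl(sl_a),
            "gaps": gaps,
            "shortfall": sum(g[2] for g in gaps.values()),
        })
    return sorted(findings, key=lambda f: f["shortfall"], reverse=True)

# Constructed sample: a safety-instrumented zone targeting SL3 and a plant
# DMZ targeting SL2. The SIS zone falls short on FR2, FR4 and FR6.
SAMPLE_ZONES = {
    "SIS zone":  (sl_vector(3, 3, 3, 3, 3, 3, 3), sl_vector(3, 2, 3, 2, 3, 1, 3)),
    "Plant DMZ": (sl_vector(2, 2, 2, 2, 2, 2, 2), sl_vector(2, 2, 2, 2, 2, 2, 2)),
}
```

Running `zone_report(SAMPLE_ZONES)` orders the SIS zone first with a total shortfall of 4 across FR2, FR4 and FR6, which is the kind of zone-by-zone, FR-mapped finding the roadmap prioritises.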


Frequently Asked Questions

Which parts of IEC 62443 apply to an asset owner?

As an asset owner (operator of an IACS), the most directly relevant parts are IEC 62443-2-1 (security management system requirements), IEC 62443-3-2 (security risk assessment for system design), and IEC 62443-3-3 (system security requirements and security levels). IEC 62443-4-2 applies when you are evaluating the security capabilities of components you procure.

What do the Security Levels mean, and which should we target?

Security Levels (SL1–SL4) represent the capability required to resist specific threat actors: SL1 protects against casual or unintentional violation; SL2 against intentional violation using simple means; SL3 against sophisticated means; SL4 against state-sponsored attackers using extended resources. Most critical infrastructure operators target SL2 as a baseline, with SL3 for the most sensitive control functions. We determine the appropriate target level based on threat modelling and consequence analysis during the assessment.

Does Intelliroot issue IEC 62443 certification?

IEC 62443 certification for asset owners (under IEC 62443-2-1) is available through accredited certification bodies. Intelliroot conducts the compliance assessment and remediation programme to prepare your organisation for certification; we do not issue the certification ourselves. For component suppliers seeking IEC 62443-4-2 certification of products, we can conduct pre-certification testing and work alongside accredited test laboratories.

Deliverables

IEC 62443 Compliance Assessment Report

Comprehensive assessment against applicable IEC 62443 series parts with zone-by-zone Security Level gap analysis and security management system findings.

Zone & Conduit Model Documentation

Defined or reviewed zone and conduit model with Target Security Level assignments, conduit boundary controls, and architectural recommendations for Security Level achievement.

Security Level Gap Analysis

Zone-by-zone comparison of Target Security Level (SL-T) versus Achieved Security Level (SL-A) with identified gaps mapped to IEC 62443-3-3 foundational requirements (FR1–FR7).

Security Management System Assessment

Evaluation of IEC 62443-2-1 security management system requirements with maturity scoring and recommendations for programme development.

OT Security Compliance Roadmap

Prioritised roadmap for achieving target Security Levels, structured around OT maintenance windows and operational constraints, with countermeasure recommendations and effort estimates.


Request a Security Assessment

Tell us about your environment and security objectives. We'll design a bespoke assessment and deliver a detailed proposal within 48 hours.

  • Scoping call with a certified consultant: a 45-minute deep-dive with a senior practitioner, no sales pitch.
  • Proposal delivered in 48 hours: a fully scoped engagement plan with pricing and timeline.
  • Free attack surface analysis: a preliminary external exposure report at no cost.
  • Fully confidential: NDA available, no obligation, and your data is never shared.