
IEC 62443 & Standards

IEC 62443 is the international standard series for industrial automation and control systems (IACS) security. It provides a comprehensive framework for securing OT environments - from risk assessment to system architecture, component requirements, and ongoing maintenance. It is the de facto standard for OT cybersecurity in oil and gas.

IEC 62443 Structure

Part 1: General - Concepts & Models

Defines terminology, concepts, and models. Introduces the zones and conduits model for segmenting OT networks into security zones with controlled communication paths between them.

Part 2: Policies & Procedures

Requirements for asset owners (the oil company): risk assessment, security management system, personnel security, physical security, and supply chain management.

Part 3: System - Security Requirements

Requirements for system integrators: defines Security Levels (SL 1-4) that specify increasingly rigorous controls. SL-1 protects against casual violations; SL-4 protects against nation-state actors.

Part 4: Component - Technical Requirements

Requirements for product vendors (Siemens, ABB, Honeywell): secure development lifecycle, authentication, authorisation, integrity, and confidentiality at the component level.

Security Levels (SL)

SL-1: Casual

Protection against unintentional or accidental violation. Basic access control, logging.

SL-2: Intentional (Low Resources)

Protection against intentional attack using simple means. Authentication, encrypted communications, network segmentation.

SL-3: Intentional (Sophisticated)

Protection against sophisticated attack with moderate resources. Multi-factor authentication, IDS/IPS, continuous monitoring.

SL-4: State-Sponsored

Protection against nation-state level threats with extensive resources. Most stringent controls; typically applied only to safety-critical systems.

Other Relevant Standards

NIST SP 800-82

Guide to ICS Security (US-focused)

API 1164

Pipeline SCADA Security (oil & gas specific)

NERC CIP

Critical Infrastructure Protection (power sector, some O&G overlap)

Start with a risk assessment
IEC 62443 does not require every system to be at SL-4. The standard's risk assessment process helps you determine the target security level for each zone based on the consequences of a successful attack. A wellhead RTU in a remote desert may need SL-1; a safety instrumented system on an offshore platform may need SL-3 or SL-4.
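
The zone-by-zone approach above can be checked mechanically once zones, target security levels and conduits are written down. The following is an added example, not part of the original course material: it compares each zone's implemented controls against its target SL and flags observed traffic that crosses a zone boundary without a declared conduit. The per-level control sets are the simplified summaries from this page, not the standard's normative requirement list, and all zone names, asset names and flows are constructed.

```python
# Simplified per-level controls as summarised on this page (not the normative
# IEC 62443 requirement list). Levels are cumulative; the page lists no
# specific SL-4 controls, so level 4 adds nothing here.
SL_CONTROLS = {
    1: {"access_control", "logging"},
    2: {"authentication", "encrypted_comms", "segmentation"},
    3: {"mfa", "ids_ips", "continuous_monitoring"},
}

def required_controls(target_sl):
    """Union of the controls for every level up to target_sl."""
    req = set()
    for level in range(1, target_sl + 1):
        req |= SL_CONTROLS.get(level, set())
    return req

def control_gaps(zones):
    """Map zone name -> sorted list of controls missing for its target SL."""
    gaps = {}
    for name, z in zones.items():
        missing = required_controls(z["target_sl"]) - z["controls"]
        if missing:
            gaps[name] = sorted(missing)
    return gaps

def undeclared_flows(zones, conduits, flows):
    """Observed flows that cross a zone boundary with no declared conduit."""
    asset_zone = {a: n for n, z in zones.items() for a in z["assets"]}
    allowed = {frozenset(c) for c in conduits}
    bad = []
    for src, dst in flows:
        zs, zd = asset_zone.get(src), asset_zone.get(dst)
        if zs is None or zd is None:
            bad.append((src, dst, "unknown asset"))
        elif zs != zd and frozenset((zs, zd)) not in allowed:
            bad.append((src, dst, f"no conduit {zs}<->{zd}"))
    return bad

# Constructed sample data for a hypothetical site.
ZONES = {
    "wellhead": {"target_sl": 1, "assets": {"rtu-01"}, "controls": {"access_control", "logging"}},
    "control": {"target_sl": 2, "assets": {"scada-01", "hist-01"},
                "controls": {"access_control", "logging", "authentication", "segmentation"}},
    "sis": {"target_sl": 3, "assets": {"sis-plc-01"},
            "controls": {"access_control", "logging", "authentication",
                         "encrypted_comms", "segmentation", "mfa"}},
}
CONDUITS = [("wellhead", "control")]
FLOWS = [("rtu-01", "scada-01"), ("scada-01", "hist-01"),
         ("hist-01", "sis-plc-01"), ("laptop-7", "scada-01")]

if __name__ == "__main__":
    print(control_gaps(ZONES))
    print(undeclared_flows(ZONES, CONDUITS, FLOWS))
```

The flow list would normally come from firewall logs or a passive network capture; an asset that appears in traffic but in no zone is reported as well, since it has not been through the risk assessment.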