Managing ICS Security with IEC 62443, published by SANS Institute (updated April 2022, sponsored by Fortinet), is a companion paper to "Effective ICS Cybersecurity Using the IEC 62443 Standard" that examines how organizations can use the IEC 62443 series of standards to strategically reduce industrial control system (ICS) cybersecurity risk. The paper covers the standard's zone-based risk model, its cybersecurity management system (CSMS) framework, and how Fortinet's product line maps to the standard's requirements.
Key findings:
- IEC 62443 addresses ICS risk by dividing an organization's environment into individual security zones rather than applying one set of controls across the entire ICS, which the paper argues is more financially practical than a monolithic approach
- Each security zone is assigned a Security Level (SL) ranging from 1 to 4, based on seven foundational requirements (FRs) that expand into system requirements (SRs) and requirement enhancements (REs)
- IEC 62443 concerns date back to before 2009, when the first technical specification in the series, IEC/TS 62443-1-1, was introduced
- The standard is referenced by other major frameworks, including NERC CIP, the NIS Directive, and the NIST Cybersecurity Framework
- IEC 62443-2-1 provides guidance for building a cybersecurity management system (CSMS) for ICS, with structural similarities to ISO/IEC 27001 but adjusted for industrial environments
- Vendors can pursue IEC 62443 Conformance Certification through ISASecure, though the paper notes that only a fraction of ICS product types on the market are currently certified
- The standard recommends assessing "conduits," meaning the operational dependencies and communications between security zones, as part of ICS risk analysis
- Selecting security countermeasures should account for three primary functions: visibility, security controls, and actionable response
- Fortinet's product portfolio is mapped to all seven IEC 62443 foundational requirements, with named coverage spanning FortiGate, FortiNAC, FortiSwitch, FortiAnalyzer, FortiEDR, and other tools
- To help meet Security Level 4 requirements, Fortinet highlights multifactor authentication (MFA), ICS protocol inspection, and network access control (NAC)-based micro-segmentation as key capabilities
The paper's core argument is that segmenting ICS risk into individually assessed zones, each with its own target security level, is more sustainable than trying to apply uniform controls across an entire industrial environment. It also emphasizes that meeting the standard is a shared responsibility across asset owners, vendors, and systems integrators, not just a security team's task, and that a RACI matrix can help clarify who owns which part of that responsibility per zone.
This is a vendor-sponsored companion paper: the standards analysis is written by a SANS instructor, while the product-to-framework mapping in the second half describes Fortinet's own solution coverage of the IEC 62443 requirements.