IEC 62443-4-1
secure product development lifecycle for OT and ICS suppliers

IEC 62443-4-1 explained for OT product suppliers, AppSec teams, and product security teams

IEC 62443-4-1 (Security for industrial automation and control systems, Part 4-1: Secure product development lifecycle requirements) is the international standard that defines how a product supplier develops, ships, and maintains an industrial automation and control system component securely. It is the process-side anchor in the wider IEC 62443 family, paired with the technical-side component requirements of IEC 62443-4-2. The standard names eight practices (Security Management, Specification of Security Requirements, Secure by Design, Secure Implementation, Security Verification and Validation Testing, Management of Security-Related Issues, Security Update Management, Security Guidelines), four maturity levels (initial, managed, defined, improving), the per-practice activities a supplier executes, and the per-product evidence pack the SDL produces.

For OT product manufacturers, embedded device makers, ICS suppliers, medical device makers, industrial automation vendors, IIoT platform suppliers, and transportation control unit manufacturers shipping into asset owners that operate under 62443, the standard is the SDL reference customer security reviews, regulatory disclosure obligations, certification bodies (ISASecure SDLA, TUV-style assessors), and the conformity assessment routes under the EU Cyber Resilience Act all read against. For AppSec teams and product security teams inside supplier organisations running the SDL discipline alongside broader application security programmes, the standard is the OT-specific reference that pairs with NIST SSDF, OWASP SAMM, and BSIMM on the IT side.

This page walks through the scope of the standard, the eight SDL practices and their activities, the four maturity levels, the per-product evidence pack the SDL produces, the failure modes the standard surfaces, the relationship with adjacent regimes (62443-4-2, the wider 62443 family, NIST SSDF, OWASP SAMM, BSIMM, the EU Cyber Resilience Act, ISO/SAE 21434), and where IEC 62443-4-1 sits alongside the SDLC vulnerability handoff workflow, the PSIRT product security incident response workflow, and the security feature launch readiness evidence pack workflow. Suppliers that adopt 62443-4-1 as the SDL anchor produce an evidence pack that holds up across the ISASecure SDLA assessment, customer-side security reviews, regulatory disclosure obligations, and internal audit on one operating record.

What IEC 62443-4-1 covers

The standard is the international anchor for secure development of industrial automation and control system components. It is broader than any single internal SDL policy and narrower than the wider 62443 family; the boundary is the product supplier role and the eight practices that span from organisational governance through end-of-life security guidance. Read sequentially across the document, the standard answers how a supplier operates a defensible SDL across a product family rather than how a single launch passes a security review.

The eight SDL practices

The eight practices are the structural core of the standard. Each practice carries named activities (numbered SM-1 through SM-13, SR-1 through SR-5, SD-1 through SD-4, SI-1 through SI-2, SVV-1 through SVV-5, DM-1 through DM-6, SUM-1 through SUM-5, SG-1 through SG-7) and per-product evidence the supplier produces. The practices are sequential at the product level (requirements before design before implementation before testing) but operate continuously at the organisational level (issue handling, update management, and guidelines refresh run between product releases).

1. 1

   Practice 1: Security Management (SM)

   Establish the SDL applicability statement, the documented secure development process, named SDL roles, security expertise on the development team, the secure development environment (developer workstation hardening, source repository protection, build server integrity, dependency cache protection), the tooling integrity process (third-party tool verification, in-house tool review, build reproducibility), and the security training programme. SM-1 through SM-13 are the governance baseline every later practice reads against.

2. 2

   Practice 2: Specification of Security Requirements (SR)

   Document the product security context (the deployment environment the product is sold into), the threat model the design will resist, the per-product security requirements specification (conformance to relevant 62443-4-2 component requirements at the target Security Level), and the customer-side security responsibilities the product depends on. SR-1 through SR-5 produce the requirements artefact every later design, implementation, and verification step builds against.

3. 3

   Practice 3: Secure by Design (SD)

   Apply the secure-by-design principles to the architecture: defense-in-depth design, secure design best practices (least privilege, separation of duties, fail-secure defaults, simplest defensible interface), the threat model that gets refreshed when the design changes, the design review with documented outcomes and named reviewer, the secure component selection (third-party component evaluation against the SDL the product supplier expects of itself). SD-1 through SD-4 produce the design artefacts the implementation step builds against.

4. 4

   Practice 4: Secure Implementation (SI)

   Implement the design using documented secure coding standards (CERT C, CERT C++, MISRA C, language-specific guidelines per runtime), a code review process (peer review and automated tooling), and the implementation traceability back to the design and the requirements. SI-1 and SI-2 produce the source code artefacts and the review evidence the verification step reads against. The standard does not mandate a specific tool but expects the supplier to demonstrate the secure coding standard is applied and the review evidence exists.

5. 5

   Practice 5: Security Verification and Validation Testing (SVV)

   Test the implementation against the security requirements. SVV activities cover security requirements testing (does the product meet each SR), threat mitigation testing (do the design mitigations work in practice), vulnerability testing (static application security testing, software composition analysis, dynamic analysis, fuzz testing), penetration testing (manual offensive testing per defined test plan), and the test plan and test report record. SVV-1 through SVV-5 produce the verification evidence the certification assessor and the customer-side security review both read.

6. 6

   Practice 6: Management of Security-Related Issues (DM)

   Receive, triage, investigate, and disclose security-related issues across the product family. DM activities cover the receipt of security-related issue reports (internal teams, customers, researchers, ISACs, regulators), the investigation discipline, the assessment of impact across product versions and variants, the periodic security review of the issue backlog, and the disclosure to affected parties. DM-1 through DM-6 produce the vulnerability handling record the customer-side asset owner reads against and the regulatory disclosure obligation (under the EU Cyber Resilience Act, sector regulations, and contractual obligations) feeds.

7. 7

   Practice 7: Security Update Management (SUM)

   Develop, qualify, and distribute security updates to deployed products. SUM activities cover the security update qualification (does the update fix the issue without breaking the control system function), the timely delivery against documented response targets per severity band, the documentation of dependencies on third-party component updates, and the secure delivery (signed updates, verified delivery channel, integrity verification at the receiving asset). SUM-1 through SUM-5 produce the patch release record the customer-side patch management process (paired with IEC 62443-2-3) reads against.

8. 8

   Practice 8: Security Guidelines (SG)

   Document the security guidance the product user (asset owner, system integrator, operator) needs to deploy, operate, and maintain the product securely. SG activities cover the product defense-in-depth documentation, the security hardening guidelines, the secure configuration documentation, the operational security guidelines, the account management guidelines, the secure decommissioning guidance, and the end-of-life security communication. SG-1 through SG-7 produce the product security documentation the integrator and asset owner read against when applying 62443-2-4 integration controls and 62443-2-1 operating controls.

The four maturity levels

The standard names four maturity levels per practice. A supplier programme typically sits at different levels across the eight practices: a well-managed security update process running at Maturity Level 3 alongside an initial-stage threat modelling practice at Maturity Level 1. The ISASecure SDLA assessment reads against the per-practice maturity claim, and certification levels (SDLA Maturity Level 2, 3, or 4) reflect the lowest maturity across the practices included in the assessment scope.

The per-product evidence pack the SDL produces

The standard expects a defined artefact set per product rather than a single document. The pack below is the minimum durable set most supplier programmes maintain when they adopt IEC 62443-4-1 as the SDL anchor. Each artefact has a named owner, a refresh cadence, and a version history so reconstruction at certification time is replaced with a continuous operating trail.

Failure modes the standard surfaces

The standard is forgiving on the choice of tooling, the wording of the secure coding standard, and the structure of the per-product evidence pack. It is unforgiving about a small number of patterns that turn the SDL programme cosmetic rather than operational. The patterns below recur across supplier programmes and are the ones that erode certification credibility, customer-side security review confidence, and regulatory disclosure defensibility most reliably.

How IEC 62443-4-1 relates to adjacent regimes

IEC 62443-4-1 sits inside a busy OT and product-security regulatory and assurance neighbourhood. The relationships below are the ones programmes encounter most often when they read 4-1 against the rest of the operating regime. Suppliers shipping across regions and sectors use 62443-4-1 as the SDL anchor and read 62443-4-2, the wider 62443 family, NIST SSDF, OWASP SAMM, BSIMM, the EU Cyber Resilience Act, ISO/SAE 21434, and sector device-cybersecurity guidance as the contextual layers around it.

Where SecPortal fits in an IEC 62443-4-1 programme

SecPortal is the operating layer for the SDL evidence lifecycle, not a replacement for the product security programme strategy, the engineering accountability for the design and implementation, the certification body relationship, or the regulator dialogue the standard expects. The platform handles the SDL-side workstreams (per-practice evidence capture, per-product requirements and threat model record, code-scan and SAST and SCA evidence, SVV test plan and report, security-issue handling backlog, security update release record, customer-facing documentation versioning, certification assessment readiness pack) so the artefacts the standard expects are produced as structured records rather than reconstructed across email threads, document drives, and ticketing systems at certification time. The same workspace that hosts the SDL record hosts the security finding evidence, the credential lifecycle for the developer and build infrastructure, and the continuous monitoring of any IT-side supplier portals that touch the product update channel.

Honest scope for OT product suppliers: SecPortal does not certify products, does not act as a notified body, does not issue ISASecure SDLA certifications or 62443-4-1 conformity statements, does not replace the supplier accountability for the SDL discipline, does not ship runtime detection for control system components, does not auto-deploy security updates to deployed assets, does not integrate natively with named ticketing systems (Jira, ServiceNow, Slack, Teams), SIEM platforms, SOAR platforms, GRC platforms (OneTrust, Vanta, Drata, Archer, AuditBoard), or PLM systems. SecPortal also does not provide enterprise SSO or SCIM provisioning, does not perform automated approval routing for SDL practice gates, and does not maintain product certification customer logos, adoption metrics, ROI numbers, compliance guarantees, or any claim of pre-approved ISASecure SDLA or 62443-4-1 conformity. The verified capability stack covers the evidence-record discipline the standard expects across the eight practices; the certification path remains an exercise between the supplier, the assessor (ISASecure, TUV, and equivalent), and the regulator.

The SDL evidence (per-practice activity record, per-product requirements specification, threat model, design review, code review, SAST and SCA evidence, SVV test plan and report, security-issue handling backlog, security update release record, customer-facing documentation pack) reads against operational workflows that already exist as named use cases. The SDLC vulnerability handoff workflow carries the per-finding handoff discipline the SI, SVV, and DM practices produce. The PSIRT workflow carries the security-issue handling backlog the DM practice operates against. The SBOM and VEX publishing workflow carries the per-product component transparency the SR, SUM, and SG practices reference. The audit fieldwork evidence request workflow carries the certification assessment fieldwork-day evidence packaging the SDL record feeds.

For product security teams operating the SDL alongside the wider application security programme, the product security teams workspace covers the SDL operating model and the cross-team handoff the standard expects. For AppSec teams whose remit spans IT and OT product lines, the AppSec teams workspace bundles the platform with the engagement structure the SDL operating record reads against. For internal security teams at OT product supplier organisations carrying the programme- level accountability for the SDL discipline and the regulatory disclosure obligation, the internal security teams workspace covers the platform-level reporting and the cross-team handoff the SDL operating record sits on. For manufacturing security teams operating across both the IT-side enterprise and the OT-side product programme, the manufacturing security teams workspace covers the joint operating model 62443-4-1 reads against. For CISOs and security leaders accountable for the SDL programme posture and the named-decision accountability for product security claims, the CISOs and security leaders workspace covers the executive-layer reporting model that sits on top of the SDL operating record.

For deeper reading on the disciplines this standard reads against, the IEC 62443 family overview covers the wider standard and the asset-owner, integrator, and supplier role split that 4-1 sits inside. The NIST SSDF framework page covers the US federal anchor for secure software development that pairs with 62443-4-1 on cross-shippers. The OWASP SAMM framework page and the BSIMM framework page cover the broader application security maturity models the IT-side programmes typically read against, and which suppliers running both IT and OT product lines pair with 4-1. The EU Cyber Resilience Act framework page covers the EU regulation that increasingly references 62443-4-1 as a conformity assessment anchor for products with digital elements. The CISA Secure by Design framework page covers the US federal secure-by-design principles that operate alongside the standard for suppliers shipping into US federal customers. The container image signing operating model guide covers the secure software delivery discipline that the SUM practice references for signed-update delivery. The software bill of materials guide covers the SBOM discipline that the SR and SUM practices reference for component transparency and security update qualification.