IEC 62443-4-2
technical security requirements for industrial automation and control system components

IEC 62443-4-2 explained for OT product suppliers, AppSec teams, and product security teams

IEC 62443-4-2 (Security for industrial automation and control systems, Part 4-2: Technical security requirements for IACS components) is the international standard that defines the per-component technical security requirements industrial automation and control system components must meet at each Security Level. It is the technical-side anchor in the wider IEC 62443 family, paired with the process-side SDL requirements of IEC 62443-4-1. The standard reuses the seven foundational requirements (Identification and Authentication Control, Use Control, System Integrity, Data Confidentiality, Restricted Data Flow, Timely Response to Events, Resource Availability), elaborates per-component requirements (CRs) under each FR, defines Requirement Enhancements (REs) that lift the base CR to a higher Security Level, and assigns per-CR capability expectations at SL 1 through SL 4.

For OT product manufacturers, embedded device makers, ICS suppliers, industrial network equipment vendors, medical device manufacturers, IIoT platform suppliers, and host device suppliers shipping into asset owners that operate under 62443, the standard is the technical capability reference customer procurement evaluations, system integrators (under 62443-2-4), asset owners running 62443-3-2 risk assessments, certification bodies (ISASecure CSA, ISASecure EDSA, TUV-style assessors), and the conformity assessment routes under the EU Cyber Resilience Act all read against. For AppSec teams and product security teams inside supplier organisations producing per-CR evidence and per-Security-Level capability matrices alongside broader application security programmes, the standard is the OT component-side reference paired with system-level NIST SP 800-82 guidance for asset-owner deployments.

This page walks through the scope of the standard, the seven foundational requirements and their component requirements, the four Security Levels and how they layer through Requirement Enhancements, the per-component evidence pack the assessment produces, the failure modes the standard surfaces, the relationship with adjacent regimes (62443-4-1, 62443-3-3, the wider 62443 family, the EU Cyber Resilience Act, Common Criteria, UNECE R155), and where IEC 62443-4-2 sits alongside the security feature launch readiness evidence pack workflow, the PSIRT product security incident response workflow, and the SBOM and VEX publishing workflow. Suppliers that adopt 62443-4-2 as the per-component capability reference produce an evidence pack that holds up across the ISASecure CSA or EDSA assessment, customer-side procurement security evaluations, system-integrator readiness checks, and internal audit on one operating record.

What IEC 62443-4-2 covers

The standard is the international anchor for per-component technical security capability for industrial automation and control systems. It is structurally distinct from any single internal product security baseline and narrower than the wider 62443 family; the boundary is the component itself and the per-CR capability evidence the supplier produces against the per-Security-Level expectations. Read sequentially against the CR set, the standard answers what capability the component offers rather than how the customer-side zone-and- conduit architecture wraps it.

The seven foundational requirements and their component requirements

The seven foundational requirements are the structural core of the standard. Each FR elaborates a set of per-component requirements (CRs) and Requirement Enhancements (REs). The CR set is the structural baseline at each Security Level; the RE set is the structural pathway to higher Security Levels. Read sequentially across the FR set, the standard covers the full technical capability surface a component is expected to offer.

1. 1

   FR 1: Identification and Authentication Control (IAC)

   Requirements that establish who or what is requesting access to the component. CR 1.1 through CR 1.14 cover human user identification and authentication, software process and device identification and authentication, account management, identifier management, authenticator management, wireless access authentication, strength of public key authentication, authenticator feedback, unsuccessful login attempts, system use notification, access via untrusted networks, strength of password-based authentication, and identification and authentication for guest users. Higher Security Levels add multifactor authentication, public-key infrastructure, and stronger feedback obfuscation.

2. 2

   FR 2: Use Control (UC)

   Requirements that constrain what an authenticated identity is permitted to do. CR 2.1 through CR 2.13 cover authorisation enforcement, wireless use control, use control for portable and mobile devices, mobile code, session lock, session termination, concurrent session control, auditable events, audit storage capacity, response to audit processing failures, timestamps, non-repudiation, and use of physical diagnostic and test interfaces. Higher Security Levels add finer-grained authorisation, more rigorous session controls, and stronger physical interface protections.

3. 3

   FR 3: System Integrity (SI)

   Requirements that protect the integrity of the component, its data, and the communication channels it participates in. CR 3.1 through CR 3.14 cover communication integrity, malicious code protection (on host and embedded devices where applicable), security functionality verification, software and information integrity, input validation, deterministic output, error handling, session integrity, protection of audit information, software and firmware update authenticity, the use of physical diagnostic and test interfaces, and integrity check on the boot process. Higher Security Levels add stronger cryptographic protections and runtime integrity verification.

4. 4

   FR 4: Data Confidentiality (DC)

   Requirements that protect the confidentiality of information at rest and in transit. CR 4.1 through CR 4.3 cover information confidentiality, information persistence, and use of cryptography. Component type matters: embedded devices with constrained compute carry tailored cryptography expectations; host devices and software applications carry fuller expectations. Higher Security Levels expect stronger algorithms, stronger key management, and confidentiality protection across more interfaces.

5. 5

   FR 5: Restricted Data Flow (RDF)

   Requirements that constrain how data flows through the component and the networks it connects to. CR 5.1 through CR 5.4 cover network segmentation support, zone boundary protection, general purpose person-to-person communication restrictions, and application partitioning. The CR set is most consequential for network devices and gateways, where the boundary protection capability the component offers shapes the zone-and-conduit architecture the asset owner builds around it.

6. 6

   FR 6: Timely Response to Events (TRE)

   Requirements that ensure security-relevant events are recorded and surfaced for response. CR 6.1 through CR 6.2 cover audit log accessibility and continuous monitoring. The CR set reads against the operating-environment expectations under IEC 62443-2-1 and the asset-owner-side patch management cadence under IEC 62443-2-3. Higher Security Levels expect richer audit content, more reliable log delivery, and stronger tamper-evidence on the audit trail.

7. 7

   FR 7: Resource Availability (RA)

   Requirements that protect the availability of essential component functions under load, fault, or attack conditions. CR 7.1 through CR 7.8 cover denial-of-service protection, resource management, control system backup, control system recovery and reconstitution, emergency power, network and security configuration settings, least functionality, and control system component inventory. Availability is the foundational requirement most distinct from typical IT security regimes, reflecting the operational-technology priority on continuous safe operation.

The four Security Levels

The standard names four Security Levels (SL 1 through SL 4) per CR. A component capability matrix typically carries different Security Level claims across the seven FRs: a network device with strong cryptographic capability at SL 3 on FR 1 (authentication) and FR 4 (data confidentiality) but SL 2 on FR 6 (timely response to events) reflects the per-FR pattern. The ISASecure CSA or EDSA assessment reads the per-CR achieved Security Level rather than a single component-wide claim, and the component data sheet that ships with the product carries the same per-FR pattern.

The per-component evidence pack the assessment produces

The standard expects a defined artefact set per component rather than a single document. The pack below is the minimum durable set most supplier programmes maintain when they adopt IEC 62443-4-2 as the per-component capability reference. Each artefact has a named owner, a refresh cadence, and a version history so reconstruction at certification time is replaced with a continuous operating trail tied to firmware release.

Failure modes the standard surfaces

The standard is permissive on the choice of test tooling, the wording of the per-CR evidence narrative, and the structural format of the component security data sheet. It is unforgiving about a small number of patterns that turn the 62443-4-2 claim from a defensible technical capability claim into a marketing assertion. The patterns below recur across supplier programmes and are the ones that erode procurement-side confidence, certification credibility, and CRA conformity assessment defensibility most reliably.

How IEC 62443-4-2 relates to adjacent regimes

IEC 62443-4-2 sits inside a busy OT, product-security, and conformity-assessment neighbourhood. The relationships below are the ones programmes encounter most often when they read 4-2 against the rest of the operating regime. Suppliers shipping across regions and sectors use 62443-4-2 as the per-component capability reference and read 62443-4-1, 62443-3-3, the wider 62443 family, the EU Cyber Resilience Act, Common Criteria, and sector regulations as the contextual layers around it.

Where SecPortal fits in an IEC 62443-4-2 programme

SecPortal is the operating layer for the component evidence lifecycle, not a replacement for the product security programme strategy, the engineering accountability for the component design and implementation, the ISASecure assessor relationship, or the regulator dialogue the standard expects. The platform handles the 4-2-side workstreams (component scope declaration, per-CR capability matrix, Requirement Enhancement evidence records, per-CR test reports, vulnerability handling cross-reference, secure configuration baseline, end-of- life record, customer-facing component security data sheet) so the artefacts the standard expects are produced as structured records rather than reconstructed across email threads, document drives, and ticketing systems at certification time. The same workspace that hosts the component evidence record hosts the security finding record, the code-scan evidence, and the continuous monitoring of any IT-side supplier portals that touch the component update channel.

Honest scope for OT product suppliers: SecPortal does not certify components, does not act as a notified body, does not issue ISASecure CSA, ISASecure EDSA, or 62443-4-2 conformity statements, does not replace the supplier accountability for the component capability evidence, does not ship runtime detection or runtime integrity verification for control system components, does not auto-deploy security updates to deployed assets, and does not integrate natively with named ticketing systems (Jira, ServiceNow, Slack, Teams), SIEM platforms, SOAR platforms, GRC platforms (OneTrust, Vanta, Drata, Archer, AuditBoard), or PLM systems. SecPortal also does not provide enterprise SSO or SCIM provisioning, does not perform automated approval routing for component certification gates, and does not maintain component certification customer logos, adoption metrics, ROI numbers, compliance guarantees, or any claim of pre-approved ISASecure CSA, EDSA, or 62443-4-2 conformity. The verified capability stack covers the evidence-record discipline the standard expects across the seven FRs; the certification path remains an exercise between the supplier, the assessor, and the regulator.

The 4-2 component evidence (component scope declaration, per-CR capability matrix, Requirement Enhancement evidence records, per-CR test reports, vulnerability handling cross-reference, secure configuration baseline, end-of-life record, customer-facing component security data sheet) reads against operational workflows that already exist as named use cases. The SDLC vulnerability handoff workflow carries the per-finding handoff discipline the per-CR test report produces. The PSIRT workflow carries the security-issue handling backlog the vulnerability handling cross-reference feeds. The SBOM and VEX publishing workflow carries the per-component component-transparency record the CR 3.x system integrity claims and FR 6 timely response claims reference. The audit fieldwork evidence request workflow carries the ISASecure assessment fieldwork-day evidence packaging the per-CR capability matrix feeds.

For product security teams operating the per-component capability evidence alongside the wider application security programme, the product security teams workspace covers the component evidence operating model and the cross-team handoff the standard expects. For AppSec teams whose remit spans IT and OT product lines, the AppSec teams workspace bundles the platform with the engagement structure the component capability matrix reads against. For internal security teams at OT product supplier organisations carrying the programme-level accountability for the component evidence and the regulatory disclosure obligation under the EU Cyber Resilience Act, the internal security teams workspace covers the platform-level reporting and the cross-team handoff the component operating record sits on. For manufacturing security teams operating across both the IT-side enterprise and the OT-side product programme, the manufacturing security teams workspace covers the joint operating model 62443-4-2 reads against. For CISOs and security leaders accountable for the component security claim posture and the named-decision accountability for product security data sheet content, the CISOs and security leaders workspace covers the executive-layer reporting model that sits on top of the component evidence record.

For deeper reading on the disciplines this standard reads against, the IEC 62443 family overview covers the wider standard and the asset-owner, integrator, and supplier role split that 4-2 sits inside. The IEC 62443-4-1 framework page covers the process-side companion that pairs with 4-2 on the same product evidence record. The EU Cyber Resilience Act framework page covers the EU regulation that increasingly references 62443-4-2 as a conformity assessment anchor for products with digital elements placed on the EU market. The NIST SP 800-82 framework page covers the US federal OT cybersecurity guide that pairs with 62443-4-2 on the asset-owner-side deployment of the component into the operating environment. The container image signing operating model guide covers the secure software delivery discipline that the CR 3.x firmware update authenticity requirements reference. The software bill of materials guide covers the SBOM discipline that the CR 3.x integrity and FR 6 timely response requirements reference for component transparency and security update qualification.