Key takeaways:
The article summarizes practical cybersecurity principles in industrial automation in the context of EN IEC 62443 and the requirements of Regulation (EU) 2023/1230.
- EN IEC 62443 addresses the convergence of OT with IT/IoT and the growing risk of cyberattacks on machinery and control systems.
- Regulation (EU) 2023/1230 requires that cybersecurity be taken into account in the design, operation, and modernization of machinery.
- There is no dedicated harmonized EU standard for machinery cybersecurity; conformity assessment can be based on recognized standards.
- EN IEC 62443-2-1:2025 describes a cybersecurity management system (CSMS) program: risk, policies, roles, training, monitoring, and continuous improvement.
- Key principles: cyber risk assessment, network segmentation (zones & conduits), DMZ/firewalls, minimizing the attack surface, Defense in Depth.
EN IEC 62443: industrial automation is becoming ever more tightly intertwined with IT networks and the Internet of Things, bringing major benefits—but also new risks. Machines that used to be isolated are now often remotely monitored, updated, and connected to the cloud, which creates opportunities for cyberattacks. It is therefore no surprise that Regulation (EU) 2023/1230 for the first time explicitly requires machine manufacturers, integrators, and users to take cybersecurity into account already at the machine design stage, as well as during operation and modernization of equipment. Malicious digital interference can lead to accidents or failures for which the machine manufacturer will be legally responsible. In practice, this means implementing a range of new protective measures—both technical and organizational—to meet legal requirements and protect industrial control systems against today’s OT (Operational Technology) threats.
Earlier regulations did not cover malicious actions; now the consequences are attributed to the manufacturer.
There is not yet a dedicated EU harmonized standard exclusively for machine cybersecurity, but as part of the conformity assessment, the manufacturer may refer to recognized standards. A particularly important role is played here by the IEC/ISA 62443 family of standards, widely respected in industry. The latest part, EN IEC 62443-2-1:2025, describes how to establish a comprehensive security management program for control systems (Cyber Security Management System), covering, among other things, risk analysis, policies and procedures, organizational structures, training, and continuous monitoring and improvement of safeguards. Below we present the 10 most important cybersecurity principles in industrial automation that, in a practical way, implement the requirements of the new regulations and standards, helping protect both OT infrastructure and the safety of people and processes.
1. Include cyber threats in the risk assessment
The foundation is a deliberate, informed risk analysis for automation systems, which from now on must also consider cyberattacks alongside traditional mechanical or electrical hazards. As early as the machine design stage, the manufacturer is required to analyze potential cyberattack scenarios (e.g., remote takeover of a controller, sabotage of settings, ransomware locking the HMI) and assess their impact on safety and operational continuity. In practice, this means the need to inventory all devices and software that make up the control system and identify critical points—which assets are most exposed and what damage their compromise would cause. Then, appropriate countermeasures must be selected for each risk. For example, if a PLC controls an industrial robot, a key risk is taking control of it and triggering dangerous movements—countermeasures may include network isolation of the PLC, strong access authentication, and command monitoring. A risk assessment that includes cyber threats is now a legal requirement and forms the foundation of a 62443-aligned security program (the first step is precisely the risk analysis). This allows the organization to understand which areas to prioritize for protective actions first.
2. Segment the network and minimize the attack surface (EN IEC 62443)
Another key principle is a secure control system architecture. Design control systems with cybersecurity in mind—so that attack opportunities are limited already at the network and hardware level. Above all, segment OT networks and separate them from office networks and the Internet using firewalls and demilitarized zones (DMZs). In practice, this means implementing a zones & conduits architecture in line with reference models (e.g., Purdue), so that, for example, devices at the production level are not directly visible from the corporate or public network. Preventing direct access to controllers from the Internet is an absolute baseline—if a machine must transmit data externally, do it via a secure intermediary server rather than exposing the controller directly online.
The second pillar of a secure architecture is minimising the attack surface. Remove unnecessary access points and features that are not required for the machine to operate. Disable unused network interfaces, ports, and services so a potential attacker has fewer paths into the system. Select industrial components with built-in security support (e.g., controllers with authentication mechanisms and protocol encryption). Design the system so that software updates can be performed securely—new regulations indicate that secure update mechanisms and measures to reduce system “attackability” must be planned already at the design stage. For example, using segmentation and firewalls will allow selected system zones to be updated in the future without exposing the entire system to risk during the update process. A well-designed industrial network should also follow the Defense in Depth (layered protection) principle—multiple successive safeguards at different levels, so that breaching one barrier does not immediately grant full access to the system.
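The zones & conduits model above can be checked mechanically: every asset is assigned to a zone, every conduit whitelists the protocols allowed between two zones, and any observed flow not covered by a conduit is a violation. The following is an added example (not code from the article or any vendor); the zone names, hosts, protocols and flows are constructed, and an unlisted host is treated as untrusted so a direct external path to a controller is caught automatically.

```python
"""Zones & conduits policy check over a list of observed flows (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    protocols: frozenset  # protocols permitted through this conduit


@dataclass
class Policy:
    zones: dict = field(default_factory=dict)     # asset name -> zone name
    conduits: list = field(default_factory=list)  # approved conduits only

    def zone_of(self, asset):
        # Anything not in the inventory is treated as untrusted (e.g. an Internet address).
        return self.zones.get(asset, "untrusted")

    def allowed(self, src, dst, protocol):
        sz, dz = self.zone_of(src), self.zone_of(dst)
        if sz == dz:
            return True  # intra-zone traffic is governed inside the zone, not by conduits
        return any(c.src_zone == sz and c.dst_zone == dz and protocol in c.protocols
                   for c in self.conduits)


def check_flows(policy, flows):
    """Return (src, dst, protocol, reason) for every flow the policy does not permit."""
    violations = []
    for src, dst, proto in flows:
        if policy.allowed(src, dst, proto):
            continue
        sz, dz = policy.zone_of(src), policy.zone_of(dst)
        if dz == "control" and sz in ("internet", "untrusted"):
            reason = "direct external access to control zone"
        else:
            reason = f"no conduit {sz}->{dz} for {proto}"
        violations.append((src, dst, proto, reason))
    return violations


# Constructed Purdue-style policy: enterprise <-> DMZ <-> control, nothing straight through.
EXAMPLE_POLICY = Policy(
    zones={
        "erp-server": "enterprise",
        "historian-dmz": "dmz",
        "patch-server-dmz": "dmz",
        "scada-01": "control",
        "plc-line1": "control",
        "hmi-line1": "control",
    },
    conduits=[
        Conduit("enterprise", "dmz", frozenset({"https"})),
        Conduit("dmz", "control", frozenset({"opc-ua"})),
        Conduit("control", "dmz", frozenset({"opc-ua", "https"})),  # updates pulled from the DMZ
    ],
)

# Constructed flows, as they might be reduced from a firewall log or packet capture.
EXAMPLE_FLOWS = [
    ("erp-server", "historian-dmz", "https"),    # allowed: enterprise -> DMZ over https
    ("historian-dmz", "scada-01", "opc-ua"),     # allowed: DMZ -> control over OPC UA
    ("plc-line1", "hmi-line1", "modbus"),        # allowed: same zone
    ("erp-server", "plc-line1", "modbus"),       # violation: enterprise straight into control
    ("203.0.113.7", "plc-line1", "modbus"),      # violation: unknown external host -> controller
    ("plc-line1", "patch-server-dmz", "https"),  # allowed: controller pulls from DMZ
]

if __name__ == "__main__":
    for v in check_flows(EXAMPLE_POLICY, EXAMPLE_FLOWS):
        print("VIOLATION", v)
```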
3. Control user identities and permissions
Access management in an OT environment must be highly restrictive. You need to define precisely who has access to what in the control system—and enforce it consistently. Every user (e.g., a maintenance engineer, operator, remote service technician) should have a unique account assigned to a specific individual—sharing administrative accounts or using default passwords provided by the device manufacturer is prohibited. Accounts must be granted only the minimum permissions required, in line with the principle of least privilege—for example, an HMI operator does not need access to network switch configuration, and a maintenance technician should not have IT domain administrator privileges.
Implementing strong authentication mechanisms is essential. Enforce strong passwords (sufficiently long and complex) and periodic password changes. Where possible, deploy multi-factor authentication (MFA)—for example, a token or mobile app for a remote service engineer connecting to a controller. The IEC 62443 standard emphasises proper management of credentials, passwords, and users in industrial systems. In practice, this also means regular account reviews (immediately removing or blocking access for people who should no longer have it, e.g., after an employee leaves or a contractor’s work ends).
All administrative access attempts should be monitored and logged (more on this in principle 5). In addition, it is worth applying a two-person rule for the most critical operations—for example, changing a safety controller configuration should require confirmation by a second authorised person. Tight control of identities and permissions will make it harder for potential attackers to move through the OT network even if they manage to get in, and it will also minimise the risk of errors or misuse by staff. Remember that, according to reports, one of the biggest weak points is weak/default passwords and poor user management—so this area requires a firm policy.
4. Protect the integrity of control systems (EN IEC 62443)
The integrity of software and configuration in control systems—such as PLCs, SCADA systems, HMI panels, or industrial network devices—must be strictly protected against unauthorised changes. The new EU regulation explicitly points to the need to protect machinery against unauthorised software modification, highlighting the requirement to control the integrity of control systems. In practice, this means implementing mechanisms that prevent changes to control logic without proper authorisation.
Examples of good practice include: using write-protection features in controllers (many PLCs have a run/prog mode switch or a password that prevents downloading new logic), applying digital signatures or checksums to verify that the device program has not been altered, and enabling version and change control for configuration files. Every change made to the control program should be planned, authorised by a responsible person, and recorded in the documentation. During conformity assessment, the machine manufacturer must now demonstrate what protective measures were applied—for example, that the control logic and key settings are protected against unwanted interference.
You must not overlook physical security of OT systems as a key part of protecting integrity. An attacker with physical access to a control cabinet could, for example, connect an unauthorized device or reset a controller to factory settings. That’s why you should control who can access the infrastructure—locking control cabinets, applying tamper seals to communication ports, and supervising areas with critical equipment—all of which makes direct manipulation more difficult. System integrity also means ensuring that only approved devices and software are in use—your security policy should state, for instance, that unverified or unregistered devices must not be connected to the OT network. This approach reduces the likelihood that someone will quietly introduce a malicious device or modified firmware into the system.
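The checksum-and-signature practice described above, together with the two-person rule from principle 3, as an added example (not code from the article or any PLC vendor): an HMAC-signed manifest stands in for a vendor digital signature over the approved program and configuration files, verification reports modified, added and missing files and rejects a manifest whose own signature fails, and re-baselining after a planned change requires a change ticket plus two distinct approvers whenever a safety-related file is touched. Files are passed as a {name: bytes} mapping so the code runs without touching disk; the file names, key and SAFETY_FILES set are assumptions.

```python
"""Integrity baseline for controller program and configuration files (added example)."""
import hashlib
import hmac
import json

SAFETY_FILES = {"safety.cfg"}  # assumption: files whose change needs two approvers


def _sign(hashes, key):
    body = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(files, key):
    """Hash every approved file and sign the hash table. Returns manifest bytes."""
    hashes = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    return json.dumps({"files": hashes, "sig": _sign(hashes, key)}, sort_keys=True).encode()


def verify(files, manifest, key):
    """Compare current files with the signed baseline; reject a tampered manifest outright."""
    doc = json.loads(manifest)
    if not hmac.compare_digest(_sign(doc["files"], key), doc["sig"]):
        return {"manifest_ok": False, "modified": [], "added": [], "missing": []}
    base = doc["files"]
    return {
        "manifest_ok": True,
        "modified": sorted(n for n in base if n in files
                           and hashlib.sha256(files[n]).hexdigest() != base[n]),
        "added": sorted(n for n in files if n not in base),
        "missing": sorted(n for n in base if n not in files),
    }


def rebaseline(old_manifest, new_files, key, ticket, approvers):
    """Issue a new manifest for a planned change, enforcing the authorisation rules."""
    if not ticket:
        raise PermissionError("change must be planned and recorded (ticket id required)")
    if not approvers:
        raise PermissionError("change needs a named, responsible approver")
    diff = verify(new_files, old_manifest, key)
    if not diff["manifest_ok"]:
        raise PermissionError("existing manifest signature invalid; investigate first")
    touched = set(diff["modified"]) | set(diff["added"]) | set(diff["missing"])
    if touched & SAFETY_FILES and len(set(approvers)) < 2:
        raise PermissionError("safety-related change needs two distinct approvers")
    return build_manifest(new_files, key)


# Constructed sample project, as a PLC backup folder might hold it.
APPROVED_FILES = {
    "line1.plc": b"PROGRAM Main ... END_PROGRAM",
    "safety.cfg": b"estop_delay_ms=50\nlight_curtain=enabled\n",
    "recipe.csv": b"id,temp_c\n1,180\n",
}
SIGNING_KEY = b"constructed-demo-key"  # stand-in for a protected signing key


def demo():
    """Detect an unauthorised change: one file edited, one added, one deleted."""
    manifest = build_manifest(APPROVED_FILES, SIGNING_KEY)
    tampered = dict(APPROVED_FILES)
    tampered["safety.cfg"] = b"estop_delay_ms=5000\nlight_curtain=disabled\n"  # edited
    tampered["debug.so"] = b"\x7fELF..."                                       # unapproved addition
    del tampered["recipe.csv"]                                                 # removed
    return verify(tampered, manifest, SIGNING_KEY)


if __name__ == "__main__":
    print(demo())
```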
5. Monitor systems and log events
Continuous monitoring of activity in the industrial network and on devices is essential for early incident detection. Many industrial companies are only beginning to build this capability—yet one requirement in new regulations is logging both authorized and unauthorized interference in safety-related control systems. You should therefore implement mechanisms to collect event logs from key OT components: controllers (diagnostic event logs, error logs, login attempts), HMI/SCADA operator stations, industrial servers, and network devices (firewalls, switches). Particular attention should be paid to logging configuration and software changes—every PLC program upload, recipe change, or change to safety parameters should leave an audit trail in the logs (who changed what, and when). This is not only a security requirement, but also valuable audit evidence of compliance.
Beyond simply recording events, active monitoring and analysis are also necessary. In OT environments, it is worth deploying dedicated IDS/IPS systems or SIEM solutions adapted to industrial protocols, capable of detecting suspicious activity in the control network (e.g., unusual commands sent to controllers, network scanning, or communication outside established patterns). Ongoing monitoring of all system changes—such as updates, installation of new software, or firmware changes—has been recognized as one of the key protection criteria in industrial networks. This makes it possible to spot potential security breaches sooner. For example, if communication appears overnight between a controller and an unknown IP address, or a PLC program is changed outside a planned maintenance window, the monitoring system should generate an alert.
It is important that OT monitoring is assigned to a specific team or individual, and that collected logs are reviewed regularly. Companies that already have an IT SOC should consider integrating OT data or establishing a separate OT SOC. Rapid detection and response to an incident can often prevent an attack from escalating before it causes physical damage or production downtime. Remember: what we don’t measure or observe, we can’t protect effectively. Many attacks on industrial environments were discovered only after the fact—so proactive monitoring is now a necessity, not a luxury.
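The two alerts named above (a PLC program change outside a planned maintenance window, a controller talking to an unknown address) plus a failed-login threshold, run over a few constructed log lines, as an added example that is not part of the article. The syslog-like line format, event names, window, allowlist and threshold are all assumptions; real controllers and firewalls each have their own log formats, so the parser is the part you would replace.

```python
"""Three OT detection rules over constructed event logs (added example)."""
import re
from collections import Counter
from datetime import datetime

# Assumed format: "<iso-timestamp> <source-host> <EVENT> key=value key=value ..."
LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<event>\S+)(?: (?P<kv>.*))?$")


def parse(line):
    """Return a dict for a well-formed line, None for anything that does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    kv = dict(p.split("=", 1) for p in (m["kv"] or "").split() if "=" in p)
    return {"ts": ts, "src": m["src"], "event": m["event"], **kv}


def in_window(ts, windows):
    """windows: list of (start, end) datetimes approved for program changes."""
    return any(s <= ts <= e for s, e in windows)


def detect(lines, maintenance_windows, known_peers, control_hosts, failed_login_limit=3):
    alerts, failures = [], Counter()
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        if ev["event"] == "PROGRAM_DOWNLOAD" and not in_window(ev["ts"], maintenance_windows):
            alerts.append(("program_change_outside_window", ev["src"], ev.get("user")))
        elif ev["event"] == "FLOW" and ev["src"] in control_hosts and ev.get("dst") not in known_peers:
            alerts.append(("unknown_peer", ev["src"], ev.get("dst")))
        elif ev["event"] == "LOGIN_FAILED":
            key = (ev["src"], ev.get("user"))
            failures[key] += 1
            if failures[key] == failed_login_limit:  # alert once, when the threshold is reached
                alerts.append(("brute_force", ev["src"], ev.get("user")))
    return alerts


# Constructed log excerpt; the approved maintenance window is 2024-05-14 08:00-12:00.
SAMPLE_LOGS = [
    "2024-05-14T09:12:00 plc-line1 PROGRAM_DOWNLOAD user=eng.kowalski",   # inside window: fine
    "2024-05-14T23:41:10 plc-line1 PROGRAM_DOWNLOAD user=svc.remote",     # outside window: alert
    "2024-05-14T02:15:33 scada-01 FLOW dst=historian-dmz proto=opc-ua",    # known peer: fine
    "2024-05-14T02:16:02 scada-01 FLOW dst=198.51.100.23 proto=https",    # unknown peer: alert
    "2024-05-14T10:00:01 hmi-line1 LOGIN_FAILED user=admin",
    "2024-05-14T10:00:05 hmi-line1 LOGIN_FAILED user=admin",
    "2024-05-14T10:00:09 hmi-line1 LOGIN_FAILED user=admin",              # third failure: alert
    "garbage line that does not parse",                                   # skipped
]
WINDOWS = [(datetime(2024, 5, 14, 8, 0), datetime(2024, 5, 14, 12, 0))]
KNOWN_PEERS = {"historian-dmz", "patch-server-dmz", "hmi-line1", "plc-line1"}
CONTROL_HOSTS = {"scada-01", "plc-line1", "hmi-line1"}


def demo():
    return detect(SAMPLE_LOGS, WINDOWS, KNOWN_PEERS, CONTROL_HOSTS)


if __name__ == "__main__":
    for alert in demo():
        print("ALERT", alert)
```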
6. Manage updates and vulnerabilities
Managing software updates and patching vulnerabilities in industrial systems is one of the most challenging—and most important—tasks. OT environments often have long equipment lifecycles (20 years or more) and require continuous operation, which makes regular updates difficult. Nevertheless, new regulations require the manufacturer to provide the ability to update software when vulnerabilities are identified, without creating a new risk. In practice, this means: already at the design stage, choose components for which the manufacturer guarantees support and security patches; plan maintenance windows for updates in the machine operating schedule; and test patches offline before deploying them in production.
The first step is maintaining an up-to-date inventory of all components in the OT system—along with information on firmware and software versions and installed patches. This allows you to quickly assess which elements are exposed when a new vulnerability advisory appears. It is worth subscribing to security bulletins from automation vendors and using databases such as CVE. When a vulnerability affecting, for example, a PLC or a SCADA system is disclosed, you should assess the risk (whether your instance is affected and how severe the flaw is in your context) and decide whether to update or apply temporary mitigations. If a vendor patch is available, it should be deployed at the earliest feasible opportunity—after prior testing in a lab environment or on a mirrored system. In production, every update should be carried out carefully and in accordance with procedure, so as not to disrupt the process or reduce functional safety.
If, for any reason, you can’t patch a given vulnerability immediately (e.g., because it would require an extended production shutdown), implement compensating controls. These may include additional firewall rules that block the relevant attack vector, a system configuration change that removes the risk, or even physically disconnecting the vulnerable device until it can be updated. The key point is not to ignore vulnerability information—missing software updates are one of the main reasons attacks on industrial environments succeed. Keep a register of available updates and their deployment status. It is also good practice to periodically audit the system for missing patches and verify configuration compliance against security benchmarks. This will make your OT infrastructure an increasingly difficult target—regular controller and software updates significantly improve your level of protection.
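The inventory-to-advisory matching and the patch-or-compensate decision described in this principle, as an added example that is not from the article: a constructed inventory with firmware versions is matched against constructed advisories using numeric version comparison, and each exposed asset gets a register row with the action the text prescribes (test and deploy the fix in a maintenance window, or record a compensating control when no fix exists). Vendor, product and advisory names are placeholders, not real advisories.

```python
"""Matching constructed advisories against an OT asset inventory (added example)."""
from dataclasses import dataclass
from typing import Optional


def parse_version(s):
    """'2.10.1' -> (2, 10, 1), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in s.split("."))


@dataclass
class Asset:
    name: str
    vendor: str
    product: str
    version: str
    zone: str
    criticality: str  # "high" | "medium" | "low", from the risk assessment


@dataclass
class Advisory:
    id: str
    vendor: str
    product: str
    affected_from: str             # inclusive lower bound
    affected_below: Optional[str]  # exclusive upper bound; None = every later version too
    fixed_version: Optional[str]   # None = no vendor fix available yet
    severity: str


def exposed(inventory, adv):
    """Assets of the advisory's product whose version falls in the affected range."""
    lo = parse_version(adv.affected_from)
    hi = parse_version(adv.affected_below) if adv.affected_below else (10**9,)
    return [a for a in inventory
            if (a.vendor, a.product) == (adv.vendor, adv.product)
            and lo <= parse_version(a.version) < hi]


def register(inventory, advisories):
    """Build update-register rows: (asset, advisory id, version, status, action)."""
    rows = []
    for adv in advisories:
        for a in exposed(inventory, adv):
            if adv.fixed_version:
                status = "patch-pending"
                action = f"test {adv.fixed_version} in lab, then deploy in next maintenance window"
            else:
                status = "mitigated-temporarily"
                action = "no fix yet: apply compensating control (firewall rule / disable service)"
            if a.criticality == "high" and adv.severity == "critical":
                action = "PRIORITY: " + action
            rows.append((a.name, adv.id, a.version, status, action))
    return rows


# Constructed inventory and advisories (placeholder vendors, no real products).
INVENTORY = [
    Asset("plc-line1", "ExampleAutomation", "PLC-X", "2.4.0", "control", "high"),
    Asset("plc-line2", "ExampleAutomation", "PLC-X", "2.7.3", "control", "high"),
    Asset("hmi-line1", "ExampleAutomation", "HMI-Panel", "1.9", "control", "medium"),
    Asset("scada-01", "ExampleSCADA", "Viewer", "5.1.0", "control", "high"),
]
ADVISORIES = [
    Advisory("ADV-CONSTRUCTED-001", "ExampleAutomation", "PLC-X", "2.0.0", "2.7.0", "2.7.0", "critical"),
    Advisory("ADV-CONSTRUCTED-002", "ExampleAutomation", "HMI-Panel", "1.0.0", None, None, "high"),
]

if __name__ == "__main__":
    for row in register(INVENTORY, ADVISORIES):
        print(row)
```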
7. Ensure secure remote access (EN IEC 62443)
Remote access to machines and control systems is often essential—for example, for OEM servicing, expert support, or convenient oversight of distributed infrastructure. However, every remote connection is a potential entry point for an attacker, so it must be implemented as securely as possible. The overriding rule is: no uncontrolled connections from the Internet into the OT network. Separating the control network from the public network is one of the core recommendations—it eliminates many threats. Of course, in practice it isn’t always possible to fully isolate OT, for example when you want to service a machine remotely or send data to the cloud. That’s why you need dedicated, secured remote-access channels.
Use a VPN or other encrypted tunnelling for remote connections—never connect to a controller over the Internet using an “unencrypted” protocol. Remote access should pass through a DMZ within the industrial network, where an intermediary server or gateway is located. Consider using specialised solutions for OT remote access (also known as Industrial Remote Access Gateways) that authenticate the user and device identity, tunnel only approved protocols, and provide full session recording. Multi-factor authentication is practically mandatory for access from outside the plant—passwords alone are not enough; add, for example, a hardware token or a mobile app to confirm sign-in. The principle of least privilege also applies here: a remote user should have access only to selected devices and functions, not the entire network.
A good practice is to implement remote access on demand—meaning the connection is enabled only when needed (e.g., for service work), with approval from the responsible on-site employee. Once the work is complete, remote access is closed. This reduces the “window” during which the system is exposed. Also monitor remote session activity—your SIEM/monitoring system should highlight events originating from remote users. Limit the use of remote access to only the tasks that are truly necessary. For example, a remote expert may need to view HMI data, but changes to controller configuration should require a higher level of authorisation. Providing secure remote access can be an organisational and technical challenge, but it is essential—many OT incidents started with poorly secured remote connections (e.g., an exposed VPN port protected by a trivial password). Don’t let that happen: design your remote-access architecture as carefully as your on-site protections.
8. Perform backups and test system recovery
Regular backups are the last line of defence against the impact of a successful attack or a failure. In an industrial environment, losing critical control data or device configurations can halt production for a long time, so it is absolutely essential to maintain up-to-date backups of all critical OT components. A backup policy for industrial automation should include, among other things: copies of PLC programs, SCADA system configurations, process databases, network device configurations, as well as virtual machines or industrial servers, if used. According to experts, having a procedure for creating backups and restoring the system is one of the fundamental OT security requirements—a backup alone is useless if you cannot quickly restore machine operation.
Backups should be performed regularly, according to a defined schedule, tailored to how frequently the system changes. If, for example, programs on the production line are updated once per quarter, backups should be taken at least after every significant change. Store all backups in a secure location—ideally isolated from the production network (offline), so ransomware or other malware cannot encrypt or delete them. A common approach is the 3-2-1 rule: three copies on two different media, including one stored off-site.
Just as important as making backups is testing the restore procedure. What good are copies if, in an emergency, you can’t use them efficiently? At least from time to time, run a drill to restore the configuration from a backup—can you get the controller running again on new hardware? Does the HMI project backup actually let you recreate the operator screen? Testing is best done under controlled conditions (e.g., on test devices), but every so often it’s also worth simulating a failure of a key component and rehearsing full disaster recovery. This will confirm how long it takes to restore control and whether the procedures are complete.
Having robust backups and a contingency plan not only minimizes downtime after an attack, but also provides confidence in regulatory compliance—under new requirements, continuity of safe machine operation throughout the entire lifecycle must be ensured. Backups are part of ensuring that continuity. In the worst-case scenario (e.g., sabotage of the machine’s software), backups enable engineers to restore equipment operation quickly, helping you avoid massive financial and reputational losses.
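A check of an OT backup set against the 3-2-1 rule, the "backup after every significant change" rule and a restore-drill interval, as an added example that is not part of the article. The record format, the 180-day drill interval and the sample copies are assumptions; the function returns findings so it can be run over a real backup register once the records are filled in from it.

```python
"""3-2-1 and change-driven freshness check for an OT backup set (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BackupCopy:
    asset: str
    location: str
    medium: str          # e.g. "nas", "tape", "usb", "cloud-object"
    offsite: bool
    taken_at: datetime
    offline: bool        # not reachable from the production network


def check_backups(copies, last_significant_change, last_restore_test, now, drill_days=180):
    """Return a list of findings; an empty list means the set passes every check."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs three")
    if len({c.medium for c in copies}) < 2:
        findings.append("all copies on one medium; 3-2-1 needs two")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    if not any(c.offline for c in copies):
        findings.append("no copy isolated from the production network")
    newest = max((c.taken_at for c in copies), default=None)
    if newest is None or newest < last_significant_change:
        findings.append("no backup taken after the last significant change")
    if last_restore_test is None or now - last_restore_test > timedelta(days=drill_days):
        findings.append(f"restore drill older than {drill_days} days or never run")
    return findings


# Constructed records for the line 1 PLC program; program last changed 2024-05-14.
NOW = datetime(2024, 6, 1)
LAST_CHANGE = datetime(2024, 5, 14)
GOOD_SET = [
    BackupCopy("plc-line1", "nas://ot-backup/line1", "nas", False, datetime(2024, 5, 20), False),
    BackupCopy("plc-line1", "tape LTO-0427 (vault)", "tape", True, datetime(2024, 5, 20), True),
    BackupCopy("plc-line1", "usb drive, drawer 3", "usb", False, datetime(2024, 4, 2), True),
]
WEAK_SET = [
    BackupCopy("plc-line1", "nas://ot-backup/line1", "nas", False, datetime(2024, 5, 10), False),
    BackupCopy("plc-line1", "nas://eng-share/line1", "nas", False, datetime(2024, 5, 10), False),
]


def demo():
    """Returns (findings for the good set, findings for the weak set)."""
    good = check_backups(GOOD_SET, LAST_CHANGE, datetime(2024, 1, 10), NOW)
    weak = check_backups(WEAK_SET, LAST_CHANGE, None, NOW)
    return good, weak


if __name__ == "__main__":
    good, weak = demo()
    print("good set:", good or "passes")
    print("weak set:", weak)
```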
9. Train staff and build a cybersecurity culture
The human factor plays a huge role in industrial security—both as the weakest link and, potentially, the strongest line of defense when staff are aware of the threats. That’s why regular training and awareness-raising for everyone involved in operating and maintaining OT systems is absolutely essential. IEC 62443-2-1 highlights the importance of a clear organizational structure and training, specifying roles, responsibilities, and the required level of cybersecurity awareness among personnel. Put simply: every employee, from the operator to the maintenance manager, must understand the basics of cyber threats in their work environment and know the protective procedures.
The training program should be tailored to the audience. Automation engineers should learn secure practices (e.g., how to configure controllers correctly so they don’t leave backdoors, how to respond to unusual system security alarms). Production operators should be able to recognize suspicious symptoms (e.g., strange HMI behavior that may indicate malware) and know who to report them to. The IT department should learn the specifics of industrial networks to collaborate more effectively with OT on safeguards. Even management should receive basic awareness training on the potential consequences of an attack on a production facility and why investments in security are so important.
Building a cybersecurity culture means that following the rules becomes a natural part of the job. This is achieved, among other things, by: promoting good practices (e.g., recognizing employees who identified and reported a vulnerability or incident), zero tolerance for bypassing safeguards (e.g., using personal USB drives in control systems, connecting unknown laptops to the production network), and ongoing communication about threats. It’s worth organizing periodic refresher sessions or short phishing drills to keep staff alert. If the company already has security policies and procedures, make sure they don’t just sit on a shelf—employees must know and understand them. Often, stopping an attack in its early stages depends on a fast response from staff (e.g., disconnecting an infected machine from the network). A threat-aware, well-trained team therefore becomes the most important “firewall” for OT infrastructure.
10. Establish policies and continuously improve OT security in line with EN IEC 62443
The final principle is a systematic approach and continuous improvement. Cybersecurity in industrial automation is not a project you “do” and tick off—it is a continuous risk management process. You need to establish formal OT security policies and procedures that serve as a compass for the entire organization. These policies should define, among other things: scope of responsibility (who is responsible for control system security—dedicated roles or OT Security teams are often created), access rules, requirements for suppliers and integrators (e.g., certification, a defined Security Level for components under IEC 62443), incident response and vulnerability reporting procedures, requirements for backups, updates, audits, and so on. Such a set of rules ensures consistency—security stops being discretionary and becomes managed.
Putting policies in place is only the first step. What really matters is implementing a mechanism for ongoing review and continuous improvement of these rules. The threat landscape evolves, new technologies emerge (e.g., IoT, AI in industry), and new vulnerabilities appear—so the organisation must adapt. That is why, at least once a year (or more often if the context requires it), OT policies and procedures should be reviewed for relevance and effectiveness. It is worth using internal audits or external experts who will verify whether day-to-day practice aligns with the adopted standards and identify gaps to be addressed. Continuity in the security approach also means that cybersecurity accompanies the machine throughout its life cycle—from design, through operation, to modifications and decommissioning. For example, any significant digital change (a new communication module, a firmware update, integration with a new IT system) should trigger a renewed risk and compliance assessment to confirm that safeguards still meet the requirements. This is now a formal requirement—after a “significant modification” of a machine, the manufacturer or user must assess whether it has introduced new hazards and, if necessary, whether protective measures have been strengthened.
Continuous improvement is supported by the previously mentioned standard EN IEC 62443-2-1:2025, which sets out structured requirements for an IACS security programme (Industrial Automation and Control Systems). Implementing such a programme in line with the standard means establishing, maintaining, and continually improving a set of policies, procedures, and practices that reduce risk to an acceptable level in a systematic and repeatable way. The standard emphasises that safeguards should include technical, physical, procedural, and compensating measures, and that the organisation should strive for maturity in each of these areas. In short, you need to build a coherent OT cybersecurity management system within the company—one that stays alive and evolves along with the business.
This approach helps avoid the trap of thinking that a one-off investment in hardware or software will solve the problem. As specialists point out, protecting an organisation’s digital assets is an ongoing process, not a one-time rollout of a specific solution. By building a strategy based on the principles above and updating it regularly, we will prepare our industrial systems for current and future challenges—while also meeting legal requirements, customer expectations, and our own security standards. Cyber threats in automation will continue to change, but with solid foundations and a strong security culture, we can respond to them effectively.
Sources: new requirements of Regulation (EU) 2023/1230 and recommendations of the EN IEC 62443 standard.
EN IEC 62443 – The 10 most important cybersecurity principles in industrial automation
Regulation (EU) 2023/1230 explicitly requires cybersecurity to be taken into account already at the design stage, as well as during the operation and retrofitting of machinery. Malicious digital interference may cause accidents or failures for which the manufacturer is liable.
There is not yet a dedicated EU harmonised standard exclusively for machinery cybersecurity, so the manufacturer may refer to recognised standards. The IEC/ISA 62443 family is indicated as a well-regarded industry basis for organising security measures.
EN IEC 62443-2-1:2025 describes how to establish a comprehensive cybersecurity management program for control systems (Cyber Security Management System). It covers, among other things, risk analysis, policies and procedures, organizational structures, training, and the continuous monitoring and improvement of safeguards.
The risk assessment of the automation system must also cover cyberattack scenarios and their impact on safety and operational continuity. In practice, this requires an inventory of devices and software, identification of critical points, and selection of countermeasures for each risk.
OT networks should be segmented and isolated from office networks and the Internet using firewalls and demilitarized zones (DMZ), in line with the zones & conduits approach. In addition, unnecessary ports, services, and interfaces must be disabled to reduce the number of potential attack paths, and a layered security approach (Defense in Depth) should be applied.