AS IEC 62443 · national standard

Australia's national OT cybersecurity standard. Now assessable.

IEC 62443 assessment for Australian critical infrastructure

The IEC 62443 series is now AS IEC 62443, Australia's national standard for securing industrial automation and control systems. It is the framework the SOCI Act and the AESCSF point operators toward. Cyber Node assesses your control system against it the way an engineer reads a plant, not the way an IT firm reads a network diagram for the first time. Zones and conduits, security-level targets, and the foundational requirements, tested against what the site actually runs. Paper alignment is not the same as technical validation.

The standard

What IEC 62443 actually is, and what we assess against

IEC 62443 is a series, not a single document. Each part below governs a different slice of industrial control system security. Cyber Node assesses against the parts that apply to an asset owner running a plant. The canonical source is the ISA/IEC 62443 series, now adopted in Australia as AS IEC 62443.

  • 62443-2-1: security programme for asset owners

    The cybersecurity management system around your control environment. We assess whether the policies, roles, and operational practices you claim are real and followed on site, not just written in a binder.

  • 62443-3-2: risk assessment, zones and conduits

    The segmentation design. We review how the system is divided into zones, how conduits carry traffic between them, and whether the boundaries hold up against an attacker who already has a foothold in enterprise IT.

  • 62443-3-3: system requirements and security levels

    The technical control set. We test the system against the seven foundational requirements at your target security level, and report each gap between the level you claim and the level the system actually meets.

  • 62443-4-2: component requirements

    The controllers, workstations, and network devices themselves. Where components carry a 62443-4-2 capability claim, we validate it against the deployed configuration rather than the datasheet.

The three concepts a buyer needs

Zones, security levels, and the seven foundational requirements

Most of IEC 62443 reduces to three ideas. An assessment is mostly about validating these against the live environment.

Architecture

Zones and conduits

Group assets with a shared security need into a zone. Every connection crossing a zone boundary is a conduit that must be controlled and monitored. In practice, the conduits are where a real-world OT compromise is either contained or is not.

Target

Security levels SL 1 to 4

SL 1 resists casual or coincidental violation. SL 2 resists intentional attack using simple means. SL 3 resists intentional attack using sophisticated means with moderate resources. SL 4 resists a well-resourced adversary with ICS-specific skills. You set a target per zone; we test against it.

Control set

Seven foundational requirements

Identification and authentication, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. Every system requirement in the standard maps back to one of these seven.
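The gap assessment the page describes (a target SL set per zone, the seven foundational requirements each tested at the level the system actually meets, and every conduit crossing a zone boundary checked for control and monitoring) can be modelled in a few lines. The following is an added illustration, not Cyber Node's assessment tooling and not text from the standard; the zone names, SL values and conduits are constructed sample data, and the rule that a zone's achieved SL is the lowest SL across its seven FRs is an assumption adopted here for the worked example.

```python
"""Constructed worked example: per-zone IEC 62443 security-level gap report.

Not Cyber Node's tooling; the zones, conduits and SL values below are made up.
"""
from dataclasses import dataclass

# The seven foundational requirements named on the page.
FOUNDATIONAL_REQUIREMENTS = (
    "identification_and_authentication",
    "use_control",
    "system_integrity",
    "data_confidentiality",
    "restricted_data_flow",
    "timely_response_to_events",
    "resource_availability",
)


@dataclass
class Zone:
    name: str
    target_sl: int     # SL-T chosen by the asset owner, 1..4
    achieved: dict     # FR name -> SL the assessment found the zone meets, 0..4

    def __post_init__(self):
        if not 1 <= self.target_sl <= 4:
            raise ValueError(f"{self.name}: target SL must be 1..4")
        for fr, sl in self.achieved.items():
            if fr not in FOUNDATIONAL_REQUIREMENTS or not 0 <= sl <= 4:
                raise ValueError(f"{self.name}: bad assessment entry {fr}={sl}")


@dataclass
class Conduit:
    src: str
    dst: str
    controlled: bool   # a boundary device enforces what may cross
    monitored: bool    # traffic across the boundary is logged and watched


def zone_gaps(zone):
    """Return {FR: (target, achieved)} for every FR below the zone's target SL.

    An FR with no assessment evidence counts as SL 0, so unassessed
    requirements surface as gaps rather than silently passing.
    """
    gaps = {}
    for fr in FOUNDATIONAL_REQUIREMENTS:
        achieved = zone.achieved.get(fr, 0)
        if achieved < zone.target_sl:
            gaps[fr] = (zone.target_sl, achieved)
    return gaps


def achieved_sl(zone):
    """Assumption used here: a zone meets only the lowest SL across all seven FRs."""
    return min(zone.achieved.get(fr, 0) for fr in FOUNDATIONAL_REQUIREMENTS)


def conduit_findings(zones, conduits):
    """Flag boundary crossings that are not both controlled and monitored."""
    by_name = {z.name: z for z in zones}
    findings = []
    for c in conduits:
        if c.src not in by_name or c.dst not in by_name:
            raise ValueError(f"conduit references unknown zone: {c.src} -> {c.dst}")
        if c.src == c.dst:
            continue  # traffic inside one zone is not a conduit
        label = f"{c.src} -> {c.dst}"
        if not c.controlled:
            findings.append(f"{label}: uncontrolled conduit")
        if not c.monitored:
            findings.append(f"{label}: unmonitored conduit")
    return findings


# Constructed sample site: enterprise IT, a plant DMZ and the control zone.
SAMPLE_ZONES = [
    Zone("enterprise_it", 1, {fr: 1 for fr in FOUNDATIONAL_REQUIREMENTS}),
    Zone("plant_dmz", 2, {fr: 2 for fr in FOUNDATIONAL_REQUIREMENTS}),
    Zone("control", 3, {
        "identification_and_authentication": 3,
        "use_control": 3,
        "system_integrity": 3,
        "data_confidentiality": 2,
        "restricted_data_flow": 3,
        "timely_response_to_events": 1,   # no event monitoring in the control zone
        "resource_availability": 3,
    }),
]
SAMPLE_CONDUITS = [
    Conduit("enterprise_it", "plant_dmz", controlled=True, monitored=True),
    Conduit("plant_dmz", "control", controlled=True, monitored=False),
    # Constructed finding: a vendor remote-access path that bypasses the DMZ.
    Conduit("enterprise_it", "control", controlled=False, monitored=False),
]

if __name__ == "__main__":
    for z in SAMPLE_ZONES:
        print(f"{z.name}: target SL {z.target_sl}, achieved SL {achieved_sl(z)}")
        for fr, (target, got) in zone_gaps(z).items():
            print(f"  gap {fr}: claimed {target}, meets {got}")
    for line in conduit_findings(SAMPLE_ZONES, SAMPLE_CONDUITS):
        print("conduit finding:", line)
```

The report reads the way the page describes the 62443-3-3 gap assessment: the control zone claims SL 3 but, with timely response to events at SL 1, it meets SL 1 overall, and the direct enterprise-to-control conduit is exactly the uncontrolled path an attacker with an enterprise IT foothold would use.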

What we deliver, what we refer

IEC 62443 engagement scope, honestly

In scope for Cyber Node

Technical gap assessment against your target SL

  • Zones and conduits architecture review (62443-3-2)

  • Security-level gap assessment against 62443-3-3

  • Passive assessment of the live ICS; active testing only on a replica or during an agreed maintenance window

  • Report mapped to the SOCI Act CIRMP and the AESCSF

  • Remediation guidance an engineer can hand to a controls vendor

Out of scope, we refer

Certification, safety, and product SDLC

  • Formal IEC 62443 certification

    Issued by accredited certification bodies. We produce the evidence; they certify.

  • Product supplier certification (62443-4-1)

    Secure development lifecycle audit for vendors. Different track.

  • Functional safety (IEC 61508 / 61511, SIL)

    Refer to functional safety engineers. We flag the interface, not the SIL rating.

  • Full CIRMP authoring and programme management

    GRC consultancies and internal risk teams.

Matt Breuillac, founder of Cyber Node

Why an engineer assesses your plant

Matt Breuillac, MIEAust

Chemical and process engineer turned cybersecurity specialist. Shell Prelude FLNG, Albemarle Kemerton lithium hydroxide, AREVA nuclear, Kazakhstan ISL uranium. An IEC 62443 assessment of a live process plant is a safety conversation as much as a security one, and that is a hard thing to lead if you have never stood on the deck plate.


IEC 62443 FAQ

Common questions

Yes. The IEC 62443 series has been adopted as AS IEC 62443, Australia's national standard for the cybersecurity of industrial automation and control systems. It is the framework Australian critical infrastructure operators are expected to align OT security to, alongside the SOCI Act and, for energy, the AESCSF.

IEC 62443 is one of the recognised frameworks an entity can use to meet the cyber hazard requirements of a Critical Infrastructure Risk Management Program under the SOCI Act. It does not replace the CIRMP itself. Cyber Node writes assessment reports so the same evidence supports IEC 62443, the SOCI Act, and AESCSF where all three apply. See the OT capability page.

Yes. Passive assessment is the default posture on a live production environment. Architecture review, configuration review, and traffic analysis happen without active probing. Active testing only runs against a test bench, an air-gapped replica, or during a planned maintenance window agreed in writing with the operator.

IEC 62443 is an international standard for the technical security architecture and lifecycle of industrial control systems. The AESCSF is an Australian energy-sector maturity framework run through AEMO. They overlap. IEC 62443 gives you the technical zone, conduit, and security-level design; the AESCSF gives you the sector maturity target. Cyber Node assesses against both.

No. Formal IEC 62443 certification is issued by accredited certification bodies, not by Cyber Node. We deliver the technical gap assessment and architecture validation against your target security level, then the report your certification body or auditor needs. Product supplier certification under 62443-4-1 and 4-2 is also a referral.

IEC 62443 engagement

Validate the architecture, not the binder

Talk to the lead engineer about your site, your zones, and your target security level. Fixed-price proposal within 48 hours of the scoping call.