title: IEC 62443
IEC 62443 Industrial Cybersecurity
IEC 62443 is the international standard series for cybersecurity in industrial automation and control systems (IACS). Vigo maps 37 of the system requirements (SRs) defined in IEC 62443-3-3, grouped under its 7 foundational requirements (FRs), and targets the IT infrastructure that surrounds OT environments: MES servers, historian databases, jump hosts, and network switches.
Coverage Summary
| Foundational Requirement | Name | Requirements |
|---|---|---|
| FR 1 (IAC) | Identification and Authentication Control | 8 |
| FR 2 (UC) | Use Control | 7 |
| FR 3 (SI) | System Integrity | 7 |
| FR 4 (DC) | Data Confidentiality | 2 |
| FR 5 (RDF) | Restricted Data Flow | 4 |
| FR 6 (TRE) | Timely Response to Events | 2 |
| FR 7 (RA) | Resource Availability | 7 |
Quick Start
```bash
cp example-configs/stockpile/modules/compliance/iec-62443/*.vgo.example /srv/vigo/stockpile/modules/
for f in /srv/vigo/stockpile/modules/iec62443-*.vgo.example; do mv "$f" "${f%.example}"; done
cp example-configs/stockpile/compliance-roles.vgo.example /srv/vigo/stockpile/compliance-roles.vgo
```
Assign the `iec-62443` role to nodes:
```yaml
envoys:
  - match: "*.example.com"
    roles: [iec-62443]
```
Then publish and verify:
```bash
vigocli config publish && vigocli report iec62443
```
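The copy-and-rename steps above, written as a reusable shell function that is safe to run more than once. This is an added example and not part of Vigo or its example-configs: it takes the source and destination directories as parameters instead of the fixed /srv/vigo paths, strips the `.example` suffix, and refuses to overwrite a `.vgo` that already exists so a locally edited module is not clobbered by a re-run. The function and variable names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Vigo's own tooling): idempotent install of *.vgo.example
# module files. Directory paths are parameters; nothing is hard-coded.
set -eu

# install_vgo_examples SRC DST
# Copies SRC/*.vgo.example to DST/<name>.vgo, never overwriting an existing
# .vgo. Prints one line per module; returns 1 if SRC held no example files.
install_vgo_examples() {
  src=$1; dst=$2; count=0
  mkdir -p "$dst"
  for f in "$src"/*.vgo.example; do
    [ -e "$f" ] || continue                 # glob matched nothing
    name=$(basename "$f" .example)          # iec62443-x.vgo.example -> iec62443-x.vgo
    if [ -e "$dst/$name" ]; then
      printf 'kept %s (already present, not overwritten)\n' "$name"
    else
      cp "$f" "$dst/$name"
      printf 'installed %s\n' "$name"
    fi
    count=$((count + 1))
  done
  [ "$count" -gt 0 ]
}

# count_installed DST PREFIX
# Prints how many PREFIX*.vgo files DST now contains (a post-install check).
count_installed() {
  n=0
  for f in "$1"/"$2"*.vgo; do
    if [ -e "$f" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Usage (assumed paths, matching the Quick Start layout):
#   install_vgo_examples example-configs/stockpile/modules/compliance/iec-62443 /srv/vigo/stockpile/modules
#   count_installed /srv/vigo/stockpile/modules iec62443-
```

Running the function a second time reports every module as `kept`, so a re-run after a Vigo upgrade cannot silently revert local edits; compare the shipped example against the installed copy with `diff` when you do want to pick up upstream changes.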
Generating Reports
```bash
vigocli report iec62443
vigocli report iec62443 --format html --output iec62443-report.html
```
Pre-Built Modules
Five modules cover IEC 62443 enforcement for IT infrastructure around OT:
| Module | Controls | Purpose |
|---|---|---|
| iec62443-zone-segmentation | SR 5.1–5.4 | Zone-based firewall rules, IP forwarding disabled, anti-spoofing |
| iec62443-access-control | SR 1.1–1.10, SR 2.1–2.2 | SSH hardening, PAM password policies, account lockout, MFA |
| iec62443-system-integrity | SR 3.1–3.9 | AIDE file integrity, ClamAV, USB blacklist, session timeout |
| iec62443-audit-logging | SR 6.1–6.2, SR 2.8–2.12 | auditd rules, log rotation, NTP sync, retention |
| iec62443-availability | SR 7.1–7.8, SR 4.1, SR 4.3 | Resource limits, backups, disk monitoring, inventory |
The SR ranges are module labels rather than exhaustive lists: SR 7.5 (Emergency Power) falls inside SR 7.1–7.8 but is listed under Controls Not Covered, and the per-FR counts in the Coverage Summary are the authoritative tally of enforced requirements.
Security Levels
IEC 62443 defines four security levels (SL 1–4). Vigo modules enforce SL 2–3 controls for IT infrastructure:
| Level | Target | Vigo Coverage |
|---|---|---|
| SL 1 | Casual or coincidental violation | Baseline SSH hardening, login banners, service disabling |
| SL 2 | Intentional violation using simple means, low resources and generic skills | Zone firewalls, PAM policies, auditd, AIDE, session timeouts |
| SL 3 | Intentional violation using sophisticated means, moderate resources and IACS-specific skills | MFA, strong crypto, USB blacklisting, immutable audit logs |
| SL 4 | Intentional violation using sophisticated means, extended resources and high motivation | Not enforced by software alone; requires hardware security modules and physical controls |
Key Capabilities for Industrial Environments
| IEC 62443 Need | Vigo Implementation |
|---|---|
| Zone and conduit model | nftables modules with per-zone CIDRs via vars |
| Asset inventory | 25 trait collectors, fleet-wide live query |
| Patch management | Package executor, fleet-wide task dispatch |
| Access control | SSH hardening, PAM modules, account lockout, MFA |
| System integrity | AIDE FIM, ClamAV, USB blacklist, kernel hardening |
| Audit trail | auditd rules, tamper-evident hash chain, configurable retention |
| Backup and recovery | Automated daily config backup, Litestream replication |
| Offline convergence | Agent operates without server connectivity — ideal for air-gapped zones |
| Configuration drift | 15-second convergence cycle, automatic remediation |
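As an added example of the zone and conduit model (not Vigo's module format, whose `.vgo` syntax is not shown on this page), the following shell script renders the host-level nftables ruleset and sysctl settings that the zone-segmentation module row above describes: per-zone CIDRs held in variables, anti-spoofing rules that bind each zone's address range to its interface, IP forwarding disabled, and an explicit conduit list as the only permitted inter-zone flows into the host. The zone names, interfaces, CIDRs and the single conduit to port 22 are constructed values for a multi-homed jump host and are assumptions, not settings from the page.

```shell
#!/bin/sh
# Added example (not Vigo's module format): render a default-deny, zone-aware
# nftables ruleset plus sysctl lines for a jump host with one interface per zone.
# All zone, interface and CIDR values below are constructed for illustration.
set -eu

# Constructed zone table, one zone per line: name|interface|cidr
ZONES='enterprise|eth0|10.10.0.0/16
ot|eth1|192.168.100.0/24'

# Constructed conduit table: which zone may reach which local service:
# src_zone|proto|port  (only the enterprise zone may SSH to the jump host)
CONDUITS='enterprise|tcp|22'

# zone_field NAME COLUMN  (2 = interface, 3 = cidr)
zone_field() {
  printf '%s\n' "$ZONES" | awk -F'|' -v n="$1" -v c="$2" '$1 == n { print $c }'
}

# Sysctl lines that stop the host from becoming an unintended conduit
# between its zones (forwarding off, strict reverse-path filtering).
render_sysctl() {
  printf 'net.ipv4.ip_forward = 0\n'
  printf 'net.ipv6.conf.all.forwarding = 0\n'
  printf 'net.ipv4.conf.all.rp_filter = 1\n'
}

# nft ruleset: input chain with policy drop, anti-spoofing per zone, then the
# conduits as the only accept rules for new connections.
render_zone_ruleset() {
  printf 'flush ruleset\n'
  printf 'table inet zones {\n'
  printf '  chain input {\n'
  printf '    type filter hook input priority 0; policy drop;\n'
  printf '    iif "lo" accept\n'
  printf '    ct state established,related accept\n'
  printf '    ct state invalid drop\n'
  # Anti-spoofing: a zone's address range is only valid on that zone's interface.
  printf '%s\n' "$ZONES" | while IFS='|' read -r name iface cidr; do
    printf '    iifname != "%s" ip saddr %s drop comment "antispoof %s"\n' \
      "$iface" "$cidr" "$name"
  done
  # Conduits: the explicitly permitted inter-zone flows into this host.
  printf '%s\n' "$CONDUITS" | while IFS='|' read -r src proto port; do
    printf '    iifname "%s" ip saddr %s %s dport %s accept comment "conduit %s"\n' \
      "$(zone_field "$src" 2)" "$(zone_field "$src" 3)" "$proto" "$port" "$src"
  done
  printf '  }\n'
  printf '}\n'
}

# Usage:
#   render_zone_ruleset > /etc/nftables.conf && nft -c -f /etc/nftables.conf
#   render_sysctl > /etc/sysctl.d/90-zones.conf && sysctl --system
```

Check the rendered file with `nft -c -f` before loading it. The OT zone has no conduit into the host, so OT devices cannot initiate connections to it; the jump host's own sessions into OT are outbound and are not restricted by this input chain, which is the usual split for a jump host sitting between an enterprise zone and an OT zone.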
Offline Convergence for Air-Gapped Environments
IEC 62443 environments frequently include semi-connected or air-gapped zones. Vigo's agent supports offline convergence:
- Agent caches last-known desired state locally
- Continues enforcing policy when the server is unreachable
- Reports results on reconnection with full history
- No data loss during network outages
Adjacent Frameworks
IEC 62443 modules cross-map to related industrial and regulatory frameworks:
| Framework | Overlap | Use Case |
|---|---|---|
| NERC CIP | SR 5.x maps to CIP-005 (Electronic Security Perimeter), SR 6.x to CIP-007 R4 (security event monitoring) | Energy sector |
| NIST 800-53 | Strong overlap on AC, AU, CM, SC, SI families | Federal/defense manufacturing |
| ISO/IEC 27001 | Annex A.9, A.12, A.13 (2013 numbering; restructured in the 2022 edition) map to FR 1, FR 3, FR 5 | International certification |
| FDA 21 CFR Part 11 | Audit trail integrity, access control | Pharmaceutical manufacturing |
| CMMC | Overlaps with NIST 800-171/800-53 controls | Defense industrial base |
Controls Not Covered
| Requirement | Title | Why |
|---|---|---|
| SR 4.2 | Information Persistence | Application-level data retention policies |
| SR 7.5 | Emergency Power | Physical/electrical infrastructure |
| Zone/Conduit design | Network architecture | Organizational design decisions, not software enforcement |
| SL 4 controls | State-sponsored threat resistance | Requires hardware security modules, TEMPEST shielding |