IEC 62443 requires zones, conduits, access control, and authenticated communications for industrial control systems. BlastShield implements all of these natively — through a software overlay that works on your existing OT infrastructure, including legacy devices that can never be patched.
IACS Security Mgmt System
System Security Requirements
Component Security Requirements
IEC 62443 is the international standard series for security in Industrial Automation and Control Systems (IACS). Developed by ISA and adopted by IEC, it provides a comprehensive framework that applies to asset owners, system integrators, and product suppliers across every sector that operates industrial control infrastructure — manufacturing, energy, oil and gas, water, transportation, and beyond.
Unlike NERC CIP (which is mandatory for specific US bulk power entities), IEC 62443 is increasingly referenced by regulators worldwide and required by critical infrastructure operators in Europe, Asia, and the Middle East. It is the de facto language of OT security compliance globally.
The standard's core model — Zones and Conduits — provides the architectural framework for segmenting IACS networks into logical groups of assets with similar security requirements, and controlling all communication between those groups. BlastShield is purpose-built to implement this model.
Security Levels (SL): IEC 62443 defines four Security Levels, from SL1 (protection against casual violations) to SL4 (protection against sophisticated state-sponsored attacks). Most critical infrastructure operators target SL2 — protection against intentional violation by an entity with moderate motivation and skills. BlastShield satisfies SL2 requirements across all applicable Foundational Requirements.
Who adopts IEC 62443? Asset owners building IACS security programs, system integrators responsible for delivering secure ICS solutions, and product suppliers certifying components for critical infrastructure use. If your organization operates, integrates, or supplies industrial control systems, IEC 62443 is your compliance framework.
Protection against casual or coincidental violations; no specific intent to breach the system.
Protection against intentional violation using simple means with low motivation. Most regulatory mandates target this level.
Protection against intentional violation using sophisticated means with moderate resources. Nation-state adjacent.
Protection against intentional violation using highly sophisticated means with extended resources. Nation-state level threat.
CRA compliance for OT operators has two distinct dimensions. BlastShield addresses both.
A logical grouping of assets with the same security level and policy requirements. Assets in a zone can communicate internally without crossing a conduit.
A logical path grouping communications between zones. Every conduit is a controlled access point with defined authentication, encryption, and authorization requirements.
How BlastShield maps to this model: The BlastShield Security Gateway acts as the conduit control point between zones. Assets within a zone communicate through BlastShield's overlay network. Every inter-zone communication is a BlastShield-authenticated tunnel — no credentials, no policy, no tunnel. The Orchestrator defines which users and devices belong to which zone, and which conduits they may traverse. Changes propagate in real time without firewall rule changes or downtime.
IEC 62443-3-3 defines 51 System Security Requirements (SRs) across seven Foundational Requirements (FRs). Below are the SRs most directly addressed by BlastShield.
SR / FR
Requirement
What It Demands
How BlastShield Delivers
SL Coverage
FR 1 · SR 1.1
Human User Identification & Authentication
Identify and authenticate all human users before access
All human users must be uniquely identified and authenticated prior to access. At SL2+, MFA is required.
BlastShield Authenticator provides phishing-resistant passwordless MFA — biometric + QR challenge-response + device keystore. Every human user is cryptographically identified before establishing any tunnel. No passwords exist to steal.
SL2 / SL3
FR 1 · SR 1.2
Software Process and Device Identification & Authentication
Identify and authenticate software processes and devices
Automated processes and devices must be authenticated before they can access IACS components.
BlastShield Agents install on servers and endpoints, requiring device-level authentication before any connection is permitted. Non-authenticated devices are invisible and unreachable — they cannot initiate or receive IACS communications.
SL2
FR 2 · SR 2.1
Authorization Enforcement
Enforce authorization on all access to IACS components based on least-privilege principles
Grant each user or process only the minimum access necessary. Deny access to everything else. Role-based and/or attribute-based access control.
The BlastShield Orchestrator enforces least-privilege access at the application and device level. Each user or role is explicitly mapped to the specific PLCs, HMIs, SCADA systems, or other IACS components they require. Attempting to reach anything outside that scope returns no response — the target is invisible to unauthorized requestors.
SL2 / SL3
FR 2 · SR 2.1
Remote Session Termination
Terminate remote sessions after inactivity or upon demand
Automatic session termination after configurable inactivity period. Ability to manually terminate active sessions.
BlastShield sessions respect configurable timeout and termination policies. Administrators can terminate any active session from the Orchestrator console immediately. BlastAccess session recording captures all activity up to the moment of termination for forensic completeness.
SL2
FR 3 · SR 3.1
Communication Integrity
Protect the integrity of transmitted information
Ensure that data in transit between IACS components or between users and IACS components is protected from unauthorized modification.
All BlastShield tunnels use strong authenticated encryption. Point-to-point tunnels guarantee that data in transit cannot be intercepted or modified — even on the same flat Layer 2 network segment. This is particularly critical for legacy OT protocols that offer no native encryption.
SL2 / SL3
FR 3 · SR 3.3
Security Functionality Verification
Verify that security functions perform as intended
Provide mechanisms to verify that security controls are operating correctly. Generate audit records sufficient to verify security function behavior.
The BlastShield Orchestrator provides real-time visibility into access policy state, active sessions, authentication events, and access denials. All events are logged. Periodic policy reviews and access reports are available for compliance verification without relying on network packet capture.
SL2
FR 5 · SR 5.1
Network Segmentation
Segment the IACS network from other networks using boundary protection devices
Implement zones with controlled conduits. Deny all inter-zone traffic not explicitly authorized. Protect against unauthorized access originating from external networks or adjacent zones.
BlastShield's software-defined segmentation creates cryptographic zone boundaries without hardware changes. Layer 2 and Layer 3 segmentation prevents lateral movement within and between zones. A compromised device in Zone A cannot probe, reach, or affect Zone B — even on the same physical network segment.
SL2 / SL3
FR 5 · SR 5.2
Zone Boundary Protection
Monitor and control communications at zone boundaries
Implement controls that monitor traffic crossing zone boundaries. Block disallowed communications. Provide alerting on anomalous boundary activity.
The BlastShield Security Gateway is the enforcement point for every zone boundary. It permits only authenticated, authorized tunnel connections. All other inbound traffic — scans, probes, unauthenticated protocol requests — is silently dropped. Every crossing attempt (permitted or denied) is logged.
SL2
FR 5 · SR 5.4
Application Partitioning
Partition applications and services to limit the scope of a security incident
Separate safety-critical functions from non-critical functions. Ensure that compromise of one application cannot directly affect another.
BlastShield's microsegmentation enables application-level isolation. Each IACS function — safety controllers, historian, SCADA, engineering workstation — can be assigned to its own logical zone with independent access policies. A compromise of the historian cannot be leveraged to access the safety controller, even if they share a physical network.
SL2 / SL3
FR 4 · SR 4.1
Information Confidentiality
Protect the confidentiality of information at rest and in transit
Prevent unauthorized disclosure of IACS-related information during transmission and storage.
All BlastShield communications are encrypted end-to-end. There are no plaintext credentials, no unencrypted control traffic between zones, and no exposed management interfaces. Network Cloaking ensures that even asset existence is not disclosed to unauthorized parties.
SL2
The hardest part of IEC 62443 compliance isn't the architecture — it's the 15-year-old PLCs and RTUs at the center of it. BlastShield protects these assets without requiring any changes to them.
Legacy IACS components with known, unpatched CVEs are isolated in their own zone with a BlastShield boundary. The vulnerabilities exist — but they are never reachable. No scan can find them. No exploit can land on them.
The BlastShield Security Gateway protects assets that cannot run any software — old PLCs, embedded controllers, proprietary hardware. The gateway handles authentication and access control on behalf of the protected device.
IEC 62443 requires security without compromising availability. BlastShield deploys as a software overlay — no IP changes, no production outages, no firewall rule migrations. Zones and conduits are live in hours, not months.
IEC 62443 requires that remote access to IACS components travel through a defined, authenticated conduit. BlastShield's SRA solution implements exactly this — a verified, encrypted, least-privilege conduit for every remote maintenance session, with session recording.
Unlike NERC CIP, which applies to a specific regulated sector, IEC 62443 is the security standard for any organization operating industrial automation and control systems.
Our European compliance specialists help OT operators develop a defensible compensating control architecture that addresses both CRA and NIS2 — before enforcement deadlines arrive.
Privacy Policy | Cookie Policy | © 2025 BlastWave, Inc. All Rights Reserved
This website uses cookies to ensure you get the best experience. More Info