Navigating the evolving cybersecurity landscape
The NIS2 Directive addresses the growing cybersecurity risks facing EU member states. It introduces a risk-based framework with stricter requirements for incident reporting, supply chain oversight, and business continuity. Non-compliance can result in significant penalties, making it crucial for industrial organizations to implement mature, auditable security programs.
IEC 62443 is the global standard for securing Industrial Automation and Control Systems (IACS). Originally developed by the International Electrotechnical Commission (IEC) in partnership with the International Society of Automation (ISA), the framework provides comprehensive guidance for asset owners, service providers, system integrators, and component manufacturers. It outlines a layered defense approach that is particularly effective for securing networks, systems, and remote access channels.
Key components of IEC 62443 for remote access security
The IEC 62443 series includes several essential standards:
- IEC 62443-2-1: Establishes cybersecurity risk management programs and incident response planning for asset owners.
- IEC 62443-2-4: Defines security requirements for service providers, including secure design, deployment, maintenance, and remote access.
- IEC 62443-3-2: Guides organizations through risk assessment and establishing necessary security levels.
- IEC 62443-3-3: Details mandatory technical security controls, including those specific to remote access.
- IEC 62443-4-1 / 4-2: Focuses on secure product development and component-level security.
These standards work together to ensure end-to-end accountability across the OT cybersecurity lifecycle.
How IEC 62443 aligns with NIS2 requirements
The tables below outline how key components of IEC 62443 map to specific NIS2 security obligations. This practical alignment supports a structured approach to compliance:
1. Risk management & Security measures
NIS2 requirement: implement risk-based security measures.
IEC Standard | Description |
---|---|
IEC 62443-2-1 | Outlines cybersecurity risk management programs. |
IEC 62443-3-2 | Helps assess risk and define security levels for industrial systems. |
IEC 62443-4-2 | Provides security requirements for individual components. |
2. Supply chain security
NIS2 requirement: ensure cybersecurity in the supply chain.
IEC Standard | Description |
---|---|
IEC 62443-2-4 | Defines security requirements for service providers (e.g., integrators, vendors). |
IEC 62443-4-1 | Establishes secure product development practices. |
IEC 62443-3-3 | Defines system and network security controls. |
3. Incident reporting & response
NIS2 requirement: incident notification to national authorities within 24 hours (initial report) and 72 hours (detailed report).
IEC Standard | Description |
---|---|
IEC 62443-2-1 | Requires asset owners to have incident response and recovery plans. |
IEC 62443-2-4 | Requires service providers to have incident response and recovery plans. |
4. Access control & Identity management
NIS2 requirement: enforce strong access controls and identity management.
IEC Standard | Description |
---|---|
IEC 62443-3-3 | Enforces security controls for systems and networks. |
IEC 62443-4-2 | Provides security requirements for individual components. |
5. Business continuity & Resilience
NIS2 requirement: ensure operational continuity during cyber incidents.
IEC Standard | Description |
---|---|
IEC 62443-2-1 | Requires backup, disaster recovery, and business continuity planning for IACS environments by Asset Owners. |
IEC 62443-2-4 | Requires backup, disaster recovery, and business continuity planning for IACS environments by Service Providers. |
Practical IEC 62443 & NIS2 mapping for industrial remote access
To effectively secure industrial remote access, organizations can directly map IEC 62443 practices to specific NIS2 directives. Key mappings include:
Chapter | Category | Measure | NIS2 Article 21 | IEC62443-2-1 | IEC62443-2-4 | IEC62443-3-3 |
---|---|---|---|---|---|---|
3.1 | Access controls | Ensure the strength of authentication is appropriate | (g) basic cyber hygiene practices and cybersecurity training; | USER1.11 | SP.09.05 | SR1.7 |
3.2 | Access controls | Use Multi-Factor Authentication | (j) the use of Multi-Factor Authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate. | USER1.9 | SP.03.07 RE(1) | SR1.1 RE(2) |
3.3 | Access controls | Change of authentication credentials initially | (g) basic cyber hygiene practices and cybersecurity training; | USER1.1 | SP.09.07 | SR1.5 |
3.4 | Access controls | Implement authentication procedures based on least privilege principle | (i) human resources security, access control policies and asset management; | USER1.5 | SP.03.08 | SR2.1 |
3.5 | Access controls | Require the reset of authentication credentials and the blocking of users after a predefined number of unsuccessful log-in attempts | (g) basic cyber hygiene practices and cybersecurity training; | USER1.15 | ---- | SR1.11 |
3.6 | Incident handling | Use tools to monitor and log activities | (b) incident handling; | EVENT1.6 | SP.08.02 | SR2.8 |
3.7 | Access controls | Ensure that the service provider obtains approval from the asset owner prior to using each and every remote access connection | (g) basic cyber hygiene practices | NET3.2 | SP.07.04 | SR1.13 RE(1) |
3.8 | Network security | Network segmentation | (e) security in network and information systems acquisition | NET1.1 | SP.03.02 RE(2) | SR5.1 SR5.2 (with RE) |
3.9 | Network security | Security patch management | (g) basic cyber hygiene practices | COMP3.2 | SP11.xx | ---- |
3.10 | Network security | Deactivate unneeded connections and services | (g) basic cyber hygiene practices | COMP1.1 | SP.03.05 | SR7.7 |
3.11 | Network security | Protection against unauthorized software | (g) basic cyber hygiene practices | COMP2.1 | SP.10.05 | SR3.2 |
3.12 | Network security | Allow access to the network only to authorized devices | (e) security in network and information systems acquisition | USER1.19 | SP.03.08 RE(3) | SR1.2 |
3.13 | Policies & Procedures | Establish, implement and apply a policy and procedures related to cryptography | (h) policies and procedures regarding the use of cryptography and, where appropriate, encryption; | DATA1.5 | SP.07.04 RE(1) | SR4.3 |
3.14 | Policies & Procedures | Applications used in the automation solution are commonly accepted by both the security and industrial automation communities | (g) basic cyber hygiene practices | ---- | SP.07.01 | ---- |
3.15 | Policies & Procedures | Provide detailed instructions for the installation, configuration, operation, and termination of the remote access | (g) basic cyber hygiene practices | NET3.2 | SP.07.02 | SR1.13 |
3.16 | Policies & Procedures | Regularly review the identities and, if no longer needed, deactivate | (g) basic cyber hygiene practices | USER1.2 | SP.09.03 | SR1.3 |
3.17 | Policies & Procedures | Maintain policies for management of privileged and system administration accounts | (i) human resources security, access control policies and asset management; | USER1.1 | SP.09.01 | SR1.3 |
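Measures 3.5 and 3.6 above name a control without showing what it looks like in practice. The sketch below is an added example (it is not code from this post, from HMS Networks or from Ewon): a minimal account-lockout policy that blocks a user after a predefined number of failed log-ins within a sliding window, refuses even a correct credential until an administrative credential reset, and writes one structured audit record per decision so the activity can be monitored and forwarded. The threshold (5 attempts), the window (15 minutes), the user name and the event names are all assumptions chosen for the illustration.

```python
"""Added example: lockout-after-N-failures with audit logging (IEC 62443-style
measures 3.5 and 3.6). Not from the original post or any HMS/Ewon product."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import json

# Assumed policy parameters (not stated in the post): lock after 5 failures
# that fall inside a 15-minute sliding window.
MAX_FAILED_ATTEMPTS = 5
FAILURE_WINDOW = timedelta(minutes=15)


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked: bool = False
    reset_required: bool = False


class LockoutPolicy:
    """Tracks failed log-ins per user, locks the account at the threshold,
    and appends one JSON audit record per decision (e.g. for a SIEM)."""

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS, window=FAILURE_WINDOW):
        self.max_attempts = max_attempts
        self.window = window
        self.accounts = {}
        self.audit = []  # JSON lines, newest last

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def _log(self, now, event, user, **fields):
        record = {"ts": now.isoformat(), "event": event, "user": user, **fields}
        self.audit.append(json.dumps(record, sort_keys=True))

    def record_attempt(self, user, credential_valid, now):
        """Returns 'ok', 'denied' or 'locked'. The clock is passed in so the
        behaviour is deterministic and testable."""
        st = self._state(user)
        if st.locked:
            # A correct credential is still rejected until a reset happens.
            self._log(now, "login_rejected_locked", user)
            return "locked"
        if credential_valid:
            st.failures.clear()
            self._log(now, "login_success", user)
            return "ok"
        # Drop failures that fell out of the window, then count this one.
        st.failures = [t for t in st.failures if now - t <= self.window]
        st.failures.append(now)
        self._log(now, "login_failure", user, failed_count=len(st.failures))
        if len(st.failures) >= self.max_attempts:
            st.locked = True
            st.reset_required = True
            self._log(now, "account_locked", user, threshold=self.max_attempts)
            return "locked"
        return "denied"

    def reset_credentials(self, user, now):
        """Administrative credential reset: the only way out of a lockout."""
        st = self._state(user)
        st.failures.clear()
        st.locked = False
        st.reset_required = False
        self._log(now, "credentials_reset", user)

    def locked_users(self):
        return sorted(u for u, s in self.accounts.items() if s.locked)


def demo():
    """Constructed attempt sequence for the hypothetical user 'maint-vendor';
    returns the decisions and the audit trail."""
    policy = LockoutPolicy()
    t0 = datetime(2025, 1, 1, 8, 0, tzinfo=timezone.utc)
    decisions = []
    # Five wrong passwords one minute apart: the fifth triggers the lockout.
    for i in range(5):
        decisions.append(policy.record_attempt("maint-vendor", False, t0 + timedelta(minutes=i)))
    # A correct password while locked is still refused.
    decisions.append(policy.record_attempt("maint-vendor", True, t0 + timedelta(minutes=6)))
    # After the asset owner resets the credential, log-in works again.
    policy.reset_credentials("maint-vendor", t0 + timedelta(minutes=30))
    decisions.append(policy.record_attempt("maint-vendor", True, t0 + timedelta(minutes=31)))
    return decisions, policy.audit


def window_demo():
    """Four old failures plus one outside the window must not lock the account."""
    policy = LockoutPolicy()
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    for i in range(4):
        policy.record_attempt("operator", False, t0 + timedelta(minutes=i))
    return policy.record_attempt("operator", False, t0 + timedelta(minutes=20))


if __name__ == "__main__":
    decisions, audit = demo()
    print(decisions)
    print("\n".join(audit))
```

The point of routing every decision through `_log` is that the lockout (3.5) and the monitoring (3.6) share one evidence trail: an auditor can see the failure count climb, the lock event, the rejected attempt during the lock, and the reset that ended it, each with a timestamp.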
Conclusion
Aligning IEC 62443 with the NIS2 Directive provides a robust framework for securing industrial remote access. With its standards-aligned architecture, Ewon by HMS Networks offers a practical and secure way for industrial organizations to implement these requirements—supporting regulatory compliance, reducing cybersecurity risk, and ensuring operational continuity.
In Part 3, we’ll dive into practical implementation: How to configure Ewon remote access services to meet NIS2 and IEC 62443 requirements.
Stay tuned!