IEC 62443 vs. ISO 21434

Reading time: 4 minutes - Difficulty: Advanced
While IEC 62443 is the standard that dictates best practices for cybersecurity of industrial automation and control systems, ISO 21434 addresses the automotive market. Let us take a look at the common features and differences between the two cybersecurity frameworks.

IEC 62443: history and directions for Operational Technology

IEC 62443 is the international standard for cybersecurity in industrial control systems, which is the set of best practices geared toward the world of factory automation.

The standard was created 20 years ago by the SP99 committee established by ISA, International Society Automation & Control. It was later revised and adopted by IEC, the International Electrotechnical Commission, from which it takes its original name ISA 99/IEC 62443; today known simply as IEC 62443.
The standard stipulates that the lifecycle of industrial automation and control systems has three phases:

  • Assess
  • Implement
  • Maintain

The entire lifecycle of OT systems (Operational Technology, including, for example, DCS, SCADA, HMI and IIoT systems) includes an initial phase of OT cyber security assessment and vulnerability investigation, touches on the implementation phase of cyber security countermeasures, and suggests how to maintain security performance against cyber threats over time.

ISO 21434: origin and lifecycle of Automotive security

ISO 21434 sets out the requirements for the cybersecurity management system for newly approved smart vehicles.

Linked to UNECE Regulation No. 155, the standard is the work of the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE); hence it is called ISO/SAE 21434 – Road Vehicles Cybersecurity Engineering.


The need to protect the automotive market from cyber attacks, as is the case in many other contexts, stems from the fact that breaches to servers, remote access applications, or infotainment systems are rapidly growing, impacting the security and functionality of vehicles, and, consequently, the safety of property or people.

The lifecycle, for the purposes of the ISO 21434 management system, outlines the importance of organizational aspects to ensure the cybersecurity of end products, following the diagram above.

Do you want to contribute to our page?

Follow us on Linkedin

When to apply IEC 62443 vs. ISO 21434

As mentioned, IEC 62443 refers to industrial automation and control systems, IACS (Industrial Automation and Control System) to be precise. We are talking about Operational Technology, technologies that interface with operational processes, including the aforementioned industrial devices such as PLCs, HMIs and SCADAs.


On the contrary, the following fall within the categories of components covered by ISO 21434:

  • Gateway
  • Infotainment systems
  • Sensors
  • Cameras
  • Security systems
  • Communication systems in general


On the other hand, the following are deemed parts of the interface, and so are outside the scope of the standard:

  • External storage devices
  • Back-end servers
  • Connectivity systems
  • Diagnostic and maintenance applications


Different standards may be applied in this case, again IEC 62443, or ISO 27001, or NIST.