Why IEC 62443 Is Quickly Becoming Required for Industrial Vendors

Industrial manufacturers are changing how they evaluate vendors. Cybersecurity is no longer treated as a feature or a future improvement. It is now a procurement requirement and a condition for trust. As a result, IEC 62443 is rapidly becoming the baseline standard manufacturers use to decide which vendors remain on approved vendor lists.

What Are the Driving Factors Behind IEC 62443 Adoption?

This shift is not driven by vendors. Multiple forces are converging at once:

  • Boards now view cybersecurity as a business risk
  • Insurers are tightening coverage requirements
  • Governments are increasing expectations around software supply chain security
  • Manufacturers are under sustained pressure from cyberattacks, insurers, regulators and their boards of directors

Trust in Vendor Security Claims Has Eroded

For years, industrial vendors relied on informal assurances such as “secure by design” or “we’ve never had an incident.” That approach no longer works. Manufacturers are frequent targets of ransomware, phishing and malware, and many attacks exploit weaknesses in vendor software.

Business Consequences of Cyberattacks

When incidents occur, manufacturers bear the consequences. They face downtime, financial losses, safety risks and regulatory scrutiny. As a result, customers now demand evidence of how products are built and maintained, not verbal promises.

New Regulatory Requirements

In Europe, the Cyber Resilience Act (CRA) introduces mandatory security requirements for connected products. In the United States, Executive Order 14028 raises expectations for secure software development. Federal agencies such as CISA reference IEC 62443 as a baseline framework for industrial cybersecurity.

Manufacturers are responding by evaluating vendors not just on functionality, but on secure development practices.

What IEC 62443 Actually Does

IEC 62443 is not a product feature or a software package. It is a framework that defines how industrial products should be designed, built, tested and maintained securely.

For product vendors, it emphasizes secure development lifecycle practices such as threat modeling, secure coding, formal reviews, vulnerability handling, controlled build environments and patch management. It also defines the security capabilities products are expected to support, including authentication, secure updates and communication integrity.

Most importantly, IEC 62443 replaces assumptions with documented, auditable processes.

The Cost of Waiting

Ignoring IEC 62443 rarely causes immediate failure. Instead, the impact appears during procurement reviews. Security questionnaires become harder to answer. Approval cycles slow. Contract language becomes more restrictive. Over time, approved vendor lists shrink.

Vendors who can demonstrate IEC 62443-aligned practices maintain market access. Those who cannot face a growing risk of exclusion.

Getting Started

Adopting IEC 62443 typically takes 12 to 24 months and requires changes to development processes, documentation and training. It is not a quick fix.

Manufacturers are no longer asking if cybersecurity matters. They are deciding which vendors they can trust. IEC 62443 is quickly becoming the common language used to make that decision.