Regulatory Toolkit

IEC 62443
IACS Security Tabletop Exercise Toolkit

The international standard for Industrial Automation and Control System (IACS) security explicitly requires incident response testing. Map your exercises to IEC 62443-2-1 Clause 4.3.3, Security Levels 1–4, and the 7 Foundational Requirements — with automated evidence generation built in.


⚠️ This toolkit is an educational resource for exercise program design. Skyhigh Cybersecurity does not provide IEC 62443 certification, formal assessment, or conformity testing services. Engage an accredited certification body for official IEC 62443 certification requirements.

Standard Series: 4
Security Levels: SL 1–4
Foundational Requirements: 7
IR Testing Requirement (2-1 §4.3.3): Explicit
IEC 62443 — Structure & IACS Applicability
IEC 62443 is the definitive international standard series for securing Industrial Automation and Control Systems (IACS). Unlike most cybersecurity frameworks, it explicitly mandates incident response testing — making tabletop exercises a compliance requirement, not just best practice.
Four-Series Standard Structure
Series 1 — General: Concepts, terms, and security metrics.
Series 2 — Policies & Procedures: Targets Asset Owners and OSSPs (Operation Service & Support Providers). Includes the explicit IR testing requirement.
Series 3 — System: IACS security risk assessment and system-level requirements (SL 1–4).
Series 4 — Component: Technical requirements for IACS components and software.
Who Must Comply
IEC 62443 applies to any organization operating Industrial Automation and Control Systems — including: oil & gas refineries, chemical plants, power generation and transmission, water and wastewater treatment, pharmaceutical manufacturing, food & beverage production, and any ICS/SCADA operator. OSSPs (MSSPs providing OT services) are governed by IEC 62443-2-4.
§4.3.3 — The Explicit Tabletop Requirement
IEC 62443-2-1, Clause 4.3.3 (Incident Response and Recovery Planning) requires that IACS operators establish incident response procedures AND periodically test them. This is one of the few international cybersecurity standards that makes exercise testing an explicit, auditable compliance requirement — not merely recommended practice.
Security Levels (SL) — Exercise Targeting
IEC 62443-3-3 defines four Security Levels based on the sophistication of the threat actor. Design tabletop exercises to match your target SL for each IACS zone or conduit.
SL 1
Casual / Unintentional
Protection against accidental or unintentional violations. Covers basic operator errors, misconfiguration, and opportunistic malware.
→ Ransomware from phishing, misconfigured HMI, accidental data modification
SL 2
Intentional — Simple Means
Protection against intentional violation using simple means with low resources and general IACS knowledge.
→ Insider threat, contractor credential abuse, basic OT network scanning
SL 3
Intentional — Sophisticated
Protection against sophisticated attacks using IACS-specific knowledge, moderate resources, and IACS skills.
→ Nation-state SCADA targeting, PLC logic manipulation, targeted supply chain attack
SL 4
Intentional — State-Level
Protection against sophisticated state-sponsored attacks with extended resources, advanced IACS skills, and high motivation.
→ Safety system manipulation, multi-site coordinated attack, critical national infrastructure targeting
IEC 62443 Requirements Mapping
Skyhigh tabletop exercises map across multiple IEC 62443 parts and Foundational Requirements (FRs).
Standard Part / Clause | Requirement Description | Coverage | Skyhigh Evidence
2-1 §4.3.3 | Incident Response and Recovery Planning — requires periodic testing of IR procedures | Core | Every tabletop exercise IS the §4.3.3 test. Dated AAR + evidence package = audit artifact
2-1 §4.2.3 | Risk Assessment — identify and evaluate IACS cybersecurity risks | Supporting | AAR gap analysis maps to risk register; scenario selection validates risk prioritisation methodology
2-1 §4.3.4 | Business Continuity Planning — maintain operations during and after cyber events | Direct | BC/DR scenarios test manual operations fallback; recovery timeline evidence for auditors
2-4 SP.03.01 | Incident Management for OSSPs / service providers — MSSP-specific incident handling requirements | Direct | MSSP-client exercises using per-client portal; SLA fulfillment evidence via client-agreements module
3-2 Security Risk Assessment | Scenario-based risk assessment for IACS zones and conduits | Supporting | Scenario library covers zone-based and conduit threats; MITRE ATT&CK for ICS mapping
3-3 FR 6 — Timely Response | IACS shall respond to events in a timely manner (SL 1–4 metric varies) | Core | MTTD/MTTR metrics captured per step; response time evidence against SL-appropriate benchmarks
3-3 FR 7 — Resource Availability | IACS shall be available when needed; protection against DoS and resource exhaustion | Direct | Availability and BC/DR scenarios test recovery procedures; downtime impact analysis in AAR
3-3 FR 1, FR 2, FR 5 | ID & Auth Control (FR 1); Use Control (FR 2); Restricted Data Flow / Zone Integrity (FR 5) | Supporting | Scenarios test credential abuse (FR 1), privilege escalation (FR 2), and lateral movement across zones (FR 5)

FR = Foundational Requirement per IEC 62443-3-3. §2-1 refers to IEC 62443-2-1 (Policies & Procedures for Asset Owners).

How Skyhigh Supports IEC 62443 Compliance
§4.3.3 IR Testing — Built In
Every Skyhigh tabletop exercise constitutes a dated, documented §4.3.3 incident response test. The auto-generated AAR, timestamped session log, and evidence package are designed to satisfy IEC 62443-2-1 audit requirements. No additional documentation layer needed — the platform generates audit artifacts automatically.
§4.3.3 Evidence · Dated AAR · Session Log · Audit Package
IACS-Specific Scenario Library
Skyhigh's 65+ scenarios include OT/ICS-native scenarios covering Modbus/DNP3/IEC 61850 protocols, PLC/RTU compromise, SCADA remote access abuse, HMI manipulation, and Safety Instrumented System (SIS) tampering — all mapped to the relevant Security Levels and IEC 62443 FRs.
PLC/RTU Scenarios · SCADA Scenarios · SIS Tampering · SL-Tagged
FR 6 Timely Response Evidence
Capture per-step response timestamps automatically. Generate MTTD and MTTR metrics that demonstrate compliance with FR 6 (Timely Response to Events) at your target Security Level. Compare against IEC 62443-appropriate sector benchmarks in the analytics dashboard.
MTTD Capture · MTTR Capture · FR 6 Evidence · SL Benchmarks
IEC 62443 — Scenario Library
These scenarios are designed to test IACS security at specific Security Levels — generating §4.3.3 compliance evidence across FR 1 through FR 7.
SL 2 · FR 1, FR 2
SCADA Remote Access Compromise
A compromised remote access credential from an OEM vendor is used to access the SCADA historian and attempt lateral movement to the DCS. Tests identity & auth control (FR 1) and use control (FR 2).
FR 1 · FR 2 · §4.3.3
SL 3 · FR 3, FR 5
PLC / RTU Firmware Manipulation
Attacker with deep ICS knowledge pushes malicious ladder logic to a substation RTU through a compromised engineering workstation. Tests system integrity (FR 3), data flow control (FR 5), and inter-zone communication.
FR 3 · FR 5 · §4.3.3
SL 3 · FR 5, FR 6
Zone/Conduit Breach — Lateral Movement
An attacker moves from Level 3 (MES) to Level 2 (Control) via an improperly configured conduit. Tests zone & conduit integrity (FR 5), detection of unauthorized cross-zone traffic (FR 6), and incident containment speed.
FR 5 · FR 6 · §4.3.3
SL 3–4 · FR 7
Safety Instrumented System Tampering
A sophisticated actor targets the SIS (Safety Instrumented System) to suppress safety shutdowns during a deliberate process fault. Tests resource availability (FR 7) and response to safety-critical system compromise at SL 3–4.
FR 7 · FR 3 · §4.3.3
2-4 · SP.03.01 — MSSP
Third-Party OSSP Incident Response
An MSSP (OSSP) managing IEC 62443-2-4 compliance exercises its SP.03.01 incident handling procedures with a client whose OT network is under active attack. Tests service provider incident management and client notification SLA.
SP.03.01 · §4.3.3
SL 2 · FR 6, FR 7 · §4.3.4
Industrial Ransomware — OT Impact
Ransomware encrypts the Historian and Engineering workstations. Production continues on manual fallback. Tests timely response (FR 6), resource availability (FR 7), business continuity (§4.3.4), and recovery timeline documentation.
FR 6 · FR 7 · §4.3.3 · §4.3.4
Evidence Artifacts Generated
Skyhigh produces dated, structured artifacts that satisfy IEC 62443-2-1 §4.3.3 audit requirements directly — no manual compilation needed.
§4.3.3 Test Record
Dated, signed-off exercise record — the primary audit artifact for IR testing compliance
FR Coverage Matrix
Map of which Foundational Requirements (FR 1–7) were addressed and which have gaps
FR 6 Response Metrics
Timestamped MTTD/MTTR data demonstrating Timely Response to Events at target SL
Gap Remediation Log
Structured improvement plan from AAR findings — maps to §4.2.3 risk treatment records

Explore the Full Regulatory Toolkit Library

Skyhigh exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.

Start Building Your IEC 62443 Exercise Program

Launch your first §4.3.3-compliant incident response test in under an hour. Free plan available.
