1. Introduction: The Essentiality of Cybersecurity in Industrial Operations
The convergence of Information Technology (IT) and Operational Technology (OT) in modern industry has introduced a new risk vector for operational continuity and safety. Industrial Control Systems (ICS), which include SCADA, PLCs and DCS, are the heart of most manufacturing operations, and their compromise can result in unplanned downtime, significant financial losses, environmental damage and even fatal accidents. The international standard IEC 62443, developed by Technical Committee 65 (TC65) of the International Electrotechnical Commission (IEC) together with the ISA99 committee, establishes a framework for addressing cybersecurity in industrial automation and control systems (IACS).
This article, written from the perspective of maintenance engineering and design, focuses on the application of IEC 62443 to patch management and secure maintenance practices, which are critical elements of operational resilience. Rigorous implementation of these guidelines not only protects digital assets but also supports compliance with Brazilian regulations such as NR-10 (Safety in Installations and Services in Electricity) and NR-12 (Safety at Work in Machinery and Equipment), which depend on the integrity and availability of control systems to guarantee the physical safety of operators and the process.
2. Scope and Applicability: Who and What Must Comply
The IEC 62443 standard is applicable to all industrial control systems, regardless of sector. This includes, but is not limited to, manufacturing, energy, water treatment, petrochemicals, mining, automotive, and food and beverage. In the Brazilian context, any manufacturing facility that uses automation systems needs to apply the principles of IEC 62443 to mitigate cyber risks.
Key components and systems that fall within the scope include:
- Programmable Logic Controllers (PLCs)
- Distributed Control Systems (DCS)
- Supervisory Control and Data Acquisition (SCADA) systems
- Remote Input/Output (I/O) Devices
- Human-Machine Interfaces (HMIs)
- Industrial communication networks (EtherNet/IP, PROFINET, Modbus TCP)
- Servers and workstations that manage or interact with these systems
- Smart field devices (sensors, network-capable actuators)
Compliance is the primary responsibility of facility owners and operators (the asset owner, in IEC 62443 terminology), but it also extends to systems integrators, component suppliers and maintenance, repair and operations (MRO) service providers, who must ensure that their products and practices meet the standard's cybersecurity requirements.
3. IEC 62443 Key Requirements for MRO
IEC 62443 is a series of documents, each covering specific aspects. For MRO, the most relevant parts include IEC 62443-2-3 (Patch Management in IACS Environments), IEC 62443-2-4 (Requirements for IACS Service Providers), and IEC 62443-3-3 (System Security Requirements and Security Levels). The table below summarizes the critical requirements for patch management and secure maintenance:
| Key Requirement | Description | Standard IEC 62443 Reference | Typical Implementation Timeframe |
|---|---|---|---|
| Asset Inventory Management | Maintain an updated inventory of hardware, software, firmware and versions of all IACS, with criticality levels and dependencies. | 2-3, 3-3 | Continuous, with quarterly review |
| Vulnerability Assessment | Systematic process to identify and assess vulnerabilities in IACS, including scanning and analyzing manufacturer reports. | 2-3, 3-3 | Semiannually or according to new threats |
| Patch and Update Management | Formal procedures for acquiring, testing, deploying, and documenting security patches and firmware updates. | 2-3 | Defined by criticality (e.g. critical patches within 7 days of testing) |
| Remote Access Control | Implementation of secure methods for remote access (VPN, MFA) by maintenance teams and external suppliers. | 2-4, 3-3 | Immediate for new accesses; annual review |
| Secure Configuration (Hardening) | Definition and enforcement of secure configuration baselines for all IACS components, removing unnecessary services, accounts and open ports. | 3-3 | At installation; annual review |
| Secure Backup and Recovery | Creating and testing regular backups of IACS configurations, control programs and data, with cyber disaster recovery plans. | 3-3 | Daily/weekly backup; semiannual restore test |
| Supplier/Service Provider Security | Cybersecurity requirements included in contracts with MRO vendors and systems integrators. | 2-4 | When contracting services; annual review |
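As an added example (not part of the original article), the following Python script shows how the first three rows of the table combine in practice: an inventory that records version, zone and criticality, vendor advisories with a "fixed in" version, and a remediation window counted from the day the patch passes testing. Vendors, models, advisory references and the asset list are all constructed; the only rule taken from the text is the 7-day window for critical assets. It also shows why version comparison must be numeric: a lexical comparison declares firmware 2.9.1 newer than 2.10.0 and silently drops the asset from the work list.

```python
"""Added example: turn an asset inventory plus vendor advisories into a dated patch work list.

Inventory, advisories, vendor and model names are all constructed for this example;
the remediation window for critical assets follows the article's "within 7 days of testing".
"""
import re
from datetime import date, timedelta

# Constructed IACS inventory (hypothetical vendors/models). Each asset carries the
# fields the inventory requirement asks for: version, zone, criticality.
INVENTORY = [
    {"id": "PLC-LINE1-01", "vendor": "ExampleAutomation", "model": "PLC-X",
     "firmware": "2.9.1", "zone": "Cell-1", "criticality": "critical"},
    {"id": "PLC-LINE1-02", "vendor": "ExampleAutomation", "model": "PLC-X",
     "firmware": "2.10.0", "zone": "Cell-1", "criticality": "critical"},
    {"id": "HMI-LINE1-01", "vendor": "ExampleAutomation", "model": "HMI-Y",
     "firmware": "4.2", "zone": "Cell-1", "criticality": "high"},
    {"id": "SW-OT-CORE-01", "vendor": "ExampleNet", "model": "SW-Z",
     "firmware": "7.1.3", "zone": "OT-Core", "criticality": "medium"},
]

# Constructed advisories in the shape vendors publish them: every version below
# "fixed_in" is affected. The reference IDs are invented for this example.
ADVISORIES = [
    {"ref": "EXA-ADV-001", "vendor": "ExampleAutomation", "model": "PLC-X", "fixed_in": "2.10.0"},
    {"ref": "EXA-ADV-002", "vendor": "ExampleAutomation", "model": "HMI-Y", "fixed_in": "4.2"},
    {"ref": "EXN-ADV-007", "vendor": "ExampleNet", "model": "SW-Z", "fixed_in": "7.2.0"},
]

# Days allowed between a successful test deployment and the production rollout.
# Only the "critical" value comes from the article; the others are assumed.
PATCH_WINDOW_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def parse_version(version: str) -> tuple:
    """Numeric tuple so that 2.10.0 sorts after 2.9.1; string comparison gets this wrong."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) < parse_version(fixed_in)


def is_affected_naive(installed: str, fixed_in: str) -> bool:
    """The common mistake: lexical comparison. Kept only to show where it fails."""
    return installed < fixed_in


def find_exposures(inventory, advisories, tested_on: str) -> list:
    """Match advisories to inventory; return one finding per affected asset with its deadline.

    tested_on: ISO date on which the patch passed the non-production test.
    """
    test_date = date.fromisoformat(tested_on)
    findings = []
    for asset in inventory:
        for adv in advisories:
            if (asset["vendor"], asset["model"]) != (adv["vendor"], adv["model"]):
                continue
            if not is_affected(asset["firmware"], adv["fixed_in"]):
                continue
            window = PATCH_WINDOW_DAYS[asset["criticality"]]
            findings.append({
                "asset": asset["id"],
                "zone": asset["zone"],
                "advisory": adv["ref"],
                "installed": asset["firmware"],
                "fixed_in": adv["fixed_in"],
                "deadline": (test_date + timedelta(days=window)).isoformat(),
            })
    # Earliest deadline first; ISO dates sort correctly as strings.
    return sorted(findings, key=lambda f: f["deadline"])


if __name__ == "__main__":
    for f in find_exposures(INVENTORY, ADVISORIES, "2024-06-01"):
        print(f"{f['deadline']}  {f['asset']:<14} {f['zone']:<8} {f['advisory']}  "
              f"{f['installed']} -> {f['fixed_in']}")
    # Lexical comparison wrongly reports PLC-LINE1-01 as not affected.
    print("naive check on 2.9.1 < 2.10.0:", is_affected_naive("2.9.1", "2.10.0"))
```

The work list is what the maintenance planner takes into the next maintenance window; an asset that is already at or above the fixed version (PLC-LINE1-02, HMI-LINE1-01) produces no finding, and the deadline is tied to the test date rather than the advisory date, because deploying an untested patch to a running line is itself a non-compliance.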
4. Impact on MRO Operations
The implementation of IEC 62443 requires a transformation in Maintenance, Repair and Operations (MRO) practices. Maintenance is no longer only about physical functionality but also about the integrity and cybersecurity of the systems being maintained.
4.1. Preventive and Predictive Maintenance
Maintenance activities must now incorporate security checks alongside the traditional ones: auditing security logs, verifying firmware integrity against the vendor's published hashes or signatures, confirming that patches were applied correctly and are still in place, and reviewing security configurations against the baseline. Condition monitoring tools must themselves be protected from tampering, and their communications must be authenticated and integrity-protected. For example, the readings of a temperature sensor operating at 120 °C or a pressure sensor monitoring 10 bar must reach the controller unaltered, because a forged reading can drive the process into an unsafe state while the HMI still shows normal values. Classic field protocols such as Modbus TCP carry no authentication of their own, so in practice this protection comes from zone and conduit segmentation and from secure protocol variants (for example OPC UA with message signing) rather than from the protocol alone.
4.2. Acquisition of Spare Parts
The purchasing department must treat cybersecurity as an essential criterion when selecting suppliers and components. Spare parts for IACS must come from trusted sources, with a guarantee of authenticity and, ideally, security certifications (IEC 62443-4-1 for the vendor's development process, IEC 62443-4-2 for the component itself). UNITEC-D GmbH, for example, works with suppliers who follow a secure development life cycle (SDLC) for their products, so that components such as PLCs, I/O modules or HMIs are designed securely from the outset.
4.3. Documentation and Procedures
MRO documentation must be expanded to include:
- Detailed patch management plans, including maintenance windows and rollback plans.
- Standard operating procedures (SOPs) for safe maintenance, including physical and logical access.
- Records of all firmware and software updates, with date, version and person responsible.
- Complete inventory of IACS assets and their security configurations (baselines).
- Cyber incident response plans, integrated with disaster recovery plans.
5. Component and Spare Parts Requirements
Cybersecurity starts at the component level. When purchasing spare parts for IACS, it is essential to consider requirements that go beyond electrical and mechanical functionality. IEC 62443-4-2 (Technical Security Requirements for IACS Components) details these requirements.
Critical components such as PLCs, communication modules, industrial network devices and HMIs must have:
- Secure Boot: To ensure that only authentic, untampered firmware is loaded.
- Data Encryption: To protect data in transit and at rest.
- Strong Authentication: Support for multiple authentication factors for administrative access.
- Secure Firmware Updates: Mechanisms that validate the integrity and authenticity of updates.
- Tamper Detection: Features that detect unauthorized physical access attempts.
- Security Event Recording (Logging): Ability to record events relevant to auditing.
UNITEC-D GmbH understands the criticality of these requirements. We supply components that are certified to recognized standards, ensuring that spare parts do not introduce new vulnerabilities. For example, a 15 kW frequency inverter or a network-capable proximity sensor with a tolerance of ±0.1 mm must be not only reliable in its primary function but also secure: verifiable firmware, an authenticated update path, and a vendor that still publishes security updates. A purely electromechanical part, such as an electric motor specified for an MTBF above 80,000 hours, carries no firmware; for it the requirement reduces to authenticity of supply.
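The firmware integrity check mentioned in section 4.1 and the "Secure Firmware Updates" requirement above are the same control seen from the maintenance side and from the component side. The following Python script is an added example, not code from the article or from any vendor, of the checks an engineering workstation should make before flashing an image: authenticate the manifest, then trust its fields, then compare the image hash, and refuse downgrades to versions with known vulnerabilities. Everything in it is constructed (image bytes, model name, versions, key). Real vendors sign manifests with a private key and devices verify with the vendor's public key; to stay dependency-free this example uses HMAC-SHA256 with a pre-shared verification key as a stand-in for that signature. The order of the checks, not the primitive, is the point.

```python
"""Added example: verify a firmware image against its vendor manifest before installing it.

All data is constructed. HMAC-SHA256 with a pre-shared key stands in for the vendor's
public-key signature so the script runs with the standard library only.
"""
import hashlib
import hmac
import json

VENDOR_VERIFY_KEY = b"constructed-demo-key-not-a-real-vendor-key"


def _canonical(body: dict) -> bytes:
    # Sign a canonical encoding so that field order cannot be used to bypass the check.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(firmware: bytes, model: str, version: str, key: bytes = VENDOR_VERIFY_KEY) -> dict:
    """What the vendor would publish next to the image. Used here only to build test data."""
    body = {"model": model, "version": version, "sha256": hashlib.sha256(firmware).hexdigest()}
    return {"body": body, "sig": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def parse_version(version: str) -> tuple:
    return tuple(int(p) for p in version.split("."))


def verify_firmware(firmware: bytes, manifest: dict, device_model: str,
                    installed_version: str, key: bytes = VENDOR_VERIFY_KEY):
    """Return (ok, reason). Authenticate the manifest first; only then trust its fields."""
    body = manifest.get("body", {})
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), str(manifest.get("sig", "")).encode()):
        return False, "manifest signature invalid; nothing in it can be trusted"
    if body.get("model") != device_model:
        return False, f"image is for {body.get('model')!r}, device is {device_model!r}"
    if parse_version(body["version"]) < parse_version(installed_version):
        return False, f"downgrade {installed_version} -> {body['version']} refused (anti-rollback)"
    digest = hashlib.sha256(firmware).hexdigest()
    if not hmac.compare_digest(digest, body["sha256"]):
        return False, "image hash does not match manifest; file corrupted or tampered in transit"
    return True, f"ok: {device_model} {installed_version} -> {body['version']}"


# Constructed scenario: a PLC running 3.0.2 receives an image claiming to be 3.1.0.
FIRMWARE_IMAGE = b"\x7fELF constructed firmware image for PLC-X 3.1.0"
MANIFEST = make_manifest(FIRMWARE_IMAGE, "PLC-X", "3.1.0")
TAMPERED_IMAGE = FIRMWARE_IMAGE[:-1] + b"\x00"  # one byte changed, e.g. a modified download
# Manifest edited after signing: the version field changed but the signature is stale.
FORGED_MANIFEST = {"body": dict(MANIFEST["body"], version="9.9.9"), "sig": MANIFEST["sig"]}

if __name__ == "__main__":
    cases = [
        ("genuine update", FIRMWARE_IMAGE, MANIFEST, "PLC-X", "3.0.2"),
        ("tampered image", TAMPERED_IMAGE, MANIFEST, "PLC-X", "3.0.2"),
        ("downgrade attempt", FIRMWARE_IMAGE, MANIFEST, "PLC-X", "3.2.0"),
        ("wrong model", FIRMWARE_IMAGE, MANIFEST, "HMI-Y", "1.0.0"),
        ("forged manifest", FIRMWARE_IMAGE, FORGED_MANIFEST, "PLC-X", "3.0.2"),
    ]
    for label, fw, man, model, current in cases:
        ok, reason = verify_firmware(fw, man, model, current)
        print(f"{label:<18} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Two design choices matter in the field. The signature is checked before any field of the manifest is read, so a forged manifest cannot steer the logic (for instance by naming a different model or an inflated version). And the downgrade check protects against an attacker who supplies a genuine, correctly signed, but older and vulnerable image; re-flashing the same version is still allowed, since that is a legitimate recovery step.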
6. Compliance Checklist for Maintenance Managers
This practical checklist can assist maintenance managers and security teams in assessing compliance with IEC 62443, focusing on patch management and maintenance:
- Is there a complete and up-to-date inventory of all IACS assets (hardware, software, firmware, versions, location)?
- Does each IACS asset have a criticality level and a security zone/conduit designation?
- Is there a formal documented process for identifying and assessing vulnerabilities in IACS?
- Is there a patch management plan that defines the frequency, responsible parties and procedures for applying security patches?
- Are patches tested in a non-production environment before deployment to production systems?
- Are there rollback plans for each patch or firmware update?
- Are all firmware and software updates obtained directly from the manufacturers or from trusted sources?
- Is remote access to IACS controlled via VPN with multi-factor authentication (MFA)?
- Are all maintenance tools (laptops, USBs) regularly scanned and protected against malware?
- Are USB ports and other physical interfaces on IACS disabled or physically secured when not in use?
- Do maintenance user accounts have the minimum privileges necessary for their tasks (Principle of Least Privilege)?
- Have the factory default passwords been changed on all IACS equipment?
- Are regular and secure backups of IACS configurations and data performed? Are backups tested?
- Is there a cyber incident response plan that includes IACS?
- Do maintenance teams receive regular training in cybersecurity and IEC 62443 procedures?
- Do contracts with MRO service providers include cybersecurity clauses and require compliance with IEC 62443?
- Are replacement components purchased from trusted suppliers that guarantee product authenticity and security?
- Is there a process for safely disposing of IACS components, ensuring the elimination of sensitive data?
- Is network segmentation (zones and conduits) implemented to isolate critical control systems?
- Are periodic IEC 62443 compliance audits carried out by third parties or qualified internal staff?
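Several checklist items (default passwords, least privilege, unnecessary services, remote access with MFA, logging) can be verified mechanically from a device's configuration export. The script below is an added example, not part of the article, of such an audit against a secure configuration baseline (table row "Secure Configuration" above). The baseline, the export format, the account list and the list of factory-default credentials are all constructed for a hypothetical PLC; the field names are assumptions, not any vendor's export schema. The device in this example is assumed to store an unsalted SHA-256 of each password, which lets the audit test known defaults without the plaintext ever appearing in the export.

```python
"""Added example: audit an exported device configuration against its security baseline.

Baseline, export format, accounts and default-credential list are all constructed.
"""
import hashlib

# Constructed baseline: what a hardened PLC-X in zone Cell-1 is allowed to look like.
BASELINE = {
    "allowed_services": {"modbus-tcp/502", "https/443", "syslog-client"},
    "forbidden_services": {"telnet/23", "http/80", "ftp/21", "snmp-v1/161"},
    "roles": {  # least-privilege permission sets per role
        "operator": {"read"},
        "maintenance": {"read", "download_program"},
        "admin": {"read", "download_program", "user_mgmt", "firmware_update"},
    },
    "require_security_logging": True,
    "require_remote_syslog": True,
}

# Constructed factory-default credentials (normally from vendor documentation or an
# internal list). The device is assumed to store an unsalted SHA-256 of the password.
FACTORY_DEFAULTS = [("admin", "admin"), ("admin", "password"), ("root", "root"), ("service", "service")]
_DEFAULT_HASHES = {(u, hashlib.sha256(p.encode()).hexdigest()) for u, p in FACTORY_DEFAULTS}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def _h(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed export from a PLC-X as found during a maintenance visit.
RUNNING_CONFIG = {
    "device": "PLC-LINE1-01",
    "services": ["modbus-tcp/502", "https/443", "http/80", "telnet/23", "vendor-diag/4840"],
    "accounts": [
        {"user": "admin", "role": "admin", "password_sha256": _h("admin"),
         "permissions": ["read", "download_program", "user_mgmt", "firmware_update"]},
        {"user": "maint1", "role": "maintenance", "password_sha256": _h("Wr3nch!2024"),
         "permissions": ["read", "download_program", "firmware_update"]},
        {"user": "op1", "role": "operator", "password_sha256": _h("Line1-Op!"),
         "permissions": ["read"]},
    ],
    "remote_access": {"enabled": True, "via_vpn": True, "mfa": False},
    "logging": {"security_events": True, "remote_syslog": False},
}


def audit_config(cfg: dict, baseline: dict = BASELINE) -> list:
    """Return (severity, message) findings, most severe first; an empty list means compliant."""
    findings = []
    running = set(cfg.get("services", []))
    for svc in sorted(running & baseline["forbidden_services"]):
        findings.append(("high", f"forbidden service enabled: {svc}"))
    for svc in sorted(running - baseline["allowed_services"] - baseline["forbidden_services"]):
        findings.append(("medium", f"service not in baseline, justify or disable: {svc}"))
    for acct in cfg.get("accounts", []):
        if (acct["user"], acct["password_sha256"]) in _DEFAULT_HASHES:
            findings.append(("critical", f"factory default credential still active: {acct['user']}"))
        allowed = baseline["roles"].get(acct["role"], set())
        excess = sorted(set(acct.get("permissions", [])) - allowed)
        if excess:
            findings.append(("high", f"{acct['user']} ({acct['role']}) exceeds least privilege: {excess}"))
    ra = cfg.get("remote_access", {})
    if ra.get("enabled") and not (ra.get("via_vpn") and ra.get("mfa")):
        findings.append(("high", "remote access enabled without both VPN and MFA"))
    log = cfg.get("logging", {})
    if baseline["require_security_logging"] and not log.get("security_events"):
        findings.append(("medium", "security event logging disabled"))
    if baseline["require_remote_syslog"] and not log.get("remote_syslog"):
        findings.append(("medium", "logs kept only on the device; forward them to a collector"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


if __name__ == "__main__":
    for severity, message in audit_config(RUNNING_CONFIG):
        print(f"[{severity.upper():<8}] {message}")
```

Run against the constructed export, the audit reports the unchanged admin default as critical, then the four high findings (telnet and HTTP enabled, a maintenance account holding the firmware_update permission that belongs to the admin role, and remote access without MFA), then the two medium ones (an undocumented diagnostic service and logs that never leave the device). Services that are neither allowed nor explicitly forbidden are flagged rather than silently accepted, which is what keeps the baseline honest as vendors add features across firmware versions.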
7. Common Non-Compliance Issues
Security audits and assessments in industrial environments often reveal deficiencies that prevent compliance with IEC 62443:
- Outdated Software and Firmware: Many systems operate with old versions, containing known and exploitable vulnerabilities. Lack of maintenance windows for updates is a contributing factor.
- Lack of Asset Inventory: Not having an accurate and up-to-date list of all IACS components prevents effective patch and vulnerability management.
- Default or Weak Passwords: Using factory default credentials or easily guessable passwords is a common entry point for attackers.
- Insecure Remote Access: RDP exposed directly from the business network or the internet, VPNs without MFA, or third-party access without strict control.
- Lack of Network Segmentation: Interconnected OT and IT networks without adequate firewalls or security zones.
- Insecure Maintenance Tools: Infected laptops or USB devices introducing malware into systems.
- Inability to Test Patches: Lack of test environments (laboratories or simulators) to validate patches before deployment in production.
- Exclusive Dependence on Suppliers: Not having an internal plan to manage patches, blindly trusting suppliers, who may have update cycles that differ from operational needs.
8. Penalties and Liability for Non-Compliance
Non-compliance with cybersecurity guidelines, such as those established by IEC 62443, can lead to severe consequences, with legal, financial and reputational implications in Brazil:
- Regulatory Fines and Sanctions: Although IEC 62443 is not a law, failing to apply it may lead to violations of other regulations. For example, cyber incidents that result in the leakage of personal data may incur fines under the General Data Protection Law (LGPD) of up to 2% of the company's revenue in Brazil in the previous fiscal year, capped at R$50 million per infraction.
- Operational Losses: A cyber attack can cause prolonged production downtime. It is estimated that the average cost of an hour of downtime in large industries can vary from R$50,000 to R$500,000, depending on the sector and the scale of the operation.
- Reputational Damage: Cybersecurity incidents can erode the trust of customers, partners and investors, resulting in loss of contracts and market value.
- Accidents and Civil/Criminal Liability: The manipulation of industrial control systems by a cyber attack can lead to equipment failures, explosions, chemical leaks or other serious accidents, violating NR-10 and NR-12. This can result in lawsuits for property damage, bodily injury and even wrongful death for those responsible.
- Recovery Costs: The costs of investigating an incident, remediating systems, restoring data and strengthening security after an attack are substantial and can easily run into the millions.
- Impact on Insurance: Insurance companies may deny coverage for losses arising from cyberattacks if the company does not demonstrate diligence in implementing recognized security measures.
9. Conclusion
Cybersecurity in industrial control systems is not an additional cost, but a fundamental investment in business continuity, worker safety and environmental protection. IEC 62443 provides a clear roadmap for building robust defenses, and patch management and secure maintenance are cornerstones of that resilience. Compliance with these standards not only mitigates risks, but also raises the operational standard of the Brazilian industry, aligning with global best practices.
At UNITEC-D GmbH, we understand the complexity and criticality of these requirements. We offer a range of components and spare parts that meet the highest quality and safety standards, sourced from manufacturers that incorporate cybersecurity at every stage of the product lifecycle. To ensure your MRO operations are equipped with certified and reliable components essential for IEC 62443 compliance and the safety of your plant, visit our E-catalog.
Access the UNITEC-D E-catalog to explore our product range.
10. References
- IEC 62443-1-1: Security for industrial automation and control systems - Part 1-1: Terminology, concepts and models. Ed. 2.0 (2018-04).
- IEC 62443-2-3: Security for industrial automation and control systems - Part 2-3: Patch management in IACS environments. Ed. 1.0 (2015-08).
- IEC 62443-2-4: Security for industrial automation and control systems - Part 2-4: Requirements for IACS service providers. Ed. 1.0 (2015-08).
- IEC 62443-3-3: Security for industrial automation and control systems - Part 3-3: System security requirements and security levels. Ed. 1.0 (2013-08).
- IEC 62443-4-2: Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components. Ed. 1.0 (2019-09).
- ABNT NBR ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements.
- Regulatory Standard NR-10: Safety in Electrical Installations and Services. Ministry of Labor and Employment, Brazil.
- Regulatory Standard NR-12: Workplace Safety in Machines and Equipment. Ministry of Labor and Employment, Brazil.
- Law No. 13,709/2018 (General Personal Data Protection Law - LGPD), Brazil.