Skip to content

   We secure embedded systems

IEC 62443-4-2 Engineering Assessment

Identify architectural security gaps and prepare your product for IEC 62443 certification and upcoming regulations. 

You have interest in an assessment? 

Technical Product Evaluation for IEC 62443-4-2 

Manufacturers of embedded and industrial devices are increasingly facing new cybersecurity requirements that impact product development and architecture decisions.

You might encounter situations such as:

  • A customer requires IEC 62443 certification for your product
  • You want to prepare your product architecture for upcoming regulations such as the Cyber Resilience Act (CRA)
  • Your security architecture has evolved over time and you want to evaluate whether the existing security mechanisms are implemented effectively.

Our technical product evaluation helps you assess your product against the IEC 62443-4-2 component security requirements and identify what changes are needed to reach your target Security Level (SL).

What we can provide

We focus exclusively on component-level security (IEC 62443-4-2) and perform a structured technical assessment of your product:

  • Architecture review (hardware, firmware, software)  

  • Mapping implemented security mechanisms to IEC 62443-4-2 requirements 

  • Security Level gap analysis

  •  Identification of missing or insufficient security mechanisms 

  •  Technical recommendations and implementation roadmap 

Designed for embedded components

This service addresses manufacturers of:

  • Networked embedded devices
  • Industrial communication devices
  • Secure gateways and edge devices
  • Connected control units
  • Security-critical IoT components

 

When this assessment is useful

 This evaluation is particularly useful if you: 

  • prepare for IEC 62443 product certification
  • want to understand the gap between your product and security level targets
  • want to evaluate security architecture before (re-)design
  • want to align your product with upcoming requirements (e.g. CRA)
  • obtain an independent technical evaluation before continuing development or engaging certification bodies

We analyze security-relevant components 

  • Authentication mechanisms
  • Access control
  • Secure boot & firmware update
  • Cryptographic mechanisms
  • Key management
  • Logging & monitoring
  • Communication interfaces
  • Protection against manipulation

Mapping to IEC 62443-4-2 requirements 

Structured evaluation against seven foundational requirements (FR) defined in IEC 62443-4-2:

    1. FR1 – Identification & Authentication Control
    2. FR2 – Use Control
    3. FR3 – System Integrity
    4. FR4 – Data Confidentiality
    5. FR5 – Restricted Data Flow
    6. FR6 – Timely Response to Events
    7. FR7 – Resource Availability

Why work with us

We are not certification consultants. We are embedded security engineers who translate IEC 62443-4-2 requirements into concrete product architectures. After the assessment we are able to help you implementing missing security features into your product.

We combine:

  • Hardware & firmware security expertise
  • Cryptography know-how
  • Secure architecture design
  • Practical implementation experience

We do not only identify gaps. We show how to close them. 

After the assessment, we can support:

  • Secure architecture redesign
  • Secure boot & update concepts
  • Cryptographic integration
  • Hardware root-of-trust concepts
  • Security design reviews

How the assessment works

  • Initial technical discussion
  • Scope definition and target Security Level
  • Architecture evaluation
  • Gap analysis and recommendations
  • Results workshop with your engineering team

Frequently Asked Questions (FAQ)

What is the goal of the IEC 62443-4-2 assessment?

 

 

The goal is to evaluate how well your product architecture meets the technical security requirements defined in IEC 62443-4-2.

The assessment provides clarity on:

  • your current Security Level capability (SL-C)
  • architectural gaps
  • technical risks
  • required implementation steps to reach the desired Security Level.

It helps engineering teams understand where their product stands before investing in certification or large redesign efforts.

When should we perform such an assessment?

 

 

Typical starting points include:

  • preparing for IEC 62443 certification
  • planning a new product (generation)
  • integrating secure boot or cryptography
  • evaluating firmware update security
  • aligning product security with upcoming regulatory requirements.

Many companies perform the assessment before committing to large (re-)design efforts.

 

Which products are suitable for this assessment?

 

 

The assessment is designed for networked and security-critical embedded components, for example:

  • gateways
  • embedded controllers
  • communication devices
  • edge computing systems
  • connected industrial IoT components
Is this a certification or compliance audit?

 

 

Our assessment focuses on the technical product architecture and does not validate compliance with IEC 62443. We analyze how the product implements security mechanisms and identify what would need to change to reach the desired Security Level. This typically happens before formal certification processes begin. 

 

 

Does the assessment include IEC 62443-4-1 process consulting?

 

 

No. IEC 62443-4-1 focuses on the secure development lifecycle and organizational processes. Our assessment concentrates on the technical product requirements defined in IEC 62443-4-2. 

What Security Levels are covered?

 

 

IEC 62443 defines four Security Levels:

  • SL1-Protection against casual or accidental misuse
  • SL2-Protection against intentional misuse using simple means
  • SL3-Protection against sophisticated attackers
  • SL4-Protection against highly sophisticated attackers

The assessment helps determine whether the current product architecture can realistically support the targeted Security Level.

Can we perform the evaluation internally?

 

 

In many cases, companies start with an internal analysis. Teams often encounter challenges such as:

  • interpreting IEC 62443 requirements correctly
  • mapping requirements to the existing architecture
  • identifying architectural security gaps
  • estimating the effort required to reach a target Security Level

An external engineering assessment can provide an independent technical perspective and help avoid blind spots.

Will this assessment automatically lead to certification?

 

 

No. The assessment is a technical evaluation and serves to determine whether the product architecture can fulfill the necessary security characteristics and significantly reduce the risk of redesign in preparation for subsequent certification. 

How does this differ from penetration testing?

 

 

Penetration testing focuses on finding exploitable vulnerabilities in an existing implementation. The IEC 62443-4-2 engineering assessment evaluates whether the product architecture is capable of meeting the required security properties. Both approaches complement each other, but they address different stages of the product lifecycle.

Is our product “complex enough” for IEC 62443?

 

 

The IEC 62443 does not only apply to large industrial systems.

The requirements apply to any networked component used in industrial automation environments, including:

  • gateways
  • controllers
  • communication devices
  • embedded IoT components
  • and others

If your product connects to other industrial systems, supports remote access, or handles firmware updates, IEC 62443 requirements are likely relevant.

 

What information do we need to provide?

 

 

We review documentation such as:

  • product architecture diagrams
  • firmware update mechanisms
  • authentication concepts
  • communication protocols
  • cryptographic mechanisms
  • logging and monitoring capabilities

 

Do we need to know our target Security Level before the assessment?

 

 

Not necessarily. The assessment can help determine which Security Level is realistic based on:

  • the application context
  • expected threat scenarios
  • product architecture constraints
How much effort is required from our engineering team?

 

 

The assessment is designed to minimize disruption to ongoing development.

Typical involvement includes:

  • a kickoff workshop
  • access to relevant architecture documentation
  • technical discussions with engineers
What deliverables do we receive?

 

 

The assessment typically results in:

  • a structured gap overview against IEC 62443-4-2
  • identification of key security weaknesses
  • Security Level readiness evaluation
  • prioritized engineering recommendations
  • a technical roadmap for further implementation.

The goal is to provide practical guidance for engineering teams, not only a compliance checklist.

What if our product is far from meeting the requirements?

 

 

This situation can arise, particularly with products that were developed before cybersecurity standards became widespread. However, the assessment is not intended to classify a product as “unsuitable.”

Instead, it determines:

  • which requirements are already met

  • where architectural improvements are needed

  • which changes are critical and which are optional.

This shall help development teams prioritize realistic next steps.

Can the assessment lead to further engineering support?

 

 

Yes. If architectural changes are necessary, the assessment serves as a starting point for:

  • (Re)designing the security architecture

  • Integrating cryptography

  • Implementing a secure boot process

  • Ensuring security during firmware updates

  • Integrating a hardware trust foundation.

The assessment itself is designed as an independent technical evaluation.

Is this relevant for smaller engineering teams?

 

 

Yes. From our point of view, smaller development teams often benefit most from a structured evaluation because security requirements can significantly impact architecture decisions. The assessment helps teams focus on the most relevant security mechanisms first.

What happens after the assessment?

 

 

The results support internal decisions such as:

  • architecture redesign priorities
  • integration of security mechanisms
  • preparation for certification programs
  • planning of future product generations

You can continue with an implementation projects, or use the results for internal development.

How do we start?

 

 

The first step is a short technical discussion to understand:

  • the product architecture
  • the intended market and regulatory context
  • the targeted Security Level

Based on this information we define the assessment scope and prepare a tailored proposal.