The IEC 62443 series defines requirements for Industrial Automation and Control Systems (IACS) security, covering the full supply chain from asset owners to component suppliers. CyberICS provides purpose-built exercises mapped to IEC 62443-2-1 CSMS requirements, Security Levels SL-1 through SL-4, and all seven Foundational Requirements (FR1–FR7) — with audit-ready evidence for ISASecure certification programmes.
The IEC 62443 series spans four parts covering concepts, policies, systems, and components. CyberICS exercises directly support Parts 2 and 3 requirements.
Establishes common terminology, risk assessment methodology, and the security lifecycle concept that underpins all subsequent parts. Part 1 defines the scope and vocabulary for IACS security across asset owners, integrators, and component suppliers.
Requirements for the Cybersecurity Management System (CSMS). IEC 62443-2-1 is the primary operational standard for asset owners, defining CSMS elements, policies, and procedures. Requirement SP.03.01 (security programme management) is addressed through structured exercise evidence demonstrating a functioning security programme.
The zone and conduit model (IEC 62443-3-3 clause 4.3.3) defines how IACS systems are segmented and how Security Level targets are assigned per zone. Part 3 maps system security requirements to Security Level targets and achieved levels — forming the basis for gap analysis between current and target security posture.
Component-level security requirements for products and embedded systems. Part 4 applies to component suppliers and addresses software development lifecycle, embedded security features, and component security assurance levels. CyberICS embedded exercises test component failure scenarios and failure mode responses relevant to Part 4 validation.
Every CyberICS exercise is mapped to one or more Foundational Requirements and aligned to a target Security Level — giving you structured evidence for SL gap analysis and CSMS documentation.
SL-1: Protection against casual or coincidental violation. Suitable for systems where the primary threat is unintentional actions by authorised users or simple, opportunistic attacks with low motivation and skill.
SL-2: Protection against intentional violation using simple means. Adversary has low resources, generic IACS skills, and low motivation. Represents the baseline Security Level for most critical infrastructure environments.
SL-3: Protection against intentional violation using sophisticated means. Adversary has moderate resources, IACS-specific skills, and moderate motivation. Required for environments with significant public safety or national security impact.
SL-4: Protection against intentional violation using sophisticated means with extended resources. Nation-state level adversary capability. Reserved for the most critical IACS assets where compromise could cause catastrophic consequences.
| FR | Title | Requirement Description | CyberICS Exercise Coverage |
|---|---|---|---|
| FR 1 | Identification & Authentication Control | Unique identification of all users, devices, and software processes that use the IACS; authentication of identity prior to granting access | Credential abuse and identity spoofing scenarios exercise detection of authentication failures and IAM procedure gaps |
| FR 2 | Use Control | Enforce the privileges of authenticated entities; ensure that only authorised actions are permitted, including use restrictions on devices and software | Privilege escalation exercises test authorisation controls and validate least-privilege enforcement in IACS environments |
| FR 3 | System Integrity | Ensure the integrity of the IACS by protecting against unauthorised change; detect and report integrity violations | Supply chain compromise and firmware manipulation exercises test integrity verification procedures and change detection workflows |
| FR 4 | Data Confidentiality | Ensure the confidentiality of information on communication channels and in data repositories to the degree necessary to protect the IACS from compromise | Data exfiltration scenarios exercise classification procedures, historian data protection, and confidentiality incident response |
| FR 5 | Restricted Data Flow | Segment the IACS using zones and conduits to limit unnecessary data flow; prevent information from passing to or from unauthorised sources | Zone and conduit breach exercises directly test the effectiveness of network segmentation controls and conduit configuration |
| FR 6 | Timely Response to Events | Respond to security violations by notifying proper authorities; reporting evidence of the violation; and taking timely corrective action | Incident response exercises measure detection-to-response timelines against SL targets; AI AAR produces event response documentation for CSMS records |
| FR 7 | Resource Availability | Ensure the availability of the IACS to legitimate entities including personnel, devices, and communications infrastructure under all intended operating conditions | Denial-of-service and cascading failure exercises test availability response procedures and resilience under SL-3 and SL-4 threat scenarios |
IEC 62443 reference: 62443-2-1 CSMS clause SP.03.01 (Security Programme) is directly evidenced through CyberICS structured exercise programme records. Zone segmentation requirements are governed by clause 4.3.3 of the IEC 62443 series.
Three core capabilities work together to deliver, document, and evidence your IEC 62443-2-1 CSMS obligations and Security Level readiness.
Live Session mode delivers real-time, multi-participant IACS tabletop exercises with timestamped participant records. All steps, responses, and facilitator actions are logged — creating auditable CSMS documentation for IEC 62443-2-1 compliance.
Immediately after each exercise, CyberICS generates a structured AAR documenting gaps, recommendations, and IEC 62443 FR references — in the language your team worked in. AAR output serves directly as SP.03.01 security programme evidence.
The Compliance Dashboard generates per-framework IEC 62443 evidence packages — a 6-page audit PDF covering exercise log, FR 1–FR 7 controls coverage, Security Level gap analysis, remediation plan, and attestation page for auditor review.
Every CyberICS exercise generates four categories of compliance evidence supporting IEC 62443-2-1 CSMS demonstration requirements and ISASecure programme documentation.
62443-2-1 CSMS documentation package. AI-generated PDF with FR gap analysis, corrective actions, and Security Level references available within minutes of exercise completion.
Current vs. Target Security Level gap analysis per zone. Maps identified deficiencies to the SL delta and provides prioritised remediation to close the gap.
FR 1–7 coverage evidence per exercise. Each exercise maps to one or more Foundational Requirements with coverage status and gap documentation for CSMS records.
SP.03.01 security programme evidence package demonstrating a structured, recurring exercise programme aligned to ISASecure CSMS certification requirements.
Six high-fidelity IEC 62443 scenarios covering the most common IACS threat vectors — mapped to specific Foundational Requirements and Security Level targets.
Threat actor pivots from DMZ into control zone via misconfigured conduit. Tests zone segmentation enforcement and access control procedures mapped to IEC 62443 clause 4.3.3.
Attacker manipulates SIS ladder logic during a maintenance window. Tests SIS security procedures, integrity verification, and timely response to events under FR 6 requirements.
Rogue firmware deployed to a remote PLC array via a compromised maintenance laptop. Tests firmware verification procedures, system integrity controls, and availability response under FR 7.
Phishing campaign harvests SCADA operator credentials. Tests identity management procedures, MFA gaps, and privileged account controls mapped to IEC 62443 FR 1 and FR 2 requirements.
Adversary extracts 18 months of grid operational data through a misconfigured historian DMZ. Tests data classification, confidentiality controls, and network segmentation mapped to FR 4 and FR 5.
Coordinated disruption across control centres triggers cascading failures. Tests mutual aid procedures, recovery operations, and SL-3 escalation procedures for FR 6 timely response and FR 7 availability.
Plus 59 additional scenarios across Manufacturing, Pharma, Oil & Gas, Chemical, and more.
CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise programme — complete regulatory coverage.