IEC TS 62443-6-2-2025 PDF

Full title and description

St IEC TS 62443-6-2-2025 — Security for industrial automation and control systems - Part 6-2: Security evaluation methodology for IEC 62443-4-2. This Technical Specification defines a methodology to achieve repeatable and reproducible evaluation results for IACS components being assessed against the technical requirements of IEC 62443-4-2. It clarifies the evaluation approach but does not itself define a certification scheme or replace the secure development lifecycle requirements of IEC 62443-4-1.

Abstract

IEC TS 62443-6-2:2025 provides an evaluation methodology aimed at standardizing how components are tested and assessed for compliance with IEC 62443-4-2 technical security requirements. It focuses on repeatability and reproducibility of evaluation activities, defines evaluation boundaries and evidence requirements, and explicitly excludes prescribing specific testing tools or establishing full certification schemes; it requires that products have been developed according to IEC 62443-4-1 secure development lifecycle practices.

General information

• Status: Published (Technical Specification).
• Publication date: 21 January 2025.
• Publisher: IEC (International Electrotechnical Commission).
• ICS / categories: 25.040.40 (Industrial process measurement and control).
• Edition / version: Edition 1.0 (ED1).
• Number of pages: 62 pages.

(Publication metadata and bibliographic details as published by the IEC webstore.)

Scope

Specifies an evaluation methodology to support achieving repeatable and reproducible evaluation results for IACS components under evaluation against the requirements of IEC 62443-4-2. The document does not define a complete certification scheme or program, does not itself specify the process evaluations of the secure development lifecycle (IEC 62443‑4‑1 is a prerequisite), and does not mandate particular tools for activities such as vulnerability or penetration testing. It is focused on components developed in accordance with IEC 62443‑4‑1 and is not intended for components outside that development lifecycle.

Key topics and requirements

• Evaluation methodology framework for component assessments against IEC 62443-4-2.
• Guidance to ensure repeatable and reproducible test execution and evidence collection.
• Definition of evaluation boundaries, component-level test cases, and acceptance criteria mapped to IEC 62443-4-2 technical requirements.
• Requirements for documentation, test evidence, and reporting to support objective evaluation results.
• Clarification that secure development lifecycle conformance (IEC 62443-4-1) is a prerequisite for component evaluation.
• Explicit exclusion of prescribing specific testing tools or defining a certification scheme within this TS.

Typical use and users

Used by conformity assessment bodies, testing laboratories, product vendors (component manufacturers), certification schemes, and procurement teams to structure component-level security evaluations. Integrators and asset owners may consult the methodology to understand evaluation expectations and to interpret evaluation reports produced against IEC 62443-4-2.

Related standards

IEC TS 62443-6-2 is part of the IEC 62443 family and is explicitly tied to IEC 62443-4-2 (technical security requirements for IACS components) and to IEC 62443-4-1 (secure product development lifecycle requirements). Implementers and assessors should use this TS in conjunction with IEC 62443-4-2 and ensure the product development lifecycle conforms to IEC 62443-4-1.

Keywords

IEC 62443, security evaluation, evaluation methodology, IACS components, reproducibility, repeatability, component testing, secure development lifecycle, 62443-4-2, 62443-4-1.

FAQ

Q: What is this standard?

A: IEC TS 62443-6-2:2025 is a Technical Specification that defines a methodology for evaluating industrial automation and control system (IACS) components against the technical requirements of IEC 62443-4-2 to achieve repeatable and reproducible results.

Q: What does it cover?

A: It covers the evaluation approach, test evidence and reporting expectations, and methods to ensure evaluations can be repeated and reproduced. It does not establish a certification scheme nor prescribe specific vulnerability or penetration testing tools. IEC 62443-4-1 conformance is required for products assessed under this methodology.

Q: Who typically uses it?

A: Conformity assessment bodies, independent test laboratories, product vendors seeking objective component evaluation, certification scheme developers, procurement and compliance teams, and advanced integrators or asset owners reviewing component security evaluations.

Q: Is it current or superseded?

A: This Technical Specification was published on 21 January 2025 and is the current edition (Edition 1.0) with an IEC stability date indicated through 2027 in the IEC bibliographic record. Users should check national adoptions or corrigenda for any updates or national implementation dates.

Q: Is it part of a series?

A: Yes — it is part of the IEC 62443 series (security for industrial automation and control systems) and is specifically intended to support evaluations against IEC 62443-4-2 while referencing the secure development lifecycle requirements of IEC 62443-4-1.

Q: What are the key keywords?

A: Security evaluation methodology, IEC 62443, IACS components, reproducible testing, component assessment, secure development lifecycle, 62443-4-2, 62443-4-1.