IEC 62443 compliance assessment for Indonesian industrial operators

Industrial control systems — SCADA for electrical substations, DCS in oil refineries, PLC in water treatment facilities — were built for reliability and continuity, not for cybersecurity. When those two goals meet in a single increasingly connected network, the gap between them becomes a real risk. IEC 62443 is the international framework that bridges that gap using a language understood by both OT teams and information security teams.

This page explains the IEC 62443 series structure, the regulatory context in Indonesia, and the assessment process we use to help industrial operators understand their OT security posture and prioritize improvements.

This page is intended as general guidance. It is not certification advice, and any assessment needs to be scoped to the specific conditions of each facility.

Structure of the IEC 62443 series

IEC 62443 is not a single document but a series of standards divided into four groups based on audience and scope.

The 62443-1 group provides the foundation: terminology, concepts, and the security model that forms the shared language for the entire series. The 62443-2 group is aimed at asset owners and service providers, covering security management and requirements for IACS service providers. The 62443-3 group addresses system requirements, including 62443-3-2 for risk assessment and 62443-3-3 for system security requirements and Security Level definitions. The 62443-4 group contains requirements for OT component manufacturers.

For industrial operators, the 62443-2 and 62443-3 groups are the most relevant because they govern what asset owners must do with the systems they operate.

Security levels and how to measure them

IEC 62443-3-3 defines four Security Levels (SL) based on the capability of the attacker they are designed to resist.

SL 1 protects against casual or coincidental violation. SL 2 protects against intentional violation using simple means with low motivation. SL 3 protects against attacks using sophisticated means with adequate resources, including actors with advanced expertise. SL 4 is intended for the highest-criticality systems, protecting against the most sophisticated attacks with large motivation and resources.

The assessment process involves two distinct numbers. Security Level Target (SL-T) is the number set by the asset owner based on consequence analysis: what is the worst-case impact if this zone is compromised? Security Level Capability (SL-C) is the actual capability of the current system. The gap between the two, SL-T minus SL-C, is the focus of the remediation roadmap.

Zone and conduit model

Before Security Levels can be assigned, the OT network needs to be mapped into zones and conduits. This is the central concept in IEC 62443-3-2.

A Security Zone is a grouping of assets that share the same function, criticality, and security requirements. For example, the control system for a gas turbine might form one zone, while the historian network and operator interfaces sit in a separate zone. A Conduit is the communication path between zones, whether a physical network link or a data protocol. Each conduit must have appropriate controls because it is the transit point between zones with different trust levels.

Accurate zone and conduit modeling is the most consequential step in the assessment. If zone boundaries are unclear or do not reflect actual network topology, all subsequent Security Level measurements become unreliable.

Regulatory context in Indonesia

Presidential Regulation 82/2022 on the Protection of Critical Information Infrastructure requires operators to secure their information systems. For OT environments, IEC 62443 is the international standard most frequently referenced in BSSN guidelines for ICS/SCADA security.

Beyond regulatory obligations, oil and gas operators partnering with international companies under Production Sharing Contracts often face IEC 62443 requirements written directly into EPC contracts. This means compliance with the standard is not only a regulatory matter but also a condition of doing business with international partners.

The assessment process we follow

Our IEC 62443 assessment follows five sequential stages.

The first stage is asset discovery and current state. We use a passive approach to map OT assets, network topology, and active communication protocols without disrupting live operations. The output is a documented asset inventory and an OT network architecture diagram.

The second stage is risk assessment per IEC 62443-3-2. Working with the client's OT and security teams, we identify Security Zones and Conduits, then establish SL-T for each zone based on consequence analysis. What are the operational, safety, environmental, and business impacts if this zone is compromised?

The third stage is gap analysis. We measure the actual SL-C of each zone against the established SL-T, using the foundational requirements from IEC 62443-3-3 as the benchmark. The result is a gap map per zone showing which controls are adequate and which fall short.

The fourth stage is findings and roadmap. Each gap is prioritized by risk and translated into specific remediation steps. We avoid generic recommendation lists and focus on actions that can be started with the resources available.

The fifth stage is reporting. We produce two documents: an executive summary for management explaining the main risks and priorities, and a technical report containing a gap heatmap by zone and conduit for OT and security teams.

How Alpha Code helps

Our team approaches OT environments from an operational as well as a security perspective. We work with control systems that are running live, where even minor disruption has real operational consequences. Our approach always begins with passive discovery before touching any configuration.

After the assessment, we do not leave clients with a report that is difficult to translate into action. We work through the findings with OT and management teams to make sure the remediation roadmap is understood and can be executed by the teams already in place.

Next steps

Understanding your OT posture against IEC 62443 does not have to start with a full assessment. An initial conversation about your network topology, critical assets, and existing security concerns is enough to define the right scope. If you want to start there, our team is ready to help.