Focus: System security
IEC 62443-4-2 by a recognised scheme such as ISASecure or IECEE and granted certifi cation to a specifi c security level, commonly SL2 for components used in most industrial contexts. Both approaches have value. Compliance
off ers fl exibility and breadth of choice, and can be suffi cient under a risk- based approach when you understand your environment and threat profi le. Certifi cation delivers higher assurance, can simplify procurement in regulated sectors and provides very clear evidence for audits and regulatory engagement.
Moxa and IEC 62443-4-2 in real products Moxa is one vendor that has aligned product design with IEC 62443 and, in selected cases, gone through independent certifi cation. On the networking side are the Moxa
EDR-G9010 secure router family (Figure 1), and Moxa EDS-4000/G4000 managed switch series (Figure 2), available with IEC 62443-4-2 SL2-certifi ed variants. For operators, that certifi cation gives third- party assurance around controls such as authenticated management access and role-based administration, signed fi rmware images and secure update mechanisms, and security event logging with time- synchronised records that are ready for central collection. On the computing side, Moxa UC-8200
ARM-based industrial computers are off ered with SL2 “host device” certifi cation under IEC 62443-4-2. T ese platforms combine secure boot and signed update processes with support for hardware roots of trust such as TPMs and long-term support windows that suit OT maintenance cycles. Because certifi cation is always model-specifi c, it is important to verify the exact SKU during selection to confi rm its certifi cation status and scope.
Deployment patterns in the fi eld Adopting IEC 62443-aligned devices does not require a ‘big bang’ replacement. Typical, incremental patterns include: • Rail (EN 50155 environments) – Secure routers such as EDR-G9010 terminate VPNs from wayside or trackside equipment
and segment those networks from enterprise IT, while UC-series computers run protocol stacks, edge processing and local reporting. • Energy (substations and renewables) – Firewalls and secure routers enforce zones and conduits between IEDs, RTUs and the control centre, and hardened hosts run local applications and accept only signed, verifi ed updates. • Manufacturing cells and utilities with remote sites – Managed switches such as EDS-4000/G4000, with authenticated management and detailed event logging, give SOC teams earlier visibility of lateral movement, while certifi ed edge routers provide an audited perimeter for remote facilities with VPN backhaul. In each case, the principle is the same:
move the most critical edges and hosts onto platforms that implement IEC 62443-4-2 cleanly, so that every refresh step both reduces risk and improves your evidence base.
Aligning with UK and EU regulatory direction Regulatory frameworks are increasingly explicit about expectations on cyber resilience for essential and important entities. In the EU, NIS2 widens the range of organisations in scope and stresses risk management, access control, incident reporting and supply chain security. T e
Cyber Resilience Act adds obligations for manufacturers of products with digital elements, including secure-by-design principles and vulnerability handling. In the UK, the planned Cyber Security and Resilience Bill is expected to update and extend the existing NIS Regulations, with a continued focus on essential services and digital infrastructure. While these frameworks diff er in detail,
they share common themes: stronger governance, better risk management, greater visibility of controls and improved product security. IEC 62443-4-2 provides a practical way to demonstrate that your networking and computing platforms embody those themes in engineering, not just on paper. It becomes a bridge between regulatory language and the specifi cation sheets for routers, switches, gateways and industrial PCs.
A practical starting point For most OT environments, serious cyber incidents rarely begin with sophisticated, bespoke exploits. T ey start with weakly defi ned or poorly enforced boundaries, unpatched or opaque hosts, and devices that are diffi cult to manage or audit. IEC 62443-4-2 off ers a structured, testable route to improve those fundamentals. A pragmatic approach is to focus fi rst
Moxa EDS-4008 IEC 62443 Ethernet switch
on the control plane: routers, fi rewalls, switches and industrial PCs that shape traffi c and host critical applications. New procurements can specify IEC 62443-4-2 capabilities up front and, where justifi ed by risk or regulation, insist on independent certifi cation to SL2 for key components. Standardising on hardened host platforms for SCADA nodes, protocol translation, one-way transfer and edge analytics raises the baseline for everything that depends on them. Normalising logging and updates as routine activities, backed by products that support secure boot, signed fi rmware and verifi able patching, then turns security from an occasional project into part of day-to-day operations. Taken step by step, this moves OT networks and edge computing from “best eff orts” security to an approach you can map to standards, explain to regulators and, crucially, trust when something goes wrong.
www.electronicsworld.co.uk December 2025/January 2026 13
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38 |
Page 39 |
Page 40 |
Page 41 |
Page 42 |
Page 43 |
Page 44 |
Page 45 |
Page 46 |
Page 47 |
Page 48
