Skip to main content
ISA/IEC 62443 is the international standard series for cybersecurity in Industrial Automation and Control Systems (IACS). This document maps Binarly Transparency Platform (BTP) capabilities to the standard parts relevant to product manufacturers, system integrators/service providers, and asset owners operating in OT/ICS environments.
This mapping covers BTP’s direct analytical and reporting capabilities. ISA/IEC 62443 compliance requires organizational, operational, and network-level controls that extend beyond binary analysis tooling. Where BTP provides supporting evidence rather than full coverage, this is explicitly noted.

Applicable Standard Parts

BTP maps to four standard parts across three distinct ISA/IEC 62443 stakeholder roles:
PersonaStandard Parts
Manufacturers / Product Suppliers62443-4-1 (SDL), 62443-4-2 (Component Requirements)
System Integrators / Service Providers62443-2-4 (Service Provider Program), 62443-3-3 (System Requirements)
Asset Owners62443-2-1 (Asset Owner Program), 62443-2-3 (Patch Management), 62443-3-3 (System Requirements)
Standard PartTitleBTP Relevance
IEC 62443-4-1Secure Product Development Lifecycle RequirementsPrimary — BTP supports all 8 SDL practices as a binary verification layer
IEC 62443-4-2Technical Security Requirements for IACS ComponentsPrimary — BTP verifies component-level security posture
IEC 62443-2-3Patch Management in the IACS Environment (TR)Primary — SBOM + VEX enable patch applicability assessment
IEC 62443-2-4Security Program Requirements for IACS Service ProvidersPrimary — BTP enables independent third-party binary verification
IEC 62443-3-3System Security Requirements and Security LevelsPrimary — BTP provides SL-3/SL-4 assurance evidence for system-level SRs
IEC 62443-2-1Security Program Requirements for IACS Asset OwnersSupporting — BTP evidence supports risk-based procurement and continuous compliance
Parts 62443-1-x (general terminology), 62443-3-2 (risk assessment methodology), and 62443-3-1 (security technologies TR) address foundational and organizational requirements that are outside BTP’s analytical scope.

Coverage Summary

Coverage levels: Full — BTP directly addresses the requirement. Partial — BTP addresses specific aspects; additional controls required. Evidence — BTP produces artifacts that support compliance evidence; implementation is outside BTP’s scope. Not Covered — Outside BTP’s analytical scope.
Requirement AreaStandard ReferenceBTP Coverage
Third-party component inventory (SBOM)62443-4-1 Practice 2Full
Binary integrity verification62443-4-1 Practice 4 / 62443-4-2 CR 3.4Full
Unsafe function / prohibited API detection62443-4-1 Practice 4Full
Binary hardening verification (ASLR, stack canaries, NX, PIE, RELRO, CFI)62443-4-1 Practice 3 / 62443-4-2 CR 3.xFull
Security verification & vulnerability testing62443-4-1 Practice 5Full
CVE tracking and vulnerability disclosure62443-4-1 Practice 6Full
Patch status communication (VEX)62443-4-1 Practice 7 / 62443-2-3Full
Cryptographic material inventory (CBOM)62443-4-2 FR 4 (DC) / 62443-4-1 Practice 2Full
Weak / non-compliant cryptography detection62443-4-2 CR 4.1–4.3Full
Post-quantum cryptography readiness62443-4-2 FR 4 (future)Full
Supply chain integrity and tampering detection62443-4-1 Practice 2 / FR 3 (SI)Partial
Vulnerability exploitability assessment (Reachability)62443-4-2 FR 3 (SI) / 62443-2-3Full
CISA KEV-tracked vulnerability prioritization62443-2-3Full
Cross-image patch regression tracking62443-4-1 Practice 7 / 62443-2-3Full
Malicious code detection62443-4-2 FR 3 (SI)Full
Suspicious code and obfuscation detection62443-4-2 FR 3 (SI)Full
UEFI / firmware-specific vulnerability classes62443-4-2 EDR requirementsFull
Hardcoded credential and secret detection62443-4-2 FR 1 (IAC)Partial
Access control enforcement62443-4-2 FR 2 (UC)Evidence
Network segmentation and data flow control62443-4-2 FR 5 (RDF)Not Covered
Vulnerability intelligence for incident response (VEX, CISA KEV, reachability)62443-4-2 FR 6 (TRE)Partial
Patching downtime reduction via reachability prioritization62443-4-2 FR 7 (RA)Partial
Third-party binary malware verification (SP.03.02)62443-2-4Full
Third-party CVE monitoring incl. undisclosed dependencies (SP.09.01)62443-2-4Full
SL-3/SL-4 malicious code protection (SR 3.2)62443-3-3Full
Binary configuration and hardening verification (SR 7.6)62443-3-3Partial
Risk-based procurement via binary SBOM delta62443-2-1Evidence
Continuous compliance verification before OT deployment62443-2-1Evidence

IEC 62443-4-1: Secure Product Development Lifecycle

IEC 62443-4-1 defines 8 SDL practices that product suppliers must implement. BTP supports all 8 practices as a binary verification layer in the development pipeline.
Requirement: Security governance, policy, organizational roles, and SDL support infrastructure.BTP Support (Evidence):
  • BTP enforces RBAC with granular roles across organization, product, and image scopes, supporting separation of duties requirements.
  • SSO (SAML/OIDC) and mandatory MFA enforce identity governance requirements.
  • SOC 2 Type 2 certification (available at trust.binarly.io) provides independent third-party attestation of BTP’s security controls.
  • On-premises deployment option (Binarly v3) supports air-gapped or isolated environments required for sensitive ICS product development.
  • API-driven CI/CD integration supports systematic SDL enforcement rather than ad-hoc scanning.
Gaps: Organizational policy authoring, governance documentation, and role assignment workflows are outside BTP’s scope.
Requirement: Threat modeling, product security requirements, third-party and open-source component security requirements including component inventory.BTP Support (Full):BTP directly addresses the component inventory and third-party risk requirements that 62443-4-1 Practice 2 mandates:
  • Binary-derived SBOM (CycloneDX and SPDX): generated from actual compiled binaries rather than vendor-declared manifests, revealing components regardless of documentation accuracy. This satisfies the component inventory obligation for downstream integrators and asset owners.
  • CBOM (CycloneDX): cryptographic material inventory of every algorithm, protocol, key, and certificate in the binary, used to assess cryptographic security requirements (FR 4).
  • Transitive dependency tracking: 8 linkage types (direct, static, dynamic, build, derived, vendored, project, unspecified) provide full traceability of how third-party components are incorporated.
  • Dependency vulnerability mapping: CVE exposure for all detected components including nested transitive dependencies.
The binary-derived approach matters for 62443 compliance: declared SBOMs from vendors frequently omit components. BTP’s ground-truth analysis closes this gap.
ArtifactFormatRelevant 62443-4-1 Requirement
SBOMCycloneDX, SPDXMaintain software component inventory; assess third-party component security requirements
CBOMCycloneDXIdentify cryptographic requirements for all dependencies
Findings ReportPDF, JSON, CSVDocument security issues from third-party and open-source dependencies
Requirement: Secure architecture, attack surface reduction, least privilege by design, design-level security controls.BTP Support (Full for verification; Evidence for design):BTP verifies that secure-by-design requirements were actually implemented in the binary:Binary hardening verification — detects missing mitigations that represent design failures:
MitigationFinding ClassArchitecture
Stack canary / SSPmitigation/missing-stack-canariesPOSIX
ASLR / PIEmitigation/posix/pie-disabledPOSIX
NX / DEPmitigation/posix/nx-disabledPOSIX
RELROmitigation/posix/relro-disabledPOSIX
Fortify Sourcemitigation/posix/fortify-source-disabledPOSIX
Control Flow Integritymitigation/missing-control-flow-integrityPOSIX / UEFI
UEFI Memory Protectionmitigation/uefi/memory-protection-misconfigurationUEFI
Microcode updatesmitigation/uefi/outdated-intel-microcode-versionUEFI
A component that fails these checks does not meet the secure-by-design baseline for its target Security Level.Attack surface indicators:
  • Unstripped binaries exposing symbol information (weakness/posix/not-stripped)
  • RPATH issues enabling library injection attacks (weakness/posix/rpath-set)
  • Linux kernel hardening configuration findings (weakness/linux/kernel-configuration)
Requirement: Secure coding guidelines, prohibited function lists, static analysis (SAST), and code review.BTP Support (Full):BTP performs binary-level static analysis equivalent to post-compilation SAST — detecting implementation failures that survive code review:Prohibited/unsafe function detection:
  • weakness/posix/unsafe-functions/summary: detects use of strcpy, sprintf, gets, and other functions prohibited by secure coding standards (CERT C, MISRA)
  • Unsafe function usage maps directly to the “prohibited functions list” requirement in 62443-4-1 Practice 4
Binary analysis capabilities:
  • Compiled binary analysis catches issues that source-level SAST misses (inlined functions, LTO artifacts, compiler-introduced patterns)
  • Works without access to source code — critical for third-party component verification
  • Supports architectures used in IACS: x86, ARM32/64, Xtensa
Firmware-specific implementation checks:
  • UEFI SMM handler vulnerabilities: SMRAM corruption, SMM callouts, unsafe pointer dereferences
  • Malicious or suspicious code patterns: packed ELF, code obfuscation, ifuncs abuse, PT_NOTE conversion to PT_LOAD
BTP integrates into CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins, bash) to enforce these checks at every build.
Requirement: Security test plans, penetration testing, fuzz testing, dynamic analysis (DAST), regression testing.BTP Support (Full for binary V&V; Evidence for active testing):BTP provides binary-level verification and validation that complements active testing:Vulnerability verification:
  • Known vulnerability detection (CVE-mapped) with confidence scoring derived from detection method reliability
  • Unknown vulnerability detection via FwHunt/VulHunt rules for zero-day class vulnerabilities in UEFI, BMC, and embedded firmware
Reachability Analysis — exploitability contextualization:BTP’s Reachability Analysis provides four-tier exploitability classification, directly addressing the 62443-4-1 requirement to assess whether identified vulnerabilities are exploitable in the product context:
Reachability TierExploitability AssessmentV&V Relevance
DirectReachable from main/entry-pointHighest priority for V&V
ExportedReachable from exported interfacesHigh — exploitable from component boundary
ReferencedReachable via code referencesMedium — requires component interaction
UndeterminedCannot be statically determinedRequires dynamic testing to resolve
Undetermined reachability findings show where active penetration testing or fuzz testing is needed to resolve exploitability.Regression testing support:
  • Cross-image comparison via the Compare feature and the Compare Findings API tracks security regressions between builds to confirm previously remediated vulnerabilities have not been reintroduced.
Requirement: Patch development, patch distribution documentation, end-of-life policy, patch verification.BTP Support (Full):Patch verification via cross-image comparison:
  • Scan the patched binary and compare against the pre-patch baseline using the Compare Findings feature
  • API endpoint: POST /api/v4/grids/findings:gridList with filters for both image IDs provides machine-readable delta output for automated patch verification in release pipelines (see Compare Findings API)
VEX status lifecycle management:
  • Update VEX status from under_investigationaffectedfixed as patches progress
  • VEX artifacts accompany firmware update packages to inform downstream asset owners of what was remediated
Patch applicability for asset owners (62443-2-3 integration):
  • SBOM enables asset owners to determine whether a patched component is present in their deployed systems
  • VEX with fixed status and component version range data enables patch prioritization without requiring manual analysis
End-of-life component detection:
  • Dependency findings identify components with known EOL status where the CVE backlog has ceased to be addressed by upstream maintainers
Requirement: Product security documentation for integrators and asset owners, hardening guides.BTP Support (Full for artifact generation; Evidence for authoring):BTP generates the technical artifacts included in security guideline packages delivered with IACS components:
ArtifactContentSecurity Guideline Use
SBOM (CycloneDX / SPDX)Complete software component inventoryEnables asset owners to assess CVE exposure in their deployment
CBOM (CycloneDX)Cryptographic algorithm, key, certificate inventoryInforms cryptographic configuration guidance and PQC migration planning
VEX (OpenVEX / CycloneDX)Vulnerability exploitability statusDocuments known vulnerability handling for integrators
PQC Compliance Report (PDF / JSON)NIST-aligned post-quantum readiness assessmentExecutive summary + algorithm migration timeline for customers
Findings Report (PDF / JSON / CSV)Full security posture with severity and confidenceHardening guidance evidence package for integrators
The PQC report matters most for IACS components with 10–20+ year operational lifespans that will outlive current cryptographic standards.

IEC 62443-4-2: Component Security Requirements

IEC 62443-4-2 defines Component Requirements (CRs) for embedded devices (EDR), host devices (HDR), network devices (NDR), and software applications (SAR) across the 7 Foundational Requirements (FRs) at Security Levels 1–4.
Scope: Unique entity identification, authentication mechanisms, credential management.BTP Coverage: PartialBTP detects credential and authentication failures embedded in firmware, but does not enforce authentication policy at runtime.Directly detected violations:
Finding ClassCR ViolationDescription
secret/credentialsCR 1.5 — Authenticator managementHardcoded usernames and passwords in binary
secret/api-credentialsCR 1.5Hardcoded API keys and service credentials
secret/private-keyCR 1.5Embedded private keys that compromise PKI-based authentication
secret/leakedCR 1.5Credentials confirmed active/valid via external validation
secret/oauth-tokenCR 1.5OAuth and JWT tokens embedded in firmware
crypto/certificate-expiredCR 1.8 — PKI certificatesExpired authentication certificates
crypto/certificate-self-signedCR 1.8Self-signed certificates bypassing trust chain
crypto/certificate-untrusted-rootCR 1.8Certificates not anchored to trusted roots
crypto/weak-rsa-parametersCR 1.8RSA keys below minimum strength requirements
Gap: Authentication enforcement (IAC at SL 2–4: MFA, hardware tokens, certificate lifecycle management) is a runtime/operational control outside BTP’s scope.
Scope: Least-privilege access control, RBAC enforcement, audit logging of access decisions.BTP Coverage: EvidenceBTP itself implements use control requirements for the platform (RBAC, MFA, SSO), but does not perform automated analysis of access control logic in analyzed binaries.BTP platform-level UC compliance:
  • Granular RBAC: Admin, Analyst, and Viewer roles scoped to Organization, Product, and Image levels
  • All access decisions are logged; audit trail is available for compliance review
  • Mandatory MFA and SSO (SAML/OIDC) enforce authentication before use control is applied
For analyzed components: Use control logic in firmware (privilege separation, permission checking) requires manual review of binary logic or source code analysis. BTP’s reachability analysis can contextualize whether privilege-controlled paths are accessible to untrusted inputs, but automated UC policy verification is not a current BTP capability.
Scope: Protection of hardware, software, and communications against unauthorized modification; secure boot; firmware integrity; malware protection.BTP Coverage: Full.FR 3 (System Integrity) is the foundational requirement most directly addressed by binary analysis:Secure boot and firmware integrity (EDR 3.4):
  • UEFI Secure Boot bypass vulnerabilities: vulnerability/uefi/secure-boot-bypass
  • PKfail and related supply chain compromise of platform keys: supply-chain/pkfail
  • UEFI boot script vulnerabilities enabling pre-boot compromise
  • BootGuard policy violations
Firmware integrity verification gaps:
  • mitigation/missing-control-flow-integrity: Control Flow Integrity absent — enables hijacking of execution after integrity bypass
  • mitigation/uefi/memory-protection-misconfiguration: UEFI memory protection policies not enforced
  • weakness/posix/not-stripped: Symbols present, reducing reverse engineering barrier for integrity attacks
Malicious and suspicious code (CR 3.8 — Malware protection):
  • malware/known-malware: Binary contains signatures matching known malicious firmware implants
  • malware/uefi-hook-installation: Hooks into UEFI boot services — hallmark of firmware persistence implants
  • malware/malicious-behavior: Behavioral patterns indicative of malicious intent
  • suspicious/packed-elf: Binary packing used to evade integrity scanning
  • suspicious/obfuscated-code: Code obfuscation inconsistent with legitimate firmware
  • suspicious/reverse-text: Anti-analysis technique indicating potential tampering
  • suspicious/pt-note-conversion: PT_NOTE to PT_LOAD conversion — common ELF rootkit technique
Communication integrity:
  • Detection of weak or absent integrity mechanisms in protocol implementations
  • POSIX and UEFI-level unsafe operations enabling memory corruption attacks against integrity controls
Scope: Protection of sensitive data at rest and in transit; encryption algorithm requirements; key management.BTP Coverage: Full.The CBOM and cryptographic finding classes cover FR 4 directly:Weak or non-compliant algorithms:
Finding ClassFR 4 Violation
crypto/weak-hash-algorithmInsecure hashing (MD5, SHA-1) for data integrity/confidentiality
crypto/weak-encryption-algorithmDES, 3DES, RC4, or other deprecated ciphers
crypto/weak-mac-algorithmWeak HMAC or MAC constructions
crypto/deprecated-protocolSSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
crypto/weak-rsa-parametersRSA keys below 2048-bit (CR 4.3 minimum)
crypto/weak-ec-parametersEC curves below recommended strength
Certificate and key management (CR 4.2, EDR 4.1):
Finding ClassFR 4 Violation
crypto/certificate-expiredExpired TLS/signing certificates
crypto/certificate-self-signedSelf-signed certs bypassing trust chain
crypto/certificate-untrusted-rootCertificates from non-trusted anchors
secret/private-keyPrivate keys embedded in firmware — catastrophic DC failure
crypto/pkcs7-weak-signatureWeakly signed code or data bundles
Post-quantum readiness (CR 4.x for long-lifecycle components): The PQC Compliance Report identifies all cryptographic algorithms vulnerable to quantum attacks (RSA, ECC, Diffie-Hellman, SHA-1/SHA-256 for signatures), providing:
  • Executive summary with compliance status vs. NIST PQC standards (FIPS 203/204/205)
  • Per-algorithm migration urgency ratings
  • Component-level quantum exposure inventory from CBOM
IACS components with 10–20 year operational lifespans will outlive the cryptographic algorithms protecting them today.
Scope: Network segmentation, zone/conduit enforcement, firewall controls, unidirectional gateways.BTP Coverage: Not Covered.FR 5 is a network-architectural control requirement. BTP analyzes firmware and software binaries for security vulnerabilities — it does not perform network traffic analysis, firewall rule validation, or zone/conduit topology verification.Network security tools (firewalls, unidirectional gateways, network monitoring platforms) address FR 5 compliance.Adjacent BTP value: Detection of hardcoded IP addresses and network credentials (secret/credentials) that could undermine intended network segmentation controls.
Scope: Security event detection, audit log generation, intrusion detection, incident response.BTP Coverage: Partial — enables TRE but does not provide operational monitoring.BTP generates the vulnerability intelligence that feeds timely response workflows:Direct contribution:
  • VEX documents with under_investigation and affected status formalize the identification phase of incident response for known vulnerability classes
  • CISA KEV integration flags findings requiring mandatory 14-day remediation per CISA BOD 22-01
  • Reachability analysis contextualizes urgency: Direct reachability findings require immediate response; undetermined reachability enables risk-based prioritization
Gap: Audit log generation, SIEM integration, real-time intrusion detection, and incident response orchestration are operational controls outside BTP’s scope. SIEM/SOC platforms address FR 6 for operational environments.
Scope: DoS resilience, redundancy, resource usage monitoring, backup and recovery.BTP Coverage: Partial.In OT environments, patching is operationally disruptive — downtime in production systems has direct physical and financial consequences. Unnecessary patching of vulnerabilities that cannot actually be reached is a significant availability risk. BTP’s Reachability Analysis reduces this risk:
  • Reduces unnecessary patching downtime: By classifying vulnerabilities as Direct, Exported, Referenced, or Undetermined reachability, BTP allows operators to defer patching of unreachable code without compromising the system’s security posture.
  • DoS-relevant vulnerability isolation: CVSS Availability Impact filtering (CVSS Vector Filtering) isolates findings that directly threaten availability, such as those causing resource exhaustion or service disruption.
  • Vulnerability classes threatening availability: Missing mitigations (CFI, stack canaries) enable memory corruption attacks weaponizable for DoS; specific CVE classes are flagged with CVSS Impact scores indicating availability impact.
Gap: Operational availability controls — redundant architectures, failover mechanisms, backup/restore procedures, and uptime monitoring — are outside BTP’s analytical scope. Infrastructure and HA platforms address those requirements.

IEC 62443-2-4: Service Provider Requirements

IEC 62443-2-4 defines the security program capabilities that system integrators and service providers must offer when delivering integration and maintenance activities to IACS asset owners. It requires service providers to independently verify that the components they integrate are free from malicious code and continuously monitored for new vulnerabilities — without necessarily having access to vendor source code. Service providers can fulfill these obligations with BTP’s black-box binary analysis:
62443-2-4 RequirementBTP Capability
SP.03.02 — Malware Protection: Verify that delivered third-party software is free from malicious code and firmware implantsBTP scans any binary image without source code access, detecting firmware backdoors, UEFI implants, supply chain tampering, and suspicious code patterns across all 238 finding classes
SP.09.01 — Vulnerability Monitoring: Maintain continuous monitoring of third-party components for newly disclosed CVEs, including vulnerabilities not disclosed by the original vendorBinary-derived SBOM reveals statically linked dependencies that vendor manifests routinely omit; BTP maps CVE exposure across all detected components including hidden transitive dependencies
Patch applicability assessment before deploymentSBOM + VEX enable service providers to determine whether a vendor-issued patch applies to their specific integrated configuration before scheduling disruptive maintenance windows
Independent verification of vendor security claimsBinary-derived SBOM delta vs. vendor-declared SBOM surfaces undisclosed components, flagging supply chain risk that vendor self-attestation would not reveal
The core value for 62443-2-4 is the shift from “trust the vendor” to “verify the binary.” Most compliance tooling for service providers relies on vendor-provided SBOMs and self-attestation. BTP converts the opaque binary into an auditable artifact. This enables independent verification that third-party software meets the asset owner’s Target Security Level (SL-T), regardless of vendor claims.

IEC 62443-3-3: System Security Requirements

IEC 62443-3-3 defines 110 system-level Security Requirements (SRs) across the 7 Foundational Requirements at Security Levels 1–4. BTP maps directly to the SRs where binary analysis provides concrete verification evidence, particularly at SL-3 and SL-4 where defense against intentional attacks is required.
SRTitleBTP CoverageBTP Capability
SR 3.2Malicious Code ProtectionFullSemantic malware detection identifies firmware implants, backdoors, and Secure Boot bypasses (e.g., LogoFAIL, PKfail) that signature-based AV misses. Provides the higher assurance level required for SL-3/SL-4, where protection against sophisticated intentional violations is mandated.
SR 7.6Network and Security Configuration SettingsPartialBTP extracts configuration metadata from binaries — insecure protocol configurations (SSL/TLS versions, deprecated ciphers), hardening status (RELRO, PIE, NX), and credential artifacts — to verify that third-party software meets the hardening baseline mandated by the system design. Active network configuration enforcement is outside BTP’s scope.
SR 3.4Software and Information IntegrityFullDetects integrity violations in firmware binaries: unsigned code, missing CFI, tampered binaries (obfuscated/packed/reversed code), and supply chain compromise artifacts.
SR 1.1 / SR 1.5Human User Identification / Authenticator ManagementPartialDetects hardcoded credentials, embedded private keys, and expired PKI certificates in system components that violate authentication integrity requirements. Runtime IAC enforcement is outside scope.
SL-3 and SL-4 relevance: At SL-3 (protection against sophisticated attacks with OT-specific knowledge) and SL-4 (protection against state-level APT attacks), SR 3.2 requires going beyond signature-based malware detection. BTP’s semantic analysis — which identifies behavioral patterns, code structure anomalies, and known implant families — meets the depth required at these security levels. Simple AV scanning does not satisfy SL-3/SL-4 for SR 3.2.

IEC 62443-2-3: Patch Management

IEC 62443-2-3 is a Technical Report defining patch management requirements for IACS asset owners and the obligations of product suppliers to support patching activities. BTP supports both product suppliers (demonstrating patch delivery) and asset owners (assessing patch applicability and urgency):

For Product Suppliers

62443-2-3 RequirementBTP Capability
Maintain component inventory subject to patchingBinary-derived SBOM provides ground-truth component list with versions
Communicate CVE exposure to asset ownersVEX documents communicate affected / fixed / not_affected status per CVE per component version
Verify patch efficacyCross-image comparison confirms vulnerability resolution between pre-patch and post-patch builds
Document patch scopeFindings delta report identifies exactly which vulnerabilities were remediated in each release

For Asset Owners

62443-2-3 RequirementBTP Capability
Assess patch applicability to deployed systemsSBOM enables matching vendor-issued SBOMs against known component inventory
Prioritize patches by exploitabilityVEX affected status + Reachability tier + CVSS vector filtering enables risk-based prioritization
Prioritize mandatory patchesCISA KEV integration flags actively exploited vulnerabilities requiring mandatory remediation
Document patching decisionsFindings export (PDF / JSON / CSV) provides auditable record of known vulnerabilities and remediation status

Generating ISA/IEC 62443 Compliance Artifacts

BTP generates all standard-required compliance artifacts via API or UI export.
1

Upload and scan the firmware binary

Upload the firmware image and wait for scan completion. For CI/CD integration, use the CI/CD Integration pipeline.
2

Generate SBOM (62443-4-1 Practice 2 / 62443-2-3)

curl -H "Authorization: Bearer ${TOKEN}" \
  "${BINARLY_API_URL}/api/v4/products/${PRODUCT_ID}/images/${IMAGE_ID}/sbomReport:cycloneDX?contentType=json" \
  -o sbom-cyclonedx.json

# Also available: sbomReport:spdx
3

Generate CBOM (62443-4-2 FR 4 / DC)

curl -H "Authorization: Bearer ${TOKEN}" \
  "${BINARLY_API_URL}/api/v4/products/${PRODUCT_ID}/images/${IMAGE_ID}/cbomReport:cycloneDX" \
  -o cbom-cyclonedx.json
4

Generate VEX (62443-4-1 Practice 6–7 / 62443-2-3)

curl -H "Authorization: Bearer ${TOKEN}" \
  "${BINARLY_API_URL}/api/v4/products/${PRODUCT_ID}/images/${IMAGE_ID}/vexReport:openVEX" \
  -o vex-openvex.json

# Also available: vexReport:cycloneDX
5

Generate PQC Report (62443-4-2 FR 4 — long-lifecycle components)

# JSON for machine consumption
curl -H "Authorization: Bearer ${TOKEN}" \
  "${BINARLY_API_URL}/api/v4/products/${PRODUCT_ID}/images/${IMAGE_ID}/cryptographicMaterialsReport?mode=pqc-compliance&contentType=json" \
  -o pqc-compliance.json

# PDF for human review and audit packages
curl -H "Authorization: Bearer ${TOKEN}" \
  "${BINARLY_API_URL}/api/v4/products/${PRODUCT_ID}/images/${IMAGE_ID}/cryptographicMaterialsReport?mode=pqc-compliance&contentType=pdf" \
  -o pqc-compliance.pdf
6

Export Findings Report (62443-4-1 Practice 5 / 62443-4-2 all FRs)

# Full findings report for audit package
curl -H "Authorization: Bearer ${TOKEN}" \
  "${BINARLY_API_URL}/api/v4/products/${PRODUCT_ID}/images/${IMAGE_ID}/findingsReport:pdf?mode=full" \
  -o findings-full.pdf

# Machine-readable for automated compliance gates
curl -H "Authorization: Bearer ${TOKEN}" \
  "${BINARLY_API_URL}/api/v4/products/${PRODUCT_ID}/images/${IMAGE_ID}/findingsReport:json" \
  -o findings.json
For a single-command script that downloads all artifacts, see Compliance Artifacts — Automation Script.

Known Limitations

The following ISA/IEC 62443 requirements are outside BTP’s scope as a binary analysis platform:
Do not use BTP as the sole evidence source for these requirement areas. Complementary controls are required to achieve a complete compliance posture.
Requirement AreaStandard ReferenceRecommended Approach
Network segmentation, zone/conduit enforcementFR 5 (RDF)Industrial firewalls, unidirectional gateways, network security monitoring platforms
Real-time operational event monitoring and SIEMFR 6 (TRE)Industrial SIEM, OT-aware IDS (e.g., Claroty, Dragos, Nozomi)
Redundancy, failover, and uptime monitoringFR 7 (RA) — operationalInfrastructure redundancy design, HA platforms, availability monitoring
Access control enforcement and RBAC in firmwareFR 1/2 (IAC/UC)Runtime security testing, source code review, penetration testing
Security management policies and governance62443-4-1 Practice 1GRC platforms, policy management tools
Threat modeling and security requirements definition62443-4-1 Practice 2Threat modeling tools (STRIDE, PASTA), security requirements management
Active penetration testing and fuzz testing62443-4-1 Practice 5Dynamic testing tools, dedicated firmware pentest engagements
Organizational patch management workflows62443-2-3 (procedural)Vulnerability management platforms, asset owner patch workflows
Service provider governance, contracts, and audit programs62443-2-4 (non-technical)Contract requirements, service provider audit programs, GRC platforms
Asset owner security program governance62443-2-1 (non-technical)GRC platforms, CSMS/Security Program management tools

SBOM Export

Generate binary-derived Software Bills of Materials in CycloneDX and SPDX formats.

CBOM Export

Inventory all cryptographic algorithms, keys, and certificates in analyzed binaries.

VEX Export

Communicate vulnerability exploitability status to downstream integrators and asset owners.

PQC Compliance Report

Assess post-quantum cryptography readiness for long-lifecycle IACS components.

Reachability Analysis

Understand exploitability context for vulnerability prioritization.

Finding Classes

Complete reference of all 238 finding classes and their security significance.