Run a risk-based patch & vulnerability program for your OT
IEC 62443 expects you to know your components' vulnerabilities, patch them on a risk basis, and keep SBOMs across the supply chain. IsItPatched gives you the inputs — known CVEs, what's actively exploited, the minimum safe version, and exportable SBOM/VEX/risk evidence.
1046 actively-exploited CVEs across 613 tracked products right now
Built for every 62443 role
Asset owners
Operators of IACS/OT. Run a risk-based patch-management process (62443-2-3): patch what's exploited first, track end-of-life components.
System integrators
Assess the components you deploy — known CVEs, exploited status and the safe version to specify.
Product suppliers
Track third-party components and ship SBOMs + VEX (62443-4-1 / 4-2) as part of a secure development lifecycle.
62443 practices → what IsItPatched gives you
Patch management (62443-2-3)
OT can't patch everything at once — so patch on risk. IsItPatched flags actively-exploited (CISA KEV) and high-EPSS CVEs and the minimum safe version, giving you a defensible "fix these first" queue.
See actively-exploited CVEs →
SBOM & component transparency (4-1 / 4-2)
Drop in a CycloneDX or SPDX SBOM for a per-component verdict, and export a CycloneDX VEX — the supply-chain transparency 62443 expects.
Scan an SBOM →
Vulnerability handling
Continuous identification across the component lifecycle, with a prioritised patch queue and exportable evidence of the process.
Open your dashboard →
End-of-life / legacy OT
OT runs for decades. End-of-life tracking and minimum-safe-version guidance flag components that can no longer be patched — a core IACS risk.
End-of-life calendar →
Export your evidence — today, free
- Machine-readable SBOM scan (CycloneDX / SPDX → OSV)
- CycloneDX VEX document (exploitability + remediation per component)
- Software risk register (CSV / print-to-PDF) citing the exact versions you run
- A prioritised, risk-based patch queue — the heart of a 62443-2-3 program
Sign in (free, no password) to sync your component stack and generate these from your dashboard.
Straight with you: IsItPatched is an informational tool built on public vulnerability data (NVD · CISA KEV · OSV · endoflife.date). It supports specific ISA/IEC 62443 practices — vulnerability identification, risk-based patch prioritisation, and SBOM/component transparency — but it is not legal advice and not a 62443 certification or conformity assessment. Confirm your obligations with a qualified advisor.
IEC 62443 — frequently asked
What is ISA/IEC 62443?
ISA/IEC 62443 is the international series of standards for the cybersecurity of Industrial Automation and Control Systems (IACS) — the OT that runs manufacturing, energy, water and critical infrastructure. It defines requirements for asset owners, system integrators and product suppliers, including vulnerability handling, patch management, and software transparency (SBOMs).
How does IsItPatched help with IEC 62443?
IEC 62443-2-3 expects a risk-based patch-management process, and 62443-4-1/4-2 expect product suppliers to track third-party components and produce SBOMs. IsItPatched gives you the inputs: which components/products have known CVEs, which are actively exploited (CISA KEV) so you can prioritise, the minimum safe version to move to, a machine-readable SBOM scan and VEX, and a risk register you can keep as evidence.
Does IsItPatched make my system IEC 62443 compliant?
No. IsItPatched is an informational tool built on public vulnerability data. It supports specific 62443 practices — vulnerability identification, risk-based patch prioritisation and SBOM/component transparency — but it is not legal advice and not a 62443 certification or conformity assessment.
Also subject to the EU Cyber Resilience Act? See our CRA edition →