iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
IEC

IEC PAS 62443-2-2:2025

(Main)

Security for industrial automation and control systems – Part 2-2: IACS security protection scheme

Security for industrial automation and control systems – Part 2-2: IACS security protection scheme

IEC PAS 62443-2-2: 2025 provides guidance on the development, validation, operation, and maintenance of a set of technical, physical, and process security measures called Security Protection Scheme (SPS). The document’s goal is to provide the asset owner implementing an IACS Security Program (SP) with mechanisms and procedures to ensure that the design, implementation and operation of an SPS manage the risks resulting from cyberthreats to each of the IACS included in its operating facility.
The document is based on contents specified in other documents of the IEC 62443 series and explains how these contents can be used to support the development of technical, physical, and process security measures addressing the risks to the IACS during the operation phase.

General Information

Status
Published
Publication Date
10-Mar-2025
ICS
25.040.40 - Industrial process measurement and control
35.100.05 - Multilayer applications
Technical Committee
TC 65 - Industrial-process measurement, control and automation
Drafting Committee
WG 10 - TC 65/WG 10
Current Stage
PPUB - Publication issued
Start Date
11-Apr-2025
Due Date
11-Mar-2025
Completion Date
11-Mar-2025
Ref Project

Buy Standard

IEC PAS 62443-2-2:2025 - Security for industrial automation and control systems – Part 2-2: IACS security protection scheme Released:11. 03. 2025 Isbn:9782832702994IEC PAS 62443-2-2:2025 - Security for industrial automation and control systems – Part 2-2: IACS security protection scheme Released:11. 03. 2025 Isbn:9782832702994
PreviousNext
Technical specification
IEC PAS 62443-2-2:2025 - Security for industrial automation and control systems – Part 2-2: IACS security protection scheme Released:11. 03. 2025 Isbn:9782832702994
English language
44 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)


IEC PAS 62443-2-2 ®
Edition 1.0 2025-03
PUBLICLY AVAILABLE
SPECIFICATION
Security for industrial automation and control systems –
Part 2-2: IACS security protection scheme

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.

IEC Secretariat Tel.: +41 22 919 02 11
3, rue de Varembé info@iec.ch
CH-1211 Geneva 20 www.iec.ch
Switzerland
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigendum or an amendment might have been published.

IEC publications search - webstore.iec.ch/advsearchform IEC Products & Services Portal - products.iec.ch
The advanced search enables to find IEC publications by a Discover our powerful search engine and read freely all the
variety of criteria (reference number, text, technical publications previews, graphical symbols and the glossary.
committee, …). It also gives information on projects, replaced With a subscription you will always have access to up to date
and withdrawn publications. content tailored to your needs.

IEC Just Published - webstore.iec.ch/justpublished
Electropedia - www.electropedia.org
Stay up to date on all new IEC publications. Just Published
The world's leading online dictionary on electrotechnology,
details all new publications released. Available online and once
containing more than 22 500 terminological entries in English
a month by email.
and French, with equivalent terms in 25 additional languages.

Also known as the International Electrotechnical Vocabulary
IEC Customer Service Centre - webstore.iec.ch/csc
(IEV) online.
If you wish to give us your feedback on this publication or need

further assistance, please contact the Customer Service
Centre: sales@iec.ch.
IEC PAS 62443-2-2 ®
Edition 1.0 2025-03
PUBLICLY AVAILABLE
SPECIFICATION
Security for industrial automation and control systems –

Part 2-2: IACS security protection scheme

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 25.040.40; 35.100.05 ISBN 978-2-8327-0299-4

– 2 – IEC PAS 62443-2-2:2025 © IEC 2025
CONTENTS
FOREWORD . 4
INTRODUCTION . 6
1 Scope . 7
2 Normative references . 7
3 Terms, definitions, abbreviated terms and acronyms . 8
3.1 Terms and definitions . 8
3.2 Abbreviated terms and acronyms . 10
4 Relationship between this document and other documents . 10
5 Security program and security protection scheme . 11
5.1 Relationship between security program and security protection scheme. 11
5.2 Process steps for the generation of a Security Protection Scheme . 12
6 Security protection ratings . 14
6.1 Overview. 14
6.2 Use of the maturity model defined in IEC 62443-2-1 for the determination of
SPR values . 15
6.3 Use of alternative SPR matrixes for internal purposes . 17
6.4 Grouping of security requirements . 18
6.5 Tracing to SPEs and sub-SPEs . 18
6.6 Views . 19
6.7 SPR and SL types . 20
6.7.1 General . 20
6.7.2 SL types for products . 20
6.7.3 SPR types used in an IACS life cycle . 20
7 Principal roles. 22
7.1 Overview. 22
7.2 Asset owner . 23
7.3 Integration service provider . 24
7.4 Maintenance service provider . 24
7.5 Product supplier . 24
7.6 Other roles . 25
8 Duties and activities in the IACS life cycle related to the security protection
scheme . 25
8.1 Overview. 25
8.2 Generation of the cybersecurity requirement specification (CRS) . 26
8.3 Design and implementation of the security measures . 27
8.4 Generation and documentation of the process security measures . 30
8.5 Validation of the security protection scheme . 30
8.5.1 Overview . 30
8.5.2 Validation of the technical security measures . 31
8.5.3 Validation of the process security measures . 32
8.5.4 Prediction of the SPR values, SPR-I . 32
8.6 Periodic revalidation of the SPS during operation . 33
Annex A (informative) Example of methodology for SPR verification . 34
A.1 Overview. 34
A.2 Detailed assessment, requirements-based . 34
A.3 Detailed assessment, risk-based . 35

A.4 Simplified evaluation, questions-based . 35
Annex B (informative) Maturity level assessment . 36
B.1 General . 36
B.2 Overall assessment work process . 36
B.3 Maturity level assessment procedure . 36
B.4 Security program maturity level assessment attributes . 39
B.5 ML assessment documentation . 42
Bibliography . 44

Figure 1 – Simplified asset owner security protection scheme (SPS) life cycle . 7
Figure 2 – Security program and security protection scheme . 12
Figure 3 – Process steps for generating a security protection scheme . 13
Figure 4 – Maturity model . 15
Figure 5 – Determination of the SPR value by using the maturity model of
IEC 62443-2-1 . 16
Figure 6 – Example of visualizing the fulfilment of a system security requirement with
an SPR value . 17
Figure 7 – Examples of alternative SPR matrix for internal purposes . 18
Figure 8 – Example of a dashboard for the generic view . 20
Figure 9 – Use of SPR and SL types in the IACS life cycle . 22
Figure 10 – Roles and responsibilities overview . 23
Figure 11 – Life cycle phases and roles . 26
Figure 12 – Iterations in the IACS life cycle . 26
Figure 13 – Activities and responsibilities for the generation of the CRS (simplified
view) . 27
Figure 14 – Activities and responsibilities for the design and implementation of the
technical security measures applied to the automation solution (simplified view). 28
Figure 15 – Activities and responsibilities for the documentation of process security
measures (simplified view) . 30
Figure 16 – Example of the determination of the SL value which can be met with
capabilities provided by the technical security measures . 31
Figure 17 – Example of the prediction of the SPR value . 32
Figure B.1 – Example ML assessment based on IEC 62443-2-1 . 43

Table B.1 – Assessment MLs . 36
Table B.2 – Maturity level assessment procedure . 37
Table B.3 – Security program maturity level assessment attributes . 39

– 4 – IEC PAS 62443-2-2:2025 © IEC 2025
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
SECURITY FOR INDUSTRIAL AUTOMATION AND CONTROL SYSTEMS –

Part 2-2: IACS security protection scheme

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

IEC
IEC 62443-2-1:2024(Main)
Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS asset owners

IEC 62443-2-1:2024 specifies asset owner security program (SP) policy and procedure requirements for an industrial automation and control system (IACS) in operation. This document uses the broad definition and scope of what constitutes an IACS as described in IEC TS 62443‑1‑1. In the context of this document, asset owner also includes the operator of the IACS.
This document recognizes that the lifespan of an IACS can exceed twenty years, and that many legacy systems contain hardware and software that are no longer supported. Therefore, the SP for most legacy systems addresses only a subset of the requirements defined in this document. For example, if IACS or component software is no longer supported, security patching requirements cannot be met. Similarly, backup software for many older systems is not available for all components of the IACS. This document does not specify that an IACS has these technical requirements. This document states that the asset owner needs to have policies and procedures around these types of requirements. In the case where an asset owner has legacy systems that do not have the native technical capabilities, compensating security measures can be part of the policies and procedures specified in this document.
This edition includes the following significant technical changes with respect to the previous edition:
a) revised requirement structure into SP elements (SPEs),
b) revised requirements to eliminate duplication of an information security management system (ISMS), and
c) defined a maturity model for evaluating requirements.

  • Standard
    189 pages
    English and French language
    sale 15% off
IEC
IEC 62443-2-4:2023(Main)
Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers

IEC 62443-2:2023 specifies a comprehensive set of requirements for security-related processes that IACS service providers can offer to the asset owner during integration and maintenance activities of an Automation Solution. Because not all requirements apply to all industry groups and organizations, Subclause 4.1.4 provides for the development of "profiles" that allow for the subsetting of these requirements. Profiles are used to adapt this document to specific environments, including environments not based on an IACS.
NOTE 1 The term "Automation Solution" is used as a proper noun (and therefore capitalized) in this document to prevent confusion with other uses of this term. Collectively, the security processes offered by an IACS service provider are referred to as its Security Program (SP) for IACS asset owners. In a related specification, IEC 62443-2-1 describes requirements for the Security Management System of the asset owner.
NOTE 2 In general, these security capabilities are policy, procedure, practice and personnel related. Figure 1 illustrates the integration and maintenance security processes of the asset owner, service provider(s), and product supplier(s) of an IACS and their relationships to each other and to the Automation Solution. Some of the requirements of this document relating to the safety program are associated with security requirements described in IEC 62443-3-3 and IEC 62443-4-2.
NOTE 3 The IACS is a combination of the Automation Solution and the organizational measures necessary for its design, deployment, operation, and maintenance.
NOTE 4 Maintenance of legacy system with insufficient security technical capabilities, implementation of policies, processes and procedures can be addressed through risk mitigation.

  • Standard
    194 pages
    English and French language
    sale 15% off
IEC
IEC TS 62872-1:2019(Main)
Industrial-process measurement, control and automation - Part 1: System interface between industrial facilities and the smart grid

IEC 62872-1:2019(E) defines the interface, in terms of information flow, between industrial facilities and the “smart grid”. It identifies, profiles and extends where required, the standards needed to allow the exchange of the information needed to support the planning, management and control of electric energy flow between the industrial facility and the smart grid.
The scope of this document specifically excludes the protocols needed for the direct control of energy resources within a facility where the control and ultimate liability for such control is delegated by the industrial facility to the external entity (e.g. distributed energy resource (DER) control by the electrical grid operator).

  • Technical specification
    101 pages
    English language
    sale 15% off
IEC
IEC 62443-2-4:2015(Main)
Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers

IEC 62443-2-4:2015 specifies requirements for security capabilities for IACS service providers that they can offer to the asset owner during integration and maintenance activities of an Automation Solution. The contents of the corrigendum of August 2015 have been included in this copy.

  • Standard
    180 pages
    English language
    sale 15% off
  • Standard
    389 pages
    English and French language
    sale 15% off
IEC
IEC 62443-2-4:2015/COR1:2015(Corrigendum)
Corrigendum 1 - Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers

Specifies the test methods to be used for testing polymeric insulating and sheathing material of electric cables for power distribution and telecommunications including cables used on ships.[
]Gives the methods for the ozone resistance test, hot set test and mineral oil immersion test, which apply to elastomeric compounds.

  • Standard
    10 pages
    English and French language
    sale 15% off
  • Standard
    10 pages
    English and French language
    sale 15% off
IEC
IEC TR 62443-2-3:2015(Main)
Security for industrial automation and control systems - Part 2-3: Patch management in the IACS environment

IEC TR 62443-2-3:2015(E) describes requirements for asset owners and industrial automation and control system (IACS) product suppliers that have established and are now maintaining an IACS patch management program. This Technical Report recommends a defined format for the distribution of information about security patches from asset owners to IACS product suppliers, a definition of some of the activities associated with the development of the patch information by IACS product suppliers and deployment and installation of the patches by asset owners. The exchange format and activities are defined for use in security related patches; however, it may also be applicable for non-security related patches or updates.

  • Technical report
    61 pages
    English language
    sale 15% off
IEC
IEC 62443-2-1:2010(Main)
Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program

IEC 62443-2-1:2010 defines the elements necessary to establish a cyber security management system (CSMS) for industrial automation and control systems (IACS) and provides guidance on how to develop those elements. This standard uses the broad definition and scope of what constitutes an IACS described in IEC/TS 62443-1-1. The elements of a CSMS described in this standard are mostly policy, procedure, practice and personnel related, describing what shall or should be included in the final CSMS for the organization. This bilingual version (2012-04) corresponds to the monolingual English version, published in 2010-11.

  • Standard
    159 pages
    English language
    sale 15% off
  • Standard
    338 pages
    English and French language
    sale 15% off
IEC
IEC TR 62443-3-1:2009(Main)
Industrial communication networks - Network and system security - Part 3-1: Security technologies for industrial automation and control systems

IEC/TR 62443-3-1:2009(E) provides a current assessment of various cybersecurity tools, mitigation counter-measures, and technologies that may effectively apply to the modern electronically based IACSs regulating and monitoring numerous industries and critical infrastructures. It describes several categories of control system-centric cybersecurity technologies, the types of products available in those categories, the pros and cons of using those products in the automated IACS environments, relative to the expected threats and known cyber vulnerabilities, and, most important, the preliminary recommendations and guidance for using these cybersecurity technology products and/or countermeasures.

  • Technical report
    102 pages
    English language
    sale 15% off
IEC
IEC TS 62453-53-31:2025(Main)
Field Device Tool (FDT) Interface Specification - Part 53-31: Communication implementation for CLI and HTML – IEC 61784 CP 3/1 and CP 3/2

IEC TS 62453-53-31:2025 provides information for integrating the PROFIBUS[1] technology into the CLI-based implementation of FDT interface specification (IEC TS 62453-43).
This document specifies implementation of communication and other services based on IEC 62453‑303-1.
This document neither contains the FDT specification nor modifies it.
[1] PROFIBUS™ is a trade name of the non-profit organization PROFIBUS Nutzerorganisation e.V. (PNO). This information is given for the convenience of users of this document and does not constitute an endorsement by IEC of the trade name holder or any of its products. Compliance to this document does not require use of the registered logos for PROFIBUS™. Use of the registered logos for PROFIBUS™ requires permission of PNO.

  • Technical specification
    68 pages
    English language
    sale 15% off
IEC
IEC TS 62453-43:2024(Main)
Field device tool (FDT) interface specification – Part 43: Object model integration profile – CLI and HTML

IEC TS 62453-43:2024 specifies how the common FDT principles are implemented based on the CLI technology and web technologies for graphical user interfaces. The specification includes the object behaviour and object interaction via. NET Standard interfaces and JavaScript APIs. Emphasis has been placed on support of distributed Frame Application architectures.
This document specifies FDT version 3.0.

  • Technical specification
    361 pages
    English language
    sale 15% off