iTeh Standards logo
EURUSD
Your shopping cart is empty.
IEC

IEC 62443-2-1:2024

(Main)

Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS asset owners

Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS asset owners

IEC 62443-2-1:2024 specifies asset owner security program (SP) policy and procedure requirements for an industrial automation and control system (IACS) in operation. This document uses the broad definition and scope of what constitutes an IACS as described in IEC TS 62443‑1‑1. In the context of this document, asset owner also includes the operator of the IACS.
This document recognizes that the lifespan of an IACS can exceed twenty years, and that many legacy systems contain hardware and software that are no longer supported. Therefore, the SP for most legacy systems addresses only a subset of the requirements defined in this document. For example, if IACS or component software is no longer supported, security patching requirements cannot be met. Similarly, backup software for many older systems is not available for all components of the IACS. This document does not specify that an IACS has these technical requirements. This document states that the asset owner needs to have policies and procedures around these types of requirements. In the case where an asset owner has legacy systems that do not have the native technical capabilities, compensating security measures can be part of the policies and procedures specified in this document.
This edition includes the following significant technical changes with respect to the previous edition:
a) revised requirement structure into SP elements (SPEs),
b) revised requirements to eliminate duplication of an information security management system (ISMS), and
c) defined a maturity model for evaluating requirements.

Sécurité des systèmes d’automatisation et de commande industrielles - Partie 2-1: Exigences de programme de sécurité pour les propriétaires d’actif IACS

IEC 62443-2-1:2024 spécifie les exigences de politiques et de procédures du programme de sécurité (SP) du propriétaire d’actif pour un système d’automatisation et de commande industrielle (IACS) opérationnel. Le présent document utilise, au sens large, la définition et le domaine d’application de ce qui constitue un IACS décrit dans l’IEC TS 62443‑1-1. Dans le contexte du présent document, le propriétaire d’actif inclut également l’opérateur de l’IACS.
Le présent document reconnaît que la durée de vie d’un IACS peut dépasser vingt ans et que de nombreux systèmes patrimoniaux contiennent du matériel et du logiciel qui ne sont plus pris en charge. Par conséquent, le SP de la plupart des systèmes patrimoniaux ne concerne qu’un sous-ensemble des exigences définies dans le présent document. Les exigences en matière de correctifs de sécurité, par exemple, ne peuvent pas être satisfaites si l’IACS ou le logiciel composant n’est plus pris en charge. De même, le logiciel de sauvegarde de la plupart des systèmes plus anciens n’est pas disponible pour tous les composants de l’IACS. Le présent document ne précise pas qu'un IACS doit satisfaire à ces exigences techniques. Il indique qu’il est nécessaire que le propriétaire d’actif dispose de politiques et de procédures relatives à ces types d'exigences. Dans le cas où le propriétaire d'actif possède des systèmes patrimoniaux qui ne comportent pas des capacités techniques natives, des mesures de sécurité compensatoires peuvent faire partie des politiques et procédures spécifiées dans le présent document.
Cette édition inclut les modifications techniques majeures suivantes par rapport à l'édition précédente:
a) la structure des exigences a été révisée en éléments SP (SPE – SP element);
b) les exigences ont été révisées pour éliminer la répétition d'un système de management de la sécurité de l'information (SMSI); et
c) un modèle de stabilisation a été défini pour l'évaluation des exigences.

General Information

Status
Published
Publication Date
06-Aug-2024
ICS
25.040.40 - Industrial process measurement and control
35.100.05 - Multilayer applications
Technical Committee
TC 65 - Industrial-process measurement, control and automation
Drafting Committee
WG 10 - TC 65/WG 10
Current Stage
PPUB - Publication issued
Start Date
07-Aug-2024
Completion Date
09-Aug-2024
Ref Project

Relations

Revises
IEC 62443-2-1:2010 - Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program
Effective Date
05-Sep-2023
IEC 62443-2-1:2024 - Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS asset owners Released:7. 08. 2024 Isbn:9782832294598IEC 62443-2-1:2024 - Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS asset owners Released:7. 08. 2024 Isbn:9782832294598
PreviousNext
Standard
IEC 62443-2-1:2024 - Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS asset owners Released:7. 08. 2024 Isbn:9782832294598
English and French language
189 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)


IEC 62443-2-1 ®
Edition 2.0 2024-08
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
HORIZONTAL PUBLICATION
PUBLICATION HORIZONTALE
Security for industrial automation and control systems –
Part 2-1: Security program requirements for IACS asset owners

Sécurité des systèmes d’automatisation et de commande industrielles –
Partie 2-1: Exigences de programme de sécurité pour les propriétaires d’actif
IACS
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.

Droits de reproduction réservés. Sauf indication contraire, aucune partie de cette publication ne peut être reproduite ni
utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie et
les microfilms, sans l'accord écrit de l'IEC ou du Comité national de l'IEC du pays du demandeur. Si vous avez des
questions sur le copyright de l'IEC ou si vous désirez obtenir des droits supplémentaires sur cette publication, utilisez
les coordonnées ci-après ou contactez le Comité national de l'IEC de votre pays de résidence.

IEC Secretariat Tel.: +41 22 919 02 11
3, rue de Varembé info@iec.ch
CH-1211 Geneva 20 www.iec.ch
Switzerland
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigendum or an amendment might have been published.

IEC publications search - webstore.iec.ch/advsearchform IEC Products & Services Portal - products.iec.ch
The advanced search enables to find IEC publications by a Discover our powerful search engine and read freely all the
variety of criteria (reference number, text, technical publications previews, graphical symbols and the glossary.
committee, …). It also gives information on projects, replaced With a subscription you will always have access to up to date
and withdrawn publications. content tailored to your needs.

IEC Just Published - webstore.iec.ch/justpublished
Electropedia - www.electropedia.org
Stay up to date on all new IEC publications. Just Published
The world's leading online dictionary on electrotechnology,
details all new publications released. Available online and once
containing more than 22 500 terminological entries in English
a month by email.
and French, with equivalent terms in 25 additional languages.

Also known as the International Electrotechnical Vocabulary
IEC Customer Service Centre - webstore.iec.ch/csc
(IEV) online.
If you wish to give us your feedback on this publication or need

further assistance, please contact the Customer Service
Centre: sales@iec.ch.
A propos de l'IEC
La Commission Electrotechnique Internationale (IEC) est la première organisation mondiale qui élabore et publie des
Normes internationales pour tout ce qui a trait à l'électricité, à l'électronique et aux technologies apparentées.

A propos des publications IEC
Le contenu technique des publications IEC est constamment revu. Veuillez vous assurer que vous possédez l’édition la
plus récente, un corrigendum ou amendement peut avoir été publié.

Recherche de publications IEC -  IEC Products & Services Portal - products.iec.ch
webstore.iec.ch/advsearchform Découvrez notre puissant moteur de recherche et consultez
La recherche avancée permet de trouver des publications IEC gratuitement tous les aperçus des publications, symboles
en utilisant différents critères (numéro de référence, texte, graphiques et le glossaire. Avec un abonnement, vous aurez
comité d’études, …). Elle donne aussi des informations sur les toujours accès à un contenu à jour adapté à vos besoins.
projets et les publications remplacées ou retirées.

Electropedia - www.electropedia.org
IEC Just Published - webstore.iec.ch/justpublished
Le premier dictionnaire d'électrotechnologie en ligne au monde,
Restez informé sur les nouvelles publications IEC. Just
avec plus de 22 500 articles terminologiques en anglais et en
Published détaille les nouvelles publications parues.
français, ainsi que les termes équivalents dans 25 langues
Disponible en ligne et une fois par mois par email.
additionnelles. Egalement appelé Vocabulaire

Electrotechnique International (IEV) en ligne.
Service Clients - webstore.iec.ch/csc

Si vous désirez nous donner des commentaires sur cette
publication ou si vous avez des questions contactez-nous:
sales@iec.ch.
IEC 62443-2-1 ®
Edition 2.0 2024-08
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Security for industrial automation and control systems –

Part 2-1: Security program requirements for IACS asset owners

Sécurité des systèmes d’automatisation et de commande industrielles –

Partie 2-1: Exigences de programme de sécurité pour les propriétaires d’actif

IACS
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 25.040.40, 35.100.05 ISBN 978-2-8322-9459-8

– 2 – IEC 62443-2-1:2024 © IEC 2024
CONTENTS
FOREWORD . 6
INTRODUCTION . 8
1 Scope . 10
2 Normative references . 11
3 Terms, definitions, abbreviated terms and conventions . 11
3.1 Terms and definitions . 11
3.2 Abbreviated terms and acronyms . 15
3.3 Conventions . 16
4 Concepts . 17
4.1 Use of this document . 17
4.1.1 Applicable roles . 17
4.1.2 Use of this document by asset owners . 17
4.1.3 Use of this document by service providers and product suppliers. 19
4.2 Maturity level (ML) definitions . 20
4.3 Security levels (SLs) . 21
4.4 Requirements definitions . 21
4.4.1 Requirements organization . 21
4.4.2 Requirements cross-references . 22
4.4.3 Requirement conventions . 22
5 Conformance and assessment . 22
5.1 Overview. 22
5.2 Conformity evidence . 23
5.3 Requirements evaluation and profiles . 24
5.3.1 Overview . 24
5.3.2 Evaluation of risk to requirements . 24
5.3.3 Profiles . 24
5.3.4 Conformity assessment for the asset owner role . 25
6 SPE 1 – Organizational security measures . 25
6.1 Purpose . 25
6.2 ORG 1 – Security related organization and policies. 25
6.2.1 ORG 1.1: Information security management system (ISMS) . 25
6.2.2 ORG 1.2: Background checks . 26
6.2.3 ORG 1.3: Security roles and responsibilities . 26
6.2.4 ORG 1.4: Security awareness training . 27
6.2.5 ORG 1.5: Security responsibilities training . 27
6.2.6 ORG 1.6: Supply chain security . 28
6.3 ORG 2 – Security assessments and reviews . 28
6.3.1 ORG 2.1: Security risk mitigation . 28
6.3.2 ORG 2.2: Processes for discovery of security anomalies . 29
6.3.3 ORG 2.3: Secure development and support . 30
6.3.4 ORG 2.4: SP reviews . 30
6.4 ORG 3 – Security of physical access . 30
6.4.1 ORG 3.1: Physical access control . 30
7 SPE 2 – Configuration management . 31
7.1 Purpose . 31

7.2 CM 1 – Inventory management of IACS hardware/software components and
network communications . 31
7.2.1 CM 1.1: Asset inventory baseline . 31
7.2.2 CM 1.2: Infrastructure drawings/documentation . 32
7.2.3 CM 1.3: Configuration settings . 32
7.2.4 CM 1.4: Change control . 33
8 SPE 3 – Network and communications security . 33
8.1 Purpose . 33
8.2 NET 1 – System segmentation . 33
8.2.1 NET 1.1: Segmentation from non-IACS zones . 33
8.2.2 NET 1.2: Documentation of zones and network zone interconnections . 34
8.2.3 NET 1.3: Network segmentation from safety systems. 34
8.2.4 NET 1.4: Network autonomy . 35
8.2.5 NET 1.5: Network disconnection from external networks . 35
8.2.6 NET 1.6: Internal network access control . 35
8.2.7 NET 1.7: Network accessible services . 36
8.2.8 NET 1.8: User messaging . 36
8.2.9 NET 1.9: Network time distribution . 36
8.3 NET 2 – Secure wireless access . 37
8.3.1 NET 2.1: Wireless protocols . 37
8.3.2 NET 2.2: Wireless network segmentation . 37
8.3.3 NET 2.3: Wireless properties and addresses . 38
8.4 NET 3 – Secure remote access . 38
8.4.1 NET 3.1: Remote access applications . 38
8.4.2 NET 3.2: Remote access connections . 39
8.4.3 NET 3.3: Remote access termination . 39
9 SPE 4 – Component security . 40
9.1 Purpose . 40
9.2 COMP 1 – Components and portable media . 40
9.2.1 COMP 1.1: Component hardening . 40
9.2.2 COMP 1.2: Dedicated portable media . 41
9.3 COMP 2 – Malware protection . 41
9.3.1 COMP 2.1: Malware free . 41
9.3.2 COMP 2.2: Malware protection . 42
9.3.3 COMP 2.3: Malware protection software validation and installation . 42
9.4 COMP 3 – Patch management . 43
9.4.1 COMP 3.1: Security patch authenticity/integrity . 43
9.4.2 COMP 3.2: Security patch validation and installation . 43
9.4.3 COMP 3.3: Security patch status . 43
9.4.4 COMP 3.4: Security patching retention of security . 44
9.4.5 COMP 3.5: Security patch mitigation . 44
10 SPE 5 – Protection of data . 44
10.1 Purpose . 44
10.2 DATA 1 – Protection of data. 45
10.2.1 DATA 1.1: Data classification . 45
10.2.2 DATA 1.2: Data confidentiality . 45
10.2.3 DATA 1.3: Safety system configuration mode . 46
10.2.4 DATA 1.4: Data retention policy . 46
10.2.5 DATA 1.5: Cryptographic mechanisms . 47

– 4 – IEC 62443-2-1:2024 © IEC 2024
10.2.6 DATA 1.6: Key management . 47
10.2.7 DATA 1.7: Data Integrity . 47
11 SPE 6 – User access control . 48
11.1 Purpose . 48
11.2 USER 1 – Identification and authentication . 48
11.2.1 USER 1.1: User identity assignment . 48
11.2.2 USER 1.2: User identity removal. 49
11.2.3 USER 1.3: User identity persistence . 49
11.2.4 USER 1.4: Access rights assignment . 50
11.2.5 USER 1.5: Least privilege . 50
11.2.6 USER 1.6: Software service authentication . 50
11.2.7 USER 1.7: Software services interactive login rights . 51
11.2.8 USER 1.8: Human user authentication . 51
11.2.9 USER 1.9: Multifactor authentication (MFA) . 51
11.2.10 USER 1.10: Mutual authentication . 52
11.2.11 USER 1.11: Password protection . 52
11.2.12 USER 1.12: Shared and disclosed/compromised passwords . 53
11.2.13 USER 1.13: User login display information. 53
11.2.14 USER 1.14: User login failure displays . 53
11.2.15 USER 1.15: Consecutive login failures. 54
11.2.16 USER 1.16: Session integrity . 54
11.2.17 USER 1.17: Concurrent sessions . 54
11.2.18 USER 1.18: Screen lock . 55
11.2.19 USER 1.19: Component authentication . 55
11.3 USER 2 – Authorization and access control . 55
11.3.1 USER 2.1: Authorization . 55
11.3.2 USER 2.2: Separation of duties . 56
11.3.3 USER 2.3: Multiple approvals . 56
11.3.4 USER 2.4: Manual elevation of privileges . 57
12 SPE 7 – Event and incident management . 57
12.1 Purpose . 57
12.2 EVENT 1 – Event and incident management . 57
12.2.1 EVENT 1.1: Event detection . 57
12.2.2 EVENT 1.2: Event reporting . 58
12.2.3 EVENT 1.3: Event reporting interfaces . 58
12.2.4 EVENT 1.4: Logging . 59
12.2.5 EVENT 1.5: Log entries . 59
12.2.6 EVENT 1.6: Log access . 59
12.2.7 EVENT 1.7: Event analysis . 60
12.2.8 EVENT 1.8: Incident handling and response . 60
12.2.9 EVENT 1.9: Vulnerability handling . 60
13 SPE 8 – System integrity and availability . 61
13.1 Purpose . 61
13.2 AVAIL 1 – System availability and intended functionality . 61
13.2.1 AVAIL 1.1: Continuity management . 61
13.2.2 AVAIL 1.2: Resource availability management . 62
13.2.3 AVAIL 1.3: Failure-state. 62
13.3 AVAIL 2 – Backup/restore/archive . 62
13.3.1 AVAIL 2.1: Backup . 62

13.3.2 AVAIL 2.2: Backup non-interference . 63
13.3.3 AVAIL 2.3: Backup verification . 63
13.3.4 AVAIL 2.4: Backup media . 63
13.3.5 AVAIL 2.5: Backup restoration . 64
Annex A (informative) Cross-references to other standards . 65
A.1 Requirements relationship to IEC 62443‑2‑4 . 65
A.2 Requirements relationship to IEC 62443‑3‑3 . 68
A.3 Requirements relationship to IEC 62443‑4‑2 . 70
A.4 Requirements relationship to ISO/IEC 27001:2013 . 73
A.5 Requirements relationship to the NIST CSF . 77
Annex B (informative) Establishing and maintaining an IACS SP . 81
B.1 General . 81
B.2 Managing cybersecurity risk . 82
B.2.1 Understanding cybersecurity risk . 82
B.2.2 Impacts of cybersecurity compromises. 82
B.2.3 Risk ranking . 82
B.2.4 Cybersecurity attack exposure versus likelihood . 83
B.3 Elements of a cybersecurity risk assessment/management process . 84
B.4 Elements of a cybersecurity risk assessment/management process . 85
Annex C (informative) Evaluating MLs . 87
C.1 Approach to evaluating MLs . 87
C.2 Examples of how to evaluate MLs . 88
Bibliography . 89

Figure 1 – Roles and responsibilities in the IEC 62443 series . 11
Figure B.1 – Example of process flow for cybersecurity risk management . 85
Figure B.2 – Levels of protection an asset requires . 86

Table 1 – ML levels and descriptions . 20
Table 2 – Typical conformity evidence types . 23
Table A.1 – IEC 62443‑2‑4 cross-references . 65
Table A.2 – Cross-reference of IEC 62443‑2‑1 to IEC 62443‑2‑4 . 66
Table A.3 – IEC 62443‑3‑3 cross-references . 68
Table A.4 – Cross-reference of IEC 62443‑2‑1 to IEC 62443‑3‑3 . 69
Table A.5 – IEC 62443‑4‑2 cross-references . 70
Table A.6 – Cross-reference of IEC 62443‑2‑1 to IEC 62443‑4‑2 . 72
Table A.7 – ISO/IEC 27001:2013 cross-references . 73
Table A.8 – Cross-reference of IEC 62443‑2‑1 to ISO/IEC 27001:2013 . 75
Table A.9 – NIST CSF cross-references . 77
Table A.10 – Cross-reference of IEC 62443‑2‑1 to NIST CSF . 79
Table B.1 – Example risk levels . 83

– 6 – IEC 62443-2-1:2024 © IEC 2024
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
SECURITY FOR INDUSTRIAL AUTOMATION AND CONTROL SYSTEMS –

Part 2-1: Security program requirements for IACS asset owners

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) IEC draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). IEC takes no position concerning the evidence, validity or applicability of any claimed patent rights in
respect thereof. As of the date of publication of this document, IEC had not received notice of (a) patent(s), which
may be required to implement this document. However, implementers are cautioned that this may not represent
the latest information, which may be obtained from the patent database available at https://patents.iec.ch. IEC
shall not be held responsible for identifying any or all such patent rights.
IEC 62443‑2‑1 has been prepared by IEC technical committee 65: Industrial process
measurement, control and automation, in collaboration with the liaison ISA99: ISA committee
on Security for industrial automation and control systems. It is an International Standard.
This second edition cancels and replaces the first edition published in 2010. This edition
constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous
edition:
a) revised requirement structure into SP elements (SPEs),
b) revised requirements to eliminate duplication of an information security management system
(ISMS), and
c) defined a maturity model for evaluating requirements.

The text of this International Standard is based on the following documents:
Draft Report on voting
65/1044/FDIS 65/1053/RVD
Full information on the voting for its approval can be found in the report on voting indicated in
the above table.
The language used for the development of this International Standard is English.
This document was drafted in accordance with ISO/IEC Directives, Part 2, and developed in
accordance with ISO/IEC Directives, Part 1 and ISO/IEC Directives, IEC Supplement, available
at www.iec.ch/members_experts/refdocs. The main document types developed by IEC are
described in greater detail at www.iec.ch/publications.
A list of all parts in the IEC 62443 series, published under the general title Security for industrial
automation and control systems, can be found on the IEC website.
Future standards in this series will carry the new general title as cited above. Titles of existing
standards in this series will be updated at the time of the next edition.
The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under webstore.iec.ch in the data related to the
specific document. At this date, the document will be
• reconfirmed,
• withdrawn, or
• revised.
IMPORTANT – The "colour inside" logo on the cover page of this document indicates
that it contains colours which are considered to be useful for the correct understanding
of its contents. Users should therefore print this document using a colour printer.

– 8 – IEC 62443-2-1:2024 © IEC 2024
INTRODUCTION
This document is the part of the IEC 62443 series that contains security requirements for
industrial automation and control system (IACS) asset owners. In the context of this document,
asset owner also includes the operator of the IACS. Its requirements focus on cybersecurity
and allow security capabilities that meet them to be provided as a combination of technical,
physical, process and compensating security measures.
Cybersecurity is an increasingly important topic in modern organizations. The term
cybersecurity is generally used to describe the set of security measures or practices taken to
protect a computer or computer system against unauthorized access or attack. In IACS, the
most significant concerns include unwanted access or attacks resulting in the IACS not
performing the correct functions in the required timeframe.
A very common engineering approach when faced with a challenging problem is to break the
problem into smaller pieces and address each piece in a disciplined manner. This approach is
a sound one for addressing cybersecurity risks with IACS. However, a frequent mistake is to
deal with cybersecurity one system at a time. Cybersecurity is a much larger challenge that
should address all IACS components as well as the policies, procedures, practices and
personnel that surround and utilize those IACS. Implementing such a wide-ranging management
system can require a cultural change within the organization.
Addressing cybersecurity on an organization-wide basis can seem like a daunting task. There
is no simple cookbook for security, nor is there a one-size-fits-all set of security practices.
Absolute security can be achievable but is probably undesirable because of the loss of
functionality that would be necessary to achieve this near perfect state. Security is a balance
of risk versus cost.
Each situation will be different. In some situations, the risk can be related to health, safety and
environmental (HSE) factors rather than purely economic impact. The risk can have an
unrecoverable consequence rather than a temporary financial setback. Therefore, a
predetermined set of mandatory security practices can either be overly restrictive and likely
quite costly to implement or be insufficient to address the risk.
This document supports the need to address cybersecurity for an IACS in operation by providing
requirements for establishing, implementing, maintaining and continually improving an IACS
security program (SP). These requirements, when implemented conscientiously, provide
security capabilities whose purpose is to reduce IACS security risks to a tolerable level. These
requirements are written to be implementation independent, allowing asset owners to select
approaches most suitable to their needs. IEC 62443‑3‑2 [1] describes the methodology for
addressing cybersecurity risks in an IACS system design and that assists in the identification
of risks and the selection of appropriate security requirements and associated capabilities for
an IACS SP.
Commercial-off-the-shelf (COTS) products are often not ruggedized or rigorously engineered
enough for IACS environments, where they can introduce additional vulnerabilities and threats
to the IACS.
___________
Numbers in square brackets refer to the Bibliography.

When COTS technologies are used in an IACS, they are often configured to meet IACS specific
functional needs and operational constraints. For example, security event handling in COTS
products may be configured differently for IACS applications than they are for traditional
information technology (IT) applications. Typical COTS equipment is designed for environments
where the primary objective is the protection of information. In an IACS environment, the
primary objectives are the protection of the HSE of the facility and the minimization of the
operational and business impact on facility operation. COTS technologies can be applied to
IACS applications, but the risks associated with using these technologies need to be understood
by the asset owner.
Some organizations can attempt to use pre-existing IT and business cybersecurity solutions to
address security for IACS without understanding the consequences. While many of these
solutions can be applied to IACS, it is important to apply them correctly to eliminate inadvertent
and undesired consequences. For example, in an IACS, availability may have a higher priority
than confidentiality, as opposed to typical IT applications.
Asset owners may wish to apply their IACS SP across the organization to address the
organization needs and objectives, security requirements, business and work processes, as
well as the organization size and structure. All of these influencing factors are dynamic and will
likely change over time. Thus, the adoption of an IACS SP is a strategic decision for the
organization.
The effectiveness of an IACS SP is often enhanced through coordination or integration with the
organization’s processes and overall information security management system (ISMS). For
example, security can be added to the organization supply chain processes to require security
in the design of processes, systems and controls. It is also expected that IACS SP will be scaled
in accordance with the needs of the IACS and the organization.

– 10 – IEC 62443-2-1:2024 © IEC 2024
SECURITY FOR INDUSTRIAL AUTOMATION AND CONTROL SYSTEMS –

Part 2-1: Security program requirements for IACS asset owners

1 Scope
This part of IEC 62443 specifies asset owner security program (SP) policy and procedure
requirements for an industrial automation and control system (IACS) in operation. This
document uses the broad definition and scope of what constitutes an IACS as described in
IEC TS 62443‑1‑1. In the context of this document, asset owner also includes the operator of
the IACS.
This document recognizes that the lifespan of an IACS can exceed twenty years, and that many
legacy systems contain hardware and software that are no longer supported. Therefore, the SP
for most legacy systems addresses only a subset of the requirements defined in this document.
For example, if IACS or component software is no longer supported, security patching
requirements cannot be met. Similarly, backup software for many older systems is not available
for all components of the IACS. This document does not specify that an IACS has these
technical requirements. This document states that the asset owner needs to have policies and
procedures around these types of requirements. In the case where an asset owner has legacy
systems that do not have the native technical capabilities, compensating security measures can
be part of the policies and procedures specified in this document.
This document also recognizes that not all requirements specified in this document apply to all
IACSs. For example, requirements associated with certain technology (such as wireless) or
functions (such as remote access) will not apply to IACSs that do not include these technologies
or functions. Similarly, not all malware protection requirements apply to systems for which
malware protection software is not available for any of their devices. Therefore, this document
states that the asset owner needs to identify the IACS security requirements that are applicable
to its IACSs in their specific operating environments.
The elements of an IACS SP described in this document define required security capabilities
that apply to the secure operation of an IACS. Although the asset owner is ultimately
accountable for the secure operation of an IACS, implementation of these security capabilities
often includes support from its service providers and product suppliers. For this reason, this
document provides guidance for an asset owner when stating security requirements for their
service providers and product suppliers, referencing other parts of the IEC 62443 series.
Figure 1 illustrates the roles and responsibilities of the asset owner, service provider(s) and
product supplier(s) of an IACS and their relationships to each other and to the Automation
Solution. The Automation Solution is a technical solution implementing the control/safety and
complementary functions necessary for the IACS. It is composed of hardware and software
components that have been installed and configured to operate in the IACS. The IACS is a
combination of the Automation Solution and the organizational measures necessary for its
design, deployment, operation and maintenance.
Some of these capabilities rely on the appropriate application of integration maintenance
capabilities defined in IEC 62443‑2‑4 [2] and technical security capabilities defined in
IEC 62443‑3‑3 [3] and IEC 62443‑4‑2 [4].

Figure 1 – Roles and responsibilities in the IEC 62443 series
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies.
For undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC TS 62443‑1‑1:2009, Industrial communication networks – Network and system security −
Part 1-1: Terminology, concepts and models
3 Terms, definitions, abbreviated terms and conventions
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC TS 62443‑1‑1 and
the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following
addresses:
• IEC Electropedia: available at https://www.electropedia.org/
• ISO Online browsing platform: available at https://www.iso.org/obp

– 12 – IEC 62443-2-1:2024 © IEC 2024
3.1.1
access right
permission to access system resources or privilege to execute system functions
Note 1 to entry: Permissions are generally rights to access resources such as data and executable files, while
privileges are generally rights to execute function calls provided by the operating system (OS).
3.1.2
asset owner
organizational role ultimately accountable for one or more IACS
Note 1 to entry: Used in place of the generic word end user to provide differentiation.
Note 2 to entry: In the context of this document, asset owner also includes the operator of the IACS.
[SOURCE IEC 62443‑3‑3:2013, 3.1.2, modified – Changed in definition "individual or company
responsible" into "organizational role ultimately accountable" to reflect role; in Note 1 to entry
changed "The term "asset owner" is used" into "Used"; removed Note 2 to entry; in Note 3 to
entry changed "this standard, an asset owner" into "this document, asset owner".]
3.1.3
Automation Solution
control system and any complementary hardware and software components that have been
installed and configured to operate in an IACS
Note 1 to entry: Automation Solution is used as a proper noun in this document.
Note 2 to entry: The difference between
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

This May Also Interest You

IEC
IEC PAS 62443-2-2:2025(Main)
Security for industrial automation and control systems – Part 2-2: IACS security protection scheme

IEC PAS 62443-2-2: 2025 provides guidance on the development, validation, operation, and maintenance of a set of technical, physical, and process security measures called Security Protection Scheme (SPS). The document’s goal is to provide the asset owner implementing an IACS Security Program (SP) with mechanisms and procedures to ensure that the design, implementation and operation of an SPS manage the risks resulting from cyberthreats to each of the IACS included in its operating facility.
The document is based on contents specified in other documents of the IEC 62443 series and explains how these contents can be used to support the development of technical, physical, and process security measures addressing the risks to the IACS during the operation phase.

  • Technical specification
    44 pages
    English language
    sale 15% off
IEC
IEC 62443-2-4:2023(Main)
Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers

IEC 62443-2:2023 specifies a comprehensive set of requirements for security-related processes that IACS service providers can offer to the asset owner during integration and maintenance activities of an Automation Solution. Because not all requirements apply to all industry groups and organizations, Subclause 4.1.4 provides for the development of "profiles" that allow for the subsetting of these requirements. Profiles are used to adapt this document to specific environments, including environments not based on an IACS.
NOTE 1 The term "Automation Solution" is used as a proper noun (and therefore capitalized) in this document to prevent confusion with other uses of this term. Collectively, the security processes offered by an IACS service provider are referred to as its Security Program (SP) for IACS asset owners. In a related specification, IEC 62443-2-1 describes requirements for the Security Management System of the asset owner.
NOTE 2 In general, these security capabilities are policy, procedure, practice and personnel related. Figure 1 illustrates the integration and maintenance security processes of the asset owner, service provider(s), and product supplier(s) of an IACS and their relationships to each other and to the Automation Solution. Some of the requirements of this document relating to the safety program are associated with security requirements described in IEC 62443-3-3 and IEC 62443-4-2.
NOTE 3 The IACS is a combination of the Automation Solution and the organizational measures necessary for its design, deployment, operation, and maintenance.
NOTE 4 Maintenance of legacy system with insufficient security technical capabilities, implementation of policies, processes and procedures can be addressed through risk mitigation.

  • Standard
    194 pages
    English and French language
    sale 15% off
IEC
IEC TS 62872-1:2019(Main)
Industrial-process measurement, control and automation - Part 1: System interface between industrial facilities and the smart grid

IEC 62872-1:2019(E) defines the interface, in terms of information flow, between industrial facilities and the “smart grid”. It identifies, profiles and extends where required, the standards needed to allow the exchange of the information needed to support the planning, management and control of electric energy flow between the industrial facility and the smart grid.
The scope of this document specifically excludes the protocols needed for the direct control of energy resources within a facility where the control and ultimate liability for such control is delegated by the industrial facility to the external entity (e.g. distributed energy resource (DER) control by the electrical grid operator).

  • Technical specification
    101 pages
    English language
    sale 15% off
IEC
IEC 62443-2-4:2015(Main)
Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers

IEC 62443-2-4:2015 specifies requirements for security capabilities for IACS service providers that they can offer to the asset owner during integration and maintenance activities of an Automation Solution. The contents of the corrigendum of August 2015 have been included in this copy.

  • Standard
    180 pages
    English language
    sale 15% off
  • Standard
    389 pages
    English and French language
    sale 15% off
IEC
IEC 62443-2-4:2015/COR1:2015(Corrigendum)
Corrigendum 1 - Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers

Specifies the test methods to be used for testing polymeric insulating and sheathing material of electric cables for power distribution and telecommunications including cables used on ships.[
]Gives the methods for the ozone resistance test, hot set test and mineral oil immersion test, which apply to elastomeric compounds.

  • Standard
    10 pages
    English and French language
    sale 15% off
  • Standard
    10 pages
    English and French language
    sale 15% off
IEC
IEC TR 62443-2-3:2015(Main)
Security for industrial automation and control systems - Part 2-3: Patch management in the IACS environment

IEC TR 62443-2-3:2015(E) describes requirements for asset owners and industrial automation and control system (IACS) product suppliers that have established and are now maintaining an IACS patch management program. This Technical Report recommends a defined format for the distribution of information about security patches from asset owners to IACS product suppliers, a definition of some of the activities associated with the development of the patch information by IACS product suppliers and deployment and installation of the patches by asset owners. The exchange format and activities are defined for use in security related patches; however, it may also be applicable for non-security related patches or updates.

  • Technical report
    61 pages
    English language
    sale 15% off
IEC
IEC 62443-2-1:2010(Main)
Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program

IEC 62443-2-1:2010 defines the elements necessary to establish a cyber security management system (CSMS) for industrial automation and control systems (IACS) and provides guidance on how to develop those elements. This standard uses the broad definition and scope of what constitutes an IACS described in IEC/TS 62443-1-1. The elements of a CSMS described in this standard are mostly policy, procedure, practice and personnel related, describing what shall or should be included in the final CSMS for the organization. This bilingual version (2012-04) corresponds to the monolingual English version, published in 2010-11.

  • Standard
    159 pages
    English language
    sale 15% off
  • Standard
    338 pages
    English and French language
    sale 15% off
IEC
IEC TR 62443-3-1:2009(Main)
Industrial communication networks - Network and system security - Part 3-1: Security technologies for industrial automation and control systems

IEC/TR 62443-3-1:2009(E) provides a current assessment of various cybersecurity tools, mitigation counter-measures, and technologies that may effectively apply to the modern electronically based IACSs regulating and monitoring numerous industries and critical infrastructures. It describes several categories of control system-centric cybersecurity technologies, the types of products available in those categories, the pros and cons of using those products in the automated IACS environments, relative to the expected threats and known cyber vulnerabilities, and, most important, the preliminary recommendations and guidance for using these cybersecurity technology products and/or countermeasures.

  • Technical report
    102 pages
    English language
    sale 15% off
IEC
IEC 62541-100:2025(Main)
OPC unified architecture - Part 100: Devices

IEC 62541-100:2025 defines the information model associated with Devices. This document describes three models which build upon each other as follows:
• The (base) Device Model is intended to provide a unified view of devices and their hardware and software parts irrespective of the underlying device protocols.
• The Device Communication Model adds Network and Connection information elements so that communication topologies can be created.
• The Device Integration Host Model finally adds additional elements and rules required for host systems to manage integration for a complete system. It enables reflecting the topology of the automation system with the devices as well as the connecting communication networks.
This document also defines AddIns that can be used for the models in this document but also for models in other information models. They are:
• Locking model – a generic AddIn to control concurrent access,
• Software update model – an AddIn to manage software in a Device.
This second edition cancels and replaces the first edition published in 2015. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
a a ComponentType that can be used to model any HW or SW element of a device has been defined and a SoftwareType has been added as subtype of ComponentType;
b the new OPC UA interface concept and defined interfaces for Nameplate, DeviceHealth, and SupportInfo has been added.
c) a new model for Software Update (Firmware Update) has been added;
d) a new entry point for documents where each document is represented by a FileType instance has been specified;
e) a model that provides information about the lifetime, related limits and semantic of the lifetime of things like tools, material or machines has been added.

  • Standard
    152 pages
    English language
    sale 15% off
  • Standard
    158 pages
    French language
    sale 15% off
  • Standard
    310 pages
    English and French language
    sale 15% off
IEC
IEC 62541-13:2025(Main)
OPC Unified Architecture - Part 13: Aggregates

IEC 62541-13:2025 is available as IEC 62541-13:2025 RLV which contains the International Standard and its Redline version, showing all changes of the technical content compared to the previous edition.IEC 62541-13:2025 defines the information model associated with Aggregates. Programmatically produced aggregate examples are listed in Annex A. This third edition cancels and replaces the second edition published in 2020. This edition constitutes a technical revision.
This edition includes the following technical changes with respect to the previous edition:
a) Multiple fixes for the computation of aggregates
• The Raw status bit is always set for non-bad StatusCodes for the Start and End aggregates.
• Entries in the Interpolative examples Tables A2.2 Historian1, Historian2, and Historian3 have been changed from Good to Good, Raw status codes when the timestamp matches with the timestamp of the data source.
• Missing tables have been added for DurationInStateZero and DurationInStateNonZero.
• The value of zero has been removed for results with a StatusCode of bad.
• Data Type was listed as "Status Code" when it is "Double" for both Standard Deviation and both Variance Aggregates.
• Rounding Error in TimeAverage and TimeAverage2 have been corrected.
• The status codes have been corrected for the last two intervals and the value has been corrected in the last interval.
• The wording has been changed to be more consistent with the certification testing tool.
• UsedSlopedExtrapolation set to true for Historian2 and all examples locations needed new values or status' are modified.
• Values affected by percent good and percent bad have been updated.
• PercentGood/PercentBad are now accounted for in the calculation.
• TimeAverage uses SlopedInterpolation but the Time aggregate is incorrectly allowed to used Stepped Interpolation.
• Partial bit is now correctly calculated.
• Unclear sentence was removed.
• Examples have been moved to a CSV.
• The value and status code for Historian 3 have been updated.
• TimeAverage2 Historian1 now takes uncertain regions into account when calculating StatusCodes.
• TimeAverage2 Historian2 now takes uncertain regions into account when calculating StatusCodes.
• Total2 Historian1 now takes uncertain regions into account when calculating StatusCodes
• Total2 Historian2 now takes uncertain regions into account when calculating StatusCodes
• Maximum2 Historian1 now takes uncertain regions into account when calculating StatusCodes
• MaximumActualTime2 Historian1 now takes uncertain regions into account when calculating StatusCodes
• Minimum2 Historian1 now takes uncertain regions into account when calculating StatusCodes
• MinimumActualTime2 Historian1 now has the StatusCodes calculated while using the TreatUncertainAsBad flag.
• Range2 Historian1 now looks at TreatUncertainAsBad in the calculation of the StatusCodes.
• Clarifications have been made to the text defining how PercentGood/PercentBad are used. The table values and StatusCodes of the TimeAverage2 and Total2 aggregates have been corrected.

  • Standard
    64 pages
    English language
    sale 15% off
  • Standard
    64 pages
    French language
    sale 15% off
  • Standard
    128 pages
    English and French language
    sale 15% off