SIST EN IEC 62443-2-1:2024
(Main)Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS asset owners (IEC 62443-2-1:2024)
Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS asset owners (IEC 62443-2-1:2024)
IEC 62443-2-1:2024 specifies asset owner security program (SP) policy and procedure requirements for an industrial automation and control system (IACS) in operation. This document uses the broad definition and scope of what constitutes an IACS as described in IEC TS 62443‑1‑1. In the context of this document, asset owner also includes the operator of the IACS.
This document recognizes that the lifespan of an IACS can exceed twenty years, and that many legacy systems contain hardware and software that are no longer supported. Therefore, the SP for most legacy systems addresses only a subset of the requirements defined in this document. For example, if IACS or component software is no longer supported, security patching requirements cannot be met. Similarly, backup software for many older systems is not available for all components of the IACS. This document does not specify that an IACS has these technical requirements. This document states that the asset owner needs to have policies and procedures around these types of requirements. In the case where an asset owner has legacy systems that do not have the native technical capabilities, compensating security measures can be part of the policies and procedures specified in this document.
This edition includes the following significant technical changes with respect to the previous edition:
a) revised requirement structure into SP elements (SPEs),
b) revised requirements to eliminate duplication of an information security management system (ISMS), and
c) defined a maturity model for evaluating requirements.
IT-Sicherheit für industrielle Automatisierungssysteme - Teil 2-1: Anforderungen an ein IT-Sicherheitsprogramm für IACS-Betreiber (IEC 62443-2-1:2024)
Sécurité des systèmes d'automatisation et de commande industrielles - Partie 2-1: Exigences de programme de sécurité pour les propriétaires d'actif IACS (IEC 62443-2-1:2024)
IEC 62443-2-1:2024 spécifie les exigences de politiques et de procédures du programme de sécurité (SP) du propriétaire d’actif pour un système d’automatisation et de commande industrielle (IACS) opérationnel. Le présent document utilise, au sens large, la définition et le domaine d’application de ce qui constitue un IACS décrit dans l’IEC TS 62443‑1-1. Dans le contexte du présent document, le propriétaire d’actif inclut également l’opérateur de l’IACS.
Le présent document reconnaît que la durée de vie d’un IACS peut dépasser vingt ans et que de nombreux systèmes patrimoniaux contiennent du matériel et du logiciel qui ne sont plus pris en charge. Par conséquent, le SP de la plupart des systèmes patrimoniaux ne concerne qu’un sous-ensemble des exigences définies dans le présent document. Les exigences en matière de correctifs de sécurité, par exemple, ne peuvent pas être satisfaites si l’IACS ou le logiciel composant n’est plus pris en charge. De même, le logiciel de sauvegarde de la plupart des systèmes plus anciens n’est pas disponible pour tous les composants de l’IACS. Le présent document ne précise pas qu'un IACS doit satisfaire à ces exigences techniques. Il indique qu’il est nécessaire que le propriétaire d’actif dispose de politiques et de procédures relatives à ces types d'exigences. Dans le cas où le propriétaire d'actif possède des systèmes patrimoniaux qui ne comportent pas des capacités techniques natives, des mesures de sécurité compensatoires peuvent faire partie des politiques et procédures spécifiées dans le présent document.
Cette édition inclut les modifications techniques majeures suivantes par rapport à l'édition précédente:
a) la structure des exigences a été révisée en éléments SP (SPE – SP element);
b) les exigences ont été révisées pour éliminer la répétition d'un système de management de la sécurité de l'information (SMSI); et
c) un modèle de stabilisation a été défini pour l'évaluation des exigences.
Zaščita industrijske avtomatizacije in kontrolnih sistemov - 2-1. del: Zahteve za program varnosti zaščite za lastnike sredstev IACS (IEC 62443-2-1:2024)
General Information
Standards Content (Sample)
SLOVENSKI STANDARD
01-december-2024
Zaščita industrijske avtomatizacije in kontrolnih sistemov - 2-1. del: Zahteve za
program varnosti zaščite za lastnike sredstev IACS (IEC 62443-2-1:2024)
Security for industrial automation and control systems - Part 2-1: Security program
requirements for IACS asset owners (IEC 62443-2-1:2024)
IT-Sicherheit für industrielle Automatisierungssysteme - Teil 2-1: Anforderungen an ein
IT-Sicherheitsprogramm für IACS-Betreiber (IEC 62443-2-1:2024)
Sécurité des systèmes d'automatisation et de commande industrielles - Partie 2-1:
Exigences de programme de sécurité pour les propriétaires d'actif IACS (IEC 62443-2-
1:2024)
Ta slovenski standard je istoveten z: EN IEC 62443-2-1:2024
ICS:
25.040.01 Sistemi za avtomatizacijo v Industrial automation
industriji na splošno systems in general
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN IEC 62443-2-1
NORME EUROPÉENNE
EUROPÄISCHE NORM September 2024
ICS 25.040.40; 35.100.05
English Version
Security for industrial automation and control systems - Part 2-1:
Security program requirements for IACS asset owners
(IEC 62443-2-1:2024)
Sécurité des systèmes d'automatisation et de commande IT-Sicherheit für industrielle Automatisierungssysteme - Teil
industrielles - Partie 2-1: Exigences de programme de 2-1: Anforderungen an ein IT-Sicherheitsprogramm für
sécurité pour les propriétaires d'actif IACS IACS-Betreiber
(IEC 62443-2-1:2024) (IEC 62443-2-1:2024)
This European Standard was approved by CENELEC on 2024-09-11. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Türkiye and the United Kingdom.
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2024 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62443-2-1:2024 E
European foreword
The text of document 65/1044/FDIS, future edition 2 of IEC 62443-2-1, prepared by TC 65 "Industrial-
process measurement, control and automation" was submitted to the IEC-CENELEC parallel vote and
approved by CENELEC as EN IEC 62443-2-1:2024.
The following dates are fixed:
• latest date by which the document has to be implemented at national (dop) 2025-06-11
level by publication of an identical national standard or by endorsement
• latest date by which the national standards conflicting with the (dow) 2027-09-11
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national committee. A
complete listing of these bodies can be found on the CENELEC website.
Endorsement notice
The text of the International Standard IEC 62443-2-1:2024 was approved by CENELEC as a
European Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standard indicated:
IEC 62443-3-2:2020 NOTE Approved as EN IEC 62443-3-2:2020 (not modified)
IEC 62443-2-4:2023 NOTE Approved as EN IEC 62443-2-4:2024 (not modified)
IEC 62443-3-3:2013 NOTE Approved as EN IEC 62443-3-3:2019 (not modified)
IEC 62443-4-2:2019 NOTE Approved as EN IEC 62443-4-2:2019 (not modified)
ISO/IEC 27000:2018 NOTE Approved as EN ISO/IEC 27000:2020 (not modified)
IEC 62443-4-1:2018 NOTE Approved as EN IEC 62443-4-1:2018 (not modified)
ISO/IEC 17000:2020 NOTE Approved as EN ISO/IEC 17000:2020 (not modified)
ISO/IEC 27002:2022 NOTE Approved as EN ISO/IEC 27002:2022 (not modified)
IEC 62591:2016 NOTE Approved as EN 62591:2016 (not modified)
IEC 62734:2014 NOTE Approved as EN 62734:2015 (not modified)
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod), the
relevant EN/HD applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available
here: www.cencenelec.eu.
Publication Year Title EN/HD Year
IEC/TS 62443-1-1 2009 Industrial communication networks - - -
Network and system security - Part 1-1:
Terminology, concepts and models
IEC 62443-2-1 ®
Edition 2.0 2024-08
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Security for industrial automation and control systems –
Part 2-1: Security program requirements for IACS asset owners
Sécurité des systèmes d’automatisation et de commande industrielles –
Partie 2-1: Exigences de programme de sécurité pour les propriétaires d’actif
IACS
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 25.040.40, 35.100.05 ISBN 978-2-8322-9459-8
– 2 – IEC 62443-2-1:2024 © IEC 2024
CONTENTS
FOREWORD . 6
INTRODUCTION . 8
1 Scope . 10
2 Normative references . 11
3 Terms, definitions, abbreviated terms and conventions . 11
3.1 Terms and definitions . 11
3.2 Abbreviated terms and acronyms . 15
3.3 Conventions . 16
4 Concepts . 17
4.1 Use of this document . 17
4.1.1 Applicable roles . 17
4.1.2 Use of this document by asset owners . 17
4.1.3 Use of this document by service providers and product suppliers. 19
4.2 Maturity level (ML) definitions . 20
4.3 Security levels (SLs) . 21
4.4 Requirements definitions . 21
4.4.1 Requirements organization . 21
4.4.2 Requirements cross-references . 22
4.4.3 Requirement conventions . 22
5 Conformance and assessment . 22
5.1 Overview. 22
5.2 Conformity evidence . 23
5.3 Requirements evaluation and profiles . 24
5.3.1 Overview . 24
5.3.2 Evaluation of risk to requirements . 24
5.3.3 Profiles . 24
5.3.4 Conformity assessment for the asset owner role . 25
6 SPE 1 – Organizational security measures . 25
6.1 Purpose . 25
6.2 ORG 1 – Security related organization and policies. 25
6.2.1 ORG 1.1: Information security management system (ISMS) . 25
6.2.2 ORG 1.2: Background checks . 26
6.2.3 ORG 1.3: Security roles and responsibilities . 26
6.2.4 ORG 1.4: Security awareness training . 27
6.2.5 ORG 1.5: Security responsibilities training . 27
6.2.6 ORG 1.6: Supply chain security . 28
6.3 ORG 2 – Security assessments and reviews . 28
6.3.1 ORG 2.1: Security risk mitigation . 28
6.3.2 ORG 2.2: Processes for discovery of security anomalies . 29
6.3.3 ORG 2.3: Secure development and support . 30
6.3.4 ORG 2.4: SP reviews . 30
6.4 ORG 3 – Security of physical access . 30
6.4.1 ORG 3.1: Physical access control . 30
7 SPE 2 – Configuration management . 31
7.1 Purpose . 31
IEC 62443-2-1:2024 © IEC 2024 – 3 –
7.2 CM 1 – Inventory management of IACS hardware/software components and
network communications . 31
7.2.1 CM 1.1: Asset inventory baseline . 31
7.2.2 CM 1.2: Infrastructure drawings/documentation . 32
7.2.3 CM 1.3: Configuration settings . 32
7.2.4 CM 1.4: Change control . 33
8 SPE 3 – Network and communications security . 33
8.1 Purpose . 33
8.2 NET 1 – System segmentation . 33
8.2.1 NET 1.1: Segmentation from non-IACS zones . 33
8.2.2 NET 1.2: Documentation of zones and network zone interconnections . 34
8.2.3 NET 1.3: Network segmentation from safety systems. 34
8.2.4 NET 1.4: Network autonomy . 35
8.2.5 NET 1.5: Network disconnection from external networks . 35
8.2.6 NET 1.6: Internal network access control . 35
8.2.7 NET 1.7: Network accessible services . 36
8.2.8 NET 1.8: User messaging . 36
8.2.9 NET 1.9: Network time distribution . 36
8.3 NET 2 – Secure wireless ac
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.