IEC 62443 defines several key roles responsible for cybersecurity in Industrial Automation and Control Systems (IACS).

The Asset Owner is the organisation that owns or operates the Industrial Automation and Control System.
This role has overall accountability for cybersecurity and is ultimately responsible for ensuring the IACS remains secure throughout its operational life.
Although many security tasks may be delegated to contractors or service providers, accountability always remains with the Asset Owner.

A Maintenance Service Provider performs operational support and maintenance activities on behalf of the Asset Owner.
Because maintenance personnel often require privileged access to control systems, they represent both a valuable resource and a potential cybersecurity risk.

The Integration Service Provider designs, builds and commissions the Industrial Automation and Control System by combining products from multiple vendors into a complete operational solution.
The integrator plays a critical role in implementing cybersecurity requirements defined by the Asset Owner and ensuring products are securely configured before entering service.

The Product Supplier develops, manufactures and supports the products that make up the Industrial Automation and Control System.
Products may include:
A secure product provides the foundation upon which secure systems can be built.

One of the key messages of IEC 62443 is that cybersecurity is a shared responsibility.
Each organisation has different responsibilities:

| Role | Primary Responsibility |
|---|---|
| Asset Owner | Owns the risk, defines security requirements, operates and maintains the IACS securely. |
| Maintenance Service Provider | Maintains and supports the operational system while following secure maintenance practices. |
| Integration Service Provider | Designs, installs, configures and commissions secure IACS solutions. |
| Product Supplier | Develops, manufactures and supports secure products throughout their lifecycle. |

Strong cybersecurity depends on all four roles working together. Weaknesses in any one organisation can increase the risk to the entire Industrial Automation and Control System.