The Automation Solution Security Lifecycle defines the engineering process used to design, build, operate,
maintain, and retire a secure Industrial Automation and Control System (IACS).
Figure – The eight engineering phases of the Automation Solution Security Lifecycle.
Introduction
While the IACS Cybersecurity Lifecycle focuses on the continuous management of cybersecurity, the Automation
Solution Security Lifecycle describes the eight engineering phases that occur throughout the life of an industrial
control system.
Each phase defines clear activities, deliverables, and responsibilities for the Asset Owner, Integration Service
Provider, Maintenance Service Provider, and Product Supplier. Together, these phases ensure cybersecurity is
integrated into every stage of an automation project's lifecycle—from the earliest concept through to secure
decommissioning.
The lifecycle follows established systems engineering principles and aligns cybersecurity with operational
reliability, functional safety, and long-term asset management.
Why an Automation Solution Lifecycle?
Industrial automation projects typically remain operational for decades and undergo numerous modifications during
their lifetime.
Without a structured engineering lifecycle:
Security requirements may be overlooked during design.
Systems may be deployed with insecure default configurations.
Security testing may be inconsistent.
Maintenance activities may introduce new vulnerabilities.
Equipment may be retired without securely removing sensitive data.
The Automation Solution Security Lifecycle provides a repeatable framework that integrates cybersecurity into
every engineering activity, ensuring systems remain secure throughout their operational life.
The Eight Lifecycle Phases
Phase 1 – Specification
The Specification phase establishes the cybersecurity requirements before system design begins.
The Asset Owner identifies the System Under Consideration (SUC) and performs an initial cybersecurity risk
assessment.
Key activities include:
Define the System Under Consideration.
Perform an initial cybersecurity risk assessment.
Partition the system into Zones and Conduits.
Assign Target Security Levels (SL-T).
Identify business, operational, and regulatory requirements.
Define initial cybersecurity objectives.
Primary Responsibility: Asset Owner
Supporting Roles: Product Supplier (consultation)
Key Deliverables:
Initial Risk Assessment
Zone and Conduit Model
Target Security Levels
Initial Cybersecurity Requirements
Phase 2 – Design
The Design phase develops the detailed cybersecurity architecture required to achieve the Target Security Levels.
Each Zone and Conduit is assessed individually to determine the required technical and organisational security
measures.
Activities include:
Perform detailed cybersecurity risk assessments.
Design technical security controls.
Develop organisational security procedures.
Identify compensating controls where required.
Produce the Cybersecurity Requirements Specification (CRS).
The Asset Owner must approve the Cybersecurity Requirements Specification before implementation begins.
Primary Responsibility: Integration Service Provider
Accountable: Asset Owner
Supporting Roles: Product Supplier
Key Deliverables:
Cybersecurity Requirements Specification
Detailed Security Architecture
Approved System Design
Phase 3 – Implementation
During implementation, the designed security measures are installed, configured, and integrated into the
Automation Solution.
Security must also be maintained throughout the installation process.
Typical activities include:
Install hardware and software.
Configure secure communications.
Implement authentication and access control.
Apply network segmentation.
Install product security updates.
Configure logging and monitoring.
Develop operational procedures.
Develop maintenance procedures.
The implementation phase should maintain physical and logical security throughout commissioning.
Primary Responsibility: Integration Service Provider
Supporting Roles: Product Supplier, Maintenance Service Provider, Asset Owner
Key Deliverables:
Configured Automation Solution
Implemented Technical Security Controls
Operational Procedures
Maintenance Procedures
Phase 4 – Verification
Verification confirms that the system has been built according to the approved design.
It answers the question:
"Did we build the system correctly?"
Activities include:
Verify technical security controls.
Review configurations.
Perform vulnerability scanning.
Verify security requirements.
Confirm compliance with the Cybersecurity Requirements Specification.
Verification focuses on ensuring implementation matches design.
Phase 5 – Validation
Validation confirms the completed Automation Solution satisfies operational requirements.
It answers the question:
"Did we build the correct system?"
Activities include:
Validate organisational security procedures.
Perform Factory Acceptance Testing (FAT).
Perform Site Acceptance Testing (SAT).
Validate operational functionality.
Confirm cybersecurity objectives have been achieved.
Formally hand over the system to Operations.
Immediately before commissioning, default credentials, vendor passwords, and encryption keys should be replaced to
ensure the system enters service securely.
Phase 6 – Operations
Once commissioned, the Automation Solution enters normal operation.
The Asset Owner is responsible for operating the system securely while maintaining both organisational and
technical security measures.
Activities include:
Operate the industrial process.
Execute organisational security procedures.
Monitor system health.
Perform incident response.
Perform recovery activities.
Review cybersecurity performance.
Trigger maintenance activities when required.
Cybersecurity becomes part of daily operational management.
Primary Responsibility: Asset Owner
Phase 7 – Maintenance
Maintenance ensures the Automation Solution continues meeting its cybersecurity objectives throughout its
operational life.
Maintenance may be triggered by:
New vulnerabilities.
Vendor security updates.
Hardware replacement.
Software upgrades.
Operational changes.
Security incidents.
Emerging cyber threats.
Typical maintenance activities include:
Patch management.
Firmware updates.
Backup verification.
Vulnerability monitoring.
Periodic security testing.
Risk reassessment.
Management of Change (MoC).
Updating technical and organisational security measures.
Maintenance should continuously improve the security posture of the Automation Solution.
Primary Responsibility: Maintenance Service Provider
Supporting Roles: Product Supplier, Asset Owner
Phase 8 – Decommissioning
Eventually, equipment reaches the end of its operational life.
The Decommissioning phase ensures obsolete equipment does not become a future cybersecurity risk.
Activities include:
Remove equipment from service.
Purge sensitive data.
Destroy credentials and encryption keys.
Securely erase storage devices.
Dispose of hardware securely.
Update engineering documentation.
Maintain operational continuity during replacement.
Secure decommissioning prevents confidential information from remaining accessible after equipment has been
retired.
Primary Responsibility: Maintenance Service Provider
Approval: Asset Owner
Roles Throughout the Lifecycle
Cybersecurity is a shared responsibility throughout every lifecycle phase.
Asset Owner
Accountable for cybersecurity risk.
Defines security requirements.
Approves cybersecurity deliverables.
Operates the Automation Solution.
Approves Management of Change.
Approves decommissioning.
Integration Service Provider
Designs cybersecurity architecture.
Implements technical security measures.
Performs integration.
Conducts verification activities.
Supports commissioning and handover.
Maintenance Service Provider
Maintains cybersecurity during operation.
Applies patches and updates.
Monitors vulnerabilities.
Performs Management of Change.
Supports secure decommissioning.
Product Supplier
Develops secure products.
Provides product security updates.
Provides technical support.
Advises on product security capabilities.
Supports vulnerability management.
Although responsibilities are shared, the Asset Owner remains accountable for the cybersecurity of the IACS
throughout its lifecycle.
Continuous Security Throughout the Lifecycle
Cybersecurity is present in every engineering phase.
Rather than being completed during implementation, security is continuously maintained through:
Risk assessment
Secure design
Verification
Validation
Operations
Maintenance
Continuous improvement
Secure decommissioning
Changes to the Automation Solution should always follow a documented Management of Change (MoC) process to ensure
cybersecurity risks remain acceptable.
Key Principles
The Automation Solution Security Lifecycle is based on several important principles:
Cybersecurity begins during system specification.
Risk assessment drives engineering decisions.
Security must be engineered into the system—not added afterwards.
Verification confirms the implementation matches the design.
Validation confirms the completed system satisfies operational requirements.
Security must continue throughout operation and maintenance.
Cybersecurity supports safety, reliability, and operational resilience.
Roles and responsibilities should be clearly defined throughout every lifecycle phase.
Relationship to the IACS Cybersecurity Lifecycle
The Automation Solution Security Lifecycle is the detailed engineering implementation of the broader IACS
Cybersecurity Lifecycle.
The IACS Cybersecurity Lifecycle describes the continuous process of:
Assess
Develop & Implement
Maintain
The Automation Solution Security Lifecycle expands these concepts into eight structured engineering phases that
guide the design, deployment, operation, maintenance, and retirement of secure industrial control systems.
Together, these lifecycles ensure cybersecurity is continuously managed while also providing a practical
engineering framework for implementing secure automation solutions.
Key Takeaways
Cybersecurity should be integrated into every engineering phase of an automation project.
The lifecycle consists of eight phases from specification through to decommissioning.
Risk assessment is the foundation of secure system design.
Verification ensures the system was built correctly.
Validation ensures the correct system was built.
Operations and Maintenance continue cybersecurity throughout the system's operational life.
Secure decommissioning protects sensitive information after equipment retirement.
The Asset Owner remains accountable for cybersecurity throughout the entire lifecycle.
Standards Reference
Primary Standards
ISA/IEC 62443-2-1 – Establishing an IACS Security Program
ISA/IEC 62443-2-2 – Automation Solution Security Lifecycle (draft/evolving; defines the lifecycle model and Security Program Ratings)
ISA/IEC 62443-2-3 – Patch Management in the IACS Environment
ISA/IEC 62443-2-4 – Security Program Requirements for IACS Service Providers
ISA/IEC 62443-3-2 – Security Risk Assessment for System Design
ISA/IEC 62443-3-3 – System Security Requirements and Security Levels
AEBOK Standards Reference: Refer to ISA/IEC 62443 Part 3-2 (particularly the Zone, Conduit and
Risk Assessment process), Part 2-4 (service provider responsibilities), Part 2-3 (maintenance and patch
management), and the Automation Solution Security Lifecycle described in ISA/IEC 62443-2-2 Annex A (draft).
These documents collectively define the engineering lifecycle, associated activities, and stakeholder
responsibilities for secure IACS implementation.