The IACS Cybersecurity Lifecycle is a continuous process defined within the ISA/IEC 62443 series to ensure cybersecurity is effectively managed throughout the entire life of an Industrial Automation and Control System (IACS).
Industrial control systems often remain in service for 20 years or more. During this time, cyber threats evolve, vulnerabilities are discovered, technology changes, and operational requirements continually develop. As a result, cybersecurity cannot be treated as a one-time engineering project—it must be continuously assessed, maintained, and improved.
The lifecycle provides a repeatable framework for identifying cyber risks, implementing appropriate security measures, maintaining the required level of protection, and continuously adapting to new threats. By following this lifecycle, organisations can improve the resilience, reliability, availability, and safety of their industrial operations while reducing cybersecurity risk.
Cybersecurity is never "complete." Every change to an industrial control system—whether installing new equipment, applying software updates, modifying network architecture, or changing operational procedures—can introduce new cybersecurity risks.
A structured lifecycle enables organisations to:
The lifecycle follows a process of continual improvement rather than a fixed sequence of activities.
The first stage evaluates the current cybersecurity posture of the system and determines what level of protection is required.
During the assessment phase organisations:
The assessment stage establishes the baseline for all future cybersecurity activities and produces the Cybersecurity Requirements Specification that guides implementation.
Once cybersecurity requirements have been identified, appropriate security measures are designed and implemented.
Activities typically include:
The objective is to ensure each security zone achieves the Target Security Level established during the risk assessment.
Security controls should always remain aligned with evolving threats, operational requirements, and organisational policies.
Cybersecurity must continue throughout the operational life of the system.
Maintenance activities include:
Maintenance ensures that security remains effective despite changes to technology, personnel, or the threat landscape.
The IACS Cybersecurity Lifecycle is not a linear process—it is a continuous cycle.
After maintenance activities are completed, organisations reassess their cybersecurity posture and begin the assessment process again.
This continual improvement model allows organisations to:
Continuous improvement is one of the fundamental principles of ISA/IEC 62443 and ensures cybersecurity remains effective throughout the entire operational life of the IACS.
One of the primary objectives of the lifecycle is maintaining the required level of security for every security zone.
Every zone is assigned a Target Security Level (SL-T) during the risk assessment process.
Following implementation and ongoing maintenance, the organisation measures the Security Level Achieved (SL-A).
The fundamental objective is:
If the achieved security level falls below the target, additional technical or organisational security measures must be implemented until the required level of protection is restored.
Risk assessment drives the entire cybersecurity lifecycle.
The process begins by identifying:
These factors determine the acceptable level of risk and establish the Target Security Level required for each security zone.
As the system evolves, risk assessments are periodically repeated to ensure security controls remain appropriate.
Without regular risk assessments, security measures quickly become outdated and ineffective.
The IACS Cybersecurity Lifecycle is built upon several fundamental principles:
The IACS Cybersecurity Lifecycle provides the high-level framework for continuously managing cybersecurity throughout the life of an industrial control system.
The Automation Solution Security Lifecycle expands this concept into a structured engineering methodology consisting of eight phases:
Together, these lifecycles ensure cybersecurity is considered from the earliest stages of system design through to final retirement.
Primary Standards