← Home

IACS Security Program

ISA/IEC 62443-2-1:2024 specifies the requirements for establishing, implementing, maintaining, and continually improving an Industrial Automation and Control System (IACS) Security Program (SP).

IEC62443 Security Program
Figure – The eight Security Program Elements (SPEs) that form the IACS Security Program.

Overview

ISA/IEC 62443-2-1:2024 provides a risk-based management framework that enables organizations to protect industrial control systems against evolving cybersecurity threats while supporting safe and reliable operations.

The standard applies primarily to Asset Owners and is designed to integrate with broader organizational Information Security Management Systems (ISMS), such as ISO/IEC 27001.


Relationship with ISO/IEC 27001

Although ISA/IEC 62443-2-1 and ISO/IEC 27001 both adopt a risk-based approach to cybersecurity, they focus on different environments.

ISA/IEC 62443-2-1 ISO/IEC 27001
Industrial Automation and Control Systems (OT) Enterprise Information Technology (IT)
Industrial operations and process control Information Security Management System (ISMS)
Safety, availability and operational resilience Confidentiality, integrity and availability of information
Industrial-specific cybersecurity requirements Organization-wide information security management

ISA/IEC 62443-2-1 complements ISO/IEC 27001 by extending information security principles into industrial control environments.


What's New in the 2024 Edition

The 2024 edition replaces the original 2010 publication and introduces several significant improvements:


Security Management System vs Security Program

The standard distinguishes between two related concepts:

Security Management System (SMS)

A management framework that establishes:

Typically aligned with ISO/IEC 27001.

IACS Security Program (SP)

The operational cybersecurity program for protecting industrial systems, including:

The Security Program is normally implemented within the organization's broader Security Management System.


Security Program Elements (SPEs)

The Security Program is organised into eight Security Program Elements, each addressing a major area of industrial cybersecurity.

SPE Focus Area
SPE 1 Organization Security Measures
SPE 2 Configuration Management
SPE 3 Network and Communication Security
SPE 4 Component Security
SPE 5 Protection of Data
SPE 6 User Access Control
SPE 7 Event and Incident Management
SPE 8 System Integrity and Availability

Together, these elements implement a defense-in-depth cybersecurity strategy across the entire IACS lifecycle.


SPE 1 – Organization Security Measures

Establishes the organizational foundation for cybersecurity.

Key topics include:


SPE 2 – Configuration Management

Maintains accurate documentation and controlled system configurations.

Key topics include:


SPE 3 – Network and Communication Security

Protects industrial communications and network infrastructure.

Key topics include:


SPE 4 – Component Security

Protects hardware, software and embedded devices from cyber threats.

Key topics include:


SPE 5 – Protection of Data

Protects operational information against unauthorized disclosure and modification.

Key topics include:


SPE 6 – User Access Control

Ensures only authorized users, devices and software processes can access IACS resources.

Key topics include:


SPE 7 – Event and Incident Management

Provides the capability to detect, record, investigate and respond to cybersecurity events.

Key topics include:


SPE 8 – System Integrity and Availability

Maintains reliable operation of the IACS and supports system recovery following failures or cyber incidents.

Key topics include:


Security Program Maturity Levels

ISA/IEC 62443-2-1 introduces a maturity model that enables organizations to measure how effectively their Security Program has been implemented.

Rather than simply determining whether a requirement exists, the maturity model evaluates the consistency, effectiveness and sustainability of cybersecurity practices.

Typical maturity progression includes:

Level Description
Level 0 Not Performed
Level 1 Initial / Ad Hoc
Level 2 Managed
Level 3 Defined
Level 4 Quantitatively Managed
Level 5 Optimizing / Continual Improvement

Higher maturity levels demonstrate increasingly consistent implementation, measurement and continuous improvement.


Conformance and Assessment

Conformance assessments determine whether an organization's Security Program satisfies the requirements of ISA/IEC 62443-2-1.

Assessments typically review:

Objective evidence is used to demonstrate that requirements have been implemented and are operating effectively.

Typical evidence includes:

Assessment results identify areas requiring improvement and support continual enhancement of the Security Program.


Key Takeaways


Standards Reference

Primary Standard

Related Standards

AEBOK Standards Reference: Refer to ISA/IEC 62443-2-1:2024 for the Security Program Elements, maturity model, and conformance assessment requirements that underpin the IACS Security Program.