
What's new for Asset Owners in IEC 62443? Security for IACS with IEC 62443-2-1

Security program requirements for IACS asset owners


What has changed for the organizations that own and operate industrial automation and control systems (IACS)? This post walks through the 2024 revision of IEC 62443-2-1, the part of the series that sets the security program requirements for asset owners, and the certification scheme being prepared alongside it.

Security for industrial automation and control systems - IEC 62443-2-1: Security program requirements for IACS asset owners

IEC 62443-2-1:2024 specifies asset owner security program (SP) policy and procedure requirements for an industrial automation and control system (IACS) in operation. This document uses the broad definition and scope of what constitutes an IACS as described in IEC TS 62443‑1‑1. In the context of this document, asset owner also includes the operator of the IACS.

IEC 62443 Standard for Industrial Cyber Security Updated in 2024

The International Electrotechnical Commission (IEC) has released an important update to the IEC 62443 series of standards for industrial control system cyber security in 2024. Most notably, IEC 62443-2-1, which covers security program requirements for asset owners, has been significantly revised.

Key updates to IEC 62443-2-1:2024 include:

  • Restructured requirements into new "Security Program Elements" (SPEs)

  • Removed duplication with Information Security Management System (ISMS) requirements

  • Introduced a new maturity model for evaluating security program requirements

  • Expanded guidance on applying the standard to both new and legacy industrial control systems

The updated IEC 62443-2-1 provides a more streamlined and practical approach for asset owners to establish, implement, maintain and continually improve their industrial automation and control system (IACS) security programs. It recognizes that many legacy systems may not be able to meet all technical requirements, and provides flexibility for compensating security measures.

Other parts of the IEC 62443 series are also being updated to align with the 2024 revision of IEC 62443-2-1. This includes updates to standards covering system security requirements, component security requirements, and security program requirements for service providers.

The 2024 update represents an important evolution of the IEC 62443 series to address the changing industrial cybersecurity landscape. Asset owners, system integrators, and product suppliers in industries like manufacturing, energy, and critical infrastructure should review the updated standards as part of their cybersecurity programs.

Organizations currently certified to previous versions of IEC 62443 standards will likely need to update their programs to maintain compliance. The IEC is expected to provide transition guidance for shifting to the 2024 versions.

Overall, the 2024 update to IEC 62443 aims to make the standards more practical to implement while still providing robust cybersecurity guidance for industrial control systems. Asset owners should begin evaluating how to incorporate the updated requirements into their security programs.


The IEC 62443-2-1 standard and the new certification scheme for asset owners are closely interconnected. The relationship can be summarized in ten points:

  1. Foundation for Certification: IEC 62443-2-1:2024 serves as the foundational document for the new certification scheme. The standard defines the requirements and guidelines for establishing and maintaining an Industrial Automation and Control Systems (IACS) security program. The certification scheme will assess compliance against these requirements.

  2. Structured Assessment: The new structure of IEC 62443-2-1:2024, which organizes requirements into Security Program Elements (SPEs), provides a clear framework for the certification scheme. Auditors will likely use these SPEs as a checklist or roadmap during the certification process.

  3. Maturity Model Alignment: The 2024 update introduces a maturity model for evaluating security program requirements. This model will likely be integrated into the certification scheme, allowing organizations to be certified at different maturity levels. This approach provides a path for continuous improvement and allows organizations to demonstrate progress over time.

  4. Scope of Certification: The certification scheme will assess an organization's overall IACS security program as defined in IEC 62443-2-1:2024. This includes policies, procedures, and organizational measures, rather than just technical controls.

  5. Flexibility for Legacy Systems: IEC 62443-2-1:2024 acknowledges the challenges of legacy systems and allows for compensating controls. The certification scheme is expected to incorporate this flexibility, making it more practical for organizations with older systems to achieve certification.

  6. Evidence Requirements: The standard outlines the types of evidence that can demonstrate conformity. The certification scheme will likely use these guidelines to define what documentation and demonstrations are required during the audit process.

  7. Continuous Improvement: Both the standard and the certification scheme emphasize ongoing improvement of security programs. The certification process will likely include periodic reassessments to ensure continued compliance and encourage advancement through maturity levels.

  8. Integration with Other Standards: IEC 62443-2-1:2024 includes cross-references to other parts of the IEC 62443 series and related standards. The certification scheme may incorporate these relationships, potentially allowing for integrated or streamlined certifications across multiple standards.

  9. Risk-Based Approach: The standard emphasizes a risk-based approach to security, which is likely to be reflected in the certification process. Organizations may need to demonstrate how their security controls align with their specific risk profile.

  10. Guidance for Implementation: While IEC 62443-2-1:2024 provides the requirements, the certification scheme will likely offer more detailed guidance on how to implement and demonstrate compliance with these requirements in practice.

In essence, IEC 62443-2-1:2024 provides the "what" in terms of security program requirements, while the new certification scheme will provide the "how" in terms of assessing and verifying compliance with these requirements. The scheme will operationalize the standard, making it a practical tool for organizations to demonstrate their commitment to industrial cybersecurity.

A New Certification Scheme for Asset Owners

Alongside the extensively revised IEC 62443-2-1:2024, a certification scheme for asset owners is being prepared. This is a significant development for the industrial cybersecurity landscape, because it extends formal conformity assessment against IEC 62443 to the organizations that operate the systems, not only to the products and services they procure.


The IEC is introducing a certification scheme that will enable asset owners to certify their adherence to IEC 62443-2-1:2024. This scheme is expected to launch in the near future and will provide several benefits:

  1. Standardized Assessment: Asset owners will be able to have their security programs evaluated against a consistent, globally recognized standard.

  2. Demonstrable Compliance: Certification will provide a clear way for asset owners to demonstrate their commitment to industrial cybersecurity to stakeholders, regulators, and partners.

  3. Continuous Improvement: The certification process will encourage ongoing enhancement of security programs, aligned with the maturity model introduced in the 2024 update.

  4. Risk Management: By adhering to the certified standard, asset owners can better manage and mitigate cybersecurity risks in their industrial control systems.

  5. Supply Chain Trust: Certified asset owners may be viewed more favorably in the supply chain, potentially leading to improved business relationships and opportunities.

The rest of the series is being aligned with the 2024 revision of IEC 62443-2-1, including the parts covering system security requirements, component security requirements and security program requirements for service providers. For asset owners, system integrators and product suppliers in manufacturing, energy and critical infrastructure, reviewing the updated texts should be a routine part of cybersecurity planning. Organizations certified against earlier editions will need to revise their programs to stay compliant; transition guidance from the IEC is anticipated to ease that shift.

Taken together, the 2024 update and the asset-owner certification scheme aim to make the standard more practical to implement without weakening its requirements. Asset owners should start by mapping their existing security program to the new Security Program Elements and maturity levels, identifying where legacy systems will need compensating measures, and deciding whether to pursue certification once the scheme is available.
