IEC 62443: A Cybersecurity Guide for Industrial Systems (Part 3)

Welcome back to the series on the IEC 62443 standard for industrial cybersecurity. This third installment looks at the documents in the IEC 62443-2 series:

62443-2-1 Establishing an IACS cybersecurity management system

62443-2-2 IACS Security Protection Scheme (SPS)

62443-2-3 Patch management in the IACS environment

62443-2-4 Security program requirements for IACS service providers

This series of documents is still somewhat aimed at the softer areas of industrial security, policies, procedures and the like, but each of them comes with guidance on what those policies and procedures should contain!

As in the previous article on the IEC 62443-1 series, I will give you an overview of the content of the documents in the IEC 62443-2 series. That way, you can focus on the documents that will provide you with the most value, since the cost of buying the documents from your national standards body is nontrivial.

The purpose of IEC 62443-2-1 is to provide guidance and requirements for establishing and maintaining an effective cybersecurity management system (CSMS) for industrial automation and control systems (IACS), focusing on the asset owner's responsibilities.

In simpler terms, it tells an organization how to organize, implement, and maintain cybersecurity for its industrial systems, rather than specifying technical device requirements.

Structure & Core Content

1. Introduction to the IACS Security Program

  • Explains why traditional IT cybersecurity approaches are not sufficient for IACS.
  • Outlines program objectives, including:
    • Protecting availability and safety
    • Reducing risk of cyber incidents
    • Meeting regulatory and business requirements

2. Security Program Requirements

The standard defines the minimum elements of a cybersecurity program, including:

  1. Policy and Governance
    • Establishing an IACS security policy
    • Assigning roles and responsibilities for cybersecurity
    • Management commitment and resource allocation
  2. Risk Management
    • Performing IACS-specific risk assessments
    • Identifying critical assets and vulnerabilities
    • Determining target security levels (SL-T)
  3. Security Program Implementation
    • Planning and prioritizing security controls
    • Developing procedures and guidelines
    • Training personnel and raising awareness
  4. Monitoring and Continuous Improvement
    • Tracking program effectiveness using KPIs
    • Regularly auditing and updating the program
    • Incorporating lessons learned from incidents

3. Cybersecurity Management System (CSMS) Model

  • Similar to the PDCA cycle (Plan-Do-Check-Act) in ISO 27001.
  • Consists of:
    1. Establishing the CSMS
    2. Implementing and operating the CSMS
    3. Monitoring and reviewing performance
    4. Maintaining and improving the CSMS

4. Integration with IEC 62443 Lifecycle

  • Aligns with security lifecycle concepts from IEC 62443-1-4.
  • Connects management processes to technical controls (defined in IEC 62443-3-3, see the next article in this series).
  • Supports defence in depth by coordinating organizational and technical layers

5. Documentation and Reporting

  • Recommends clear documentation for:
    • Security policies
    • Asset inventories
    • Risk assessments
    • Incident logs

The part about regulatory requirements is important to many sectors, like the life science sector, and with ever-increasing regulation from authorities, the IEC 62443 standard in general can help demonstrate compliance and responsibility!

The purpose of IEC 62443-2-2 is to provide practical, operational guidance for implementing and maintaining security protections for Industrial Automation and Control Systems (IACS).

1. Security Protection Scheme (SPS) Definition

  • Defines the SPS as the portfolio of technical, physical, and process measures deployed to manage cyber risks during IACS operation.
  • The SPS extends the high-level CSMS from 62443-2-1 with detailed protection mechanisms.

2. Lifecycle Guidance

  • Frames the SPS lifecycle across key stages: development, validation, deployment, operation, and maintenance.
  • Aligns cybersecurity operations with the overall goals of the asset owner's security program.

3. Context & References

  • Builds on prior parts of the 62443 series, namely 2-1, 2-4, 3-2 and 3-3 (see the next article in this series), to ground its recommendations in established terminology, risk assessment and system requirements.

4. Maturity Assessment Model

  • Includes tables (e.g., maturity level assessment procedures and attributes) that help evaluate how maturely the SPS is implemented in practice.

The maturity assessment model might be new to you. The ISA/IEC 62443 SMM is the typical maturity model for industrial cybersecurity; it evaluates an organization's governance, processes, and technical practices to determine how effectively they can manage and sustain IACS security. Its levels, from lowest to highest maturity, are:

  • No formal or repeatable security practices
  • Ad hoc practices; reactive response to threats
  • Basic repeatable processes; some proactive measures
  • Well-documented, integrated processes across the organization
  • Continuous improvement and optimization of security practices

Much like CMMI (Capability Maturity Model Integration), but with a focus on the challenges facing industrial cybersecurity.

The purpose of IEC TR 62443-2-3 (Patch management in the IACS environment, published as a Technical Report) is to provide guidance for establishing and managing a patch management process specifically for Industrial Automation and Control Systems (IACS).

Unlike IT patching, which is frequent and routine, OT environments (plants, SCADA, DCS, PLCs) require special handling because downtime or unexpected behaviour can impact safety, availability, and production.

1. Patch Management Lifecycle

Describes a complete programmatic lifecycle covering:

  • Patch Identification – sourcing vendor advisories and bulletins
  • Prioritization – based on risk, criticality, and operational impact
  • Testing – validation in sandbox or staging environments
  • Deployment – scheduled rollout using change management procedures
  • Verification – confirming successful installation and system stability

2. Standardized Patch Information Exchange

Defines a recommended XML-based format for communicating patch details from suppliers to asset owners, including metadata and applicability criteria (which products and versions a given patch applies to).
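To make the identification, applicability and prioritization steps of the lifecycle concrete, here is an added example in Python (not code from the article or from IEC TR 62443-2-3) that ingests a supplier advisory, matches each patch against an asset inventory by product and version range, and ranks the resulting work by severity, safety criticality and the zone's SL-T. The XML element and attribute names (`advisory`, `patch`, `applies_to`, `fixed_version`) are assumptions for illustration and are not the schema the TR defines; the advisory and the asset inventory are constructed sample data.

```python
"""Added example: evaluating supplier patch advisories against an IACS asset
inventory. Not code from the article or from IEC TR 62443-2-3. The XML element
and attribute names below are assumptions for illustration; the TR defines its
own exchange format, which is not reproduced here."""
import xml.etree.ElementTree as ET  # for untrusted supplier files, prefer defusedxml
from dataclasses import dataclass

# Constructed sample advisory in a hypothetical format (not the 62443-2-3 schema).
SAMPLE_ADVISORY = """<?xml version="1.0"?>
<advisory supplier="ExampleVendor" id="EV-2024-0007">
  <patch id="P-1001" severity="high" requires_restart="true">
    <applies_to product="EV-PLC-500" min_version="2.0.0" max_version="2.4.9"/>
    <fixed_version>2.5.0</fixed_version>
  </patch>
  <patch id="P-1002" severity="low" requires_restart="false">
    <applies_to product="EV-HMI-Station" min_version="1.0.0" max_version="1.9.9"/>
    <fixed_version>1.10.0</fixed_version>
  </patch>
</advisory>
"""

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Patch:
    patch_id: str
    product: str
    min_version: tuple
    max_version: tuple
    fixed_version: str
    severity: str
    requires_restart: bool


@dataclass(frozen=True)
class Asset:
    asset_id: str
    product: str
    version: str
    zone: str
    sl_t: int             # target security level (SL-T) of the asset's zone
    safety_critical: bool


# Constructed asset inventory: PLC-02 already runs the fixed version and
# HMI-02 is a different product, so neither should receive a patch.
ASSETS = [
    Asset("PLC-01", "EV-PLC-500", "2.3.1", "Zone-Process", 3, True),
    Asset("PLC-02", "EV-PLC-500", "2.5.0", "Zone-Process", 3, True),
    Asset("HMI-01", "EV-HMI-Station", "1.4.2", "Zone-Supervisory", 2, False),
    Asset("HMI-02", "OtherVendor-HMI", "3.0.0", "Zone-Supervisory", 2, False),
]


def parse_version(text):
    """'2.10.0' -> (2, 10, 0); tuples compare numerically, strings would not."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_advisory(xml_text):
    """Extract each patch and its applicability criteria from an advisory."""
    root = ET.fromstring(xml_text)
    patches = []
    for node in root.findall("patch"):
        scope = node.find("applies_to")
        patches.append(Patch(
            patch_id=node.get("id"),
            product=scope.get("product"),
            min_version=parse_version(scope.get("min_version")),
            max_version=parse_version(scope.get("max_version")),
            fixed_version=node.findtext("fixed_version"),
            severity=node.get("severity", "medium").lower(),
            requires_restart=node.get("requires_restart", "false").lower() == "true",
        ))
    return patches


def is_applicable(patch, asset):
    """Applicable = same product and installed version inside the affected range."""
    if patch.product != asset.product:
        return False
    return patch.min_version <= parse_version(asset.version) <= patch.max_version


def plan_deployment(patches, assets):
    """Rank applicable (asset, patch) pairs and attach the required handling."""
    items = []
    for asset in assets:
        for patch in patches:
            if not is_applicable(patch, asset):
                continue
            # Severity weighted by safety impact, plus the zone's SL-T as exposure.
            weight = SEVERITY_WEIGHT.get(patch.severity, 2)
            score = weight * (2 if asset.safety_critical else 1) + asset.sl_t
            if asset.safety_critical or patch.requires_restart:
                action = "stage-test, then deploy in a planned outage with a rollback image"
            else:
                action = "stage-test, then deploy in the next maintenance window"
            items.append({"asset": asset.asset_id, "patch": patch.patch_id,
                          "target_version": patch.fixed_version,
                          "score": score, "action": action})
    return sorted(items, key=lambda item: (-item["score"], item["asset"]))


if __name__ == "__main__":
    for item in plan_deployment(parse_advisory(SAMPLE_ADVISORY), ASSETS):
        print(item)
```

The point of the version tuple and the inventory lookup is that applicability is decided from the asset owner's own records, not from the supplier's wording; the scoring formula and the two handling actions are placeholders for whatever the site's risk assessment and change-management procedure actually require.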

3. Role Clarification

  • Product Suppliers: responsible for preparing and distributing patch content and supporting guidance.
  • Asset Owners: tasked with evaluation, testing, deployment, rollback planning, and tracking of patches.

4. OT-Specific Challenges

Addresses unique issues in industrial settings:

  • Safety-critical operations
  • Legacy and specialized equipment
  • High availability requirements
  • Need for rollback mechanisms and risk controls when applying patches

Because most industrial environments contain a lot of legacy equipment, normal patching as known from the IT world is not directly applicable in an industrial setting.

The purpose of IEC 62443-2-4 (Security program requirements for IACS service providers) is to define cybersecurity requirements for organizations that provide services to Industrial Automation and Control Systems (IACS).

It ensures that system integrators, maintenance providers, and other service organizations follow consistent, auditable cybersecurity practices when they design, integrate, maintain, or operate IACS for asset owners.

1. Purpose of the Standard

  • Ensure that external parties (integrators, service providers) handling IACS implement cybersecurity measures aligned with the asset owner’s security program.
  • Support procurement, compliance, and auditing by defining clear requirements for suppliers.

2. Security Program Requirements

The document defines requirements for a service provider’s internal security program, including:

  1. Organizational Security
    • Documented cybersecurity policies
    • Defined roles and responsibilities
    • Personnel vetting, training, and awareness programs
  2. System and Network Security Practices
    • Application of secure configuration and hardening
    • Access control, account management, and password policies
    • Remote access management, including secure channels and monitoring
  3. Operational and Maintenance Security
    • Patch and vulnerability management procedures
    • Change management and documentation
    • Backup and recovery procedures
  4. Incident and Risk Management
    • Incident response planning and reporting
    • Risk assessments and mitigation planning
    • Logging and audit trails for security-relevant events

3. Supplier Assessment and Auditing

  • Provides a framework for evaluating service provider compliance with IEC 62443.
  • Supports asset owners in procurement by giving measurable requirements for vendor selection and contracts.

4. Mapping to Security Levels

  • Connects supplier requirements to the Security Levels (SL 1–4) introduced in IEC 62443-1-1 and 3-3.
  • Helps determine if a supplier can support systems requiring higher SLs.

5. Documentation Requirements

  • Service providers must maintain clear, auditable documentation of:
    • Security policies and procedures
    • Change logs and maintenance records
    • Incident reports and corrective actions

This is the document you, as a customer, should use whenever you are looking for new equipment or a new service provider for an existing environment. I personally expect this document to become ever more important in the coming years, as the EU NIS2 directive and the CRA (Cyber Resilience Act) take effect.

The documents in the IEC 62443-2 series are important foundational documents that help us design and implement policies and procedures for cybersecurity in an industrial setting.

The next article in the series will look at the documents in the IEC 62443-3 series:

IEC 62443-3-1 Security technologies for IACS

IEC 62443-3-2 Security risk assessment and system design

IEC 62443-3-3 System security requirements and security levels

For those of you of a more technical bent, the next article will look into the more technical parts of industrial security!

Check out the rest of the series: Part I | Part II | Part III | Vocabulary



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.