This part of IEC 62443 specifies asset owner security program (SP) policy and procedure
requirements for an industrial automation and control system (IACS) in operation. This
document uses the broad definition and scope of what constitutes an IACS as described in
IEC TS 62443‑1‑1. In the context of this document, asset owner also includes the operator of
the IACS.

This document recognizes that the lifespan of an IACS can exceed twenty years, and that many
legacy systems contain hardware and software that are no longer supported. Therefore, the SP
for most legacy systems addresses only a subset of the requirements defined in this document.
For example, if IACS or component software is no longer supported, security patching
requirements cannot be met. Similarly, backup software for many older systems is not available
for all components of the IACS. This document does not specify that an IACS has these
technical requirements. This document states that the asset owner needs to have policies and
procedures around these types of requirements. In the case where an asset owner has legacy
systems that do not have the native technical capabilities, compensating security measures can
be part of the policies and procedures specified in this document.

This document also recognizes that not all requirements specified in this document apply to all
IACSs. For example, requirements associated with certain technology (such as wireless) or
functions (such as remote access) will not apply to IACSs that do not include these technologies
or functions. Similarly, not all malware protection requirements apply to systems for which
malware protection software is not available for any of their devices. Therefore, this document
states that the asset owner needs to identify the IACS security requirements that are applicable
to its IACSs in their specific operating environments.

The elements of an IACS SP described in this document define required security capabilities
that apply to the secure operation of an IACS. Although the asset owner is ultimately
accountable for the secure operation of an IACS, implementation of these security capabilities
often includes support from its service providers and product suppliers. For this reason, this
document provides guidance for an asset owner when stating security requirements for their
service providers and product suppliers, referencing other parts of the IEC 62443 series.

Figure 1 illustrates the roles and responsibilities of the asset owner, service provider(s) and
product supplier(s) of an IACS and their relationships to each other and to the Automation
Solution. The Automation Solution is a technical solution implementing the control/safety and
complementary functions necessary for the IACS. It is composed of hardware and software
components that have been installed and configured to operate in the IACS. The IACS is a
combination of the Automation Solution and the organizational measures necessary for its
design, deployment, operation and maintenance.

Some of these capabilities rely on the appropriate application of integration and maintenance
capabilities defined in IEC 62443‑2‑4 [2] and technical security capabilities defined in
IEC 62443‑3‑3 [3] and IEC 62443‑4‑2 [4].

| File Size : | 1 file, 1.9 MB |
| ISBN(s) : | 9780539005028 |
| Note : | This product is unavailable in Ukraine, Russia, Belarus |
| Number of Pages : | 96 |
| Published : | 09/30/2024 |