WisePlant – A WiseGroup Company
ISA IEC 62443-2-1 Ed 2024

IEC publishes IEC 62443-2-1:2024, setting security standards for industrial automation and control systems

The International Electrotechnical Commission (IEC) has published a new standard, IEC 62443-2-1:2024, which sets security requirements for industrial automation and control systems (IACS). The standard is part of the IEC 62443 series, which provides a comprehensive framework for securing industrial control systems.

The new standard specifies asset owner security program (SP) policy and procedure requirements for an IACS in operation. It recognizes that the lifespan of an IACS can exceed twenty years, and that many legacy systems contain hardware and software that are no longer supported. The standard also supports the need to address cybersecurity for an IACS in operation by providing requirements for establishing, implementing, maintaining, and continually improving an IACS security program (SP).

The standard is intended to help asset owners establish a security program that is tailored to their specific needs. It provides a framework for identifying and assessing risks, developing security policies and procedures, and implementing security measures. The standard also provides guidance on how to monitor and evaluate the effectiveness of the security program.

The IEC 62443-2-1:2024 standard is an important step in helping to protect industrial control systems from cyberattacks. By providing a comprehensive framework for security, the standard can help asset owners to reduce their risk and improve the security of their operations.

The IEC 62443-2-1:2024 standard provides a framework for asset owners to establish a security program for their industrial automation and control systems (IACS). It specifies policy and procedure requirements for an IACS in operation, recognizing that the lifespan of an IACS can exceed twenty years.

Key technical details:

  • Asset owner security program (SP) policy and procedure requirements: The standard defines the requirements for establishing, implementing, maintaining, and continually improving an IACS security program.
  • Life cycle management: The standard recognizes that an IACS has a long lifespan and may contain legacy components. It provides guidance on how to manage the security of these systems throughout their life cycle.
  • Risk assessment and management: The standard requires asset owners to identify and assess risks to their IACS. It provides guidance on how to develop and implement security measures to mitigate these risks.
  • Security policies and procedures: The standard specifies the requirements for developing and implementing security policies and procedures. These policies and procedures should address a variety of security issues, such as access control, authentication, and data protection.
  • Security measures: The standard provides guidance on the types of security measures that asset owners should implement. These measures may include hardware, software, and procedural controls.
  • Monitoring and evaluation: The standard requires asset owners to monitor and evaluate the effectiveness of their security program. This includes assessing compliance with security policies and procedures, identifying and responding to security incidents, and making improvements to the security program.

Overall, the IEC 62443-2-1:2024 standard provides a comprehensive framework for securing industrial automation and control systems. By following the requirements of the standard, asset owners can reduce their risk of cyberattacks and improve the security of their operations.

About the author: Maximillian G. Kon, ISA Qualified Instructor, ISA Groups Member
