ISA/IEC 62443 Standards - Part 4

62443-2-1:2024 Standard updates and more. [Securing Things by M. Yousuf Faisal]

Disclaimer: All views presented here, in this newsletter, are my own.

Author or the newsletter are not liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and or situation.

M. Yousuf Faisal

Hello there,

This is Part 4 of a multi-part series giving an overview of the ISA/IEC 62443 standards. It expands further on the standards and covers the key updates to one part of the series, the ISA/IEC 62443-2-1:2024 release, and more.

In case you missed them, here are Part 1, Part 2 and Part 3, in which we covered the basics of:

  • introduction & background about the standards series,

  • key stakeholders, IACS roles & responsibilities,

  • 4 groups of standards requirements,

  • 3 phase IACS Cybersecurity Lifecycle,

  • ISA Secure Certifications for Suppliers, Products, Asset owners & individuals,

  • important terms, definitions & relationships,

  • Standards series introduction (of each standard part),

  • Standards elements, security levels, & types of standards requirements,

  • Foundational Requirements (FRs) and their relationships with System Requirements (SRs) and Component Requirements (CRs),

  • Zones, Sub-zones and conduits.

Quick test: Try to recall the 4 groups in the standards series using the tip from Part 1. If you can't, click the Part 1 link for a reminder. Hope this helps!

But before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care or liked and keep me motivated to publish more. Thanks!


IEC 62443-2-1:2024 - Standard updated 📜 

The International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) recently released the second edition of the ISA/IEC 62443-2-1:2024 standard, updating the IACS security standards and outlining the essential security program elements (policies and procedures) for IACS asset owners.

This second edition replaces the 2010 first edition and is a technical revision.

The ANSI/ISA-62443-2-1-2024 standard, developed by ISA99 and IEC Technical Committee 65, outlines requirements for implementing security in industrial systems using technical, physical, procedural, and compensatory measures.

Created with input from global cybersecurity experts, it offers a flexible framework to address security vulnerabilities in IACS across all industry sectors and critical infrastructure.

IEC 62443-2-1:2024 Updates / Changes 

Aligned with the ISA-62443-1-1 definition of IACS, the new edition emphasizes shared security responsibilities to ensure consistency with industry best practices, and expands 'asset owner' to include IACS operators as well.

The latest edition includes major technical changes to the previous edition such as:

  • A revised requirement structure organized into Security Program Elements (SPEs),

  • Several revised requirements to eliminate duplication with an information security management system (ISMS),

  • A defined maturity model for evaluating compliance with the requirements, streamlining the framework and enhancing security program assessment,

  • Flexible requirements for creating and improving security programs to reduce IACS security risks, allowing asset owners to choose the approaches best suited to their needs,

  • An outline of the security capabilities required for the secure operation of an IACS,

  • While the asset owner remains accountable, service providers and product suppliers often support implementation. The standard also guides asset owners in stating security requirements for these parties, referencing the ISA‐62443 series.

CSMS (Cyber Security Management System) is no more?

The new standard completely overhauls the old one, replacing the term CSMS (Cyber Security Management System) with Security Program (SP). This refers to a management system for implementing cybersecurity in Industrial Automation and Control Systems.

The new version advises aligning the Security Program (SP) with the organization's existing ISMS to avoid duplication, as most large IT organizations already have one.

ANSI/ISA-62443-2-1-2024 acknowledges that IACS can last over twenty years, with many legacy systems having unsupported hardware and software.

The ANSI/ISA-62443-2-1-2024 document doesn't specify technical requirements for IACS but requires asset owners to have policies for such needs.

Consequently, the SP for most legacy systems covers only a subset of the document's requirements.

If the IACS or component software is unsupported, security patches can't be applied, and backup software for older systems may be unavailable.

For legacy systems lacking the technical capabilities, compensating security measures should be included in these policies.

Related Offer:

The current iteration of my OT-CBPRS toolkit is perfect for small to medium-sized regional or global manufacturers. This toolkit outlines an OT cybersecurity best practices requirements specification. It sets a baseline and offers complementary support for your OT security policy needs. Use it to establish upfront requirements for any new OT security projects and watch your security soar!

The next iteration of my OT-CBPRS toolkit will also include an OT Security Policy document for an additional fee, with the requirements more closely aligned to the ISA/IEC 62443-2-1 requirements.

Get ready to supercharge your OT security! Dive into the OT-CBPRS toolkit and register your interest now to craft the ultimate policy and requirements specification. Don't miss out on this offer to uplift your OT Cybersecurity Program!

Read more about → OT/ICS Cybersecurity Requirements Specification for SMB Manufacturers [Securing Things by M. Yousuf Faisal].

Summary of a few other changes in the IEC 62443 standard series in 2024:

  • The categories have increased from 4 to 6, but Category 5 is reserved for future use, with no documents currently assigned to it.

  • IEC 62443-1-5 has been released. It deals with Security Profiles. In future, typical security profiles for different applications will be released under the nomenclature IEC 62443-5-x, where x could be 1, 2, 3, etc. for the different application or industry profile documents.

  • IEC 62443-4-3, initially for IIoT devices, is now IEC 62443-1-6 in category 1 and remains in draft mode.

  • IEC 62443-6-1 has been released. It is an evaluation guide for third-party assessors to examine compliance with IEC 62443-2-4.

We’ll conclude part 4 here.

Stay tuned to find out more in Part 5 - ISA/IEC 62443 Standards Series Overview in a future newsletter edition, in which we’ll cover cybersecurity risk assessments using 62443-3-2 and 3-3, the applicability of different parts of the standard across the cybersecurity lifecycle phases, and more.

References

  • ISA main website → https://www.isa.org/

  • Announcement on the 62443-2-1 update → https://www.isa.org/news-press-releases/2025/january/update-to-isa-iec-62443-standards-addresses-organi

  • ISA Global Cybersecurity Alliance (ISAGCA) → https://gca.isa.org/resources. e.g.:

    • Quick Start Guide to ISA/IEC 62443

    • IoT Security Maturity Model: 62443 Mappings for Asset Owners and Product Suppliers

    • and more…


Ways in which I can help?

Whenever you are ready - I can help you with:

A - IT & OT Cybersecurity Advisory / Consulting services - for securing your business and/or its digital transformation journey.

B - Security Awareness Training & Phishing Awareness Portal - Train your staff and build a security awareness program through our subscription-based service.

C - Securing Things Academy (STA) - Security trainings for IT & OT practitioners.

Visit the newsletter website for links to the above services, and/or reach out at info[at]securingthings[dot]com or DM me via LinkedIn.

D - Securing Things Newsletter - Sponsor this newsletter to showcase your brand globally, or subscribe to simply Get Smarter at Securing Things.

Reach out at newsletter[at]securingthings[dot]com or DM me via LinkedIn.

Feedback

I invite the #SecuringThings community to share their feedback.

Your feedback and input are invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society. Thank you for your trust and continued support.

Do register, validate your email, and request a login link to submit the poll, to be entered for a chance to win a future course giveaway.


Thanks for reading - until the next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

Follow Securing Things on LinkedIn | X/Twitter & YouTube.
