Disclaimer: All views presented here, in this newsletter, are my own.
Neither the author nor the newsletter is liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and/or situation.
Hey there,
Hope you are doing well.
This is Part 6 of a multi-part series giving an overview of the ISA/IEC 62443 standards, and in it I will be expanding further on the following:
✍️ Links to my previous five parts of the ISA/IEC 62443 overview series.
📘 Recap 62443 Standards Series Updates & Security Program📜
↪️ Security for industrial automation and control systems – Part 2-2: IACS security protection scheme - ISA/IEC 62443-2-2. 📜
‼️Announcements & Updates - upcoming sessions & newsletters✍️
📜 ISA Secure Assurance Certification Schemes.
Recent most viewed social media posts - in case you missed previous ones.
So let’s dig in.
Yours truly.
— Yousuf.
In case you missed them, here are the previous 5 parts of the series:
introduction & background about the standards series,
key stakeholders, IACS roles & responsibilities,
4 groups of standards requirements,
3 phase IACS Cybersecurity Lifecycle,
ISA Secure Certifications for Suppliers, Products, Asset owners & individuals,
important terms, definitions & relationships,
Standards series introduction (of each standard part),
Standards elements, security levels, & types of standards requirements.
Foundational Requirements (FRs) and their relationships with System Requirements (SRs) and Component Requirements (CRs),
Zones, sub-zones and conduits,
Introduction to the recently updated ISA/IEC 62443-2-1:2024 standard (Security Program) for Asset Owners,
ISA/IEC 62443-2-1:2024 Security Program Elements (SPEs).
But before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care about or liked this, and to keep me motivated to publish more. Thanks!
Securing Things Academy:
The IT & OT CySEAT (Cyber Security Education And Transformation) course is designed for IT and OT cybersecurity practitioners. Join the wait-list → here.
Check out a brief overview below:
Security for industrial automation and control systems – Part 2-2: IACS security protection scheme
IEC 62443-2-2 has been prepared by IEC technical committee 65: Industrial-process measurement, control and automation. It is a Publicly Available Specification.
IEC PAS 62443-2-2 has been developed by IEC TC 65 and the liaison ISA99: ISA committee on Security for industrial automation and control systems.
The IEC PAS 62443-2-2 standard provides a foundation for asset owners to build their IACS (industrial automation and control systems, or simply OT) Security Program (note: as mentioned in Part 4, the term OT CSMS is no longer used).
IEC PAS 62443-2-2 can be purchased → HERE.
Some important definitions to understand are:
Security Protection Scheme (or SPS) - a set of technical, physical, and process security measures designed to address the cybersecurity concerns of an IACS during operation.
Security Program (or SP) - for IACS asset owners, refers to the policies and procedures defined by them to address the cybersecurity concerns of the IACS. This can include technical, process, physical and compensating security measures used to reduce the cybersecurity attack surface.
Target security protection ratings - the levels of the system security requirements that an asset owner desires to be fulfilled during operation.
Implemented security protection ratings - the levels of system security requirements which can be fulfilled during implementation by the designed technical, physical, and process security measures, under the assumption that the process security measures will be executed during operation with demonstrated repeatability and effectiveness.
Operated security protection ratings - the levels of system security requirements that have been fulfilled by the technical, physical, and process security measures at a given point in time during operation, with demonstrated process security measures that are repeatable and effective.
Maturity level - a qualitative method of characterizing the capability of an organization to implement security requirements according to documented policies and procedures, and its historical performance in doing so.
According to the IEC 62443-2-2 standard document:
“This part of IEC 62443 provides guidance on the development, validation, operation, and maintenance of a set of technical, physical, and process security measures called Security Protection Scheme (SPS).
The document’s goal is to provide the asset owner implementing an IACS Security Program (SP) with mechanisms and procedures to ensure that the design, implementation and operation of an SPS manage the risks resulting from cyberthreats to each of the IACS included in its operating facility.”
IEC 62443-2-2 offers more details than those found in IEC 62443-2-1, which pertains to a Security Program for Asset Owners.
IEC 62443-2-1 serves as a broad framework, whereas IEC 62443-2-2 is expected to provide more specific guidelines related to this framework.
This document is relevant to Asset Owners and EPC (Engineering, Procurement, and Construction) companies involved in constructing plants and facilities. It covers the specification, installation, commissioning, and testing of Industrial Automation and Control Systems (IACS) to manage operations and protect against cyber threats.
It outlines how the contents of the IEC 62443 series can support the development of security measures against IACS risks during the operation phase.
Figure 1 of the standards document illustrates a simplified IACS life cycle, as shown below.

Source: IEC PAS 62443-2-2
The latest edition includes the following guidance:
Relationship between Security Program (SP) and Security Protection Scheme (SPS) and process for generating SPS.
Security Program Ratings (SPR) - reference to the 62443-2-1 maturity model for deriving SPR values, grouping of security requirements, and SPR and SL types.
Principal roles of the Asset Owner, Integration Service Provider, Maintenance Service Provider and Product Supplier.
Duties and activities in the IACS life cycle related to the security protection scheme, including:
Generation of the cybersecurity requirement specification (CRS)
Design and implementation of the security measures
Generation and documentation of the process security measures
Validation of the security protection scheme
Periodic revalidation of the SPS during operation.
Concluding part 6 here.
Stay tuned to find out more in Part 7 of the ISA/IEC 62443 Standards Series Overview in a future newsletter edition, in which we’ll cover cybersecurity risk assessments using 62443-3-2 and 3-3, the applicability of different parts of the standard across the cybersecurity lifecycle phases, and more.
References
Announcement on the 62443-2-1 update → https://www.isa.org/news-press-releases/2025/january/update-to-isa-iec-62443-standards-addresses-organi
ISA Global Cybersecurity Alliance (ISAGCA) → https://gca.isa.org/resources.
Related Securing Things Offer:
Current iteration of my OT-CBPRS toolkit - perfect for small to medium-sized regional or global manufacturers! This toolkit outlines an OT cybersecurity best practices requirements specification. It sets a baseline and offers complementary support for your OT security policy needs. Use it to establish upfront requirements for any new OT security projects and watch your security soar!
The next iteration of my OT-CBPRS toolkit will also include an OT Security Policy document for an additional amount, with these requirements more closely aligned to the ISA/IEC 62443-2-1 requirements.
Get ready to supercharge your OT security! Dive into the OT-CBPRS toolkit and register your interest now to craft the ultimate policy and requirements specification. Don't miss out on this offer to uplift your OT Cybersecurity Program!
Read more about → OT/ICS Cybersecurity Requirements Specification for SMB Manufacturers [Securing Things by M. Yousuf Faisal].
Announcements & Updates
Last chance to register for “Securing the Digital Factory: Lessons from the Field on Security Challenges from Industry 3.0 to 4.0 and Beyond” in the Industrial Cyber Days for Manufacturing conference series → APAC on 3rd June.
It serves as a mini-course introduction to the IT-OT CySEAT (Cyber Security Education and Transformation) program, providing insights into securing digital factories. If you haven’t checked it out yet, do join the IT-OT CySEAT waiting list before the launch discount closes.
Upcoming newsletters:
🔐 “OT Cybersecurity Procurement Process & Practices (OTCS PPP) - ultimate guide” - for procuring / buying industrial solutions / services that protect industrial operations across water/wastewater utilities, manufacturing plants, and beyond. An exclusive multi-part series with Alana Murray.
Upcoming newsletter edition:
🔐 “The Real Security Risk? The Divide Between Cyber and Physical” - with Jamie Williams. 🚨 The biggest security risk in critical infrastructure isn’t just cyber or physical — it’s the dangerous gap between them.
ISA Secure Assurance Certification Schemes
Here are some interesting reads of the week:
System Security Assurance (SSA) Certification - SSA requirements for certification include all control system requirements in the ISA/IEC 62443-3-3 standard. The latest version is 4.0.0.
Security Development Lifecycle Assurance (SDLA) Certification - the SDLA certifies compliance with the ISA/IEC 62443-4-1 standard. The latest version is 3.0.0.
IIoT Component Security Assurance (ICSA) - product certification for IIoT components.
Component Security Assurance (CSA) Certification - CSA focuses on the security of software applications, embedded devices, host devices, and network devices, as defined by the ISA/IEC 62443-4-2 standard.
New ISASecure Site Assessment (ACSSA) Program - a certification scheme for Asset Owners, launching soon.
ISA Secure Learning Center - has a number of great resources such as whitepapers, webinars, guides, etc.
My Recent Most Viewed Social Posts:
In case you missed them, here are some of my recent most viewed social posts.
[ST # 65] Cybersecurity and AI Across IT-OT Automation Stack - Monthly Digest # 2 ✅ Competence Framework for Solutions Architects and Security Architects on industry 4.0, cybersecurity and AI across the automation stack (Cloud, ERP, DMZ, MES, SCADA, HMI, PLC/Edge), physical devices & more.🚀 [Securing Things by M. Yousuf Faisal]
📰[ST#64] IT & OT Cybersecurity Requirements Specifications - Do’s & Don’ts ✅ Deadly Sins (Common Mistakes) & Quick Wins (recommended fixes) for Cybersecurity requirements specification for Industrial environments 🚨- You Can’t Afford to Ignore! Plus🚨Announcement on OT Cybersecurity Procurement Process & Practices Series - an ultimate guide for IT-OT Tech, Cybersecurity & Procurement Professionals. [Securing Things by M. Yousuf Faisal]
📰[ST # 63] IT & OT Network Security - Example Do's & Don'ts ✅ Deadly Sins (Common Mistakes) & Quick Wins (recommended fixes) for Industrial / Manufacturing environments. Plus CISO's query and my response on Managed vs. Unmanaged switches for production environment🚀 [Securing Things by M. Yousuf Faisal]
📰 [ST # 62] ✅Cybersecurity Insights from Q1 2025 - ✅ IT, OT, AI Cybersecurity Market Insights, M&As, Incidents, breaches, ransomware, threats and changing regulatory landscape🚀 [Securing Things by M. Yousuf Faisal]
📰 [ST # 61] ✅My list of IT-OT & Cybersecurity, Leadership, Productivity, Personal Development, and Money/Business books - must read for Cyber Leaders and Practitioners. Few updates on OT Security conference, & more.🚀 [Securing Things by M. Yousuf Faisal] 📰
📢 [ST #60] All Series Index - Securing Things 📢✅IT, OT & AI Cybersecurity – Program, Digital Factory, Guides, Standards, Crash Courses, Quarterly Insights & more.🚀 [Securing Things by M. Yousuf Faisal] 🗞️🗞️🗞️
Ways in which I can help:
Whenever you are ready, I can help you with:
A - IT & OT Cybersecurity Advisory / Consulting services - for securing your business and/or its digital transformation journey.
B - Security Awareness Training & Phishing Awareness Portal - Train your staff and build a Security awareness program through our subscription based service.
C - Securing Things Academy (STA) - Security trainings for IT & OT practitioners.
Visit the newsletter website for links to the above services, and/or reach out at info[at]securingthings[dot]com or DM me via LinkedIn.
D - Securing Things Newsletter - Sponsor this newsletter to showcase your brand globally, or subscribe to simply Get Smarter at Securing Things.
Reach out at newsletter[at]securingthings[dot]com or DM me via LinkedIn.
Feedback
I invite the #SecuringThings community to share their feedback.
Your feedback and input are invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society. Thank you for your trust and continued support.
Do register, validate your email, and request a login link to submit the poll, so you can enter for a chance to win a future course giveaway. Also:
Rate the newsletter content
Thanks for reading - until the next edition!
It’s a Great Day to Start Securing Things for a Smart & Safer Society.
Take care and Best Regards,
M. Yousuf Faisal. (Advice | Consult Cyber & business leaders in their journey on Securing Things (IT, OT/ICS, IIOT, digital transformation, Industry 4.0, & AI) & share everything I learn on this Newsletter | and upcoming Academy).