IEC 62443-2-1 (2025) is an important update of a foundational Operational Technology Standard
As you may be aware, the International Electrotechnical Commission (IEC) recently updated the 62443-2-1 standard.
This is a great update. It means that the Industrial Automation and Control Systems (IACS) and Operational Technology (OT) sectors now have additional guidance in key areas, such as creating and maintaining an IACS/OT security program.
The Security Program Requirements
The updated standard provides a step-by-step guide to creating, implementing, maintaining and improving a security program. A key focus is that the requirements are designed to reduce IACS security risks to manageable levels.
Flexibility and Independence
Another great improvement is that the standard enables more flexibility: the requirements are written in a way that allows for tailoring based on the specific needs of the organisation.
As a result, organisations can more effectively tailor their programs to fit their operational environments, such as tailoring access control to the needs and risk profiles of each part of the system.
Changes to the Requirements Structure
The update also included a revised version of the requirements structure for security program elements (SPEs). This will make it much easier for organisations to understand – and implement – the requirements. It also aligns with other parts of the standard nomenclature.
Understanding Legacy System Challenges
The update notes that the role and impact of legacy systems is a key issue, and provides guidance on how to address these challenges. This includes compensating controls for these systems, which is important because it maintains security postures without replacing large portions of the system.
Risk versus Cost
Also of note is that the standard calls out balancing risk versus cost, and recognises that all organisations have nuance in how their security postures are managed. A one-size-fits-all approach may not only be costly and restrictive, it may also not address the right risks. By ensuring flexibility, it allows each organisation to tailor the program to suit their needs and be pragmatic by managing cost versus risk.
Conclusion
The latest release of IEC 62443-2-1 is very much welcomed and shows that the development group and the industry are focused on ensuring the standard not only remains at the forefront of guidance, but also remains workable and able to be implemented, which is a key driver in adoption.
For more information on how Anchoram Consulting can assist with this and other IACS and OT challenges, reach out at any time for a discussion.