ISA-TR62443-2-2:2025
Current
The latest, up-to-date edition.
Security for industrial automation and control systems – Part 2-2: IACS security protection scheme
Hardcopy, PDF
English
26-05-2025
ISA-TR62443-2-2-2025, Security for industrial automation and control systems – Part 2-2: IACS security protection scheme, explains how to build, test and operate a security protection scheme (SPS) consisting of technical, physical and process measures to safeguard industrial automation and control systems during operation. This technical report outlines a risk-based approach that divides a control system into zones and conduits, assigns specific security requirements to each zone, and specifies technical, physical and process measures, along with their documentation, to meet those requirements. Roles are clearly defined: an asset owner is accountable, integration service providers design and implement protections, maintenance service providers perform ongoing maintenance and product suppliers develop secure product features and support processes for vulnerabilities and incidents.
A simple rating system is a key feature: security protection ratings (SPR) use a 0–4 scale to show how well system security requirements are met by technical capabilities and the consistency of human-run processes. A maturity model (ML0–ML4) assesses the reliability of operational procedures, with ML3 serving as the threshold for repeatable execution, which is used to link SPR with mapped security levels (SL). Practical assessment methods include detailed requirement checks, risk-based evaluations, shorter questionnaires and examples of aggregation and dashboard views for management reporting. Validation involves technical testing by the integration teams and organizational validation by the operating organization. A predicted Implemented SPR (SPR-I) is created in advance, with regular revalidation during operation to address any threats, vulnerabilities, or system changes that may occur. Documenting recommended process measures, training records, audits and key performance indicators supports ongoing performance measurement and helps prioritize investments and maintenance actions. This overall approach translates risk targets into specific activities, clarifies who performs each task and provides a common language for planning, procurement discussions and periodic security reviews.
| Document Type | Technical Report |
| ISBN | 978-1-64331-276-7 |
| Pages | 52 |
| Publisher Name | International Society of Automation |
| Status | Current |
| ISA-TR84.00.09:2024 | Cybersecurity Related to the Safety Lifecycle |
| ANSI/ISA-62443-4-1:2018 | SECURITY FOR INDUSTRIAL AUTOMATION AND CONTROL SYSTEMS - PART 4-1: PRODUCT SECURITY DEVELOPMENT LIFE-CYCLE REQUIREMENTS |
| ISO/IEC/IEEE 24748-1:2024 | Systems and software engineering — Life cycle management — Part 1: Guidelines for life cycle management |
| ANSI/ISA 62443-4-2:2018 | Security for industrial automation and control systems, Part 4-2: Technical security requirements for IACS components |